Battle of Locust Grove

Example of a simple robots.txt file, indicating that a user-agent called "Mallorybot" is not allowed to crawl any of the website's pages, and that other user-agents cannot crawl more than one page every 20 seconds, and are not allowed to crawl the "secret" folder.

robots.txt is the filename used for implementing the Robots Exclusion Protocol, a standard used by websites to indicate to visiting web crawlers and other web robots which portions of the website they are allowed to visit.

The standard, developed in 1994, relies on voluntary compliance. Malicious bots can use the file as a directory of which pages to visit, though standards bodies discourage countering this with security through obscurity. Some archival sites ignore robots.txt. The standard was used in the 1990s to mitigate server overload; in the 2020s many websites began denying bots that collect information for generative artificial intelligence.

The "robots.txt" file can be used in conjunction with sitemaps, another robot inclusion standard for websites.

History

The standard was proposed by Martijn Koster,[1][2] when working for Nexor[3] in February 1994[4] on the www-talk mailing list, the main communication channel for WWW-related activities at the time. Charles Stross claims to have provoked Koster to suggest robots.txt, after he wrote a badly-behaved web crawler that inadvertently caused a denial-of-service attack on Koster's server.[5]

The standard, initially RobotsNotWanted.txt, allowed web developers to specify which bots should not access their website or which pages bots should not access. The internet was small enough in 1994 to maintain a complete list of all bots; server overload was a primary concern. By June 1994 it had become a de facto standard;[6] most complied, including those operated by search engines such as WebCrawler, Lycos, and AltaVista.[7]

On July 1, 2019, Google announced the proposal of the Robots Exclusion Protocol as an official standard under Internet Engineering Task Force.[8] A proposed standard[9] was published in September 2022 as RFC 9309.

Standard

When a site owner wishes to give instructions to web robots they place a text file called robots.txt in the root of the web site hierarchy (e.g. https://www.example.com/robots.txt). This text file contains the instructions in a specific format (see examples below). Robots that choose to follow the instructions try to fetch this file and read the instructions before fetching any other file from the website. If this file does not exist, web robots assume that the website owner does not wish to place any limitations on crawling the entire site.

A robots.txt file contains instructions for bots indicating which web pages they can and cannot access. Robots.txt files are particularly important for web crawlers from search engines such as Google.

A robots.txt file on a website will function as a request that specified robots ignore specified files or directories when crawling a site. This might be, for example, out of a preference for privacy from search engine results, or the belief that the content of the selected directories might be misleading or irrelevant to the categorization of the site as a whole, or out of a desire that an application only operates on certain data. Links to pages listed in robots.txt can still appear in search results if they are linked to from a page that is crawled.[10]

A robots.txt file covers one origin. For websites with multiple subdomains, each subdomain must have its own robots.txt file. If example.com had a robots.txt file but a.example.com did not, the rules that would apply for example.com would not apply to a.example.com. In addition, each protocol and port needs its own robots.txt file; http://example.com/robots.txt does not apply to pages under http://example.com:8080/ or https://example.com/.

Compliance

A robots.txt has no enforcement mechanism in law or in technical protocol, despite widespread compliance by bot operators.[6]

Search engines

Some major search engines following this standard include Ask,[11] AOL,[12] Baidu,[13] DuckDuckGo,[14] Google,[15] Yahoo!,[16] and Yandex.[17] Bing[18] is still[when?] not fully compatible with the standard as it cannot inherit settings from the wildcard character (*).[19]

Archival sites

Some web archiving projects ignore robots.txt. Archive Team uses the file to discover more links, such as sitemaps.[20] Co-founder Jason Scott said that "unchecked, and left alone, the robots.txt file ensures no mirroring or reference for items that may have general use and meaning beyond the website's context."[21] In 2017, the Internet Archive announced that it would stop complying with robots.txt directives.[22][6] According to Digital Trends, this followed widespread use of robots.txt to remove historical sites from search engine results, and contrasted with the nonprofit's aim to archive "snapshots" of the internet as it previously existed.[23]

Artificial intelligence

Starting in the 2020s, web operators began using robots.txt to deny access to generative artificial intelligence bots. In 2023, Originality.AI found that 306 of the thousand most-visited websites blocked OpenAI's GPTBot in their robots.txt file and 85 blocked Google's Google-Extended. Many robots.txt files named GPTBot as the only bot explicitly disallowed on all pages. Denying access to GPTBot was common among news websites such as the BBC and The New York Times. In 2023, blog host Medium announced it would deny access to all artificial intelligence web crawlers as "AI companies have leached value from writers in order to spam Internet readers".[6]

GPTBot complies with the robots.txt standard and gives advise to web operators about how to disallow it, but The Verge's David Pierce said this only began after "training the underlying models that made it so powerful". Additionally, some bots are used both for search engines and artificial intelligence, so cannot be blocked for only one purpose.[6]

Security

Despite the use of the terms "allow" and "disallow", the protocol is purely advisory and relies on the compliance of the web robot; it cannot enforce any of what is stated in the file. [24] Malicious web robots are unlikely to honor robots.txt; some may even use the robots.txt as a guide to find disallowed links and go straight to them. While this is sometimes claimed to be a security risk,[25] this sort of security through obscurity is discouraged by standards bodies. The National Institute of Standards and Technology (NIST) in the United States specifically recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."[26] In the context of robots.txt files, security through obscurity is not recommended as a security technique.[27]

Alternatives

Many robots also pass a special user-agent to the web server when fetching content.[28] A web administrator could also configure the server to automatically return failure (or pass alternative content) when it detects a connection using one of the robots.[29][30]

Some sites, such as Google, host a humans.txt file that displays information meant for humans to read.[31] Some sites such as GitHub redirect humans.txt to an About page.[32]

Previously, Google had a joke file hosted at /killer-robots.txt instructing the Terminator not to kill the company founders Larry Page and Sergey Brin.[33][34]

Examples

This example tells all robots that they can visit all files because the wildcard * stands for all robots and the Disallow directive has no value, meaning no pages are disallowed.

User-agent: *
Disallow: 
User-agent: *
Allow: /

The same result can be accomplished with an empty or missing robots.txt file.

This example tells all robots to stay out of a website:

User-agent: *
Disallow: /

This example tells all robots not to enter three directories:

User-agent: *
Disallow: /cgi-bin/
Disallow: /tmp/
Disallow: /junk/

This example tells all robots to stay away from one specific file:

User-agent: *
Disallow: /directory/file.html

All other files in the specified directory will be processed.

User-agent: BadBot # replace 'BadBot' with the actual user-agent of the bot
Disallow: /

This example tells two specific robots not to enter one specific directory:

User-agent: BadBot # replace 'BadBot' with the actual user-agent of the bot
User-agent: Googlebot
Disallow: /private/

Example demonstrating how comments can be used:

# Comments appear after the "#" symbol at the start of a line, or after a directive
User-agent: * # match all bots
Disallow: / # keep them out

It is also possible to list multiple robots with their own rules. The actual robot string is defined by the crawler. A few robot operators, such as Google, support several user-agent strings that allow the operator to deny access to a subset of their services by using specific user-agent strings.[15]

Example demonstrating multiple user-agents:

User-agent: googlebot        # all Google services
Disallow: /private/          # disallow this directory

User-agent: googlebot-news   # only the news service
Disallow: /                  # disallow everything

User-agent: *                # any robot
Disallow: /something/        # disallow this directory

Nonstandard extensions

Crawl-delay directive

The crawl-delay value is supported by some crawlers to throttle their visits to the host. Since this value is not part of the standard, its interpretation is dependent on the crawler reading it. It is used when the multiple burst of visits from bots is slowing down the host. Yandex interprets the value as the number of seconds to wait between subsequent visits.[17] Bing defines crawl-delay as the size of a time window (from 1 to 30 seconds) during which BingBot will access a web site only once.[35] Google provides an interface in its search console for webmasters, to control the Googlebot's subsequent visits.[36]

User-agent: bingbot
Allow: /
Crawl-delay: 10

Sitemap

Some crawlers support a Sitemap directive, allowing multiple Sitemaps in the same robots.txt in the form Sitemap: full-url:[37]

Sitemap: http://www.example.com/sitemap.xml

Universal "*" match

The Robot Exclusion Standard does not mention the "*" character in the Disallow: statement.[38]

Meta tags and headers

In addition to root-level robots.txt files, robots exclusion directives can be applied at a more granular level through the use of Robots meta tags and X-Robots-Tag HTTP headers. The robots meta tag cannot be used for non-HTML files such as images, text files, or PDF documents. On the other hand, the X-Robots-Tag can be added to non-HTML files by using .htaccess and httpd.conf files.[39]

A "noindex" meta tag

<meta name="robots" content="noindex" />

A "noindex" HTTP response header

X-Robots-Tag: noindex

The X-Robots-Tag is only effective after the page has been requested and the server responds, and the robots meta tag is only effective after the page has loaded, whereas robots.txt is effective before the page is requested. Thus if a page is excluded by a robots.txt file, any robots meta tags or X-Robots-Tag headers are effectively ignored because the robot will not see them in the first place.[39]

Maximum size of a robots.txt file

The Robots Exclusion Protocol requires crawlers to parse at least 500 kibibytes (KiB) of robots.txt files,[40] which Google maintains as a 500 kibibyte file size restriction for robots.txt files .[41]

See also

References

  1. ^ "Historical". Greenhills.co.uk. Archived from the original on 2017-04-03. Retrieved 2017-03-03.
  2. ^ Fielding, Roy (1994). "Maintaining Distributed Hypertext Infostructures: Welcome to MOMspider's Web" (PostScript). First International Conference on the World Wide Web. Geneva. Archived from the original on 2013-09-27. Retrieved September 25, 2013.
  3. ^ "The Web Robots Pages". Robotstxt.org. 1994-06-30. Archived from the original on 2014-01-12. Retrieved 2013-12-29.
  4. ^ Koster, Martijn (25 February 1994). "Important: Spiders, Robots and Web Wanderers". www-talk mailing list. Archived from the original (Hypermail archived message) on October 29, 2013.
  5. ^ "How I got here in the end, part five: "things can only get better!"". Charlie's Diary. 19 June 2006. Archived from the original on 2013-11-25. Retrieved 19 April 2014.
  6. ^ a b c d e Pierce, David (14 February 2024). "The text file that runs the internet". The Verge. Retrieved 16 March 2024.
  7. ^ Barry Schwartz (30 June 2014). "Robots.txt Celebrates 20 Years Of Blocking Search Engines". Search Engine Land. Archived from the original on 2015-09-07. Retrieved 2015-11-19.
  8. ^ "Formalizing the Robots Exclusion Protocol Specification". Official Google Webmaster Central Blog. Archived from the original on 2019-07-10. Retrieved 2019-07-10.
  9. ^ Koster, M.; Illyes, G.; Zeller, H.; Sassman, L. (2022-09-14). "Robots Exclusion Protocol". IETF Documents. Archived from the original on 2022-09-22. Retrieved 2022-09-22.
  10. ^ "Uncrawled URLs in search results". YouTube. Oct 5, 2009. Archived from the original on 2014-01-06. Retrieved 2013-12-29.
  11. ^ "About Ask.com: Webmasters". About.ask.com. Archived from the original on 27 January 2013. Retrieved 16 February 2013.
  12. ^ "About AOL Search". Search.aol.com. Archived from the original on 13 December 2012. Retrieved 16 February 2013.
  13. ^ "Baiduspider". Baidu.com. Archived from the original on 6 August 2013. Retrieved 16 February 2013.
  14. ^ "DuckDuckGo Bot". DuckDuckGo.com. Archived from the original on 16 February 2017. Retrieved 25 April 2017.
  15. ^ a b "Webmasters: Robots.txt Specifications". Google Developers. Archived from the original on 2013-01-15. Retrieved 16 February 2013.
  16. ^ "Submitting your website to Yahoo! Search". Archived from the original on 2013-01-21. Retrieved 16 February 2013.
  17. ^ a b "Using robots.txt". Help.yandex.com. Archived from the original on 2013-01-25. Retrieved 16 February 2013.
  18. ^ "Robots Exclusion Protocol: joining together to provide better documentation". Blogs.bing.com. Archived from the original on 2014-08-18. Retrieved 16 February 2013.
  19. ^ "How to Create a Robots.txt File - Bing Webmaster Tools". www.bing.com. Archived from the original on 2019-02-07. Retrieved 2019-02-06.
  20. ^ "ArchiveBot: Bad behavior". wiki.archiveteam.org. Archive Team. Archived from the original on 10 October 2022. Retrieved 10 October 2022.
  21. ^ Jason Scott. "Robots.txt is a suicide note". Archive Team. Archived from the original on 2017-02-18. Retrieved 18 February 2017.
  22. ^ "Robots.txt meant for search engines don't work well for web archives | Internet Archive Blogs". blog.archive.org. 17 April 2017. Archived from the original on 2018-12-04. Retrieved 2018-12-01.
  23. ^ Jones, Brad (24 April 2017). "The Internet Archive Will Ignore Robots.txt Files to Maintain Accuracy". Digital Trends. Archived from the original on 2017-05-16. Retrieved 8 May 2017.
  24. ^ "Block URLs with robots.txt: Learn about robots.txt files". Archived from the original on 2015-08-14. Retrieved 2015-08-10.
  25. ^ "Robots.txt tells hackers the places you don't want them to look". The Register. Archived from the original on 2015-08-21. Retrieved August 12, 2015.
  26. ^ Scarfone, K. A.; Jansen, W.; Tracy, M. (July 2008). "Guide to General Server Security" (PDF). National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-123. Archived (PDF) from the original on 2011-10-08. Retrieved August 12, 2015. {{cite journal}}: Cite journal requires |journal= (help)
  27. ^ Sverre H. Huseby (2004). Innocent Code: A Security Wake-Up Call for Web Programmers. John Wiley & Sons. pp. 91–92. ISBN 9780470857472. Archived from the original on 2016-04-01. Retrieved 2015-08-12.
  28. ^ "List of User-Agents (Spiders, Robots, Browser)". User-agents.org. Archived from the original on 2014-01-07. Retrieved 2013-12-29.
  29. ^ "Access Control - Apache HTTP Server". Httpd.apache.org. Archived from the original on 2013-12-29. Retrieved 2013-12-29.
  30. ^ "Deny Strings for Filtering Rules : The Official Microsoft IIS Site". Iis.net. 2013-11-06. Archived from the original on 2014-01-01. Retrieved 2013-12-29.
  31. ^ "Google humans.txt". Archived from the original on January 24, 2017. Retrieved October 3, 2019.
  32. ^ "Github humans.txt". GitHub. Archived from the original on May 30, 2016. Retrieved October 3, 2019.
  33. ^ Newman, Lily Hay (2014-07-03). "Is This a Google Easter Egg or Proof That Skynet Is Actually Plotting World Domination?". Slate Magazine. Archived from the original on 2018-11-18. Retrieved 2019-10-03.
  34. ^ "/killer-robots.txt". 2018-01-10. Archived from the original on 2018-01-10. Retrieved 2018-05-25.
  35. ^ "To crawl or not to crawl, that is BingBot's question". 3 May 2012. Archived from the original on 2016-02-03. Retrieved 9 February 2016.
  36. ^ "Change Googlebot crawl rate - Search Console Help". support.google.com. Archived from the original on 2018-11-18. Retrieved 22 October 2018.
  37. ^ "Yahoo! Search Blog - Webmasters can now auto-discover with Sitemaps". Archived from the original on 2009-03-05. Retrieved 2009-03-23.
  38. ^ "Robots.txt Specifications". Google Developers. Archived from the original on November 2, 2019. Retrieved February 15, 2020.
  39. ^ a b "Robots meta tag and X-Robots-Tag HTTP header specifications - Webmasters — Google Developers". Archived from the original on 2013-08-08. Retrieved 2013-08-17.
  40. ^ Koster, Martijn. "RFC 9309: Robots Exclusion Protocol". www.rfc-editor.org. Archived from the original on 2022-10-05. Retrieved 2022-12-08.
  41. ^ "How Google Interprets the robots.txt Specification | Documentation". Google Developers. Archived from the original on 2022-10-17. Retrieved 2022-10-17.

External links