From fed7b832f6634fc10bb07bb57f964c14317cab43 Mon Sep 17 00:00:00 2001
From: Jonas Stendahl <jonas@stendahl.me>
Date: Sat, 25 Apr 2026 01:53:52 +0200
Subject: [PATCH] Move keep-internet-working.yaml before deny rules in Anubis
 policy

---
 anubis/policy.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/anubis/policy.yaml b/anubis/policy.yaml
index 90d32d28..d35943cc 100644
--- a/anubis/policy.yaml
+++ b/anubis/policy.yaml
@@ -20,6 +20,10 @@ bots:
         - '"Hx-Request" in headers'
         - 'headers["Hx-Request"] == "true"'
 
+  # Allow well-known routes (favicon, robots.txt, .well-known/) before any deny
+  # rules so crawlers can always fetch these regardless of user-agent.
+  - import: (data)/common/keep-internet-working.yaml
+
   # Deny Meta/Facebook crawlers (meta-externalagent, facebookexternalhit, FacebookBot).
   - name: deny-meta-crawlers
     user_agent_regex: meta-externalagent|meta-webindexer|FacebookBot
@@ -44,9 +48,6 @@ bots:
   # Challenge Firefox AI previews.
   - import: (data)/clients/x-firefox-ai.yaml
 
-  # Allow well-known routes (favicon, robots.txt, .well-known/).
-  - import: (data)/common/keep-internet-working.yaml
-
   # Allow social media OG tag fetchers so link previews work when users share
   # Metron URLs. These bypass the challenge entirely rather than using the
   # openGraph passthrough, which would amplify bot attacks by hitting Django