Skip to main content

2 posts tagged with "LlmsTxtKit"

Posts featuring or about LlmsTxtKit, the C#/.NET library and MCP server for llms.txt files.

View All Tags

The llms.txt Access Paradox: The Data Nobody Wants to Hear

Terminal diagnostic dashboard showing three systemic findings: thin llms.txt adoption (105 out of 1 million sites), zero AI providers confirming inference-time usage with Google rejecting the standard, and Cloudflare's three overlapping WAF control layers where custom rules override AI crawl settings across 20% of all websites.
· ~14 min read
Ryan Goodrich
Ryan Goodrich
Technical Writer, AI Enthusiast, and Developer Advocate

In Part 1, I told the story of discovering that my own hosting infrastructure was blocking AI crawlers from reading the llms.txt file I'd specifically published for them. A Web Application Firewall (WAF), the security layer that inspects every inbound HTTP request, can't tell the difference between "AI system reading curated content as intended" and "malicious bot probing endpoints for vulnerabilities," and the result is a paradox that would be hilarious if it weren't also my actual production environment.

That was the personal version, the "I discovered this at 11 PM and said words I can't publish on a professional blog" version. This is the systemic version. The one where I pull at the thread and the whole sweater starts to unravel.

Because once I started asking "how widespread is this?", the answers didn't just confirm the WAF problem. They complicated the entire premise of what llms.txt is supposed to do. And I mean the entire premise.

I Tried to Help AI Read My Website. My Own Firewall Said No.

Terminal split-screen: the left pane shows a well-formatted llms.txt file with green checkmarks; the right pane shows a curl request using a GPTBot user-agent returning a 403 Forbidden response, with the WAF evaluation listing every failed check. Tagline: the file is perfect, nobody can read it.
· ~11 min read
Ryan Goodrich
Ryan Goodrich
Technical Writer, AI Enthusiast, and Developer Advocate

I did everything right. I wrote the file. I followed the spec. I deployed it to production. I even tested it in my browser: clean Markdown rendering, proper H2 sections, curated links with useful descriptions. My llms.txt file was, and I say this without hyperbole, the best piece of structured content I had ever placed at a root URL. I was proud of that file, in the way that only a documentation-first developer can be proud of a Markdown file that nobody has read.

Then an AI system tried to read it, and my own infrastructure said no.

Not a polite "no, sorry, you don't have permission." Not even a helpful "no, that file doesn't exist." The kind of no where Cloudflare intercepts the request before it touches my server, decides the visitor looks suspicious on the basis of (and I love this) being exactly the kind of visitor the file was created for, and serves a JavaScript challenge page instead. To the AI crawler, my lovingly curated Markdown might as well not exist. In its place: a blob of obfuscated HTML designed to prove the visitor is human. Which, by definition, the AI crawler is not. Nor does it aspire to be. That's the entire point.

Welcome to what I've started calling the llms.txt Access Paradox: the structural conflict between publishing content for AI systems and running the security infrastructure that blocks them. It's the kind of problem that makes you close your laptop, open it again, and start writing a research paper instead of just a blog post.