Make it obvious how to report vulnerabilities - the RFC 9116 way.
Hand off to the full WebShield scanner, which runs this check alongside every other header, DNS and email authentication probe.
security.txt (RFC 9116) is the one-file standard that turns 'how do I report a bug to this company?' from a 30-minute research exercise into a GET request. A well-formed file at /.well-known/security.txt gives researchers a contact and an expiry date (the two required fields) and, optionally, a disclosure policy and a PGP key. WebShield validates every required and recommended field, flags expired files, and confirms the serving MIME type.
If a vulnerability researcher cannot find a contact in two minutes, two things happen: either they give up, or they post to Twitter. security.txt is a 30-second investment that pre-empts every "we tried to tell you" thread that starts on a disclosure mailing list. It is also a signal to bug bounty triagers that your org takes reports seriously.
WebShield fetches https://<domain>/.well-known/security.txt over HTTPS, parses each directive line, checks the Content-Type and HTTP status, and validates the Expires date. If a PGP signature is present, the scanner reports the signature structure but does not currently verify the key.
Minimal file (Contact and Expires are the only required fields):

Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt

Fuller file with the optional fields:

Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
Encryption: https://example.com/.well-known/pgp-key.asc
Preferred-Languages: en, es
Policy: https://example.com/security/policy
Acknowledgments: https://example.com/security/hall-of-fame

nginx: serve the file with the Content-Type RFC 9116 requires, text/plain with charset=utf-8 (the charset directive appends the parameter for text/plain responses):

location = /.well-known/security.txt {
    default_type text/plain;
    charset utf-8;
    alias /var/www/html/.well-known/security.txt;
}

The same header on a host configured through a JSON headers array (the vercel.json format):

{
  "headers": [
    {
      "source": "/.well-known/security.txt",
      "headers": [
        { "key": "Content-Type", "value": "text/plain; charset=utf-8" }
      ]
    }
  ]
}

Is security.txt legally required? Not in most jurisdictions, but it is widely expected: CISA, ENISA and the UK NCSC all recommend it, and some government vulnerability disclosure programmes (US, UK, NL) require or recommend it for public-sector sites. For regulated industries, check your sector guidance.
What if the file has expired? Researchers should treat an expired security.txt as stale: the contact may be wrong or the policy may have changed. Automated scanners, WebShield included, flag an expired file as an error. Do not fix this with a far-off date: RFC 9116 recommends an Expires value less than a year in the future, precisely so the file gets re-checked. Set it six to twelve months out, renew on a calendar reminder, and ideally have your deploy pipeline fail when the date is within a month of passing.
Should I sign it? Yes: RFC 9116 recommends it. The whole file is wrapped in an OpenPGP cleartext signature (what gpg --clearsign security.txt produces), and the RFC recommends including a Canonical: field in a signed file so the signature also binds the file's location. The RFC does not require the signing key to be the one linked in Encryption:, and it tells researchers not to assume that it is, so publish the signing key's fingerprint where they can check it independently (a keyserver, WKD or your policy page). Keep the limit in mind: a signature only helps a researcher who already trusts the key. An attacker who controls your web server can replace the file, the Encryption: link and the key behind it together, so the signature protects against a substituted contact only when the key was obtained out of band.
Where does the file go, and what about subdomains? The primary location is https://<domain>/.well-known/security.txt; a copy at /security.txt is allowed only for legacy compatibility. RFC 9116 is explicit that a security.txt file applies only to the host named in the URI used to fetch it, not to its subdomains or parent domains, so a file at example.com does not cover reports about tenant.example.com. Each user-generated or SaaS tenant subdomain that should accept reports must serve its own copy. The same file can be served on every host, and if it is signed, list each location in its own Canonical: line so the signature covers all of them.
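The check the scanner description above lays out (HTTP status, Content-Type, directive parsing, Expires validation, signature structure without verification), together with the expiry and signing points from the FAQ answers, as one self-contained validator. This is an added example and not WebShield's code. It assumes the fetch has already happened and takes the raw bytes, HTTP status and Content-Type directly, so it runs offline against the constructed samples embedded in the block; the signature block in the sample is a placeholder, not a real signature, and the fixed NOW clock exists only to make the results reproducible. The rules applied are RFC 9116's: Contact at least once, Expires exactly once and as an RFC 3339 date-time, no duplicate Preferred-Languages, URI values with a scheme (https for web URIs), text/plain with charset=utf-8, and a warning rather than an error when Expires is more than a year out or a signed file lacks Canonical.

```python
"""Offline validator for RFC 9116 security.txt: an added example, not WebShield's own code.
It takes the bytes, HTTP status and Content-Type a fetcher would hand it, so it runs offline."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

KNOWN = {"Acknowledgments", "Canonical", "Contact", "Encryption", "Expires", "Hiring", "Policy",
         "Preferred-Languages"}
SINGLE_USE = {"Expires", "Preferred-Languages"}  # MUST NOT appear more than once
URI_FIELDS = KNOWN - SINGLE_USE                  # values are URIs; web URIs must be https
PGP_HEAD = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG, PGP_END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

@dataclass
class Result:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)     # RFC 9116 MUST violations
    warnings: list[str] = field(default_factory=list)   # SHOULD / RECOMMENDED violations
    signed: bool = False

def unwrap_signature(text: str, r: Result) -> str:
    """Record an OpenPGP cleartext signature (RFC 4880 section 7) and return the signed body.
    Only the armor structure is checked; verifying needs a key the researcher already trusts."""
    lines = text.splitlines()
    if not lines or lines[0] != PGP_HEAD:
        return text
    r.signed = True
    if PGP_SIG not in lines or PGP_END not in lines:
        r.errors.append("PGP cleartext header without a complete signature block")
        return ""
    sig = lines.index(PGP_SIG)
    # Armor headers such as "Hash: SHA256" run up to the first blank line; the body follows it.
    start = lines.index("", 1, sig) + 1 if "" in lines[1:sig] else 1
    # Undo dash-escaping: body lines beginning with "-" were prefixed with "- " when signed.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start:sig])

def validate(raw: bytes, status: int = 200, content_type: str = "text/plain; charset=utf-8",
             now: datetime | None = None) -> Result:
    r, now = Result(), now or datetime.now(timezone.utc)
    if status != 200:
        r.errors.append(f"HTTP {status}: the file must be served with 200 OK")
    ct = content_type.lower().replace(" ", "")
    if not ct.startswith("text/plain"):
        r.errors.append(f"Content-Type {content_type!r} is not text/plain")
    elif "charset=utf-8" not in ct:
        r.errors.append("Content-Type must carry charset=utf-8")
    for n, line in enumerate(unwrap_signature(raw.decode("utf-8"), r).splitlines(), 1):
        if not line.strip() or line.startswith("#"):   # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        # Field names are case-insensitive; normalise known ones to their RFC spelling.
        canon = next((k for k in KNOWN if k.lower() == name.strip().lower()), name.strip())
        if not sep or not canon:
            r.errors.append(f"line {n}: not a 'Field: value' directive")
            continue
        r.fields.setdefault(canon, []).append(value.strip())
    f = r.fields
    for name in SINGLE_USE:
        if len(f.get(name, [])) > 1:
            r.errors.append(f"{name} appears more than once")
    if "Contact" not in f:
        r.errors.append("Contact is required")
    for name in URI_FIELDS:
        for uri in f.get(name, []):
            scheme = urlsplit(uri).scheme.lower()
            if not scheme:
                r.errors.append(f"{name} {uri!r} is not a URI (a bare address needs mailto:)")
            elif scheme == "http":
                r.errors.append(f"{name} {uri!r}: web URIs must begin with https://")
    exp = f.get("Expires", [])
    if not exp:
        r.errors.append("Expires is required")
    elif len(exp) == 1:
        try:
            remaining = datetime.fromisoformat(exp[0].replace("Z", "+00:00")) - now
        except (ValueError, TypeError):   # unparseable, or no time zone (naive minus aware)
            r.errors.append(f"Expires {exp[0]!r} is not an RFC 3339 date-time")
        else:
            if remaining <= timedelta(0):
                r.errors.append(f"file expired on {exp[0]}; treat contact and policy as stale")
            elif remaining > timedelta(days=365):
                r.warnings.append("Expires is more than a year out; RFC 9116 recommends less")
    if r.signed and "Canonical" not in f:
        r.warnings.append("signed file without Canonical: the signature does not bind the URL")
    return r

# Constructed samples, not real files; the signature block is a placeholder, not a valid signature.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock so the results are reproducible
SIGNED_OK = b"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
Encryption: https://example.com/.well-known/pgp-key.asc
-----BEGIN PGP SIGNATURE-----

cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zaWduYXR1cmU=
-----END PGP SIGNATURE-----
"""
STALE = b"Contact: security@example.com\nExpires: 2020-01-01T00:00:00Z\nPolicy: http://example.com/policy\n"
```

validate(SIGNED_OK, now=NOW) comes back with no errors, signed set, and one warning because the sample's Expires is more than a year past the fixed clock; validate(STALE, now=NOW) reports three errors: a bare e-mail address where a mailto: URI is required, an expired file, and an http:// Policy link. Everything a scanner would want to surface is in the Result rather than printed, so the same function can feed a report or a CI gate.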