security.txt

Per RFC 9116

Security contact file per RFC 9116. Required by the EU CRA from September 2026.

What is this, and when do I need it?

What is this?

The security.txt file is a small text file (RFC 9116) served at the well-known path /.well-known/security.txt of your site. It tells security researchers at a glance where to report vulnerabilities (email, PGP key, web form), in which languages, with what response time, and under which disclosure policy.

Without security.txt, reports either pile up in a generic mailbox (where they stagnate) or never arrive (because the finder cannot locate an address and gives up). With security.txt, you get structured, well-intentioned reports.

When do I need it?

Useful today as soon as you run a web app, a login page, an API endpoint, or any online service - anything where misuse can leak data or cause harm.

Mandatory from September 2026 for manufacturers of digital products with EU market access. The EU Cyber Resilience Act (CRA) requires a published, coordinated disclosure channel - security.txt is the simplest way to satisfy that.

/.well-known/security.txt per RFC 9116
# security.txt per RFC 9116
# Host under /.well-known/security.txt with Content-Type: text/plain; charset=utf-8
# Created with Dernium Webtools

Contact: mailto:security@example.com
Expires: 2027-07-03T18:03:53Z
Preferred-Languages: de, en

Free, no warranty (best effort). Generated and inspected values are non-binding; we accept no liability for erroneous or incomplete results or configurations. Use and verification are your own responsibility; please test before production use.

Deployment

The file must be reachable at /.well-known/security.txt with content type text/plain; charset=utf-8, both for the apex domain and the www variant. Optionally also at the root path (/security.txt) as a legacy fallback.

Recommended: clearsign it with PGP/Inline (RFC 9116 § 3.3) so that a researcher can verify the contents have not been tampered with, for example by an attacker in a MITM position. Tools like gpg --clearsign produce that format.

Inspect an existing security.txt of a domain

Fetches /.well-known/security.txt for the given domain (plus root fallback) and checks the fields against RFC 9116.
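The field checks just described, as an added offline example in Python (not the inspector's own code): it parses a security.txt body, including a PGP-clearsigned one, and applies the RFC 9116 rules for Contact, Expires and Preferred-Languages. The sample text and the reference time NOW are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, mirroring the generated file above.
GOOD = ("# security.txt per RFC 9116\nContact: mailto:security@example.com\n"
        "Expires: 2027-07-03T18:03:53Z\nPreferred-Languages: de, en\n")
NOW = datetime(2026, 7, 4, tzinfo=timezone.utc)   # assumed time of the check

def signed_body(text: str) -> str:
    """Strip PGP clearsign armor so 'Hash:' is not parsed as a field."""
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    # skip the armor headers, keep only the signed text before the signature
    return text.partition("\n\n")[2].partition("-----BEGIN PGP SIGNATURE-----")[0]

def parse(text: str) -> dict:
    """Map lowercased field name -> list of values; comments are skipped."""
    fields = {}
    for line in signed_body(text).splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z-]+):\s*(\S.*)", line)
        k, v = (m.group(1).lower(), m.group(2).strip()) if m else ("!malformed", line)
        fields.setdefault(k, []).append(v)
    return fields

def check(text: str, now: datetime = NOW) -> list:
    """Return the RFC 9116 problems found; an empty list means the file is fine."""
    f = parse(text)
    problems = [f"malformed line: {v!r}" for v in f.get("!malformed", [])]
    if "contact" not in f:
        problems.append("Contact: required field is missing")
    for c in f.get("contact", []):
        if not re.match(r"(mailto:|tel:|https://)", c):   # web URIs must be https
            problems.append(f"Contact: not a mailto:/tel:/https: URI: {c!r}")
    exp = f.get("expires", [])
    if len(exp) != 1:
        problems.append(f"Expires: exactly one required, found {len(exp)}")
    else:
        try:   # RFC 3339 date-time; a value without offset fails the comparison
            when = datetime.fromisoformat(exp[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append("Expires: date is in the past, file is stale")
            elif when > now + timedelta(days=365):
                problems.append("Expires: more than a year in the future")
        except (ValueError, TypeError):
            problems.append(f"Expires: not an RFC 3339 date-time: {exp[0]!r}")
    if len(f.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must appear at most once")
    return problems
```

Run `check(GOOD)` to see an empty list; feed it a fetched file body to get the list of violations.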

Server-side: this inspection does NOT run in your browser; our server fetches the DNS record or HTTPS response. We do not log the queried domain or the result. Limit: 12 requests per minute per IPv4 address or IPv6 /64 subnet.