How it works: We fetch /.well-known/security.txt directly from your domain. If blocked by CORS, we fall back to the WebAudit scanner for presence detection.
RFC 9116 — security.txt is an internet standard for disclosing how to report security vulnerabilities. It should live at /.well-known/security.txt (preferred) or /security.txt. Contact and Expires are required fields. All others are optional but recommended.
Best practice: Set Expires to exactly 1 year from today. Add a calendar reminder to renew it before then. The file must be served over HTTPS.

Frequently Asked Questions

What is a security.txt file?
A security.txt file is a standard (RFC 9116) that tells security researchers how to report vulnerabilities on your website. It lives at /.well-known/security.txt and contains contact info, policy links, and an expiry date.
Where should I place my security.txt file?
Place it at /.well-known/security.txt on your web server. It must be served over HTTPS. You can also add a fallback at /security.txt.
What fields are required in security.txt?
Only two fields are required: Contact (an email or URL where researchers can report issues) and Expires (the date the file expires). All other fields like Policy, Encryption, and Acknowledgments are optional but recommended.
Is security.txt mandatory?
Not legally, but US federal agencies are required to have one. It's considered a security best practice and shows you take vulnerability disclosure seriously.
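Added example, not the generator's own code: a small Python validator that applies the checks the FAQ above lists (Contact and Expires present, Contact given as a URI, Expires an ISO 8601 timestamp that is neither in the past nor more than a year out) and also flags misspelled field names. The reference time and both sample files are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Acknowledgments", "Canonical", "Encryption", "Hiring",
                    "Policy", "Preferred-Languages"}

def parse_security_txt(body):
    """Map each field name to its values; '#' comments and blank lines are skipped."""
    fields = {}
    for line in (raw.strip() for raw in body.splitlines()):
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):  # no colon -> not a field line
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate(body, now):
    """Return a list of problems; an empty list means the file passes."""
    fields = parse_security_txt(body)
    problems = [f"missing required field: {n}" for n in sorted(REQUIRED - fields.keys())]
    for contact in fields.get("Contact", []):
        # RFC 9116 wants a URI, so a bare e-mail address is flagged
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    for exp in fields.get("Expires", [])[:1]:
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {exp}")
            continue
        if when.tzinfo is None:  # no zone given: assume UTC rather than crash
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append("Expires is in the past; the file is stale")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out; shorten it")
    for name in sorted(fields.keys() - KNOWN):
        problems.append(f"unknown field (typo?): {name}")
    return problems

# Constructed reference time and sample files, not fetched from any site
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD = """# constructed sample following the page's advice
Contact: mailto:security@example.com
Expires: 2025-06-01T00:00:00Z
Policy: https://example.com/security-policy
"""
BAD = """Contact: security@example.com
Expires: 2023-01-01T00:00:00Z
Acknowledgements: https://example.com/hall-of-fame
"""
```

Running `validate(GOOD, NOW)` returns an empty list, while `validate(BAD, NOW)` reports the bare e-mail address, the expired date and the misspelled Acknowledgments field.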