How to Add a security.txt File to Your Website in 5 Minutes (With a Generator)
Source: Dev.to
If you’re running a website in 2026, you probably care about security.
You might have HTTPS, HSTS, CSP, maybe even a bug‑bounty program.
But there’s a tiny text file most sites still miss:
/.well-known/security.txt
It’s a simple file that tells security researchers how to contact you if they find vulnerabilities on your site.
What is security.txt?
security.txt is a standard format, defined in RFC 9116 (published in 2022), for publishing security contact information for your website.
It works like robots.txt:
| File | Purpose |
|---|---|
| robots.txt | Tells search engines how to crawl your site |
| security.txt | Tells security researchers how to report vulnerabilities |
The file lives at:
https://example.com/.well-known/security.txt
RFC 9116 requires the /.well-known/ location. A copy at the site root (https://example.com/security.txt) is only a legacy fallback; if both exist, the one under /.well-known/ is the one that counts.
Inside, you list things like:
- Who to contact (email or URL)
- A link to your security policy
- Optional: your PGP key, acknowledgments page, hiring info, etc.
When someone finds a bug, they can go to that URL and follow the instructions instead of guessing where to report it.
Why it matters
- Many security issues go unreported because there’s no clear place to send them.
- A security.txt file says: “If you find something, here’s exactly how to tell us.”
- Even a small SaaS, indie project, or side project looks more mature with a couple of lines like:
Contact: mailto:security@example.com
Policy: https://example.com/security-policy
- It’s just a small text file, served over HTTPS and refreshed before its Expires date passes: one of those “10 minutes now, potential lifesaver later” tasks.
Fields you can include
The standard defines a small set of fields. Two are mandatory: Contact (at least one line, listed in order of preference) and Expires (exactly once). The rest are optional:
| Field | Example |
|---|---|
| Contact | Contact: mailto:security@example.com or Contact: https://example.com/security-contact |
| Expires | Expires: 2027-01-01T00:00:00Z |
| Policy | Policy: https://example.com/security-policy |
| Acknowledgments | Acknowledgments: https://example.com/security-acknowledgments |
| Encryption | Encryption: https://example.com/pgp-key.txt |
| Hiring | Hiring: https://example.com/careers |
| Canonical | Canonical: https://example.com/.well-known/security.txt |
| Preferred-Languages | Preferred-Languages: en, de |
Web URLs in these fields must use https://, and Expires must be a future RFC 3339 timestamp. The RFC recommends an Expires date less than a year ahead, so put a reminder in your calendar to refresh the file before it lapses.
You can also add comments with #:
# Security contact for Example Corp
Contact: mailto:security@example.com
Policy: https://example.com/security-policy
Expires: 2027-01-01T00:00:00Z
That’s it—just a structured text file.
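To make the rules above concrete, here is a small parser and validator written for this article (it is not code from the original post, from the RFC, or from any generator). It checks the points that trip people up: Contact and Expires present, Expires exactly once and in the future, no plain http:// URLs, and no unknown fields. The sample files and the fixed check time are constructed for illustration.

```python
"""Parse and validate a security.txt file against the RFC 9116 rules.

Added example for this article; not code from the original post, the RFC,
or any generator. Sample files and CHECK_TIME below are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field names defined by RFC 9116; names are case-insensitive, so compare lowercased.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
# Fields whose value is a URI. A web URI in these fields must use https.
URI_FIELDS = KNOWN_FIELDS - {"expires", "preferred-languages"}

# Fixed "now" so results are reproducible (an assumption for this example).
CHECK_TIME = datetime(2026, 3, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return ([(field, value), ...] in file order, [syntax problems])."""
    fields: list[tuple[str, str]] = []
    problems: list[str] = []
    in_signature = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # A PGP cleartext-signed file wraps the fields in armor; skip those lines.
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True
        if in_signature:
            in_signature = line != "-----END PGP SIGNATURE-----"
            continue
        if line == "-----BEGIN PGP SIGNED MESSAGE-----" or line.startswith("Hash:"):
            continue
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line: {line!r}")
            continue
        fields.append((name.strip().lower(), value.strip()))
    return fields, problems


def validate_security_txt(text: str, now: datetime = CHECK_TIME) -> list[str]:
    """Return the list of problems found; an empty list means the file passes."""
    fields, problems = parse_security_txt(text)
    counts: dict[str, int] = {}
    for name, value in fields:
        counts[name] = counts.get(name, 0) + 1
        if name not in KNOWN_FIELDS:
            problems.append(f"{name}: not a field defined in RFC 9116")
        elif name in URI_FIELDS:
            scheme = urlsplit(value).scheme.lower()
            if not scheme:
                problems.append(f"{name}: value is not a URI: {value!r}")
            elif scheme == "http":
                problems.append(f"{name}: web URIs must use https, got {value!r}")
    if counts.get("contact", 0) == 0:
        problems.append("contact: at least one Contact line is required")
    if counts.get("expires", 0) != 1:
        problems.append("expires: Expires is required and must appear exactly once")
    else:
        raw = next(v for n, v in fields if n == "expires")
        iso = raw[:-1] + "+00:00" if raw.endswith("Z") else raw  # fromisoformat needs an offset
        try:
            expires = datetime.fromisoformat(iso)
            if expires.tzinfo is None:
                raise ValueError("missing UTC offset")
        except ValueError:
            problems.append(f"expires: not an RFC 3339 timestamp: {raw!r}")
        else:
            if expires <= now:
                problems.append(f"expires: {raw} is in the past; the file is stale")
            elif expires > now + timedelta(days=365):
                problems.append("expires: more than a year ahead; the RFC recommends less")
    if counts.get("preferred-languages", 0) > 1:
        problems.append("preferred-languages: must not appear more than once")
    return problems


# Constructed sample files (example.com is a placeholder, not a real deployment).
GOOD_FILE = """\
# security.txt for Example SaaS
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Policy: https://example.com/security-policy
Expires: 2027-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
"""

BAD_FILE = """\
Contact: http://example.com/report
Policy: https://example.com/security-policy
Expires: 2020-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, content in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        found = validate_security_txt(content)
        print(f"{label}: {'OK' if not found else found}")
```

Run it against your own file (or drop the validator into CI) before you deploy; the two findings it reports for BAD_FILE, a plain-http Contact and an Expires in the past, are exactly the ones that make researchers distrust a security.txt.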
Creating security.txt manually
- Read the RFC (or a blog post) to understand the syntax.
- Decide which fields you need.
- Copy/paste examples and adjust them for your site.
- Ensure the Expires date is a valid future timestamp.
- Save the file as security.txt, place it in /.well-known/, deploy, and test.
Using a generator
Several online generators exist. One example is the CodersTool security.txt generator:
- Open the generator in your browser.
- Fill in the key fields (Contact, Policy, Expires, optional fields).
- Click Generate.
- Copy the output or download the file.
- Save it as security.txt and deploy it to /.well-known/.
The generated snippet looks like:
# security.txt for Example SaaS
Contact: mailto:security@example.com
Policy: https://example.com/security-policy
Acknowledgments: https://example.com/security-acknowledgments
Expires: 2027-01-01T00:00:00Z
Canonical: https://example.com/.well-known/security.txt
No login, no project setup, no CLI required.
Deploying security.txt on various platforms
The goal is always the same: serve the file from
https://yourdomain.com/.well-known/security.txt
How you get it there depends on your stack.
Static sites (HTML/CSS/JS)
Create a .well-known folder at the root of your site:
/your-site-root/
index.html
…
/.well-known/
security.txt
Upload the folder as you normally would and test:
https://yourdomain.com/.well-known/security.txt
Static site generators (Hugo, Jekyll, etc.)
Add .well-known/security.txt to the folder that is copied verbatim into the build output (static/ in Hugo, the site root in Jekyll). Jekyll ignores dot-directories by default, so add include: [.well-known] to _config.yml or the file will be silently left out of _site/.
Laravel / PHP
Option A – Static file
/public/
index.php
…
/.well-known/
security.txt
Laravel will let the web server serve the file directly.
Option B – Dynamic route (if you prefer generating it on the fly; keep the Content-Type at text/plain with a UTF-8 charset, as RFC 9116 requires)
// routes/web.php
Route::get('/.well-known/security.txt', function () {
    return response(file_get_contents(public_path('.well-known/security.txt')))
        ->header('Content-Type', 'text/plain; charset=utf-8');
});
.NET / IIS
- In the site’s root folder, create a .well-known directory.
- Drop security.txt into it.
- Ensure IIS is allowed to serve .txt files (the default configuration usually permits this).
/wwwroot/
web.config
…
/.well-known/
security.txt
ASP.NET Core (Kestrel + reverse proxy)
- Place .well-known/security.txt in wwwroot and make sure app.UseStaticFiles() is in the request pipeline, or
- Map a route that returns the text file with Content-Type text/plain; charset=utf-8.
CDN / Cloudflare / Fastly
- Make sure the origin serves /.well-known/security.txt.
- Verify the CDN isn’t blocking or rewriting that path, and that it doesn’t keep serving a stale cached copy after you update the file.
- If the CDN offers its own security.txt feature, decide whether to use it or let the origin file pass through.
Verify deployment
- Open a browser and navigate to https://yourdomain.com/.well-known/security.txt.
- You should see the plain-text content you created.
- Optionally, use a tool like curl:
curl -I https://yourdomain.com/.well-known/security.txt
Check that the response status is 200 OK, that the Content-Type is text/plain (RFC 9116 also wants charset=utf-8), and that the Expires date is still in the future.
Once verified, you’re done—your site now provides a clear, standardized way for security researchers to contact you.
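The curl -I check above only shows headers. The script below, written for this article (it is not code from the original post), fetches the file and checks the transport details that researchers and scanners look at: the final URL is https, the status is 200, the Content-Type is text/plain with charset=utf-8, and the body is non-empty UTF-8. The host name in the usage block is an assumption; the body it returns can then be checked against the field rules separately.

```python
"""Fetch a site's security.txt and check how it is served, not just what it says.

Added example for this article; not code from the original post. The default
host in the usage block is a placeholder (assumption).
"""
from __future__ import annotations

import urllib.error
import urllib.request
from urllib.parse import urlsplit

SECURITY_TXT_PATH = "/.well-known/security.txt"


def check_serving(final_url: str, status: int, content_type: str | None,
                  body: bytes) -> list[str]:
    """Return problems with how the file is served (empty list = fine)."""
    problems: list[str] = []
    if urlsplit(final_url).scheme.lower() != "https":
        problems.append(f"not served over https (final URL {final_url})")
    if status != 200:
        problems.append(f"expected 200, got {status}")
    if content_type is None:
        problems.append("no Content-Type header")
    else:
        media, _, params = content_type.partition(";")
        if media.strip().lower() != "text/plain":
            problems.append(f"Content-Type should be text/plain, got {media.strip()!r}")
        # RFC 9116 wants text/plain with the charset parameter set to utf-8.
        if "charset=utf-8" not in params.replace(" ", "").replace('"', "").lower():
            problems.append("Content-Type is missing charset=utf-8")
    if not body.strip():
        problems.append("empty body")
    else:
        try:
            body.decode("utf-8")
        except UnicodeDecodeError:
            problems.append("body is not valid UTF-8")
    return problems


def fetch_and_check(host: str, timeout: float = 10.0) -> list[str]:
    """Request https://<host>/.well-known/security.txt and run check_serving on it."""
    req = urllib.request.Request(f"https://{host}{SECURITY_TXT_PATH}",
                                 headers={"User-Agent": "security-txt-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # geturl() is the URL after any redirects, so an https->http hop is caught.
            return check_serving(resp.geturl(), resp.status,
                                 resp.headers.get("Content-Type"), resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers and a body
        return check_serving(err.geturl(), err.code,
                             err.headers.get("Content-Type"), err.read())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    found = fetch_and_check(target)
    print("OK" if not found else "\n".join(found))
```

A 404 with a text/html body is the most common result on sites that have the file in their repository but not in the deployed document root, which is why the script checks the status and media type separately rather than just testing for "anything came back".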