security.txt generator

Tyler Hall Tech's
security.txt Generator

Create an security.txt file for your website

UThis tool is designed to help website administrators create a security.txt file, a proposed standard that enables websites to define their security policies clearly and concisely. The security.txt file makes it easier for security researchers to report security vulnerabilities.

Step 1

Create a text file called security.txt under the .well-known directory of your project.

Recent changes to the specification

The date format for Expires has changed to ISO 8601. An example of the new format is Expires: 2021-12-31T18:37:07.000Z.

Contact Required

A link or e-mail address for people to contact you about security issues. Remember to include "https://" for URLs, and "mailto:" for e-mails. See the full description of Contact

Expires Required Only 1 allowed

The date and time when the content of the security.txt file should be considered stale (so security researchers should then not trust it). Make sure you update this value periodically and keep your file under review. See the full description of Expires

Encryption Optional

A link to a key which security researchers should use to securely talk to you. Remember to include "https://". See the full description of Encryption

Acknowledgments Optional

A link to a web page where you say thank you to security researchers who have helped you. Remember to include "https://". See the full description of Acknowledgments

Preferred-Languages Optional Only 1 allowed

A comma-separated list of language codes that your security team speaks. You may include more than one language. See the full description of Preferred-Languages

Canonical Optional

The URLs for accessing your security.txt file. It is important to include this if you are digitally signing the security.txt file, so that the location of the security.txt file can be digitally signed too. See the full description of Canonical

Policy Optional

A link to a policy detailing what security researchers should do when searching for or reporting security issues. Remember to include "https://". See the full description of Policy

Hiring Optional

A link to any security-related job openings in your organisation. Remember to include "https://". See the full description of Hiring

CSAF Optional

A link to the provider-metadata.json of your CSAF (Common Security Advisory Framework) provider. Remember to include "https://". See the full description of CSAF

Step 2

You are ready to go! Publish your security.txt file. If you want to give security researchers confidence that your security.txt file is authentic, and not planted by an attacker, consider digitally signing the file with an OpenPGP cleartext signature.


What is the purpose of security.txt?

It facilitates the reporting of security vulnerabilities by researchers to organizations.


Is security.txt an RFC?

Yes, security.txt is standardized as RFC 9116.


Where should I place the security.txt file?

Preferably under /.well-known/security.txt or as a fallback in the root directory /security.txt.


Will adding an email address expose me to spam?

Email is optional. If concerned about spam, use a contact form URL instead.


Generate Your security.txt

Ready to start? Use our generator below to create a security.txt file tailored to your organization’s needs and enhance the security posture of your site.


Learn More

For more information on the security.txt standard and detailed instructions, visit the official security.txt documentation.

Skip to content