To add security.txt, create a plain-text file at /.well-known/security.txt containing at least a Contact: line (email or reporting URL) and an Expires: date. Serve it over HTTPS and re-scan to confirm.
security.txt is a standard (RFC 9116) file that tells security researchers how to report vulnerabilities responsibly. Its absence means well-meaning finders have no clear channel, and the scanner flags it. Adding it takes minutes and signals a mature security posture.
Check your website
See how your site handles how to add a security.txt file — free, no account needed.
Business impact
When a researcher finds a flaw, you want them contacting you — not disclosing publicly or selling it. A security.txt file provides that channel and demonstrates to customers and auditors that you take security seriously. It is a low-effort, high-signal trust improvement.
Why this happens
The scanner flags "security.txt Missing" when no file is served at /.well-known/security.txt (or the legacy root path), and "security.txt Missing Contact Field" when the file exists but omits the required Contact: field. Per RFC 9116, the canonical location is /.well-known/security.txt, it must be served over HTTPS, and it must include Contact: and Expires:. Optional fields include Encryption:, Policy:, Acknowledgments: and Preferred-Languages:.
How to confirm the issue
Manually: visit https://yoursite.com/.well-known/security.txt. A 404 means it is missing.
With Plexa Trust: look for "security.txt Missing" (or "security.txt Missing Contact Field"). Re-scan after publishing the file.
Step-by-step fix
Create a plain-text file named
security.txt.Add at minimum:
Contact: mailto:security@yourdomain.comandExpires: 2027-01-01T00:00:00Z.Optionally add Policy, Encryption (PGP key URL), and Preferred-Languages.
Place it at
/.well-known/security.txtserved over HTTPS.Set a calendar reminder to refresh the Expires date before it lapses.
Re-scan to confirm the finding clears.
Platform-specific fixes
Apache / Nginx
Create the directory
.well-knownin your web root and addsecurity.txt.Ensure the server serves dotfiles/dotfolders under .well-known (usually allowed by default).
Confirm it loads over HTTPS.
WordPress
Upload
.well-known/security.txtvia SFTP to the site root, or use a plugin that manages .well-known files.If a rewrite intercepts the path, add an exception so the static file is served.
Netlify / Vercel / static hosts
Place
security.txtunderpublic/.well-known/(or your static root).Redeploy; the file will be served at /.well-known/security.txt.
Cloudflare
If origin serves the file, no change is needed — confirm it is not cached as a 404.
Alternatively use a Cloudflare Worker/Redirect to serve the file, ensuring HTTPS.
How to verify the fix
Use a monitored security@ address or a reporting form URL.
Keep the Expires date current — an expired file is treated as stale.
Point Policy: to a short vulnerability disclosure policy page.
Re-scan with Plexa Trust and confirm the security.txt findings clear.
Common mistakes
Placing the file at the root only, or not over HTTPS.
Omitting the required Contact: field.
Letting the Expires date lapse.
Using an unmonitored inbox that never sees reports.
Frequently asked questions
Where exactly does security.txt go?
At https://yoursite.com/.well-known/security.txt, served over HTTPS. The root-level path is a deprecated fallback.
What fields are required?
Contact and Expires are required per RFC 9116. Contact can be an email (mailto:) or a reporting URL.
What does Expires do?
It tells researchers the file is current. Past the date, tools and finders treat it as stale — refresh it periodically.
Do I need a bug bounty to have security.txt?
No. It just provides a contact channel for responsible disclosure. A bounty is optional.
Can I add a PGP key?
Yes, via the Encryption field pointing to your public key, so reporters can send encrypted details.
Will this expose me to more attacks?
No. It gives ethical finders a way to reach you; it does not reveal vulnerabilities or increase your attack surface.
What is the Policy field?
A link to your vulnerability disclosure policy explaining scope, expectations and safe-harbour for researchers.
How do I confirm the fix?
Load /.well-known/security.txt over HTTPS and re-scan with Plexa Trust.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan