Skip to main content

Fix Guides

How to Add a security.txt File

Give security researchers a standard way to report vulnerabilities.

Quick fix

To add security.txt, create a plain-text file at /.well-known/security.txt containing at least a Contact: line (email or reporting URL) and an Expires: date. Serve it over HTTPS and re-scan to confirm.

security.txt is a standard (RFC 9116) file that tells security researchers how to report vulnerabilities responsibly. Its absence means well-meaning finders have no clear channel, and the scanner flags it. Adding it takes minutes and signals a mature security posture.

Check your website

See how your site handles how to add a security.txt file — free, no account needed.

Business impact

When a researcher finds a flaw, you want them contacting you — not disclosing publicly or selling it. A security.txt file provides that channel and demonstrates to customers and auditors that you take security seriously. It is a low-effort, high-signal trust improvement.

Why this happens

The scanner flags "security.txt Missing" when no file is served at /.well-known/security.txt (or the legacy root path), and "security.txt Missing Contact Field" when the file exists but omits the required Contact: field. Per RFC 9116, the canonical location is /.well-known/security.txt, it must be served over HTTPS, and it must include Contact: and Expires:. Optional fields include Encryption:, Policy:, Acknowledgments: and Preferred-Languages:.

How to confirm the issue

Manually: visit https://yoursite.com/.well-known/security.txt. A 404 means it is missing.

With Plexa Trust: look for "security.txt Missing" (or "security.txt Missing Contact Field"). Re-scan after publishing the file.

Step-by-step fix

  1. Create a plain-text file named security.txt.

  2. Add at minimum: Contact: mailto:security@yourdomain.com and Expires: 2027-01-01T00:00:00Z.

  3. Optionally add Policy, Encryption (PGP key URL), and Preferred-Languages.

  4. Place it at /.well-known/security.txt served over HTTPS.

  5. Set a calendar reminder to refresh the Expires date before it lapses.

  6. Re-scan to confirm the finding clears.

Platform-specific fixes

Apache / Nginx

  1. Create the directory .well-known in your web root and add security.txt.

  2. Ensure the server serves dotfiles/dotfolders under .well-known (usually allowed by default).

  3. Confirm it loads over HTTPS.

WordPress

  1. Upload .well-known/security.txt via SFTP to the site root, or use a plugin that manages .well-known files.

  2. If a rewrite intercepts the path, add an exception so the static file is served.

Netlify / Vercel / static hosts

  1. Place security.txt under public/.well-known/ (or your static root).

  2. Redeploy; the file will be served at /.well-known/security.txt.

Cloudflare

  1. If origin serves the file, no change is needed — confirm it is not cached as a 404.

  2. Alternatively use a Cloudflare Worker/Redirect to serve the file, ensuring HTTPS.

How to verify the fix

  • Use a monitored security@ address or a reporting form URL.

  • Keep the Expires date current — an expired file is treated as stale.

  • Point Policy: to a short vulnerability disclosure policy page.

  • Re-scan with Plexa Trust and confirm the security.txt findings clear.

Common mistakes

  • Placing the file at the root only, or not over HTTPS.

  • Omitting the required Contact: field.

  • Letting the Expires date lapse.

  • Using an unmonitored inbox that never sees reports.

Frequently asked questions

Where exactly does security.txt go?

At https://yoursite.com/.well-known/security.txt, served over HTTPS. The root-level path is a deprecated fallback.

What fields are required?

Contact and Expires are required per RFC 9116. Contact can be an email (mailto:) or a reporting URL.

What does Expires do?

It tells researchers the file is current. Past the date, tools and finders treat it as stale — refresh it periodically.

Do I need a bug bounty to have security.txt?

No. It just provides a contact channel for responsible disclosure. A bounty is optional.

Can I add a PGP key?

Yes, via the Encryption field pointing to your public key, so reporters can send encrypted details.

Will this expose me to more attacks?

No. It gives ethical finders a way to reach you; it does not reveal vulnerabilities or increase your attack surface.

What is the Policy field?

A link to your vulnerability disclosure policy explaining scope, expectations and safe-harbour for researchers.

How do I confirm the fix?

Load /.well-known/security.txt over HTTPS and re-scan with Plexa Trust.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring