OneWebDesk

security.txt Checker

Check for /.well-known/security.txt and its required fields.

The security.txt checker verifies whether a site publishes a /.well-known/security.txt file and whether it contains the fields a security researcher needs to report a vulnerability. Enter a domain and the server fetches the standard location for you, extracting fields such as Contact, Expires, Encryption, Policy and Acknowledgments and flagging anything that is missing.

security.txt is a plain-text file standardized as RFC 9116. It tells anyone who finds a security issue exactly where to report it, so reports don't get lost or disclosed publicly by mistake. Many government and enterprise sites already publish one, and it has become a basic signal of security maturity.

What is security.txt (RFC 9116)

security.txt is a standardized text file that states a site's security contact and vulnerability disclosure policy in a way both humans and machines can read. The canonical location is /.well-known/security.txt; some sites also keep a legacy copy at the root (/security.txt). This tool tries both.

Key fields

  • Contact (required): an email, URL or phone to receive reports. At least one is needed.
  • Expires (required): when the file's information stops being valid. Refresh before then.
  • Encryption: where to find a public key for encrypted reports.
  • Policy: a link to the vulnerability disclosure policy.
  • Acknowledgments: a page thanking researchers who contributed.
  • Preferred-Languages / Canonical: preferred languages and the file's canonical URL.
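The field rules above, together with the "Expires has passed" check the tool reports, as an added example in Python (not the checker's own code). It parses a constructed security.txt body, ignores comment lines, requires Contact and Expires, enforces the RFC 9116 rule that Expires and Preferred-Languages appear at most once, and flags an expiry timestamp in the past.

```python
import re
from datetime import datetime, timezone

# Constructed sample security.txt (not fetched from any real site).
SAMPLE = """Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2031-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
# Acknowledgments intentionally omitted: it is optional
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")
REQUIRED = ("contact", "expires")            # RFC 9116: must appear
SINGLE = ("expires", "preferred-languages")  # RFC 9116: at most once

def parse_security_txt(text):
    """Map lowercase field names to their values, skipping comments and blank lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = FIELD_RE.match(line)
        if match:
            fields.setdefault(match.group(1).lower(), []).append(match.group(2))
    return fields

def check_security_txt(text, now=None):
    """Return findings for a security.txt body; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []
    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field: {name.title()}")
    for name in SINGLE:
        if len(fields.get(name, [])) > 1:
            findings.append(f"{name.title()} must appear at most once")
    if "expires" in fields:
        try:  # Expires is an RFC 3339 timestamp; fromisoformat needs +00:00, not Z
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if expires <= now:
                findings.append("Expires has passed")
        except (ValueError, TypeError):
            findings.append("Expires is not a valid RFC 3339 timestamp")
    return findings
```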

Authoring and operations tips

Serve the file over HTTPS and, in production, sign it (e.g. with PGP) to prevent tampering. Keep Expires within about a year and refresh it regularly. Periodically confirm the contact is still monitored and the file has not expired so reports don't fall through the cracks. Since security.txt is just one signal of security maturity, use the security headers checker to confirm baseline defenses like HSTS and CSP are in place too.

Frequently asked questions

Where should security.txt live?
The canonical location is /.well-known/security.txt. Some sites also keep a legacy copy at the root (/security.txt) for compatibility. This tool checks both.

Are Contact and Expires mandatory?
Yes. RFC 9116 requires both. Without Contact there is no reporting path; without Expires you can't guarantee the information is current.

Does a missing file mean the site is insecure?
Not by itself. It just means there's no advertised reporting channel, so researchers have a harder time finding whom to contact. Publishing one is recommended.

Is the domain I enter sent anywhere?
Our server only requests the standard paths on the target site. Private IPs and internal addresses are blocked by SSRF protection, and results are cached for just 60 seconds.

What if it says Expires has passed?
The file exists but its expiry time is in the past, so the information may be stale. If you operate the site, update the Expires value.
