
Security.txt

Weight: 8% of your AX score. The /.well-known/security.txt file follows RFC 9116 and provides security researchers (and AI agents) with a standardized way to find your security contact information.

security.txt not found

Create /.well-known/security.txt with at minimum the two required fields:

Contact: mailto:security@your-site.com
Expires: 2027-12-31T23:59:59.000Z

# Optional but recommended
Canonical: https://your-site.com/.well-known/security.txt
Preferred-Languages: en
Policy: https://your-site.com/security-policy

Generator

Use securitytxt.org for an interactive generator, or run npx ax-init and select "security.txt".

Required field missing

RFC 9116 requires two fields:

  • Contact: — a mailto: or https: URI for security reports (e.g., Contact: mailto:security@your-site.com)
  • Expires: — an ISO 8601 date when the file should be considered stale (e.g., Expires: 2027-12-31T23:59:59.000Z)

Add the missing field(s) to your security.txt. The Expires date should be no more than 1 year in the future — set a calendar reminder to update it before it expires.


Expired security.txt

Your security.txt's Expires date is in the past. This means the file is technically stale and should not be trusted.

Update the Expires: field to a future date. A common practice is setting it 6-12 months ahead:

Expires: 2027-06-30T23:59:59.000Z

Missing optional fields

While not required, these optional fields provide additional context:

  • Canonical: — the canonical URL of this security.txt file
  • Preferred-Languages: — languages you accept for security reports (e.g., en)
  • Policy: — link to your security disclosure policy
  • Encryption: — link to the PGP key to use for encrypted reports (the field carries a URI pointing at the key, not the key block itself)
  • Hiring: — link to security job openings
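The checks described in the sections above (file parsed, both required fields present, Contact a usable URI, Expires parseable, not in the past and not more than a year out, optional fields reported) can be run locally before a scan flags them. The validator below is an added example written for this guide; it is not part of ax-init or securitytxt.org. It only reads a file's text, so fetch /.well-known/security.txt from your own site however you like and pass the contents in. The sample files and the fixed reference time are constructed for the demonstration; the 365-day window is a simplification of the "no more than 1 year" guidance, and the accepted Contact schemes are the page's mailto: and https: plus tel:, which RFC 9116 also permits.

```python
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REQUIRED = ("Contact", "Expires")
OPTIONAL = ("Canonical", "Preferred-Languages", "Policy", "Encryption", "Hiring")
CONTACT_SCHEMES = ("mailto", "https", "tel")  # mailto/https from this page, tel from RFC 9116

# Fixed "now" so the results below are reproducible (constructed for this example).
REFERENCE_NOW = datetime(2027, 1, 15, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}.

    Blank lines and '#' comments are skipped. Field names are case-insensitive,
    so known names are normalised to the capitalisation used on this page."""
    canon = {name.lower(): name for name in REQUIRED + OPTIONAL}
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        key = canon.get(name.strip().lower(), name.strip())
        fields.setdefault(key, []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse the ISO 8601 / RFC 3339 Expires value into an aware datetime.

    datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on,
    so the UTC designator is rewritten as an explicit +00:00 offset first."""
    v = value.strip()
    if v.endswith("Z"):
        v = v[:-1] + "+00:00"
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:  # treat a naive timestamp as UTC rather than failing
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_security_txt(text, now=None):
    """Return the findings a scanner would raise for this file, as plain strings."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []

    for name in REQUIRED:
        if name not in fields:
            findings.append(f"required field missing: {name}")

    for uri in fields.get("Contact", []):
        if urlsplit(uri).scheme.lower() not in CONTACT_SCHEMES:
            findings.append(f"Contact should be a mailto:, https: or tel: URI: {uri}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        findings.append("Expires must appear only once")
    for value in expires[:1]:
        try:
            dt = parse_expires(value)
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if dt <= now:
            findings.append(f"expired security.txt: Expires {value} is in the past")
        elif dt > now + timedelta(days=365):
            findings.append("Expires is more than 1 year in the future")

    for name in OPTIONAL:
        if name not in fields:
            findings.append(f"optional field missing: {name}")
    return findings


# Constructed sample files (example.com is a reserved documentation domain).
SAMPLE_OK = """\
# constructed sample, not a real site's file
Contact: mailto:security@example.com
Expires: 2027-06-30T23:59:59.000Z
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
Policy: https://example.com/security-policy
"""

SAMPLE_STALE = """\
Contact: http://example.com/report
Expires: 2024-01-01T00:00:00.000Z
"""

SAMPLE_MISSING = "Contact: mailto:security@example.com\n"

if __name__ == "__main__":
    # Usage: python check_security_txt.py < security.txt   (or run with no input for the samples)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STALE
    for finding in check_security_txt(text):
        print(finding)
```

Findings beginning with "required", "expired" or "Contact should" correspond to the failing states this guide describes; "optional field missing" lines are informational. Pipe your live file into the script and fix anything in the first group before re-scanning.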