Custom security.txt Implementation Guide
Quick Start
- Create a text file named security.txt
- Add the required fields (Contact and Expires)
- Add any optional fields that are relevant to your organization
- Place the file in the .well-known directory of your website
- Ensure it's accessible at https://example.com/.well-known/security.txt
- Make sure to keep the file updated and review it periodically
Fields Explanation
Below is our recommended default template for a security.txt file:
```
# Organization Name
Contact: mailto:security@example.com
Expires: YYYY-MM-DDT00:00:00.000Z
Preferred-Languages: en
```
Required and Optional Fields
A standard security.txt file contains several fields:
| Field | Required | Description |
|---|---|---|
| Contact | Required | Email address, phone number, or web page URL for reporting vulnerabilities |
| Expires | Required | The date after which the security.txt file should be considered stale |
| Encryption | Optional | Link to a key to be used for encrypted communication |
| Acknowledgments | Optional | Link to a page where security researchers are recognized |
| Preferred-Languages | Optional | A comma-separated list of language codes |
| Canonical | Optional | The URLs for accessing this security.txt file |
| Policy | Optional | Link to the security policy page |
| Hiring | Optional | Link to security-related job positions |