Free security.txt Validator
Check whether a site publishes a valid security.txt, the RFC 9116 file that tells researchers how to responsibly report vulnerabilities.
Frequently asked
Where should security.txt live?
At /.well-known/security.txt (the canonical location). A copy at /security.txt is tolerated for legacy reasons, but the well-known path is required by RFC 9116.
What fields are required?
A Contact field is mandatory. An Expires field is required by RFC 9116, and the file should be served over HTTPS. Recommended extras include Encryption, Policy, Acknowledgments, and Preferred-Languages.
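The checks described in the two answers above, written out as an added example (this is not the validator's own code). The names parse_fields, validate and SAMPLE, and the example.com values, are assumptions made for illustration; the body is passed in as text so the block runs offline.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

RECOMMENDED = ("encryption", "policy", "acknowledgments", "preferred-languages")
# Constructed sample file; the example.com values are placeholders.
SAMPLE = ("# constructed sample\n"
          "Contact: mailto:security@example.com\n"
          "Expires: 2030-01-01T00:00:00Z\n"
          "Policy: https://example.com/disclosure\n")

def parse_fields(text):
    """Map lowercased field names to value lists, skipping comments and blanks."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(url, text, now=None):
    """Return (errors, warnings) for a security.txt body fetched from url."""
    now = now or datetime.now(timezone.utc)
    errors, warnings = [], []
    parts = urlsplit(url)
    if parts.scheme != "https":
        errors.append("not served over HTTPS")
    if parts.path == "/security.txt":
        warnings.append("legacy location, publish at /.well-known/security.txt")
    elif parts.path != "/.well-known/security.txt":
        errors.append("unexpected location")
    fields = parse_fields(text)
    if not any(fields.get("contact", [])):
        errors.append("missing Contact")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                errors.append("Expires has no timezone")
            elif when <= now:
                errors.append("Expires is in the past")
        except ValueError:
            errors.append("Expires is not an RFC 3339 timestamp")
    warnings += ["recommended field absent: " + n for n in RECOMMENDED if n not in fields]
    return errors, warnings
```

A stale Expires value is reported as an error rather than a warning, because an expired file tells researchers that the contact details may no longer be trusted.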