Free Tool
Security.txt Checker
Validate your security.txt vulnerability disclosure file and make sure researchers know how to report issues safely.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
File Location
Checks whether security.txt is available from the standard well-known path.
Contact Field
Verifies that researchers have a clear email, web form, or other approved contact method.
Expiration
Flags missing or expired Expires values so the file does not look abandoned.
Policy Links
Reviews optional disclosure policy and canonical fields for clarity and consistency.
Recommended Baseline
Path
Publish at /.well-known/security.txt over HTTPS.
Contact
Include a monitored security contact or reporting form.
Expires
Set an Expires date and refresh it before it becomes stale.
Canonical
Use Canonical to identify the official URL for the file.
FAQ
What is security.txt?
security.txt is a standard file that tells security researchers how to report vulnerabilities responsibly. It is usually served from /.well-known/security.txt.
Where should security.txt be located?
The preferred location is /.well-known/security.txt. Some sites also redirect /security.txt to the well-known path.
What fields should security.txt include?
At minimum, include Contact and Expires. Many teams also add Canonical, Policy, Preferred-Languages, and Encryption.
Does security.txt make my site secure?
No. It does not fix vulnerabilities. It improves disclosure workflow by giving researchers a clear, official reporting channel.
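The Key Checks, Recommended Baseline and FAQ above describe the same handful of rules: a Contact with a usable scheme, an Expires that is present, well-formed and not in the past, and a Canonical that is an https URL for the file. The script below is an added example that implements those rules on constructed sample files; it is not ZeriFlow's engine or any code from this page. The accepted contact schemes and the "ends with /security.txt" Canonical check are assumptions chosen for the example.

```python
"""Minimal security.txt validator (added example, not ZeriFlow's engine).

Checks the fields this page calls out: Contact (present, approved scheme),
Expires (present, exactly once, ISO 8601, not in the past) and Canonical
(https URL for the file). Constructed samples are embedded so it runs offline.
"""
from datetime import datetime, timezone

# Assumption for this example: the contact schemes we accept.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field_name_lower: [values]}.
    Blank lines and '#' comments are skipped; field names are case-insensitive."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse an Expires timestamp such as 2030-01-01T00:00:00.000Z into an aware datetime."""
    v = value.strip()
    if v.endswith("Z"):
        v = v[:-1] + "+00:00"  # fromisoformat does not accept a trailing Z on older Pythons
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def validate_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing Contact field")
    for c in contacts:
        if not c.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            findings.append(f"Contact has unsupported scheme: {c}")

    expires = fields.get("expires", [])
    if not expires:
        findings.append("missing Expires field")
    elif len(expires) > 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            exp = parse_expires(expires[0])
        except ValueError:
            findings.append(f"Expires is not a valid ISO 8601 timestamp: {expires[0]}")
        else:
            if exp <= now:
                findings.append(f"Expires is in the past: {expires[0]}")

    for url in fields.get("canonical", []):
        if not url.startswith("https://"):
            findings.append(f"Canonical is not an https URL: {url}")
        elif not url.endswith("/security.txt"):
            findings.append(f"Canonical does not point at a security.txt file: {url}")

    return findings


# Constructed sample: a file that satisfies every check on this page.
GOOD_SAMPLE = """# constructed sample, not a real site
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00.000Z
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
Preferred-Languages: en
"""

# Constructed sample: bare email (no mailto:), expired, and Canonical over http.
STALE_SAMPLE = """Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Canonical: http://example.com/.well-known/security.txt
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("stale", STALE_SAMPLE)):
        result = validate_security_txt(sample)
        print(f"{label}: {'OK' if not result else result}")
```

Run it directly to see one passing file and one with three findings. To check a live site, fetch https://yourdomain/.well-known/security.txt and pass the body to validate_security_txt; the parser is deliberately lenient about unknown fields, so Policy, Preferred-Languages and Encryption pass through untouched.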
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.