FREE TOOL

SECURITY.TXT VALIDATOR

Validate your security.txt file against RFC 9116. Check required fields, expiry dates, PGP signatures, and best practices. No signup required.

SECURITY.TXT IS STEP ONE

CHECK ALL 700+ SECURITY REQUIREMENTS

Vulnerability disclosure policy, security headers, DNS configuration, exposed secrets, API vulnerabilities, and more. UNPWNED checks everything in one scan.


FREQUENTLY ASKED QUESTIONS

What is security.txt?

security.txt is a standard (RFC 9116) that lets organizations communicate their vulnerability disclosure practices. It tells security researchers how to report vulnerabilities they find on your site.

Where should security.txt be placed?

The standard location is /.well-known/security.txt (recommended). The legacy location /security.txt is also recognized. This tool checks both locations automatically.

What fields are required?

RFC 9116 requires two fields: Contact (at least one URI for reporting vulnerabilities) and Expires (an ISO 8601 date indicating when the file should be considered stale).

Do I need a security.txt?

Yes. Without one, security researchers who find vulnerabilities on your site have no clear way to report them responsibly. This often leads to public disclosure or vulnerabilities going unreported.

What is the Expires field for?

The Expires field ensures stale security.txt files don't persist indefinitely. It should be set to no more than one year in the future and updated regularly to confirm the file is still maintained.
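The required-field and Expires checks described in the two answers above can be sketched as follows. This is an added example, not the validator's own code: the function names and the sample file are constructed for illustration, and it does not verify PGP signatures or fetch anything over the network.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample; example.com is a placeholder domain.
SAMPLE = """\
# Constructed security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
"""

def parse_fields(text):
    """Return (lowercased name, value) pairs, skipping comments and blank lines."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return fields

def validate(text, now=None):
    """Return (errors, warnings) for the Contact and Expires checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    errors, warnings = [], []
    contacts = [v for n, v in fields if n == "contact"]
    expires = [v for n, v in fields if n == "expires"]
    if not contacts:
        errors.append("Contact: missing")
    for c in contacts:
        # A bare e-mail address has no URI scheme; web URIs must be https.
        if ":" not in c or c.lower().startswith("http://"):
            errors.append(f"Contact: not an acceptable URI: {c}")
    if len(expires) != 1:
        errors.append(f"Expires: expected exactly one, found {len(expires)}")
        return errors, warnings
    value = expires[0]
    if value.upper().endswith("Z"):  # older fromisoformat() rejects "Z"
        value = value[:-1] + "+00:00"
    try:
        when = datetime.fromisoformat(value)
        if when.tzinfo is None:
            raise ValueError("no UTC offset")
    except ValueError:
        errors.append(f"Expires: not a valid date-time: {expires[0]}")
        return errors, warnings
    if when <= now:
        errors.append("Expires: date is in the past, file is stale")
    elif when - now > timedelta(days=365):
        warnings.append("Expires: more than one year in the future")
    return errors, warnings
```

Passing a fixed `now` makes the result reproducible; in a scheduled job, leave it unset so the check runs against the current time and flags a file before it goes stale.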

Is this tool free?

Yes, completely free with unlimited checks and no signup required. For a comprehensive security audit covering 700+ checks beyond security.txt, try the full UNPWNED scan.
