security.txt is a standardized file that provides information on how to report security vulnerabilities for a website. The file is placed in the .well-known directory (e.g., https://example.com/.well-known/security.txt) and contains contact details, such as email addresses or links to encryption keys, for the team responsible for the site’s security.
Its primary purpose is to offer a clear point of contact for security researchers and ethical hackers who discover potential vulnerabilities, ensuring that issues are reported directly to the proper channels.
Who uses it?
Organizations of all sizes use security.txt, from small websites to large enterprises, to establish a formal method of vulnerability disclosure. This practice helps organizations improve security by encouraging responsible disclosure and providing a clear process for how users or researchers can report bugs or vulnerabilities.
Security researchers, ethical hackers, and other professionals often rely on these files to quickly understand the protocol for reporting discovered vulnerabilities, thereby improving overall cybersecurity practices.
Technical Notes
Typically placed in /.well-known/security.txt
Example
Contact: mailto:security@example.com
Encryption: https://example.com/pgp-key.txtWebflow
Webflow does not directly support security.txt, but redirects may work.
Webflow has recommended this approach;
https://share.getcloudapp.com/v1um4rqz
- Create your ads.txt file, with the content you want
- Upload it to your site assets
- Get the URL of the uploaded asset
- Create a redirect from
/ads.txtto your URL - Publish your site
To ensure no problems with the redirects you can use a reverse proxy solution like Sygnal's Hyperflow to deliver your files reliably.
