A security.txt file is a small, standardised text file that tells security researchers exactly how to report a vulnerability to you. It is quick to add and signals that you take security seriously, which is one of the privacy signals we check.
See how your domain is doing in your dashboard under Domains, then open the report for step-by-step recommendations.
security.txt is an internet standard (RFC 9116). It is a plain text file you host at a fixed, well-known location so that anyone who finds a security issue on your site knows where to report it, instead of guessing or staying silent.
Having one earns points in your Privacy Signals check and reassures visitors and researchers alike that there is a responsible person behind the website. It costs nothing and takes a few minutes.
Create a plain text file named security.txt with at least a contact method and an expiry date. A good starting point:
Contact: mailto:[email protected] Expires: 2027-01-01T00:00:00.000Z Preferred-Languages: en Canonical: https://yourdomain.com/.well-known/security.txt
Contact is the only required field, but Expires is strongly recommended so people know the information is current. Update the file before that date passes. You can also add Policy: (a link to your disclosure policy) and Acknowledgments: if you have them.
The file must be reachable over HTTPS at:
https://yourdomain.com/.well-known/security.txt
Create a folder named .well-known in your website root and put security.txt inside it. On most hosts you can do this with your file manager or over FTP/SFTP. The leading dot in the folder name matters, keep it.
A copy at https://yourdomain.com/security.txt is allowed as a fallback, but the /.well-known/ location is the one we look for first.
.well-known directory, or drop the file in via SFTP. Some security plugins add security.txt for you./.well-known/security.txt in your project and deploy.After adding it, load the URL in your browser to confirm it returns the text (not a 404). Your next TrustedOrigin scan will pick it up automatically.
Stuck or not sure how to apply this to your setup? Email [email protected] and a human will help you through it.