How to Add security.txt to Webflow

You can do this

Webflow supports this natively, which puts it ahead of most hosted platforms. You create a folder in the Assets panel and publish. Here is the exact file to use, plus the quirks nobody mentions.

Genuinely supported, no workaround needed. There are a few limits and one odd deduplication behaviour worth knowing.

The short answer

Webflow lets you serve files from /.well-known/, which is exactly where security.txt has to live. Most hosted platforms cannot do this at all. Webflow can, and it takes about five minutes.

Go to the Assets panel, create a folder named well-known, upload your file into it, and publish. That is the whole method.

Note the folder name has no leading dot. You name it well-known, and it is served at /.well-known/.

What security.txt is for

It is a plain text file that tells a security researcher how to report a problem to you. Someone finds a flaw in your site, checks security.txt, and emails the right person. Without it, they either give up or post about it publicly.

It is small, it is cheap, and it takes you from "no way to report this" to "here is who to tell". That is the entire value.

The file to use

Here is a valid, minimal security.txt. Two fields are mandatory under RFC 9116 and both are here.

Contact: mailto:[email protected]
Expires: 2027-01-01T00:00:00.000Z

Change the address to one a human actually reads. Set Expires to a date less than a year from now. Both fields are required, and Expires must not appear more than once.

Adding it in Webflow

Save the file above as security.txt on your computer, then:

  1. 1.Open your project and go to the Assets panel.
  2. 2.Create a folder and name it exactly well-known. No dot at the start.
  3. 3.Upload your security.txt into that folder.
  4. 4.Publish your site. Nothing is live until you publish.
  5. 5.Visit https://yourdomain.com/.well-known/security.txt on your live domain and confirm it loads as plain text.

The limits you need to know

The feature is real but it is not unlimited. These are the constraints.

Only .json, .txt and .md

File types are restricted. A .txt file is exactly what you need here, so this one does not affect you.

100KB maximum per file

Your security.txt will be a few hundred bytes. Not a concern.

Maximum 30 files

Plenty for security.txt and anything else you might serve from well-known later.

Not available on webflow.io staging

This is the one that catches people. Test on your live custom domain, not on staging. Staging will not serve it and you will think it is broken.

The deduplication quirk

This one is genuinely strange and worth knowing before it confuses you.

Webflow deduplicates assets by content, not by filename. Upload two files with identical contents and they replace each other, regardless of what they are named.

So if you decide to serve both security.txt and another well-known file that happen to contain the same text, you will end up with one file, not two. Give each file distinct content and the problem disappears. It is rarely an issue in practice, but when it bites, the cause is not obvious.

Which plan you need

Here we have to be honest rather than precise. Webflow's own documentation conflicts on this. One page says "Premium (and legacy Business)", another says "Business and higher". Those do not describe the same thing, and Webflow's Business tier is now legacy anyway.

So the accurate answer is: you need a paid site plan. Check your own plan in your Webflow dashboard rather than trusting any tier name you read in a guide, including this one. Webflow renames tiers and the guides do not keep up.

What RFC 9116 actually requires

Getting the file live is most of the work. Getting it correct is the rest. The spec has real requirements.

  • It must be at /.well-known/security.txt. Not /security.txt. The spec allows a redirect from the legacy top-level location to the well-known one, never the reverse.
  • It must be served over https. On Webflow that is automatic.
  • Content-Type must be text/plain; charset=utf-8. A .txt file should get this, but load it on your live domain and check the response before you call it done.
  • Contact is mandatory. The spec says it "MUST always be present". A security.txt without it is not valid.
  • Expires is mandatory too, and this is the one people miss. It "MUST always be present and MUST NOT appear more than once". It was added in RFC 9116, so older examples online do not have it, and files copied from those examples are invalid.

It needs a reminder in your calendar

Because Expires should be less than a year in the future, security.txt is not a set-and-forget file. It expires on purpose. The idea is that a stale file with a contact address nobody monitors is worse than no file at all, so the spec forces you to reconfirm it.

An expired security.txt is itself a finding. Scanners flag it, ours included. So when you set that date, put a calendar reminder a month before it for updating the file and republishing. Ten minutes of work, once a year.

Check it worked

Publish, then load https://yourdomain.com/.well-known/security.txt on your live domain. Remember it will not work on webflow.io staging.

Our free safety check looks for the file at the right path and reports it alongside your SSL, security headers and email authentication. If you want to see how other platforms compare on this, the fix-it matrix has the honest picture. Webflow is one of the few that says yes.

Check your work in seconds

Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.

Run a free check

Frequently asked questions

Can I add security.txt to a Webflow site?

Yes, natively, which puts Webflow ahead of most hosted platforms. Go to the Assets panel, create a folder named well-known with no leading dot, upload your security.txt into it, and publish. It is then served at /.well-known/security.txt.

Why is my security.txt not loading?

First check you are testing on your live custom domain. Webflow does not serve well-known files on webflow.io staging, so it will always look broken there. Then confirm you published after uploading, and that the folder is named exactly well-known with no dot at the start.

Which Webflow plan do I need for this?

A paid site plan. We would rather say that than name a tier, because Webflow's own pages conflict on it, with one saying "Premium (and legacy Business)" and another saying "Business and higher". The Business tier is now legacy too. Check your plan in your dashboard.

What has to be in the file?

Two fields are mandatory under RFC 9116: Contact and Expires. Contact is how researchers reach you. Expires must be present, must appear only once, and is recommended to be less than a year in the future. Most examples online predate the Expires requirement and are therefore invalid.

Do I have to update security.txt every year?

Yes, and that is deliberate. Expires should be under a year out, so the file needs republishing before it lapses. An expired security.txt is a finding in its own right, because it signals nobody is watching that inbox. Set a calendar reminder a month before your Expires date.

Can I upload other files to the well-known folder?

Within limits. Webflow allows only .json, .txt and .md files, 100KB maximum each, and 30 files total. One quirk to watch: Webflow deduplicates by content, so two files with identical contents will replace each other regardless of their names.

security.txt on other platforms

Other fixes for Webflow

See the full fix-it matrix →

Prove your site is safe.

Once it is fixed, show it. Get a badge your shoppers can verify, backed by continuous checks. Free to start.

Get started free Run a free check