From NikkiWiki
[Image.]  A "/security.txt" file helps to make your website more secure by providing a standardized means for security researchers to contact you about any security vulnerabilities discovered on your website.  Photo depicts a secured red padlock with a heart-shaped pattern of glittery sequins. [1] [2] [3]

The SECURITY website protocol involves adding a plaintext file of "/security.txt" and/or "/.well-known/security.txt" that provides information about how to contact the website administrator in the case that any security vulnerabilities are discovered on the website. [4] [5]



As with all webtext files, you should use an advanced text editor such as Notepad-Plus-Plus (not Microsoft Windows Notepad). [6]  Files should be saved with Unix line endings and UTF-8 (Unicode Transformation Format Eight-Bit) character encoding.


SECURITY is somewhat redundant with HUMANS and more technical to set up and use.  If you already have "/humans.txt" then you don't really need "/security.txt" but it can be helpful as it provides a standardized way for security researchers (as opposed to any human) to reach you in case a security vulnerability is discovered on your website.


I recommend putting "security.txt" in the root web directory ("/") together with "/robots.txt", "/sitemap.txt", and "/humans.txt", but a copy should also be placed in "/.well-known/" since that is the location the protocol recommends.  When you update "security.txt", remember to save it to both locations.


A canonical "security.txt" should only be accessible by HTTPS (Hypertext Transfer Protocol Secure).


If your site does not have a security certificate, then you should use a comment in the Robots Exclusion Protocol ("/robots.txt") instead of using "security.txt" to specify any security contact info. [7] [8] [9]  In the example Robots Exclusion Protocol below, "security.txt" has been replaced by "security.htm" as a nonsecure HTTP link to the security policy webpage without using the SECURITY protocol.

User-agent: *
# Security:
# Humans:


Comments are added to SECURITY with a hash ("#") at the beginning of a line.

# A comment.


"/security.txt" for Nicole Sharp's Website is given below.

Expires: 2024-01-18
Preferred-Languages: en
# Security for Nicole Sharp's Website.
# 2023-09-06 Nicole Sharp


The "Expires" field should be for either a) the day before your next domain name registration renewal date or b) the day before your next webhosting service renewal date, whichever is soonest.  If you don't renew your domain name registration or your webhosting service, bad things can happen and your website security policy should be considered voided (since you don't have a website any more).  This also means that you should update "security.txt" each time you renew your domain name registration and/or webhosting service.

"Expires" takes the form of an ISO 8601 date.  The actual moment of expiration depends on the timezone, so you should set the expiration time to zero hundred hours zulu (UTC) on the day before the date of expiration.  This places the expiration of the website security policy somewhere between zero and twenty-four hours before the website itself expires.


"Preferred-Languages" is in the form of two-letter ISO 639-1 language codes or three-letter ISO 639-3 language codes for languages that do not have two-letter codes.


"Canonical" refers to the preferred uniform resource locator (URL) for "security.txt".  If you forget to update "/.well-known/security.txt", it tells security researchers that the canonical version is at "/security.txt" instead.  The canonical URL must be an HTTPS link.
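As an added example (not from the original page), a small Python script that computes the "Expires" value the way described above and checks a "security.txt" for the points covered here: an ISO 8601 "Expires" that carries a timezone and is still in the future, an HTTPS "Canonical" URL, and two- or three-letter "Preferred-Languages" codes.  The sample file and the domain name in it are constructed.

```python
from __future__ import annotations
from datetime import date, datetime, timedelta, timezone

# Constructed sample file (not the page's own); the values are placeholders.
SAMPLE = """\
# Security for Example Site.
Canonical: https://www.example.com/.well-known/security.txt
Expires: 2024-01-18T00:00:00Z
Preferred-Languages: en, de, haw
"""

def expires_for(domain_renewal: date, hosting_renewal: date) -> str:
    """Expires value: 00:00Z on the day before the sooner of the two renewals."""
    day_before = min(domain_renewal, hosting_renewal) - timedelta(days=1)
    stamp = datetime.combine(day_before, datetime.min.time(), timezone.utc)
    return stamp.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Collect 'Field: value' lines, skipping blank lines and '#' comments."""
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text: str, today: date) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    fields = parse_security_txt(text)
    problems: list[str] = []
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone (use Z for UTC)")
            elif when.date() <= today:
                problems.append("Expires is in the past: policy is void")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    for canonical in fields.get("canonical", []):
        if not canonical.lower().startswith("https://"):
            problems.append(f"Canonical must be HTTPS: {canonical}")
    for langs in fields.get("preferred-languages", []):
        for code in (c.strip() for c in langs.split(",")):
            if not (code.isalpha() and len(code) in (2, 3)):
                problems.append(f"bad language code: {code!r}")
    return problems
```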


SECURITY should be added to the Robots Exclusion Protocol ("/robots.txt") as a comment ("#").  This lets anyone viewing the Robots Exclusion Protocol for the website know that you have specified a contact page for reporting security vulnerabilities.  An example Robots Exclusion Protocol with SECURITY is given below.

User-agent: *
# Security:
# Humans:

see also


  1. commons:category:padlocks
  2. commons:category:padlocks by color
  3. commons:category:red padlocks


cybersecurity, development, ROBOTS, robots.txt, security, security.txt, TXT, webdevelopment