Free security.txt Checker (RFC 9116)
Check whether a site publishes a valid /.well-known/security.txt and validate it against RFC 9116 — the required Contact and Expires fields, a non-expired date, optional Encryption / Policy / Canonical fields, and whether the file is PGP-signed.
By scanning, you confirm you own or have permission to test this domain. Not a substitute for manual penetration testing.
What this security.txt checker checks
How it works
Read-only · fetches one well-known file
1. We fetch /.well-known/security.txt (and the legacy /security.txt) with a plain GET.
2. We validate it against RFC 9116 — the required Contact field and a non-expired Expires field, the optional Policy, Encryption and Canonical fields, and whether the file carries a PGP signature.
3. Nothing beyond that single file is requested.
Why it matters
A security.txt gives researchers a clear, authoritative way to report vulnerabilities to you instead of disclosing them publicly or to the wrong inbox. It is quick to add and signals a mature security posture.
Frequently asked questions
Is the security.txt checker free?
Yes — no sign-up. We fetch the file from the standard locations and validate its fields against RFC 9116.
Where should security.txt live?
At https://your-domain/.well-known/security.txt. A copy at /security.txt is allowed for legacy reasons, but the .well-known path is canonical.
What must a security.txt contain?
At minimum a Contact field (a mailto: or https: URL) and an Expires field with a future date. Encryption, Policy and Canonical are recommended.
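The checks described in the steps above and in this FAQ entry, as an added example that is not the checker's own code: a small Python validator run over a constructed sample file. It goes slightly beyond the text by also accepting tel: Contact URIs (RFC 9116 permits them), and it only detects a PGP clearsign block; it does not verify the signature.

```python
from datetime import datetime, timezone

SAMPLE = """Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
"""  # constructed sample file for offline testing, not a real site's file
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")   # RFC 9116 also permits tel:
RECOMMENDED = ("Encryption", "Policy", "Canonical")
PGP_BEGIN, PGP_SIG = "-----BEGIN PGP SIGNED MESSAGE-----", "-----BEGIN PGP SIGNATURE-----"

def parse_fields(text):
    """Return {field: [values]}, skipping comments, blanks and PGP clearsign armour."""
    fields = {}
    body = text.split(PGP_SIG)[0]                  # drop the signature block, if any
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-----", "Hash:")):
            continue
        name, sep, value = line.partition(":")
        if sep:                                    # a line without a colon is malformed; skipped
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate(text, now=None):
    """Return a list of problems; an empty list means the required checks pass."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_fields(text), []
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    problems += ["Contact is not a mailto:/https:/tel: URI: " + c
                 for c in contacts if not c.startswith(CONTACT_SCHEMES)]
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:  # RFC 3339; 'Z' rewritten so fromisoformat accepts it before Python 3.11
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires has no timezone offset")
            elif when <= now:
                problems.append("Expires is in the past: " + expires[0])
        except ValueError:
            problems.append("Expires is not an RFC 3339 timestamp: " + expires[0])
    return problems

def extras(text):  # recommended fields absent, and clearsign detection (not verification)
    return {"missing_recommended": [f for f in RECOMMENDED if f not in parse_fields(text)],
            "pgp_signed": PGP_BEGIN in text and PGP_SIG in text}
```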