XowiaScan

security.txt Checker

Web Security

Fetch and validate a site’s /.well-known/security.txt against the RFC 9116 standard.

What is security.txt Checker?

security.txt Checker retrieves the standard security.txt file and validates its structure and required fields, so you know exactly how to report a vulnerability — and whether the organization follows responsible-disclosure best practice.

For defenders, it is a quick conformance check; for researchers, it is the fastest way to find the right contact and policy.

What it validates

  • Presence & location — checks the canonical /.well-known/ path.
  • Contact — verifies a reporting channel is published.
  • Expires — flags missing or stale expiry dates (required by RFC 9116).
  • Policy, Encryption, Canonical — confirms recommended fields where present.
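The checks listed above, written out as an added example (not XowiaScan's own code). It assumes the file body has already been fetched from /.well-known/security.txt and is not PGP-signed; the function names, `SAMPLE_NOW` and both sample files are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

WEB_URI_FIELDS = {"policy", "encryption", "canonical"}

def parse_fields(text):
    """Return [(name, value)]; names are case-insensitive, '#' starts a comment."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def validate(text, now=None):
    """Return a list of findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    findings = []
    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        findings.append("Contact: missing (required)")
    # Assumption: accept only the URI schemes RFC 9116 uses in its examples.
    for c in contacts:
        if not c.startswith(("mailto:", "tel:", "https://")):
            findings.append(f"Contact: not a mailto:, tel: or https:// URI: {c}")
    for n, v in fields:
        if n in WEB_URI_FIELDS and v.lower().startswith("http://"):
            findings.append(f"{n}: web URIs must use https://: {v}")
    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        findings.append(f"Expires: expected exactly one, found {len(expires)}")
        return findings
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if when.tzinfo is None:
            raise ValueError("no UTC offset")
    except ValueError:
        findings.append(f"Expires: not an RFC 3339 date-time: {expires[0]}")
        return findings
    if when <= now:
        findings.append("Expires: date has passed, file is stale")
    elif when > now + timedelta(days=365):
        findings.append("Expires: more than a year ahead (RFC 9116 recommends less)")
    return findings

# Constructed inputs: a fixed clock plus one conformant and one non-conformant file.
SAMPLE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
GOOD = "# constructed\nContact: mailto:security@example.com\nExpires: 2030-06-30T00:00:00Z\nPolicy: https://example.com/policy\n"
BAD = "Contact: security@example.com\nExpires: 2024-01-01T00:00:00Z\nPolicy: http://example.com/policy\n"
```
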

Where it fits in your workflow

  • Find the correct disclosure contact before reporting a bug.
  • Audit a client’s security.txt for standards conformance.

Use security.txt Checker

Run it from your dashboard.

At a glance

Category: Web Security
Runs: Server-side
Token cost: 3 / run (free tier)
Access: Free
Status: ● Live

Frequently asked questions

Is security.txt mandatory?

It is a recommended standard (RFC 9116), not a legal requirement — but its presence signals a mature security program and gives researchers a clear reporting path.
