How to fix: security.txt Expires field fresh

NIS2 Art. 21(2)(j) · RFC 9116

Why this matters

RFC 9116 requires an Expires: date on security.txt so reporters know it's current. An expired file signals abandonment and reporters skip it — defeating the point of publishing it.

Background

RFC 9116 requires security.txt to include an Expires field with a future date. If the field is missing or the date has passed, the file is stale and is ignored by responsible disclosure tools. Refresh it annually.

References

RFC 9116 §2.5.5 (Expires field) · NIS2 Art. 21(2)(j)

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx: No server configuration change is needed; edit the file itself.
apache: Same as nginx.
cloudflare: Same as nginx.
wordpress: Edit /.well-known/security.txt. Add: Expires: 2027-01-01T00:00:00Z (one year out).
flask: If serving security.txt from a static file, update the Expires line and redeploy.
express: Same as flask.
rails: Same as flask.

Verify it's working

Run:

    curl -s https://your-site/.well-known/security.txt | grep -i expires

The output should show a date in the future.
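The grep above only shows the line; it does not tell you whether the date has passed. The following added example (not part of the original guide) classifies a security.txt body so the check can run in CI or cron. The function names, the 30-day warning window and the sample file are assumptions made for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample file, for illustration only.
SAMPLE = """\
Contact: mailto:security@example.com
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en
"""

def parse_expires(text):
    """Return every Expires value in the file as a timezone-aware datetime."""
    values = []
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        # Field names are case-insensitive; "#" comment lines never match.
        if not sep or name.strip().lower() != "expires":
            continue
        raw = value.strip()
        if raw[-1:] in ("Z", "z"):            # older fromisoformat() rejects "Z"
            raw = raw[:-1] + "+00:00"
        stamp = datetime.fromisoformat(raw)   # ValueError if not a date-time
        if stamp.tzinfo is None:              # a usable timestamp needs an offset
            raise ValueError("Expires has no UTC offset")
        values.append(stamp)
    return values

def check_expires(text, now=None, warn_days=30):
    """Return 'missing', 'duplicate', 'malformed', 'expired', 'expiring' or 'ok'."""
    now = now or datetime.now(timezone.utc)
    try:
        values = parse_expires(text)
    except ValueError:
        return "malformed"
    if not values:
        return "missing"
    if len(values) > 1:        # RFC 9116: the field must not appear more than once
        return "duplicate"
    if values[0] <= now:
        return "expired"
    if values[0] - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

if __name__ == "__main__":
    # Usage: python3 check_expires.py [path-to-security.txt]; exits non-zero unless "ok".
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    status = check_expires(body)
    print(status)
    sys.exit(0 if status == "ok" else 1)
```

To check a live site, save the curl output to a file and pass its path as the argument.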
