How to fix: /.well-known/security.txt
NIS2 Art. 21(2)(j)
RFC 9116
Why this matters
When a security researcher finds a bug on your site, the first thing they look for is a way to report it. /.well-known/security.txt is the standard (RFC 9116) — a small text file with a contact address. Without it, bugs go unreported or get disclosed publicly.
Background
A /.well-known/security.txt file gives security researchers and automated scanners a published contact for vulnerability reports. It is required-ish under NIS2 for vulnerability handling, trivial to add, and massively improves the odds that someone who finds an issue tells you instead of disclosing publicly.
References
RFC 9116 · NIS2 Art. 21 (vulnerability disclosure)
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework.
nginx
Serve this file at /.well-known/security.txt:
Contact: mailto:[email protected]
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en
apache
Same file at /.well-known/security.txt.
cloudflare
Workers can serve this from a static blob; easier to upload as a static file via your origin.
wordpress
Add the file to /.well-known/security.txt at the web root (not as a WP page).
flask
from flask import Response  # assumes `app` and SECURITY_TXT_BODY (the file contents) are defined elsewhere
@app.route('/.well-known/security.txt')
def sec_txt():
    return Response(SECURITY_TXT_BODY, mimetype='text/plain')
express
app.get('/.well-known/security.txt', (req,res) => res.type('text/plain').send(SECURITY_TXT_BODY))
rails
Add a route + send_data; or just drop a static file under public/.well-known/security.txt.
Verify it's working
curl -i https://your-site/.well-known/security.txt — the response should have Content-Type text/plain and a body containing at least Contact and Expires.
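As an added example (not part of the original page), a small checker for the RFC 9116 rules the curl step cannot see: Contact and Expires present, Expires and Preferred-Languages not repeated, Contact a URI, and Expires a timezone-qualified date-time that is neither past nor more than a year out. The SAMPLE body and its example.com address are constructed placeholders; feed the function the body your server actually returns.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone
REQUIRED = {"contact", "expires"}                # RFC 9116: both MUST be present
SINGLE_USE = {"expires", "preferred-languages"}  # RFC 9116: MUST NOT appear more than once
# Constructed sample with a placeholder address, shaped like the body shown above
SAMPLE = "Contact: mailto:security@example.com\nExpires: 2027-01-01T00:00:00Z\nPreferred-Languages: en\n"

def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Map lower-cased field names to their values, skipping comments and blank lines."""
    fields: dict[str, list[str]] = {}
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_dt(value: str) -> datetime:
    # Older fromisoformat() rejects the trailing 'Z' that security.txt files commonly use
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_security_txt(body: str, now: str | None = None) -> list[str]:
    """Return the problems found; an empty list means the file passes. `now` is an ISO 8601 string."""
    now_dt = _parse_dt(now) if now else datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(body)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing required field: {name.title()}" for name in sorted(REQUIRED - fields.keys())]
    problems += [f"{name.title()} must appear only once" for name in sorted(SINGLE_USE & fields.keys()) if len(fields[name]) > 1]
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):  # Contact MUST be a URI
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    for exp in fields.get("expires", [])[:1]:
        try:
            when = _parse_dt(exp)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {exp}")
            continue
        if when.tzinfo is None:
            problems.append("Expires must carry a timezone (e.g. a trailing Z)")
        elif when <= now_dt:
            problems.append("Expires is in the past; researchers will treat the file as stale")
        elif when > now_dt + timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    return problems
```

Pass the body from the curl step above, e.g. check_security_txt(open("security.txt").read()); an empty list means the file passes.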