
Security.txt Generator

Generate security.txt, privacy meta tags, and robots.txt rules for your site.


security.txt is a standardized file (RFC 9116) that tells security researchers how to report vulnerabilities in your website. It's a plain text file served at /.well-known/security.txt that lists a Contact (an email address or URL), an Expires date, and optionally the location of your PGP key (Encryption), your disclosure Policy, and an Acknowledgments page.

Without a security.txt, researchers who find vulnerabilities in your site have no clear way to report them. They might try generic emails like info@ or support@, post publicly on social media, or simply give up. A security.txt file takes 2 minutes to create and can prevent a public disclosure disaster.

Major companies including Google, Facebook, GitHub, and Dropbox all publish security.txt files. The Expires field, which the RFC requires, keeps the contact information from going stale: set it to at most one year from now and update it annually. This tool also generates privacy-focused robots.txt rules and security-related meta tags for your HTML head.


Frequently asked questions

How do I create a security.txt file for my website?

Fill in your security contact email, optional contact URL, PGP key URL (Encryption), acknowledgments URL, an expiry date for the file (Expires), and preferred languages. The tool generates an RFC 9116-compliant security.txt file ready to deploy at /.well-known/security.txt.

What is security.txt and why should I have one?

Security.txt (RFC 9116) is a standardized plain-text file that tells security researchers how to responsibly report vulnerabilities. Without it, researchers either give up or try random contact forms. With it, legitimate security reports reach you quickly — and you avoid unreported bugs becoming public exploits.

Where do I put the security.txt file?

At the well-known location, over HTTPS: https://yourdomain.com/.well-known/security.txt. RFC 9116 also permits the top-level /security.txt as a legacy fallback for tools that check both; serve it as a redirect to the well-known path rather than as a second copy that can drift out of sync. Serve the file with Content-Type: text/plain; charset=utf-8.

Does security.txt have to be signed?

It's recommended but not required. An OpenPGP cleartext signature lets a researcher who already trusts your key confirm that the contact details are yours; without it, anyone who can alter the file on your server can replace your address with their own and divert reports. RFC 9116 recommends signing the file inline (the signature travels in the file itself rather than in a separate location) and including the Canonical field in the signed text so the signature cannot be reused on another site's URL. A key fetched from the Encryption URL in the same file offers no independent trust, so publish the key or its fingerprint through another channel as well.

What should I put in the Expires field?

A date less than one year in the future, in RFC 3339 format (for example 2025-12-31T23:59:00.000Z). The field is required and tells researchers the file is still current. Set a reminder to regenerate before expiry, since an expired security.txt may be ignored or treated as abandoned. Annual renewal is typical.
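As an added worked example (not part of this tool's code), the Python below parses a security.txt the way the answers above describe it, unwraps the OpenPGP cleartext signature that "Does security.txt have to be signed?" recommends, and applies the RFC 9116 rules for Contact, Expires and the https-only URL fields. The two sample files, the example.com URLs and the fixed reference date are constructed for the demonstration; the signature block is a placeholder and the code does not verify it (use gpg --verify for that).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed cleartext-signed sample (not a real site's file); the signature is a placeholder and is not verified here.
SIGNED_SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.com
Contact: https://example.com/security-report
Expires: 2026-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----
placeholder-not-a-real-signature
-----END PGP SIGNATURE-----
"""
# Constructed sample with violations: no Contact, already expired, http:// key URL, Preferred-Languages twice.
BAD_SAMPLE = """Expires: 2024-01-01T00:00:00Z
Encryption: http://example.com/pgp-key.txt
Preferred-Languages: en
Preferred-Languages: fr
"""
REFERENCE_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible checks
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")
ALLOWED_SCHEMES = {  # web URIs must be https; Encryption may also be a key-locator URI
    "contact": ("https://", "mailto:", "tel:"),
    "encryption": ("https://", "dns:", "openpgp4fpr:"),
    **{k: ("https://",) for k in ("acknowledgments", "canonical", "hiring", "policy")},
}

def unwrap_cleartext_signature(text):
    """Strip OpenPGP cleartext framing and its '- ' dash-escaping; return (body, was_signed)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text, False
    try:
        start = lines.index("", 1) + 1  # first blank line ends the armor headers
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        raise ValueError("malformed cleartext-signature framing") from None
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[start:end]]
    return "\n".join(body) + "\n", True

def parse_security_txt(body):
    """Return ({lowercased field name: [values]}, [errors for malformed lines])."""
    fields, malformed = {}, []
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
        else:
            malformed.append(f"not a 'Field: value' line: {line!r}")
    return fields, malformed

def parse_expires(value):
    if value.endswith(("Z", "z")):  # fromisoformat() before Python 3.11 rejects a trailing Z
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("missing timezone offset")
    return dt

def validate(fields, now=None):
    """Apply the RFC 9116 MUST/SHOULD rules; return (errors, warnings)."""
    now = now or datetime.now(timezone.utc)
    errors, warnings = [], []
    if not fields.get("contact"):
        errors.append("Contact is required")
    for name, schemes in ALLOWED_SCHEMES.items():
        for v in fields.get(name, []):
            if not v.startswith(schemes):
                errors.append(f"{name.capitalize()} must start with one of {schemes} - got {v}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        errors.append("Expires is required and must appear exactly once")
    else:
        try:
            exp = parse_expires(expires[0])
            if exp <= now:
                errors.append(f"expired at {expires[0]}; researchers may treat the file as abandoned")
            elif exp > now + timedelta(days=365):
                warnings.append("Expires is more than a year out; RFC 9116 recommends less")
        except ValueError as e:
            errors.append(f"Expires is not an RFC 3339 timestamp ({e}): {expires[0]}")
    if len(fields.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages must appear at most once")
    canon = fields.get("canonical", [])
    if canon and not any(u.endswith("/.well-known/security.txt") for u in canon):
        warnings.append("no Canonical entry points at /.well-known/security.txt")
    return errors, warnings

def check_security_txt(text, now=None):
    body, signed = unwrap_cleartext_signature(text)
    fields, malformed = parse_security_txt(body)
    errors, warnings = validate(fields, now)
    return {"signed": signed, "fields": fields, "errors": malformed + errors, "warnings": warnings}
```

Run check_security_txt() on what you actually fetch from /.well-known/security.txt before trusting the contacts, and pair it with real signature verification when the file is signed. The unwrap step only removes the framing: a file that passes these checks but carries a signature you have not verified gives you no more assurance than an unsigned one.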