
security.txt Generator

Generate a valid /.well-known/security.txt file per RFC 9116. Live validation for Contact, Expires, Encryption, Canonical, Policy, and CSAF fields.

Contact (required)

URI a researcher can use to report a vulnerability. Accepts https:, mailto:, or tel:. Required. May repeat.

Expires (required)

Full UTC ISO 8601 date-time ending in Z. Must be in the future and within one year.

Encryption

URL where the public key for encrypted reports is published. HTTPS only. May repeat.

Acknowledgments

Public page that credits researchers who reported vulnerabilities. HTTPS only. May repeat.

Preferred-Languages

Comma-separated RFC 5646 language tags on a single line. Order matters: most preferred first.

Canonical

Full HTTPS URL where this security.txt file is served. Helps confirm the file is genuine. May repeat.

Policy

URL of the vulnerability disclosure policy (scope, safe harbour, response times). HTTPS only. May repeat.

Hiring

URL of security-related job listings. HTTPS only. May repeat.

CSAF

URL to a CSAF provider-metadata.json so advisories can be discovered automatically. HTTPS only. May repeat.

How to use

  1. Pick a preset (Minimal, Recommended, Detailed, or Blank slate) to load a starting template, or edit the defaults in place.
  2. Add at least one Contact value using a mailto:, https:, or tel: URI so researchers know where to report a finding.
  3. Set the Expires date. Use the date picker for one-click selection, or paste in a full ISO 8601 UTC timestamp like 2027-06-16T00:00:00Z. The 1 year from today button writes the maximum value the spec recommends.
  4. Fill in any optional fields you want to publish: Encryption (PGP key URL), Acknowledgments (hall of fame), Canonical (the URL of this file), Policy (your VDP), Preferred-Languages (RFC 5646 tags), Hiring, and CSAF.
  5. Watch the Validation panel for errors, warnings, and tips. Fix anything in red, then copy or download the file.
  6. Host the file at https://yourdomain.example/.well-known/security.txt with Content-Type text/plain; charset=utf-8. Optionally publish a copy at /security.txt as well.

About this tool

security.txt Generator builds a standards-compliant /.well-known/security.txt file following RFC 9116, the IETF standard for telling security researchers where to report a vulnerability and how your team handles disclosure. Pick a preset (Minimal, Recommended, Detailed, or Blank slate) or start from scratch and fill in the fields you need.

Every required field is validated as you type. Contact accepts the three URI schemes the spec allows (https:, mailto:, tel:) and rejects plain http:, javascript:, or anything else. Expires is parsed against ISO 8601 with a UTC Z suffix, rejected if it is in the past, and flagged with a warning if it is more than a year in the future (the maximum the spec recommends). A handy 1-year-from-today button writes a safe default. Optional URL fields (Encryption, Acknowledgments, Canonical, Policy, Hiring, CSAF) are all checked to be HTTPS, and the CSAF URL is nudged toward the provider-metadata.json suffix that CSAF aggregators look for. Preferred-Languages accepts a single line of comma-separated RFC 5646 language tags and rejects multi-line input or malformed tags. Every multi-value field (Contact, Encryption, Acknowledgments, Canonical, Policy, Hiring, CSAF) supports as many entries as you need, with Add and Remove controls.

The live preview shows the exact UTF-8 text file you should serve, including the canonical header comment, ordered fields, and a trailing newline. Copy puts the file on the clipboard ready to commit to your repo, and Download saves a security.txt file you can drop straight into the /.well-known/ directory of your site. Validation reports errors, warnings, and tips: a missing Canonical or Policy URL is flagged as a tip so you can decide whether to add them, while issues that would break trust (past Expires date, invalid URI scheme, http:// in an HTTPS-only field) are flagged as errors.

Useful for security engineers setting up a vulnerability disclosure program, indie maintainers following CISA Binding Operational Directive 20-01-style guidance, agencies or contractors that need a clean security.txt for compliance, and any site operator who wants researchers to know where to send a finding instead of guessing at info@. All parsing, validation, and downloads happen locally in your browser, so the contact addresses, internal URLs, and policy links you draft here never leave your device.
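The field rules listed above and the validation behaviour described in this section can be reproduced outside the browser, for example as a pre-commit check on the file you are about to publish. The following Python is an added example, not the generator's own code: it renders a security.txt body in canonical field order and then checks it against the same error/warning/tip categories the tool uses (Contact schemes, Expires format and window, HTTPS-only fields, the CSAF suffix, single-line Preferred-Languages). The sample values, the fixed reference time, and the exact message wording are constructed for this example.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Fields the page marks HTTPS-only; all may repeat.
HTTPS_ONLY = ("Encryption", "Acknowledgments", "Canonical", "Policy", "Hiring", "CSAF")
# Output order used by build(); the RFC does not mandate an order, this is the example's choice.
FIELD_ORDER = ("Contact", "Expires", "Encryption", "Acknowledgments",
               "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF")
# Simplified RFC 5646 tag shape: language subtag plus optional 1-8 char subtags (e.g. en, pt-BR).
LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*$")
EXPIRES_FMT = "%Y-%m-%dT%H:%M:%SZ"  # full UTC ISO 8601 date-time ending in Z
# Constructed reference time so the checks below are reproducible.
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def build(fields: dict[str, list[str] | str]) -> str:
    """Render fields in canonical order as the UTF-8 text to serve, with a trailing newline."""
    lines = ["# security.txt (RFC 9116)"]
    for name in FIELD_ORDER:
        values = fields.get(name, [])
        for value in ([values] if isinstance(values, str) else values):
            lines.append(f"{name}: {value.strip()}")
    return "\n".join(lines) + "\n"


def parse(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (field, value) pairs plus any non-comment lines that lack a 'Name: value' shape."""
    pairs, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            malformed.append(line)  # e.g. the second line of a wrapped Preferred-Languages value
        else:
            pairs.append((name.strip(), value.strip()))
    return pairs, malformed


def validate(text: str, now: datetime | None = None) -> dict[str, list[str]]:
    """Check a security.txt body; returns {'errors': [...], 'warnings': [...], 'tips': [...]}."""
    now = now or datetime.now(timezone.utc)
    out: dict[str, list[str]] = {"errors": [], "warnings": [], "tips": []}
    pairs, malformed = parse(text)
    out["errors"].extend(f"Malformed line: {m}" for m in malformed)
    seen: dict[str, list[str]] = {}
    for name, value in pairs:
        seen.setdefault(name, []).append(value)

    # Contact: required, may repeat, only https:, mailto:, tel: (rejects http:, javascript:, ...).
    contacts = seen.get("Contact", [])
    if not contacts:
        out["errors"].append("Contact is required")
    for c in contacts:
        if urlsplit(c).scheme not in ("https", "mailto", "tel"):
            out["errors"].append(f"Contact has invalid URI scheme: {c}")

    # Expires: required, exactly once, UTC with Z suffix, in the future, warn beyond one year.
    expires = seen.get("Expires", [])
    if len(expires) != 1:
        out["errors"].append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.strptime(expires[0], EXPIRES_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            out["errors"].append(f"Expires is not ISO 8601 UTC with Z suffix: {expires[0]}")
        else:
            if exp <= now:
                out["errors"].append("Expires is in the past")
            elif exp > now + timedelta(days=365):
                out["warnings"].append("Expires is more than a year in the future")

    # HTTPS-only URL fields; CSAF additionally nudged toward provider-metadata.json.
    for name in HTTPS_ONLY:
        for url in seen.get(name, []):
            if urlsplit(url).scheme != "https":
                out["errors"].append(f"{name} must be an https:// URL: {url}")
            if name == "CSAF" and not url.endswith("provider-metadata.json"):
                out["tips"].append("CSAF URL should end in provider-metadata.json")

    # Preferred-Languages: at most once, one line of comma-separated RFC 5646 tags.
    langs = seen.get("Preferred-Languages", [])
    if len(langs) > 1:
        out["errors"].append("Preferred-Languages must appear at most once")
    for entry in langs:
        for tag in entry.split(","):
            if not LANG_TAG.match(tag.strip()):
                out["errors"].append(f"Preferred-Languages has malformed tag: {tag.strip()!r}")

    # Missing Canonical or Policy is only a tip, as on the page.
    for name in ("Canonical", "Policy"):
        if name not in seen:
            out["tips"].append(f"Consider adding {name}")
    return out


# Constructed sample inputs: one clean file and one with the errors the page calls out.
SAMPLE_TEXT = build({
    "Contact": ["mailto:security@example.com", "https://example.com/report"],
    "Expires": "2026-06-16T00:00:00Z",
    "Encryption": "https://example.com/pgp-key.txt",
    "Preferred-Languages": "en, fr",
    "Canonical": "https://example.com/.well-known/security.txt",
    "Policy": "https://example.com/vdp",
})
BAD_TEXT = "Contact: http://example.com/report\nExpires: 2025-01-01T00:00:00Z\nCSAF: https://example.com/csaf/\n"

if __name__ == "__main__":
    print(SAMPLE_TEXT)
    print(validate(SAMPLE_TEXT, now=FIXED_NOW))
    print(validate(BAD_TEXT, now=FIXED_NOW))
```

Run it against the file in your repository before deploying; a non-empty `errors` list is the condition a CI job should fail on, while `warnings` and `tips` mirror the page's advisory categories and can be printed without blocking.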

Free to use. Works in your browser. No signup, no login.
