
security.txt generator

Generate an RFC 9116 security.txt file so security researchers know how to report vulnerabilities in your app. Host it at /.well-known/security.txt.

Preview

# Security disclosure file for <your-domain>
# Generated with Vezraa — https://vezraa.com/tools/security-txt

Expires: 2027-07-04T19:12:38.644Z
Preferred-Languages: en

# RFC 9116 — https://datatracker.ietf.org/doc/html/rfc9116
# This file should be served at /.well-known/security.txt

2 issues to address

  • At least one Contact (email or URL) is required by RFC 9116.
  • Canonical URL is recommended; provide your domain to populate it.

How to deploy

Static / Vercel / Netlify

Place the file at /public/.well-known/security.txt and ship it with your next deploy.

public/.well-known/security.txt

Next.js (route handler)

Or serve it dynamically. Create app/.well-known/security.txt/route.ts and return the body with Content-Type: text/plain.

app/.well-known/security.txt/route.ts

nginx

Add a location block that serves a static file with the correct content type.

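location = /.well-known/security.txt {
  # Example path (assumption): point alias at wherever the generated file is stored.
  alias /var/www/security/security.txt;
  # Set the type here; add_header would emit a second Content-Type header.
  default_type text/plain;
  charset utf-8;
}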

Once deployed, you can verify your file is reachable and well-formed by running a Vezraa scan, which automatically picks it up. Or test the URL directly: curl https://your-domain/.well-known/security.txt.
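The well-formedness check mentioned above, as an added example that is not Vezraa's code: a small TypeScript linter for the fields RFC 9116 requires (Contact, a single unexpired Expires) plus the Canonical recommendation. The function name, sample input and fixed clock are constructed for illustration, and it assumes an unsigned file (no PGP cleartext wrapper).

```typescript
// Added example: lints a security.txt body for the RFC 9116 checks this page reports.
type Finding = { level: "error" | "warning"; message: string };

function lintSecurityTxt(body: string, now: Date): Finding[] {
  const fields: Record<string, string[]> = {};
  const findings: Finding[] = [];
  const add = (level: Finding["level"], message: string) => { findings.push({ level, message }); };

  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.charAt(0) === "#") continue; // skip blanks and comments
    const m = /^([A-Za-z-]+):\s*(.+)$/.exec(line);
    if (!m) { add("error", "Unparseable line: " + line); continue; }
    const name = (m[1] || "").toLowerCase(); // field names are case-insensitive
    (fields[name] = fields[name] || []).push(m[2] || "");
  }

  const contacts = fields["contact"] || [];
  if (contacts.length === 0) add("error", "At least one Contact is required.");
  for (const c of contacts) {
    // Email contacts need mailto:, web contacts need https://; a bare address fails.
    // This example accepts only the three schemes below (a simplification).
    if (!/^(https:\/\/|mailto:|tel:)/i.test(c)) add("error", "Contact is not a URI: " + c);
  }

  const expires = fields["expires"] || [];
  if (expires.length !== 1) {
    add("error", "Exactly one Expires field is required.");
  } else {
    const t = Date.parse(expires[0] || "");
    const yearMs = 366 * 24 * 60 * 60 * 1000;
    if (isNaN(t)) add("error", "Expires is not a valid date-time.");
    else if (t <= now.getTime()) add("error", "Expires is in the past; the file is stale.");
    else if (t - now.getTime() > yearMs) add("warning", "Expires is more than a year away.");
  }

  if (!fields["canonical"]) add("warning", "Canonical is recommended.");
  return findings;
}

// Constructed sample: the fields from the preview above, which has no Contact or Canonical.
const PREVIEW = "# constructed sample\nExpires: 2027-07-04T19:12:38.644Z\nPreferred-Languages: en\n";
// Constructed "current time", one year before the preview's Expires value.
const NOW = new Date("2026-07-04T19:12:38.644Z");

for (const f of lintSecurityTxt(PREVIEW, NOW)) console.log(f.level + ": " + f.message);
```

Run it against the body returned by the curl command and fail the deploy on any finding with level "error".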
