Generate an RFC 9116 security.txt file so security researchers know how to report vulnerabilities in your app. Host it at /.well-known/security.txt.
Preview
# Security disclosure file for <your-domain>
# Generated with Vezraa — https://vezraa.com/tools/security-txt
Expires: 2027-07-04T19:12:38.644Z
Preferred-Languages: en
# RFC 9116 — https://datatracker.ietf.org/doc/html/rfc9116
# This file should be served at /.well-known/security.txt
How to deploy
Static / Vercel / Netlify
Place the file at /public/.well-known/security.txt and ship it with your next deploy.
public/.well-known/security.txt
Next.js (route handler)
Or serve it dynamically. Create app/.well-known/security.txt/route.ts and return the body with Content-Type: text/plain.
app/.well-known/security.txt/route.ts
nginx
Add a location block that serves a static file with the correct content type.
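location = /.well-known/security.txt {
    # Placeholder path: point alias at the generated security.txt on disk.
    alias /var/www/well-known/security.txt;
    # Set the content type directly; add_header would emit a second Content-Type header.
    default_type text/plain;
    charset utf-8;
}

Once deployed, you can verify your file is reachable and well-formed by running a Vezraa scan, which automatically picks it up. Or test the URL directly: curl https://your-domain/.well-known/security.txt.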
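
For the Next.js route handler and the well-formedness check described above, here is an added example (not Vezraa's code) that validates the body against the RFC 9116 basics before serving it. The names checkSecurityTxt and respond, the sample body, and the choice to answer 500 for an invalid or expired file are assumptions of this example.

```typescript
// Added example. example.com and security@example.com are placeholder values.
const SECURITY_TXT = [
  "# Security disclosure file for example.com",
  "Contact: mailto:security@example.com",
  "Expires: 2027-07-04T19:12:38.644Z",
  "Preferred-Languages: en",
].join("\n") + "\n";

// Returns RFC 9116 problems found in the body; an empty list means the checks passed.
function checkSecurityTxt(body: string, now: Date): string[] {
  const fields = new Map<string, string[]>();
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue; // blank line or comment
    const sep = line.indexOf(":");
    if (sep < 1) continue; // not a "Name: value" field line
    const name = line.slice(0, sep).trim().toLowerCase(); // field names are case-insensitive
    fields.set(name, [...(fields.get(name) ?? []), line.slice(sep + 1).trim()]);
  }
  const issues: string[] = [];
  const contacts = fields.get("contact") ?? [];
  if (contacts.length === 0) issues.push("Contact is required");
  for (const c of contacts) {
    if (!/^(https:\/\/|mailto:|tel:)/i.test(c)) issues.push(`Contact is not an https, mailto or tel URI: ${c}`);
  }
  const expires = fields.get("expires") ?? [];
  if (expires.length !== 1) {
    issues.push("Expires must appear exactly once");
  } else if (!(Date.parse(expires[0]) > now.getTime())) {
    issues.push("Expires is unparseable or already in the past");
  }
  if ((fields.get("preferred-languages") ?? []).length > 1) {
    issues.push("Preferred-Languages may appear at most once");
  }
  return issues;
}

// Serves the body as UTF-8 plain text, or fails loudly so monitoring catches a bad file.
function respond(body: string, now: Date): Response {
  if (checkSecurityTxt(body, now).length > 0) {
    return new Response("security.txt is invalid or expired", { status: 500 });
  }
  return new Response(body, { headers: { "Content-Type": "text/plain; charset=utf-8" } });
}

// In app/.well-known/security.txt/route.ts, Next.js needs this exported: `export function GET`.
function GET(): Response {
  return respond(SECURITY_TXT, new Date());
}
```

Run against the preview shown earlier on this page, which has no Contact line, checkSecurityTxt reports that Contact is required.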