Part 5 of the series "EU Web Security: 10 Steps to a Better Rating"
Why security.txt
A security researcher finds a vulnerability on your website. Who do they contact?
Without security.txt: They search your site, find info@, send an email. It lands with marketing, gets deleted as spam or ignored. The vulnerability remains open.
With security.txt: They visit /.well-known/security.txt, find the security contact, the PGP key, and the disclosure policy. The report reaches the right team immediately.
Adoption rate in the EU: 2.8%. And yet: websites with security.txt score 31% higher on average than those without.
The Correlation
| Metric | WITH security.txt | WITHOUT | Factor |
|---|---|---|---|
| Composite Score | 55 | 42 | +31% |
| HSTS | 72% | 26% | 2.8x |
| CSP | 47% | 10% | 4.7x |
| Grade F | 6% | 44% | 7x fewer |
security.txt is not a silver bullet. But those who take the time to set it up have usually taken care of everything else too.
How to Set Up security.txt
Step 1: Create the File
Create /.well-known/security.txt on your web server:
Contact: mailto:security@your-domain.com
Expires: 2027-04-13T00:00:00.000Z
Preferred-Languages: en
Required fields (RFC 9116):
- Contact: — email address or URL for security reports
- Expires: — expiry date (max 1 year in the future)
Optional fields:
- Encryption: — PGP key for encrypted reports
- Acknowledgments: — hall of fame for responsible reporters
- Canonical: — canonical URL of the file
- Policy: — link to your Vulnerability Disclosure Policy
- Hiring: — link to security job openings
Step 2: Make It Accessible
The file must be reachable at https://your-domain.com/.well-known/security.txt. For most setups:
Nginx:
# Exact-match location so only this path is affected; the file itself can live outside the document root.
location = /.well-known/security.txt {
    alias /var/www/your-domain.com/security.txt;
}
Apache: Simply place the file in /.well-known/ in your document root.
WordPress: Use the "WP Security.txt" plugin or manually place it in .well-known/ in the webroot.
Step 3: Provide a PGP Key (recommended)
Contact: mailto:security@your-domain.com
Encryption: https://your-domain.com/.well-known/pgp-key.txt
Expires: 2027-04-13T00:00:00.000Z
ENISA recommends the encryption option so that security reporters can submit sensitive details in a protected manner.
Industry Adoption
| Industry | Adoption | Avg Score with | Avg Score without |
|---|---|---|---|
| Banking | 23.9% | 69 | 55 |
| E-Commerce | 15.6% | 64 | 53 |
| Education | 8.1% | 53 | 42 |
| Tech | 5.3% | 63 | 45 |
| Healthcare | 2.0% | 58 | 42 |
| Hospitality | 1.1% | 51 | 40 |
Banking leads — nearly one in four banks has security.txt. Hospitality (hotels, restaurants) sits at 1.1%.
Regulatory Context
- NIS2 Art. 21(2)(e) explicitly requires "vulnerability handling and disclosure" — security.txt is the standardised mechanism for this
- CRA Art. 14 — coordinated vulnerability disclosure becomes mandatory from December 2027 for manufacturers of digital products
- ENISA lists security.txt as a best practice for vulnerability disclosure
- National CERTs across Europe (NCSC-NL, ANSSI, BSI) recommend or use security.txt on their own domains
Common Mistakes
1. Forgetting Expires. Without Expires, the file is invalid per RFC 9116. Set it to 1 year in the future and set a reminder to update it.
2. HTTP instead of HTTPS. The file must be served over HTTPS — an unencrypted security.txt could be tampered with.
3. info@ as the contact. Contact: mailto:info@... lands with marketing. Set up a dedicated security@ address that reaches a security-responsible person.
Check Your security.txt
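A small checker for the points made in this post, added here as an example (it is not part of the original post and not an official RFC 9116 validator): it parses a security.txt body, requires the mandatory Contact and Expires fields, verifies that Expires is a valid RFC 3339 timestamp that is neither in the past nor more than a year ahead, flags a generic info@ mailbox, and notes a missing Encryption field. The sample file and the reference date are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample file (not taken from any real domain).
GOOD_EXAMPLE = """Contact: mailto:security@example.com
Encryption: https://example.com/.well-known/pgp-key.txt
Expires: 2027-04-13T00:00:00.000Z
Preferred-Languages: en
"""
# Fixed reference time so the checks are reproducible (hypothetical date).
CHECK_TIME = datetime(2026, 6, 1, tzinfo=timezone.utc)

def parse_security_txt(text):
    """Collect 'Field: value' lines; blank lines, comments and PGP armor lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-----") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field (mandatory)")
    for contact in contacts:
        if contact.lower().startswith("mailto:info@"):
            problems.append("Contact uses a generic info@ mailbox")
    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing Expires field (mandatory)")
    else:
        try:
            # RFC 3339 timestamp; 'Z' is rewritten so older Python versions can parse it.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append("Expires is in the past; the file is stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is more than a year ahead")
        except ValueError:
            problems.append("Expires is not a valid RFC 3339 timestamp")
    if "encryption" not in fields:
        problems.append("no Encryption field (recommended)")
    return problems
```

Fetch your own file with `curl https://your-domain.com/.well-known/security.txt` and pass the body to `check_security_txt`; the HTTPS requirement from the Common Mistakes section is checked by the fetch, not by this function.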
Next week in Part 6: DKIM — why only 31% of EU domains sign their emails.