Communication matters in cybersecurity too — a timely response can potentially save us from a disastrous data breach. This is exactly where security.txt comes in.
For anyone managing a website, an e-commerce store or a complex platform, having a clear communication channel for security reports is fundamental. We decided to make this check one of the evaluation parameters in PerSeo Insights 7.1.0-alpha.
What is the security.txt file and what does it do?
The security.txt is a recent internet standard (defined by RFC 9116) that allows website owners to clearly define their policies for responsible vulnerability disclosure.
In plain terms: if a security researcher (a "white hat hacker") or a knowledgeable user finds a flaw in your site, how do they communicate it safely and quickly before it falls into the wrong hands? Generic contact forms are often managed by marketing or customer care teams who may not understand the severity or technical nature of the report.
The security.txt file solves this problem by providing researchers with direct contact details for the security team, PGP keys for encrypting messages, and the policies to follow.
Who already uses it?
Major web players have adopted the standard for some time. A few examples:
- Google: https://www.google.com/.well-known/security.txt
- GitHub: https://github.com/.well-known/security.txt
- Facebook/Meta: https://www.facebook.com/.well-known/security.txt
The presence of security.txt on these domains signals that the standard is now considered an established best practice, not a niche for cybersecurity enthusiasts.
Is it an SEO factor? (direct vs indirect)
One of the most frequent questions at Perseo Design concerns whether implementing this file can help climb Google's rankings.
Direct SEO factor: no
Currently, Google does not use the security.txt file as a direct ranking factor. You don't get a SERP "boost" just for adding this file to your web server.
Indirect SEO factor: yes
However, its indirect impact on SEO is significant:
- Prevention of blacklisting and deindexing: a compromised site infected with malware gets penalized by Google, often with warning notices in search results. A researcher reporting the flaw before it's exploited can prevent these scenarios.
- Trust and E-E-A-T: Google places increasing importance on trustworthiness within the E-E-A-T framework. Demonstrating high security standards and transparent policies helps build a solid and reliable brand in the eyes of both algorithms and users.
- Domain reputation: a poorly handled security incident generates negative media coverage, toxic links and loss of trust. Having documented disclosure procedures reduces these risks.
Why we integrated it in PerSeo Insights 7.1.0-alpha
In our mission to provide the most advanced auditing tools, with the release of PerSeo Insights 7.1.0-alpha we separated the security section from the rest of the report, introducing a dedicated tab with scans that verify compliance with the most recent web standards. We decided to include the check for the presence and validity of the security.txt file for several reasons:
- Alignment with global standards: the biggest players on the web use it. Sites analyzed by our users should aim for excellence.
- Proactive approach: security isn't just HTTPS or firewalls — it's also having procedures to handle the unexpected. Detecting the absence of security.txt prompts webmasters to think preventively about "what to do in case of an attack".
- Audit completeness: a professional audit in 2026 cannot ignore vulnerability disclosure policies.
How to write it and what its structure looks like
The file is a simple plain text file (.txt) composed of directives and values. Here are the main fields:
- Contact (Required): the email address or link to the form for contacting the security team (e.g.
Contact: mailto:[email protected]). - Expires (Required): the date and time (in ISO 8601 format) when the file's data becomes obsolete. Forces the file to be kept up to date (e.g.
Expires: 2026-12-31T23:59:59Z). - Encryption (Recommended): link to the PGP public key to allow researchers to send encrypted communications.
- Acknowledgments: link to a "Hall of Fame" page thanking those who identified bugs in the past.
- Preferred-Languages: preferred languages for reports (e.g.
Preferred-Languages: en, it). - Canonical: the official URL where the security.txt file is located.
- Policy: a link to the vulnerability disclosure policy.
Example of a security.txt file
Contact: mailto:[email protected]
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://perseodesign.com/pgp-key.txt
Preferred-Languages: en, it
Canonical: https://perseodesign.com/.well-known/security.txt
Where to place the file
According to RFC 9116, the file must be placed inside the hidden /.well-known/ directory of the domain.
The correct URL will be: https://www.example.com/.well-known/security.txt
(Note: for backwards compatibility, placing it in the root directory at /security.txt is tolerated, but the standard and recommended location remains under /.well-known/.)
How to check if the file is present and valid
There are three ways to check:
- Manual: open a browser and navigate directly to
https://domain.com/.well-known/security.txt. If the file exists, its content will be visible in plain text. - Online tool: the official site securitytxt.org includes both a generator and a validator.
- PerSeo Insights: from version 7.1.0-alpha, every scan automatically verifies the presence and reachability of the file, showing its status in the Security tab of the report.
Is there an automatic generator?
Yes. If you don't want to write the file by hand and risk formatting errors (especially for the timestamp in the Expires field), there is an official tool on the project's website: securitytxt.org.
The guided generator lets you enter the email, the desired expiry date and other optional information, automatically producing a correct text ready to upload to the server.
Adding a security.txt file takes literally five minutes, costs nothing and doesn't burden the server. It demonstrates a level of digital maturity and security awareness that makes a difference in brand perception.
FAQ
Is the security.txt file required by law? No, there is currently no regulation making it mandatory. It is a voluntary standard defined by RFC 9116. However, its adoption is strongly recommended, especially for sites handling sensitive data, e-commerce platforms and public digital services.
Does the security.txt file improve Google rankings? Not directly. Google does not use its presence as a ranking signal. The SEO impact is indirect: it reduces the risk of compromises that would lead to penalties, contributes to building a trustworthy brand, and aligns with E-E-A-T principles.
How often should it be updated?
The Expires directive imposes an expiry date. The general recommendation is to set an expiry of no more than one year and renew it periodically. An expired file is equivalent to no file: security researchers may ignore it.
What happens if a researcher finds a vulnerability and there's no security.txt? Without a dedicated channel, researchers often resort to generic contact forms, inappropriate corporate email addresses, or in the worst cases decide not to report at all (or to disclose the vulnerability publicly before it's patched). Security.txt reduces this friction and encourages responsible disclosure.
Is it enough to put just a contact email?
Technically yes, since Contact is the only required field together with Expires. However, adding Encryption (PGP key) and Policy makes the channel more credible and professional in the eyes of experienced researchers.
Does PerSeo Insights check the file's content validity or just its presence?
In the current version (7.1.0-alpha), the tool verifies the file's reachability (HTTP 200 response). Content validation, including the expiry of the Expires field, is planned for subsequent releases.
Useful resources:
- RFC 9116 — Security.txt standard
- Official generator and validator
- PerSeo Insights to automatically verify the file's presence on your site