What is security.txt?

Well basically when someone (security researcher) found a bug or vulnerability on your web application, this piece of text helps where to contact your security team, or proper way to report to.

Here you can find everything about what I am talking about if I don't make sense. Please check out and generate your security.txt, come back here and follow steps below to put on your web server.

Note: For non Nginx user

Steps I shown here are to apply to Nginx webserver since I like Nginx and use Nginx a lot. If you're using other than Nginx, (such as Apache) your configuration might liking and similar. Try looking at your web server documentation for syntax and configuration.

Lets get started!

I assume you already have your security.txt by make one or generate from the website. Edit the information to your liking and policies. Security.txt is placed on your web root.

Place security.txt in web root, such /var/www/myweb/.security.txt. In your /etc/nginx/sites-enabled/{your-site}.conf, add this in server block. The code itself self explanatory, which redirect a request URI '/security.txt' to '/.well-known/security.txt'. The content of security.txt itself given as alias to security.txt in your web root.

    ## security.txt implementation ##
    location /security.txt {
        return 301 http://$host/.well-known/security.txt;
    location = /.well-known/security.txt {
        alias /var/www/ghost/.security.txt;

When user navigate to https://myweb.com/security.txt it will be redirected 301 to https://myweb.com/.well-known/security.txt while the file itself is actualy in your web root. And of course, the user can also look for security.txt in uri /.well-known/security.txt.

If you have other better solutions or suggestion, please comment below!

Security Txt: