Exposure · Check
security.txt incomplete — adding required fields per RFC 9116
A security.txt file without a valid `Contact:` line, or missing the `Expires:` field, fails automated parsing and may not be honored by researcher tooling. Adding the required fields per RFC 9116 takes a minute and unlocks the rest of the spec (`Policy:`, `Acknowledgments:`, `Preferred-Languages:`).
Real-world risk
An incomplete security.txt reduces trust and may break automation that expects a valid `Contact:` field.
Fix steps (in order)
- Add `Contact:` (`mailto:` or `https://`) and optionally `Expires:`, `Policy:`, and `Acknowledgments:` per RFC 9116.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (security_txt_incomplete) clears once the externally-observable signal is in place.
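The file can also be checked locally before deploy for the two fields the introduction names, `Contact:` and `Expires:`. This is an added example, not Scorifya's checker or code from the original page; the sample files, the `example.com` domain and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample files; example.com is a placeholder domain.
INCOMPLETE = "# bare address, no expiry\nContact: security@example.com\n"
COMPLETE = (
    "Contact: mailto:security@example.com\n"
    "Expires: 2999-01-01T00:00:00Z\n"
    "Policy: https://example.com/security-policy\n"
    "Preferred-Languages: en\n"
)

FIELD = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def parse_fields(text):
    """Map lower-cased field name -> list of values, skipping comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = FIELD.match(line)
        if match and not line.startswith("#"):
            fields.setdefault(match.group(1).lower(), []).append(match.group(2).strip())
    return fields

def check(text, now=None):
    """Return a list of problems; an empty list means both fields pass."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    problems = []
    # The page's fix step names mailto: and https:// as the accepted forms.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact")
    elif not all(c.lower().startswith(("mailto:", "https://")) for c in contacts):
        problems.append("Contact is not a mailto: or https:// URI")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
        return problems
    try:
        # RFC 3339 timestamp; "Z" is rewritten for older fromisoformat().
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if when <= now:
            problems.append("Expires is in the past")
    except (ValueError, TypeError):  # unparseable, or no UTC offset given
        problems.append("Expires is not a valid RFC 3339 timestamp")
    return problems

if __name__ == "__main__":
    for name, text in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, check(text) or "ok")
```

A bare e-mail address in `Contact:` is reported because it is not a URI, and an `Expires:` value that has already passed is reported separately from a missing one.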