Security.txt: The File Every Professional Website Needs in 2026
RFC 9116 defines a standard for security contact information on websites. Here's why security.txt matters for credibility, compliance, and trust — and how to deploy it in five minutes.
When I audited the 52 websites in our network last quarter, one file was missing from every single one of them. Not a sitemap — those were there. Not robots.txt — deployed years ago. The missing file was security.txt, and its absence was the kind of gap that separates amateur web operations from professional ones.
RFC 9116, published by the Internet Engineering Task Force, defines a standard for security contact information on websites. The file lives at /.well-known/security.txt and tells security researchers how to report vulnerabilities in your site. If that sounds like something only enterprise companies need, you are thinking about it wrong.
What security.txt Actually Is
The format is disarmingly simple. A plain-text file with a handful of fields:
Contact: mailto:security@thecondotrap.com
Expires: 2027-04-22T00:00:00.000Z
Preferred-Languages: en
Canonical: https://thecondotrap.com/.well-known/security.txt
Policy: https://thecondotrap.com/security-policy/
That is it. Five lines. The file tells anyone who finds a vulnerability in your site — a broken form that leaks data, an exposed API key, a misconfigured redirect — exactly who to contact and how.
Without this file, a security researcher who finds a problem on your site has no standardized way to report it. They might email info@yourdomain.com and hope someone reads it. They might post it publicly on Twitter. They might do nothing. None of these outcomes are good for you.
Why This Matters for Non-Enterprise Sites
The objection I hear most often: "I run a static site on Netlify. What security vulnerability could it possibly have?"
More than you think. Static sites still have:
- Exposed environment variables baked into JavaScript bundles during build time
- Third-party script vulnerabilities from analytics, chat widgets, or ad networks
- Misconfigured headers that allow clickjacking or content injection
- Form endpoints that can be abused for spam or phishing
- Subdomain takeover risks from dangling DNS records pointing to deprovisioned services
A security.txt file does not prevent these issues. It ensures that when someone discovers one, there is a clear, standardized path to tell you about it before it becomes a problem.
The Trust Signal You Are Missing
Here is the part that matters for real estate sites specifically: security.txt is increasingly used as a credibility signal by both humans and automated systems.
Browser extensions like SecurityHeaders.com grade websites on their security posture. Enterprise procurement teams check for security.txt when evaluating vendors. And AI models — the same ones deciding whether to cite your content — can parse security.txt as an indicator of site professionalism and maintenance.
When a potential buyer lands on your real estate analysis site and their browser extension shows a B+ security grade instead of a D, that is not a conversion event they consciously notice. But the accumulated effect of professional signals — fast load times, proper SSL, security headers, security.txt — creates the credibility environment that makes someone trust your data enough to buy your book or share your analysis.
Deploying security.txt on a Static Site
For Eleventy, Astro, Hugo, or any static site generator, the deployment is trivial.
Step 1: Create the file. In your source directory, create a .well-known folder and add security.txt inside it.
Step 2: Configure the fields.
- Contact: Use a dedicated email address. Do not use your personal email. Create security@yourdomain.com or use a contact form URL
- Expires: Set this 12 months out. RFC 9116 requires this field — it ensures stale security contacts do not persist indefinitely
- Preferred-Languages: Set to en or your primary language
- Canonical: The full URL where this file lives, to prevent spoofing
- Policy: Optional but recommended — link to a page describing your security disclosure policy
Step 3: Ensure your build pipeline copies the .well-known directory. In Eleventy, add it to your passthrough copy configuration:
eleventyConfig.addPassthroughCopy({ "src/.well-known": ".well-known" });
Step 4: Sign it (optional but professional). RFC 9116 recommends signing the file with a PGP key. For static site publishers, this is optional. For sites handling user data, it is worth the effort.
Step 5: Validate. Use securitytxt.org to check your file against the RFC specification. Fix any warnings.
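Step 5 hands validation to an external site; the same RFC 9116 checks can run locally as a build step. The following is an added example, not code from the original post or from any of the sites it describes, written in JavaScript so it can sit beside the Eleventy configuration above. The file contents and the example.com domain are constructed sample input.

```javascript
// Added example (not from the original post): build-time check of a security.txt
// file against RFC 9116 rules; SAMPLE and example.com are constructed input.
const SAMPLE = [
  "Contact: mailto:security@example.com",
  "Expires: 2027-04-22T00:00:00.000Z",
  "Preferred-Languages: en",
  "Canonical: https://example.com/.well-known/security.txt",
  "Policy: https://example.com/security-policy/",
].join("\n");

// Parse "Field: value" lines into a Map name -> [values]; skips blanks, # comments and colon-free lines.
function parseSecurityTxt(text) {
  const fields = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!fields.has(name)) fields.set(name, []);
    fields.get(name).push(value);
  }
  return fields;
}

// Returns a list of problems (empty = pass). Rules checked: Contact is a URI
// (mailto:/https:/tel:), Expires appears exactly once and lies within a year of
// `now`, Preferred-Languages at most once, Canonical (if present) lists servedUrl.
function checkSecurityTxt(text, servedUrl, now = new Date()) {
  const f = parseSecurityTxt(text);
  const problems = [];
  const contacts = f.get("contact") || [];
  if (contacts.length === 0) problems.push("Contact is required");
  for (const c of contacts) {
    if (!/^(mailto:|https:\/\/|tel:)/i.test(c)) problems.push(`Contact is not a URI: ${c}`);
  }
  const expires = f.get("expires") || [];
  if (expires.length !== 1) problems.push("Expires must appear exactly once");
  else {
    const when = new Date(expires[0]);
    if (Number.isNaN(when.getTime())) problems.push("Expires is not an ISO 8601 date");
    else if (when <= now) problems.push("Expires is in the past");
    else if (when - now > 366 * 86400000) problems.push("Expires is more than a year out");
  }
  if ((f.get("preferred-languages") || []).length > 1) problems.push("Preferred-Languages may appear only once");
  const canonical = f.get("canonical") || [];
  if (canonical.length > 0 && !canonical.includes(servedUrl)) problems.push("Canonical does not match the served URL");
  return problems;
}
```

Wire `checkSecurityTxt(fs.readFileSync("src/.well-known/security.txt", "utf8"), canonicalUrl)` into the build and fail it when the list is non-empty, so an expired contact never ships.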
I deployed security.txt across all 52 sites in under 90 minutes. The template was identical except for the contact address and canonical URL. In a monoclone architecture where every site shares a build pipeline, it was a single template change deployed once.
The Security Headers Stack
While you are deploying security.txt, there are four HTTP headers that belong in the same deployment:
- Content-Security-Policy: Controls which scripts, styles, and resources can load on your pages. Prevents XSS attacks
- X-Content-Type-Options: nosniff: Prevents browsers from MIME-type sniffing, reducing drive-by download risks
- X-Frame-Options: DENY: Prevents your site from being embedded in iframes, blocking clickjacking attacks
- Referrer-Policy: strict-origin-when-cross-origin: Controls how much referrer information is sent with outbound links
On Cloudflare, these headers can be set via _headers file or Cloudflare Workers. On Netlify, use the _headers file in your publish directory. The configuration takes ten minutes and moves your SecurityHeaders.com grade from a D or F to an A or A+.
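As an added example that is not part of the original post, here is a _headers file in the format Netlify and Cloudflare Pages both read, carrying the four headers above for a static site that loads scripts only from its own origin. The CSP is an assumption about the site: widen script-src and connect-src to name any analytics or widget origin you actually load, otherwise those scripts will be blocked.

```text
# Applies to every path on the site (constructed example; adjust CSP sources to your real dependencies)
/*
  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Referrer-Policy: strict-origin-when-cross-origin
```

frame-ancestors 'none' and X-Frame-Options: DENY say the same thing; modern browsers honour the CSP directive and the older header covers the rest, so keep both.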
Combined with security.txt, these headers create a security posture that signals professionalism to every system that evaluates your site — from browser extensions to AI crawlers to human security researchers.
What the Audit Revealed
When I checked the top 50 real estate blogs by domain authority, exactly three had security.txt deployed. Three out of fifty. The rest — including sites with millions of monthly visitors — had no standardized security contact.
This is an industry-wide gap. And like most infrastructure gaps, the sites that close it first accumulate a credibility advantage that compounds over time. Google has not confirmed that security.txt affects ranking, but the security headers that accompany it do affect Core Web Vitals scoring, and the overall professionalism signal affects user behavior metrics that Google absolutely measures.
The five-minute deployment has no downside and multiple upside scenarios. That is as close to a free optimization as web infrastructure offers.
The Condo Trap covers the complete site infrastructure stack — from security headers to structured data to performance optimization — that separates professional real estate analysis from amateur blogging. Get it on Amazon. For the full technical deployment guide across multiple sites, see The $100 Network.