A security.txt file gives security researchers, scanners, and enterprise customers a clear way to report vulnerabilities. It is commonly used during vendor assessments and automated security checks.
Place the file here:
/Files/System/wwwroot/.well-known/security.txt
Dynamicweb serves it at:
https://example.com/.well-known/security.txt
Format
The format is defined by RFC 9116.
Minimum required content:
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:00Z
More complete example:
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2026-12-31T23:59:00Z
Preferred-Languages: en, da
Acknowledgments: https://example.com/security/hall-of-fame
Note
The Expires field is required. Set it no more than one year ahead, and update it before it lapses. Expired security.txt files are flagged as misconfigured by security scanners.