How to implement security.txt under .well-known in IIS

Focused on security? aren’t we all? security.txt is a file that inform where you can report vulnerabilities on your site.

Warning: A non-numeric value encountered in /storage/content/29/141529/ on line 27

Published 14th of June 2018

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations describe the process for security researchers to disclose security vulnerabilities securely. *

Security.txt is a proposed standard which allows website owners to define how to report security vulnerabilities. Security.txt is the equivalent of robots.txt, but for security issues.

.well-known directory under IIS

Security.txt is supposed to be under path /.well-known/security.txt

It is acceptable to have it in the root dir but it should redirect to well-known path.

Folder paths with “.” (dot) is not allowed in IIS. The reasoning behind it is that it might give away sensitive information, like a .git or .svn directory (which probably shouldn’t even be on your webserver in the first place).

ONE way around this is to make a handler:

Register the handler in web.config:

Simple implementation in Episerver

Make it editable from the CMS. Things change and editors may want to change content without changing a file on the server.

Just make a textarea property on your startpage called “SecurityText” and then use this handler:

Code is multisite proof

Content of the security.txt

Minimum example:

With encryption key


Contact can be an email or a link to a form
Encryption is public key that can be used to encrypt the report
Policy is link to your security policy and/or disclosure policy
Acknowledgment is for owners to give kudos to security reporters
Hiring is for security professional hiring openings
Signature is for path to .sig file, so you can sign the security.txt file

Who uses security.txt?


SEO terms

  • What is security.txt
  • How implement security.txt on IIS windows server
  • How to make a .well-known directory in IIS
  • examples of security.txt

About the author

Luc Gosso
– Independent Senior Web Developer
working with Azure and Episerver

Twitter: @LucGosso

Like it? please up vote

Leave a Reply

Your email address will not be published. Required fields are marked *