Pricing

Pay per event

Security.txt Checker

This actor checks websites for a security.txt file as defined by RFC 9116. It looks in `/.well-known/security.txt` and `/security.txt`, parses contact information, encryption keys, expiration dates, and validates compliance with the standard.

Pricing

Pay per event

Rating

0.0

(0)

Developer

Stas Persiianenko

Actor stats

Bookmarked

Total users

Monthly active users

3 days ago

Last modified

What does Security.txt Checker do?

This actor checks websites for a security.txt file as defined by RFC 9116. It looks in /.well-known/security.txt and /security.txt, parses contact information, encryption keys, expiration dates, and validates compliance with the standard.

The actor reports whether the file exists, its exact location, all parsed fields (contact, encryption, acknowledgments, policy, hiring, preferred languages), PGP signature status, expiry validation, and any compliance issues found. Use it for security audits, vulnerability disclosure research, or monitoring your own domains.

Use cases

Security auditing -- verify that security.txt files exist and are valid across your organization's domains
Vulnerability disclosure -- find contact info for responsible disclosure before reporting security issues
Compliance monitoring -- check RFC 9116 compliance across domains to ensure your security contact information is standards-compliant
Bug bounty research -- discover bug bounty programs, security policies, and hiring pages from security.txt entries
Vendor assessment -- evaluate the security posture and transparency of third-party services and SaaS providers

Why use Security.txt Checker?

Batch checking -- scan hundreds of domains in a single run to audit your entire portfolio or vendor list
Structured output -- get clean JSON with all parsed fields, compliance issues, and expiry status ready for analysis
RFC 9116 validation -- automatically checks for required fields, proper formatting, and expiration dates per the specification
API access -- integrate security.txt monitoring into your security dashboard or GRC platform
Pay-per-event pricing -- only pay per domain checked with no monthly fees
Dual path support -- checks both /.well-known/security.txt (preferred) and /security.txt (legacy) locations

Input parameters

Parameter	Type	Required	Default	Description
`urls`	array	Yes	--	List of website URLs or domains to check for security.txt. URLs are automatically cleaned to extract the domain.

Example input

{
    "urls": [
        "https://www.google.com",
        "https://github.com",
        "https://www.facebook.com"
    ]
}

Output fields

Each domain produces one record with the following fields:

Field	Description
`url`	The original URL provided in the input
`domain`	The extracted domain name
`hasSecurityTxt`	Whether a security.txt file was found
`location`	The full URL where security.txt was found
`contact`	Array of contact URLs or email addresses
`expires`	The Expires field value as an ISO 8601 timestamp
`isExpired`	Whether the security.txt file has expired
`encryption`	Array of encryption key URLs
`acknowledgments`	URL to the acknowledgments page, if specified
`preferredLanguages`	Preferred language codes from the file
`canonical`	The canonical URL of the security.txt file
`policy`	URL to the security policy page
`hiring`	URL to the security hiring page
`isSigned`	Whether the file has a PGP signature
`issues`	Array of RFC 9116 compliance issues
`error`	Error message if the check failed, null otherwise
`checkedAt`	ISO 8601 timestamp of the check

Output example

{
    "url": "https://github.com",
    "domain": "github.com",
    "hasSecurityTxt": true,
    "location": "https://github.com/.well-known/security.txt",
    "contact": ["https://hackerone.com/github"],
    "expires": "2026-06-01T00:00:00.000Z",
    "isExpired": false,
    "encryption": [],
    "acknowledgments": null,
    "preferredLanguages": "en",
    "canonical": "https://github.com/.well-known/security.txt",
    "policy": "https://docs.github.com/en/site-policy/security-policies",
    "hiring": "https://github.com/about/careers",
    "isSigned": true,
    "issues": [],
    "error": null,
    "checkedAt": "2026-03-01T12:00:00.000Z"
}

How much does it cost?

Security.txt Checker uses Apify's pay-per-event pricing. You only pay for what you use.

Event	Price	Description
Start	$0.035	One-time per run
Domain checked	$0.001	Per domain checked

Cost examples:

10 domains: $0.035 + 10 x $0.001 = $0.045
100 domains: $0.035 + 100 x $0.001 = $0.135
1,000 domains: $0.035 + 1,000 x $0.001 = $1.035

Using the Apify API

You can start Security.txt Checker programmatically using the Apify API. Replace YOUR_TOKEN with your Apify API token.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_TOKEN' });
const run = await client.actor('automation-lab/security-txt-checker').call({
    urls: ['https://github.com', 'https://www.google.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('YOUR_TOKEN')
run = client.actor('automation-lab/security-txt-checker').call(run_input={
    'urls': ['https://github.com', 'https://www.google.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

Integrations

Connect Security.txt Checker with other tools using Apify integrations. Export results to Google Sheets for security posture tracking, send Slack alerts when a security.txt file expires or goes missing, trigger Make or Zapier workflows for automated vendor security assessments, push data to n8n, or configure webhooks for real-time monitoring.

Tips and best practices

Monitor expiry dates by scheduling regular runs -- RFC 9116 requires an Expires field, and expired files indicate unmaintained security contacts.
Check the isSigned field to verify whether the security.txt has a PGP signature, which adds authenticity to the contact information.
Review the issues array for RFC compliance problems such as missing required Contact or Expires fields.
Use for vendor onboarding by checking if new vendors have a security.txt as a baseline indicator of security maturity.
Combine with SSL Certificate Checker to build a comprehensive security posture overview for each domain.

FAQ

What is security.txt? Security.txt is a proposed standard (RFC 9116) that allows websites to define security policies and contact information in a machine-readable format at /.well-known/security.txt. It helps security researchers find the right contact for vulnerability reports.

What does the isExpired field mean? RFC 9116 requires a mandatory Expires field. If the current date is past the expiry date, isExpired is true, meaning the file is stale and the contact information may be outdated.

Does this actor validate PGP signatures? The actor detects whether the security.txt file is PGP-signed (the isSigned field) but does not cryptographically verify the signature against a public key.

Robots.txt Checker - CMS-Aware Analysis with AI Recommendations

alizarin_refrigerator-owner/robots-txt-checker

The Robots.txt Checker provides comprehensive analysis of your robots.txt file: Syntax Validation CMS Detection - Identify WordPress, Shopify, Drupal,& 6+ other CMS platforms Best Practice Check Companion File Checks - sitemap.xml, llms.txt, security.txt AI Recommendations - CMS-specific suggestions

The Howlers

Content Checker

jakubbalada/content-checker

Monitor a website or web page for content changes. Automatically saves before and after screenshots and sends an email notification when content changes are detected.

Jakub Balada

2.2K

4.9

(3)

SEO Checker

louisdeconinck/seo-checker

SEO Checker is an advanced Actor that performs comprehensive on-site SEO analysis for any website. It crawls web pages and extracts crucial SEO elements, providing detailed insights to help improve your website's search engine optimization.

Louis Deconinck

279

5.0

(3)

Email Verifier & Deliverability Checker

yasir-on-apify/email-verifier-deliverability-checker

Verify and Validate Email Addresses with Spamtrap & Disposable Detection, SMTP Connectivity, Syntax Validation, Inbox Deliverability Check, Quality Scoring, Catch-all & Role-based Filtering, Inbox Full Status and Free Email Flagging. Optimize your email list for outreach and marketing campaigns.

Yasir

702

5.0

(3)

Username Availability Checker 🔍

easyapi/username-availability-checker

Check username availability across 80+ platforms including Twitter, Instagram, YouTube, GitHub, and more! Get instant results with platform logos, URLs, and availability status. Essential tool for brand research, social media management, and digital presence optimization. 🔍

EasyApi

403

5.0

(1)

Website Speed Checker

onescales/website-speed-checker

Easily get Website Speed Data with Google Lighthouse performance metrics & Core Web Vitals Tool (Performance Score, FCP, LCP, TBT, CLS, Speed Index) from any webpage/URL, whether you're analyzing or testing a single URL or thousands in bulk. Run scraper in seconds for one time, on schedule, or API.

One Scales

114

5.0

(7)

Google Rank Checker

caprolok/google-rank-checker

Maximize your SEO impact with Google Rank Checker. Effortlessly monitor keyword rankings, analyze competitors, and tailor your strategy for peak online visibility. A must-have tool for smart, data-driven SEO optimization.

Caprolok

133

Youtube Rank Checker

karamelo/youtube-rank-checker

See how your YouTube videos rank against competition for specific keywords! or want to see where your competitors rank? YouTube Rank Checker gives you instant results, ease of use and accurate checks in seconds.

karamelo

Fast Instagram Profile Stats Checker

karamelo/fast-instagram-profile-stats-checker-free

Scrape Statistics for Instagram accounts profiles for followers count and followings and numbers of posts fast and clean data. Ideal for monitoring and data analysis of accounts changes.

karamelo

772

5.0

(2)