Security.txt Auditor avatar

Security.txt Auditor

Pricing

from $0.005 / actor start

Go to Apify Store
Security.txt Auditor

Security.txt Auditor

Audit a public website's security.txt vulnerability disclosure metadata. Checks discovery paths, required fields, expiration, contact methods, and returns a readiness score with recommendations.

Pricing

from $0.005 / actor start

Rating

0.0

(0)

Developer

Sanskar Jaiswal

Sanskar Jaiswal

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

a day ago

Last modified

Share

Security.txt Auditor checks whether a public website publishes vulnerability disclosure metadata using the security.txt convention. It tests the preferred /.well-known/security.txt path first, falls back to /security.txt, parses recognized fields, and returns a readiness score with specific recommendations.

Use cases

  • Security teams checking disclosure readiness across owned domains.
  • Devops teams validating launch and migration checklists.
  • Compliance teams collecting evidence for vulnerability reporting processes.
  • Agencies auditing client websites for basic security contact hygiene.
  • Developer-tool builders adding security.txt checks to monitoring workflows.

Input

FieldTypeRequiredDescription
startUrlstringYesPublic website URL to audit. HTTP and HTTPS are supported. Private IP ranges and URL credentials are blocked.
timeoutSecondsintegerNoTimeout for each HTTP request. Default: 10. Minimum: 3. Maximum: 30.

Output

Each run pushes one dataset item.

FieldTypeDescription
inputUrlstringThe URL provided as input.
siteOriginstringNormalized website origin checked by the actor.
foundbooleanWhether a security.txt file was found and parsed.
fileUrlstringSecurity.txt URL that returned a parseable file. Empty when not found.
statusinteger or nullHTTP status of the selected response, or first attempted response when not found.
contentTypestringResponse content type for the selected file.
scoreintegerReadiness score from 0 to 100.
gradestringLetter grade: A, B, C, D, or F.
checkedAtstringISO timestamp for the audit.
fieldsobjectParsed security.txt fields keyed by lowercase field name. Values are arrays because fields may repeat.
unknownFieldsarrayField names not recognized by this auditor.
findingsarrayStructured checks with name, status, points, and recommendation.
recommendationsarrayPlain-language fixes for missing or weak items.
attemptsarrayFetch attempts for /.well-known/security.txt and /security.txt.

Example input

{
"startUrl": "https://example.com",
"timeoutSeconds": 10
}

Example output

{
"inputUrl": "https://example.com",
"siteOrigin": "https://example.com",
"found": true,
"fileUrl": "https://example.com/.well-known/security.txt",
"status": 200,
"contentType": "text/plain",
"score": 95,
"grade": "A",
"checkedAt": "2026-07-08T00:00:00.000Z",
"fields": {
"contact": ["mailto:security@example.com"],
"expires": ["2099-01-01T00:00:00Z"],
"canonical": ["https://example.com/.well-known/security.txt"],
"policy": ["https://example.com/security-policy"]
},
"unknownFields": [],
"findings": [
{ "name": "File found", "status": "pass", "points": 20, "recommendation": null },
{ "name": "Preferred path", "status": "pass", "points": 15, "recommendation": null }
],
"recommendations": [],
"attempts": [
{ "url": "https://example.com/.well-known/security.txt", "status": 200, "ok": true, "error": null }
]
}

Security

The actor only fetches public HTTP and HTTPS URLs. It rejects URL credentials, private IPv4 literals, private IPv6 literals, and hostnames that resolve to private IP ranges. Redirects are followed manually and revalidated before each follow-up request. Response bodies are capped before parsing.

Pricing

Suggested pay-per-event pricing:

EventPrice
Actor start$0.005
Website audited$0.01

This keeps one-domain checks inexpensive while charging proportionally for successful dataset results.

FAQ

Does this actor verify that an email inbox works?

No. It parses the published security.txt file and checks whether Contact values are present and use common forms such as mailto: or HTTPS URLs. It does not send emails or submit forms.

Which paths are checked?

The actor checks /.well-known/security.txt first, then /security.txt as a fallback.

Does it require login or credentials?

No. It only audits public unauthenticated website paths.

What keep metric should be used?

Keep or improve this actor if it receives organic Store impressions, runs, revenue, or inbound questions within 60 to 90 days. Archive it if there is no discovery and no usage.