What does the Astro Security plugin do?

Astro Security generates a valid, RFC 9116–compliant security.txt file at build time for Astro sites using a strictly validated configuration file.

Where is the security.txt file written?

The plugin writes security.txt to /.well-known/security.txt, /security.txt, or both, depending on configuration.

Astro Integration

Astro Security

Generate a valid, RFC 9116–compliant security.txt file for Astro sites deterministically at build time.

npm package GitHub repository

Usage snapshot

223

Downloads in the last 30 days

Latest npm version · v1.0.0

Source: npm registry

Why this plugin exists

security.txt provides a standardised way for security researchers to report vulnerabilities, but it is often missing, outdated, or incorrectly implemented.

Astro Security generates a fully RFC 9116–compliant security.txt file at build time, ensuring correctness without introducing runtime middleware or headers.

Configuration is validated and normalised strictly. If requirements are not met, the plugin fails closed and produces no output.

What it delivers

Design principles

Build-time only — zero runtime middleware or headers
Fail-closed validation — no output if config is invalid
Deterministic output on every build
Static-first and CI/CD safe
No analytics, telemetry, or outbound requests

What this plugin does

Generates an RFC 9116–compliant security.txt file
Validates and normalises configuration strictly
Automatically migrates legacy v0.x configs to v1.x
Overwrites output deterministically on each build
Supports both /.well-known and root output paths

Installation

npm install astro-security

From v1.0.0 onward, configuration is stored in config-files/security.config.json with automatic migration from legacy locations.

Project links

Source code, releases, documentation, and contribution guidelines.

npm package GitHub repository

Want the deep dive?

Read the FAQs for implementation details, design rationale, and integration guidance.

View plugin FAQs