Velohost

Astro Integration

Astro Security

Generate a valid, RFC 9116–compliant security.txt file for Astro sites deterministically at build time.

Last Updated: 01 April 2026

Usage Snapshot

  • 86 downloads in the last 30 days
  • v1.0.0 latest npm version
  • Source: npm registry

Why This Plugin Exists

security.txt provides a standardised way for security researchers to report vulnerabilities, but it is often missing, outdated, or incorrectly implemented.

Astro Security generates a fully RFC 9116–compliant security.txt file at build time, ensuring correctness without introducing runtime middleware or headers.

Configuration is validated and normalised strictly. If requirements are not met, the plugin fails closed and produces no output.

Design Principles

  • Build-time only — zero runtime middleware or headers
  • Fail-closed validation — no output if config is invalid
  • Deterministic output on every build
  • Static-first and CI/CD safe
  • No analytics, telemetry, or outbound requests

What This Plugin Delivers

  • Generates an RFC 9116–compliant security.txt file
  • Validates and normalises configuration strictly
  • Automatically migrates legacy v0.x configs to v1.x
  • Overwrites output deterministically on each build
  • Supports both /.well-known and root output paths

Installation

npm install astro-security

From v1.0.0 onward, configuration is stored in config-files/security.config.json with automatic migration from legacy locations.

FAQs

What does the Astro Security plugin do?

Astro Security generates a valid, RFC 9116–compliant security.txt file at build time for Astro sites using a strictly validated configuration file.

Where is the security.txt file written?

The plugin writes security.txt to /.well-known/security.txt, /security.txt, or both, depending on configuration.

Implementation FAQs

Does Astro Security run at runtime?

No. Astro Security runs exclusively at build time and adds no runtime middleware, headers, or client-side logic.

Where is the configuration file stored?

From v1.0.0 onward, configuration lives at config-files/security.config.json.

Does Astro Security migrate older configurations?

Yes. Legacy v0.x configurations in the project root are automatically migrated once to the new location without overwriting existing files.

What happens if the configuration is invalid?

Astro Security fails closed. No security.txt file is generated, and the build continues safely.

Which fields are required by RFC 9116?

At minimum, Contact and Expires directives are required. Missing required fields prevent output generation.
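The checks described above (strict validation that fails closed, the Contact and Expires requirement, and the choice between the /.well-known and root output paths) as an added example in JavaScript. This is not the astro-security plugin's own code; the config keys (`contact`, `expires`, `preferredLanguages`, `canonical`, ...), the `location` values (`"well-known"`, `"root"`, `"both"`) and the function names are hypothetical names chosen for this example. The field rules themselves follow RFC 9116.

```javascript
// Added example, not the astro-security plugin's own code. It shows what an
// RFC 9116 generator with fail-closed validation does: check the config,
// normalise it, and emit either a complete file or nothing at all.
// Config keys, `location` values and function names are hypothetical.

// Optional fields in a fixed emission order, so the rendered file is
// byte-identical on every build.
const OPTIONAL_ORDER = [
  ["Encryption", "encryption"],
  ["Acknowledgments", "acknowledgments"],
  ["Preferred-Languages", "preferredLanguages"],
  ["Canonical", "canonical"],
  ["Policy", "policy"],
  ["Hiring", "hiring"],
];

const isHttps = (v) => /^https:\/\/\S+$/i.test(v);
// Per-field value checks from RFC 9116 section 2.5: Contact accepts mailto:,
// https: or tel: URIs; Encryption also accepts dns: and openpgp4fpr: URIs;
// the other link fields must be https URLs; Preferred-Languages is a
// comma-separated list of language tags.
const VALID_VALUE = {
  Contact: (v) => /^(mailto:\S+@\S+|https:\/\/\S+|tel:\+?[0-9().\-]+)$/i.test(v),
  Encryption: (v) => /^(https:\/\/\S+|dns:\S+|openpgp4fpr:[0-9a-f]+)$/i.test(v),
  Acknowledgments: isHttps,
  Canonical: isHttps,
  Policy: isHttps,
  Hiring: isHttps,
  "Preferred-Languages": (v) => /^[a-z0-9-]+(\s*,\s*[a-z0-9-]+)*$/i.test(v),
};

const toList = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

// Validate and normalise. `now` is injectable so a build can be reproduced.
function validateConfig(config, now = new Date()) {
  const errors = [];
  const warnings = [];
  const fields = []; // ordered [name, value] pairs to emit

  const emit = (name, values) => {
    for (const v of values) {
      if (VALID_VALUE[name](v)) fields.push([name, v]);
      else errors.push(`${name}: invalid value "${v}"`);
    }
  };

  // Contact: REQUIRED, at least one value.
  const contacts = toList(config.contact);
  if (contacts.length === 0) errors.push("Contact: at least one value is required");
  emit("Contact", contacts);

  // Expires: REQUIRED, exactly one ISO 8601 date-time that is still in the future.
  const expires = toList(config.expires);
  if (expires.length !== 1) {
    errors.push("Expires: exactly one value is required");
  } else {
    const when = new Date(expires[0]);
    if (Number.isNaN(when.getTime())) errors.push(`Expires: not an ISO 8601 date-time "${expires[0]}"`);
    else if (when.getTime() <= now.getTime()) errors.push(`Expires: already in the past "${expires[0]}"`);
    else {
      // RFC 9116 recommends (does not require) an expiry under a year away.
      if (when.getTime() - now.getTime() > 366 * 86400000) warnings.push("Expires: more than a year ahead");
      fields.push(["Expires", when.toISOString()]); // normalised to UTC
    }
  }

  for (const [name, key] of OPTIONAL_ORDER) {
    const values = toList(config[key]);
    if (name === "Preferred-Languages" && values.length > 1) errors.push("Preferred-Languages: must not appear more than once");
    emit(name, values);
  }
  return { errors, warnings, fields };
}

// RFC 9116 section 2.2: one "Field: value" per line, "#" starts a comment.
function renderSecurityTxt(fields) {
  const lines = ["# Generated at build time; see RFC 9116"];
  for (const [name, value] of fields) lines.push(`${name}: ${value}`);
  return lines.join("\n") + "\n";
}

// Fail closed: any error means no text, so nothing stale or malformed is published.
function generateSecurityTxt(config, now = new Date()) {
  const { errors, warnings, fields } = validateConfig(config, now);
  if (errors.length > 0) return { ok: false, errors, warnings, text: null };
  return { ok: true, errors, warnings, text: renderSecurityTxt(fields) };
}

// Map a result onto the output path(s); an empty map means "write nothing".
function plannedOutputs(result, location = "well-known") {
  const out = {};
  if (!result.ok) return out;
  if (location === "well-known" || location === "both") out["/.well-known/security.txt"] = result.text;
  if (location === "root" || location === "both") out["/security.txt"] = result.text;
  return out;
}

// Constructed sample config and a fixed clock, so the demonstration is reproducible.
const SAMPLE_CONFIG = {
  contact: ["mailto:security@example.com", "https://example.com/security"],
  expires: "2026-12-31T23:59:00Z",
  preferredLanguages: "en, de",
  canonical: "https://example.com/.well-known/security.txt",
};
const FIXED_NOW = new Date("2026-04-01T00:00:00Z");

const demo = generateSecurityTxt(SAMPLE_CONFIG, FIXED_NOW);
console.log(demo.ok ? demo.text : demo.errors.join("\n"));
```

Errors block output entirely, while warnings (such as an expiry more than a year out) are reported but do not; a build step that consumes `plannedOutputs` simply writes nothing when the map is empty, which is what "fails closed and the build continues" means in practice.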
