What does the Astro Security plugin do?
Astro Security generates a valid, RFC 9116–compliant security.txt file at build time for Astro sites using a strictly validated configuration file.
Astro & Security
Clear, production-focused answers explaining how Astro Security generates security.txt files, validates configuration, and fails safely.
No. Astro Security runs exclusively at build time and adds no runtime middleware, headers, or client-side logic.
From v1.0.0 onward, configuration lives at config-files/security.config.json.
Yes. Legacy v0.x configurations in the project root are automatically migrated once to the new location without overwriting existing files.
Astro Security fails closed. No security.txt file is generated, and the build continues safely.
At minimum, Contact and Expires directives are required. Missing required fields prevent output generation.
The plugin can write to /.well-known/security.txt, /security.txt, or both, depending on configuration.
Yes. Output files are overwritten deterministically on each build to guarantee consistency.
No. Astro Security performs no analytics, tracking, telemetry, or outbound network requests.
Yes. Given the same configuration, Astro Security always produces identical output.
Yes. The plugin is designed to be deterministic, side-effect-free, and safe for automated build environments.
Yes. Astro Security is fully open source and released under the MIT license.
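As an added example (not the plugin's own code), here is a fail-closed security.txt builder in JavaScript that enforces the required Contact and Expires directives of RFC 9116, renders the file deterministically, and emits nothing when validation fails. The config field names (contact, expires, canonical, encryption, policy, preferredLanguages, locations) are assumptions, since the plugin's real schema is not shown on this page.

```javascript
// Assumed config shape: { contact, expires, canonical?, encryption?, policy?,
// preferredLanguages?, locations? }. Field order is fixed so output is deterministic.
const FIELD_ORDER = [
  ["contact", "Contact"], ["expires", "Expires"], ["canonical", "Canonical"],
  ["encryption", "Encryption"], ["policy", "Policy"],
  ["preferredLanguages", "Preferred-Languages"],
];
// RFC 9116 requires Contact values to be URIs (https, mailto or tel are typical).
const CONTACT_URI = /^(https:\/\/|mailto:|tel:)\S+$/;

// Return a list of validation errors; an empty list means the config is valid.
function validateConfig(cfg, now = Date.now()) {
  const errors = [];
  const contacts = [].concat(cfg?.contact ?? []);
  if (contacts.length === 0) errors.push("Contact is required");
  for (const c of contacts) {
    if (!CONTACT_URI.test(String(c))) errors.push(`Contact must be an https, mailto or tel URI: ${c}`);
  }
  if (cfg?.expires === undefined) {
    errors.push("Expires is required");
  } else {
    const t = Date.parse(cfg.expires);
    if (Number.isNaN(t)) errors.push("Expires must be an ISO 8601 date-time");
    else if (t <= now) errors.push("Expires must be in the future");
  }
  return errors;
}

// Render one directive per line, repeating multi-valued fields, LF line endings.
function renderSecurityTxt(cfg) {
  const lines = [];
  for (const [key, name] of FIELD_ORDER) {
    for (const v of [].concat(cfg[key] ?? [])) lines.push(`${name}: ${v}`);
  }
  return lines.join("\n") + "\n";
}

// Fail closed: any validation error means no file content is produced at all.
function build(cfg, now = Date.now()) {
  const errors = validateConfig(cfg, now);
  if (errors.length > 0) return { ok: false, errors, files: [] };
  const loc = cfg.locations ?? ["well-known", "root"]; // assumed option; default: both
  const paths = [];
  if (loc.includes("well-known")) paths.push("/.well-known/security.txt");
  if (loc.includes("root")) paths.push("/security.txt");
  const text = renderSecurityTxt(cfg);
  return { ok: true, errors, files: paths.map((path) => ({ path, text })) };
}

// Constructed sample config (not from a real project).
const sampleConfig = {
  contact: ["mailto:security@example.com", "https://example.com/security/report"],
  expires: "2099-12-31T23:59:00.000Z",
  policy: "https://example.com/security-policy",
  preferredLanguages: "en, fr",
};
console.log(JSON.stringify(build(sampleConfig), null, 2));
```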
Further reading: the Astro Security plugin, the Velohost security policy, and the security.txt specification.