Developer
RFC-9116 security.txt parser API
Fetches a domain's security.txt (checking the RFC-9116 /.well-known/ location first, then the legacy root path) and parses it into structured fields: contact channels, encryption keys, disclosure policy, acknowledgments, preferred languages, canonical URLs, hiring links, an expiry date with an EXPIRED flag, a PGP-signed flag, and an rfc9116Compliant verdict. Answers 'how do I report a vulnerability to this org', 'does this domain publish a security.txt', 'is its security.txt expired/compliant'.
Price$0.01per request
MethodPOST
Route/v1/dev/security-txt
StatusLive
MIME typeapplication/json
Rate limit60/minute
Cache86400s public
devsecuritysecurity-txtrfc9116well-knownvulnerability-disclosurecontactcompliance
API URL
Integration docshttps://x402.hexl.dev/v1/dev/security-txtExample request
{
"domain": "cloudflare.com"
}Example response
{
"domain": "cloudflare.com",
"present": true,
"location": "https://cloudflare.com/.well-known/security.txt",
"contact": [
"https://hackerone.com/cloudflare",
"https://www.cloudflare.com/abuse/"
],
"encryption": [],
"policy": [
"https://www.cloudflare.com/disclosure/"
],
"acknowledgments": [],
"preferredLanguages": [
"en"
],
"canonical": [
"https://www.cloudflare.com/.well-known/security.txt"
],
"hiring": [
"https://www.cloudflare.com/careers/jobs/"
],
"expires": null,
"expired": null,
"signed": false,
"rfc9116Compliant": false,
"fields": [
"contact",
"policy",
"hiring",
"preferred-languages",
"canonical"
]
}Input schema
{
"type": "object",
"required": [
"domain"
],
"properties": {
"domain": {
"type": "string",
"description": "Bare domain, e.g. 'example.com'."
}
}
}Output schema
{
"type": "object",
"additionalProperties": true
}