Security.txt files are an informational resource that follows the conventions proposed by securitytxt.org. They exist primarily to help bug bounty hunters submit reports about vulnerabilities, and typically include details like links to a company’s security policy page and contact information.
The securitytxt.org convention advises that users place their security.txt file under the /.well-known path of their root (domain.com/.well-known/security.txt), or in the root directory of their domain (domain.com/security.txt).
However, neither of these placement options is currently supported in Webflow — we do not provide customers with direct access to our servers, and files uploaded to the Assets Panel are not hosted on customers' root domains.
Webflow customers that strongly prefer to follow this convention may consider any of the alternative options below.
Webflow’s Assets Panel supports TXT file types, so a customer may still create a TXT file with its content formatted according to the securitytxt.org convention and then upload it to Webflow. Although their TXT file will have a different file path than the convention, they can set up a 301 redirect in their site settings to redirect the expected URL to the actual TXT file URL.
This redirect method will not work with the primary /.well-known/security.txt convention as Webflow will return an error for any unsupported .well-known/* paths.
However, the /security.txt path is still an acceptable fallback in the convention standards.
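A pre-upload check for the TXT file described above, as an added example that is not Webflow's or securitytxt.org's code. It assumes the field rules of RFC 9116, the published form of the securitytxt.org convention: Contact is required, Expires appears exactly once, and a Canonical field, if present, lists the URL researchers request. The domain example.com, the sample file and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed draft; example.com and every value below are placeholders.
SAMPLE = """\
# Security contact for example.com
Contact: mailto:security@example.com
Expires: 2099-12-31T23:59:59Z
Canonical: https://example.com/security.txt
"""

def parse_fields(text):
    """Return (name, value) pairs, skipping blank lines and '#' comments."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'Name: value' line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields

def check_draft(text, served_url, now=None):
    """Return a list of problems; an empty list means the draft passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    def values(key):
        return [v for n, v in fields if n == key]
    problems = []
    if not values("contact"):
        problems.append("Contact is required")
    for c in values("contact"):
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {c}")
    expires = values("expires")
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None or when <= now:
                problems.append("Expires must be a future date-time with an offset")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
    canonical = values("canonical")
    if canonical and served_url not in canonical:
        problems.append(f"Canonical does not list {served_url}")
    return problems
```

Pass the root-domain /security.txt URL as `served_url`, since that is the address researchers request before the 301 redirect sends them to the uploaded asset.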
In lieu of an unformatted TXT file, customers may consider creating a dedicated and clearly navigable page about their security policies and contact information. For example, Webflow’s own website does not follow the securitytxt.org convention, and we instead opted for a Security page (webflow.com/security) to accomplish the same goal.
Similarly, a customer can create a static page with the /security slug (and optionally create a 301 redirect from /security.txt → /security).
Although this static page will have a different file path than the convention, it still reflects the customer’s root domain and is intuitive for security researchers and site visitors.
Serving the site through a reverse proxy is the only method that truly adheres to the securitytxt.org convention, including the suggested file path in the /.well-known directory, but it is the largest technical lift (and therefore generally not recommended).
For this, a customer must maintain an external server for their primary domain, where they can create their own subdirectories and place their own files. However, that would require that their Webflow site be hosted on a subdomain and that their reverse proxy serves it under their primary domain, which introduces additional complexities with SEO and infrastructure.