# Fix: /.well-known/security.txt present (RFC 9116)

> Web-audit fix skill for the `security-txt` check (Bot & crawl policy, MAY).

## Goal

Publish security.txt with a Contact and Expires field.

## Fix

Publish `/.well-known/security.txt` (RFC 9116) with a `Contact` and an `Expires` field so a
researcher or agent can find how to report a problem. It is a small, standard trust signal.

## Resources

- [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116)

## Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from [your audit](https://anc.dev/web-audit):

```text
Goal: Publish security.txt with a Contact and Expires field
Issue: <the audit's finding for this check>
Fix: Publish `/.well-known/security.txt` (RFC 9116) with a `Contact` and an `Expires` field so a researcher or agent can find how to report a problem. It is a small, standard trust signal.
Skill: https://anc.dev/web-audit/skill/security-txt
Docs: https://www.rfc-editor.org/rfc/rfc9116
```

## Verify

Re-run the audit at [https://anc.dev/web-audit](https://anc.dev/web-audit) or call the `audit_website` MCP tool; the `security-txt` check should report `pass`.
