Security.txt generation and implementation in Apache2

Having a security.txt file allows security researchers to help ensure a stronger security footprint for our digital assets.

First, create a security.txt file at .
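As an added example (not part of the original post), these shell functions write a security.txt with the two fields RFC 9116 requires, Contact and Expires, and check the expiry window before the file is signed. The Encryption and Canonical URLs are assumptions based on where this guide later places the files, and a `date` that accepts `-d` (GNU or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: build and sanity-check a security.txt before signing it.
# Field names come from RFC 9116. The URLs are assumptions derived from this
# guide's layout (public key in the webroot, signed file in .well-known).

# write_security_txt DOMAIN CONTACT_EMAIL DAYS_VALID OUTFILE
write_security_txt() (
    domain=$1 email=$2 days=$3 out=$4
    now=$(date -u +%s)
    expires=$(date -u -d "@$((now + days * 86400))" +%Y-%m-%dT%H:%M:%SZ)
    cat > "$out" <<EOF
Contact: mailto:$email
Expires: $expires
Encryption: https://$domain/security.txt.asc
Canonical: https://$domain/.well-known/security.txt
Preferred-Languages: en
EOF
)

# check_security_txt FILE
# Returns 0 if Contact is present and Expires is a future UTC timestamp no
# more than 365 days away, 1 otherwise. Works on the plain file and on the
# clear-signed one: armor and signature lines never start with these names.
check_security_txt() (
    file=$1
    grep -qi '^Contact: *[^ ]' "$file" || { echo "missing Contact" >&2; return 1; }
    expires=$(sed -n 's/^[Ee]xpires: *//p' "$file" | head -n 1 | tr -d '\r')
    [ -n "$expires" ] || { echo "missing Expires" >&2; return 1; }
    # Only the UTC "Z" form is handled; normalise it for date -d.
    stamp=$(printf '%s' "$expires" | sed 's/T/ /; s/Z$//')
    exp_s=$(date -u -d "$stamp" +%s 2>/dev/null) ||
        { echo "bad Expires: $expires" >&2; return 1; }
    now=$(date -u +%s)
    [ "$exp_s" -gt "$now" ] || { echo "expired: $expires" >&2; return 1; }
    [ "$exp_s" -le $((now + 365 * 86400)) ] ||
        { echo "Expires is more than 365 days out" >&2; return 1; }
    return 0
)

# Usage with the values from this guide:
#   write_security_txt intecore.com infosec@intecore.com 364 security.txt
#   check_security_txt security.txt && echo "ready to sign"
```

Running `check_security_txt` again on the deployed `.well-known/security.txt` from a scheduled job gives early warning that the Expires date is approaching and the file needs to be regenerated and re-signed.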

Create a gpg key on Linux with the following command:

# gpg --full-generate-key
  1. Specify the type of encryption or press enter to apply the default encryption method (RSA and RSA).
  2. Specify the size of the key or press enter to apply the default value (3072 bits).
  3. Specify the validity period of the key, where the default value is that the key has no expiration period. Use 364d for 364 days. Security.txt files can be valid no longer than 365 days.
  4. For the name, use the website address. In our case here, intecore.com.
  5. Enter the email address of who will be receiving your security requests and issues.
  6. Confirm the specified settings by typing the capital letter Y.
  7. Enter a passphrase to protect the new key.

Now create the PGP signature for the security.txt file:

# gpg -u infosec@intecore.com --output security.txt.sig --armor --detach-sig security.txt

There will now be a security.txt.sig file in the same directory. Let’s verify the file:

# gpg --verify security.txt.sig security.txt

You should see on the last line returned: gpg: Good signature from “your email” [ultimate]

Export the public key to a file we call security.txt.asc and save it in the webroot of the website.

# gpg --export -a --output ./security.txt.asc infosec@intecore.com
# mv security.txt.asc /your-website-directory/

Finally, generate a signed security.txt file:

# gpg -u infosec@intecore.com --clear-sign security.txt

This will generate a security.txt.asc file. Let’s put that into the .well-known directory of the website and rename it to security.txt:

# mkdir -p /your-website-directory/.well-known
# mv security.txt.asc /your-website-directory/.well-known/security.txt

Now test your security.txt file by going to the UriPorts website: https://www.uriports.com/tools?method=securitytxt&domain=intecore.com. Be sure to replace intecore.com with your website’s domain.

Thank you for visiting and enjoy your new security.txt compliance!
