Skip to content
The worker that serves Cloudflare's security.txt!
JavaScript Makefile
Branch: master
Clone or download

security.txt as a service -- Built on Cloudflare Workers

This is the worker that serves security.txt on



When security risks in web services are discovered by independent security researchers who
understand the severity of the risk, they often lack the channels to disclose them properly.
As a result, security issues may be left unreported. security.txt defines a standard to help
organizations define the process for security researchers to disclose security vulnerabilities

Many reporters have difficulty finding our disclosure page ( and often submit tickets to our support staff who then inform them about our HackerOne program. The security.txt standard was submitted to the IETF to address this problem:

We wanted to open source this code to allow anyone to easily deploy security.txt onto their Cloudflare zone.

Steps for deployment

Deploying should take about 5 minutes or less.

The Expires field introduced in Draft-9 is appended to the template automatically at a default value of 1 year after deployment.


Debian based systems

sudo apt-get install build-essential gnupg -y


Please have homebrew installed.

brew install gnupg

⚠️ Additionally, this project requires wrangler to be installed for builds/deploys. In turn, this means that you'll need Node installed.

Publishing on your zone

1. Setup wrangler

You will need to configure wrangler.toml:

mv wrangler.toml.template wrangler.toml

and fill in the following values (account_id and zone_id are found on your Cloudflare zone dashboard):

  • account_id
  • zone_id
  • routes

You will need to obtain a scoped API token to publish the worker.
You can do this at (, and choose the "Edit Cloudflare Workers" template. We will later call the obtained token: ${TOKEN}.

2. Setup GPG

You will need to have a pre-existing GPG key in your keyring that's additionally uploaded to some public key server (tutorial here:

  1. Export the public key and replace the one in this repo:
mv src/txt/security-cloudflare-public-06A67236.txt src/txt/my-pub-key.txt
gpg --export --armor > src/txt/my-pub-key.txt
  1. Then, update the path within the workers script to the new name of the public key file:
import pubKey from './txt/my-pub-key.txt'

// and later ...

} else if (url.includes('/gpg/my-pub-key.txt')) {
  1. Finally, update the email within the Makefile:
sign: clean
	gpg --local-user -o src/txt/security.txt --clearsign src/txt/security.txt.template

3. Deploy

To deploy with the token, you can choose one of the following options:

a. Execute: wrangler config. Enter token: ${TOKEN}. Run: make deploy

b. Run: CF_API_TOKEN=${token} make deploy

You can’t perform that action at this time.