{"id":18357,"library":"express-security-txt","title":"express-security-txt","description":"Express middleware to serve a security.txt policy file at the standard /.well-known/security.txt or /security.txt endpoint. Current stable version 4.0.1. Released via semantic-release; adheres to the security.txt RFC draft (foudil-securitytxt-05), which predates the published RFC 9116. Key differentiators: supports repeating directives, inline comments (prefix, postfix, field-level), and array values for multiple contacts or policies. Lightweight—no external runtime dependencies; works with Express 4.x+. Safer alternatives exist (e.g., manual static file serving) if zero risk of misconfiguration is required.","status":"active","version":"4.0.1","language":"javascript","source_language":"en","source_url":null,"tags":["javascript"],"install":[{"cmd":"npm install express-security-txt","lang":"bash","label":"npm"},{"cmd":"yarn add express-security-txt","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-security-txt","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"Package only ships ESM from v4; CJS require() will fail in Node (ERR_REQUIRE_ESM). Use dynamic import() in CommonJS contexts.","wrong":"const securityTxt = require('express-security-txt')","symbol":"securityTxt","correct":"import securityTxt from 'express-security-txt'"},{"note":"setup is a named export; default export is also the setup function itself—both are identical.","wrong":"import securityTxt, { setup } from 'express-security-txt'","symbol":"setup","correct":"import { setup } from 'express-security-txt'"},{"note":"TypeScript users: import the type for options validation. No CJS type export available.","wrong":null,"symbol":"SecurityTxtOptions","correct":"import type { SecurityTxtOptions } from 'express-security-txt'"}],"quickstart":{"code":"import express from 'express';\nimport securityTxt from 'express-security-txt';\n\nconst app = express();\n\nconst options = {\n  contact: 'mailto:security@example.com',\n  preferredLanguages: 'en',\n  encryption: 'https://example.com/pgp-key.txt',\n  acknowledgments: 'https://example.com/hall_of_fame',\n  policy: 'https://example.com/policy',\n  hiring: 'https://example.com/jobs'\n};\n\napp.use(securityTxt.setup(options));\n\napp.listen(3000, () => console.log('Server running on port 3000'));","lang":"typescript","description":"Sets up Express middleware to serve a security.txt policy at /.well-known/security.txt using the setup function with required contact and optional fields."},"warnings":[{"fix":"Use dynamic import() or convert project to ESM. CJS projects should stay on v3.x (3.1.1).","message":"Version 4.0.0+ drops CommonJS support; package is ESM-only.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Use import { setup } from 'express-security-txt' instead of default import.","message":"The 'securityTxt' default export is deprecated in favor of named 'setup' export as of v4.0.0.","severity":"deprecated","affected_versions":">=4.0.0"},{"fix":"Use camelCase keys as documented.","message":"Options object keys are camelCase, not snake_case (e.g., 'preferredLanguages', not 'preferred_languages').","severity":"gotcha","affected_versions":"all"},{"fix":"Always include a 'contact' option (string or array), and check the served file against the published RFC 9116, which also requires an Expires field.","message":"The package does not validate that at least one 'contact' field is provided; omitting it produces an invalid security.txt per the RFC, which makes the Contact field mandatory.","severity":"gotcha","affected_versions":"all"},{"fix":"Upgrade Node.js to >=18 or use v3.x.","message":"Removed support for Node.js versions <18 in v4.0.0.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Add a separate route for /security.txt that redirects to /.well-known/security.txt.","message":"The middleware does not automatically handle GET /security.txt (only /.well-known/security.txt). Users may need to add a redirect.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Use dynamic import: const securityTxt = await import('express-security-txt'); or switch to ESM (\"type\": \"module\" in package.json).","cause":"Version 4+ is ESM-only; CJS require() fails.","error":"Error [ERR_REQUIRE_ESM]: require() of ES Module /path/to/node_modules/express-security-txt/index.js from /path/to/app.js not supported."},{"fix":"Import type from v4: import type { SecurityTxtOptions } from 'express-security-txt';","cause":"TypeScript type name mismatch due to older version or incorrect import.","error":"SecurityTxtOptions is not a valid type. Did you mean SecurityTxtOptions?"},{"fix":"Ensure options object is defined and contains at least 'contact' field: const options = { contact: '...' };","cause":"Options object passed is undefined or empty.","error":"TypeError: Cannot read properties of undefined (reading 'contact')"},{"fix":"Run npm install express-security-txt@latest. Check package.json for version.","cause":"Package not installed or version mismatch.","error":"Cannot find module 'express-security-txt'"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}