express-security-txt
Version 4.0.1, verified Sat Apr 25; auth: no; javascript
Express middleware to serve a security.txt policy file at the standard /.well-known/security.txt or /security.txt endpoint. Current stable version 4.0.1. Released via semantic-release; adheres to the security.txt RFC draft (foudil-securitytxt-05). Key differentiators: supports repeating directives, inline comments (prefix, postfix, field-level), and array values for multiple contacts or policies. Lightweight—no external runtime dependencies; works with Express 4.x+. Safer alternatives exist (e.g., manual static file serving) if zero risk of misconfiguration is required.
Common errors
error Error [ERR_REQUIRE_ESM]: require() of ES Module /path/to/node_modules/express-security-txt/index.js from /path/to/app.js not supported.
cause Version 4+ is ESM-only; CJS require() fails.
fix Use dynamic import: const securityTxt = await import('express-security-txt'); or switch to ESM ("type": "module" in package.json).

error SecurityTxtOptions is not a valid type. Did you mean SecurityTxtOptions?
cause TypeScript type name mismatch due to older version or incorrect import.
fix Import type from v4: import type { SecurityTxtOptions } from 'express-security-txt';

error TypeError: Cannot read properties of undefined (reading 'contact')
cause Options object passed is undefined or empty.
fix Ensure options object is defined and contains at least 'contact' field: const options = { contact: '...' };

error Cannot find module 'express-security-txt'
cause Package not installed or version mismatch.
fix Run npm install express-security-txt@latest. Check package.json for version.

Warnings
breaking Version 4.0.0+ drops CommonJS support; package is ESM-only.
fix Use dynamic import() or convert project to ESM. CJS projects should stay on v3.x (3.1.1).

deprecated The 'securityTxt' default export is deprecated in favor of named 'setup' export as of v4.0.0.
fix Use import { setup } from 'express-security-txt' instead of default import.

gotcha Options object keys are camelCase, not snake_case (e.g., 'preferredLanguages', not 'preferred_languages').
fix Use camelCase keys as documented.

gotcha The package does not validate that at least one 'contact' field is provided; omitting it produces invalid security.txt per RFC.
fix Always include a 'contact' option (string or array).

breaking Removed support for Node.js versions <18 in v4.0.0.
fix Upgrade Node.js to >=18 or use v3.x.

gotcha The middleware does not automatically handle GET /security.txt (only /.well-known/security.txt). Users may need to add a redirect.
fix Add a separate route for /security.txt that redirects to /.well-known/security.txt.
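
The three gotchas above (snake_case keys, a missing 'contact', and no handler for /security.txt) can be caught in application code before the middleware is mounted. This is an added example, not code from express-security-txt: checkSecurityTxtOptions and redirectToWellKnown are hypothetical helper names, and the 301 status is an assumption.

```javascript
// Added example (not part of express-security-txt). Helper names are hypothetical.

// Suggest the camelCase spelling for a snake_case or kebab-case key.
function toCamel(key) {
  return key.replace(/[_-]+([a-zA-Z])/g, (match, ch) => ch.toUpperCase());
}

// Returns a list of problems; an empty list means the options object
// avoids the 'contact' and key-casing gotchas listed above.
function checkSecurityTxtOptions(options) {
  if (options === null || typeof options !== 'object' || Array.isArray(options)) {
    return ['options must be a plain object'];
  }
  const problems = [];

  // 'contact' may be a string or an array; require at least one non-empty value.
  const contacts = [].concat(options.contact ?? [])
    .filter((c) => typeof c === 'string' && c.trim() !== '');
  if (contacts.length === 0) {
    problems.push("missing 'contact': the generated security.txt would be invalid");
  }

  // Keys must be camelCase ('preferredLanguages', not 'preferred_languages').
  for (const key of Object.keys(options)) {
    if (/[_-]/.test(key)) {
      problems.push(`option '${key}' is not camelCase; use '${toCamel(key)}'`);
    }
  }
  return problems;
}

// Express-style handler for the legacy path the middleware does not serve.
// Mount with: app.get('/security.txt', redirectToWellKnown);
// The 301 (permanent) status is an assumption; use 302 if the path may change.
function redirectToWellKnown(req, res) {
  res.redirect(301, '/.well-known/security.txt');
}

// Constructed sample input: a snake_case key and no contact.
const sample = { preferred_languages: 'en', policy: 'https://example.com/policy' };
for (const problem of checkSecurityTxtOptions(sample)) {
  console.log('security.txt config problem:', problem);
}
```

Fail startup when the returned list is non-empty, so a misconfigured policy file never reaches production.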
Install
npm install express-security-txt
yarn add express-security-txt
pnpm add express-security-txt

Imports
- securityTxt
  wrong: const securityTxt = require('express-security-txt')
  correct: import securityTxt from 'express-security-txt'
- setup
  wrong: import securityTxt, { setup } from 'express-security-txt'
  correct: import { setup } from 'express-security-txt'
- SecurityTxtOptions
  import type { SecurityTxtOptions } from 'express-security-txt'

Quickstart
import express from 'express';
import securityTxt from 'express-security-txt';

const app = express();

// Option keys are camelCase; 'contact' must always be present.
const options = {
  contact: 'mailto:security@example.com',
  preferredLanguages: 'en',
  encryption: 'https://example.com/pgp-key.txt',
  acknowledgments: 'https://example.com/hall_of_fame',
  policy: 'https://example.com/policy',
  hiring: 'https://example.com/jobs'
};

// Mount the middleware that serves the policy file.
app.use(securityTxt.setup(options));

app.listen(3000, () => console.log('Server running on port 3000'));