
astro-security

v1.0.0

Published

RFC 9116 security.txt generation for Astro sites at build time

Downloads

25

Readme

astro-security

RFC 9116–compliant security.txt generation for Astro sites

astro-security is a static-first Astro integration that deterministically generates a valid security.txt file at build time.

From v1.0.0 onward, configuration is stored in a dedicated project directory with automatic migration from legacy locations.


What this plugin does

On astro build, the plugin:

  • Ensures a security configuration file exists (first run only)
  • Automatically migrates legacy configs (v0.x → v1.x)
  • Validates and normalises configuration (fail-closed)
  • Generates an RFC 9116–compliant security.txt
  • Writes the file to:
    • /.well-known/security.txt
    • /security.txt
  • Overwrites existing output files deterministically on each build

What this plugin does NOT do

  • ❌ No runtime middleware
  • ❌ No signing or cryptography
  • ❌ No HTTP headers
  • ❌ No analytics or telemetry
  • ❌ No hidden defaults

If configuration is invalid or incomplete, no file is generated.


Installation

npm install astro-security

Usage

Add the integration to your Astro config:

import { defineConfig } from "astro/config";
import astroSecurity from "astro-security";

export default defineConfig({
  integrations: [astroSecurity()]
});

Configuration (v1.0.0)

Canonical location

From v1.0.0, the configuration file lives at:

config-files/security.config.json

Automatic migration

If you already have:

security.config.json

in your project root (v0.x), the plugin will automatically move it to:

config-files/security.config.json

This migration:

  • Happens once
  • Never overwrites a config that already exists at the new location
  • Never blocks build or dev

Example configuration

{
  "enabled": true,
  "output": {
    "wellKnown": true,
    "root": true
  },
  "policy": {
    "contact": ["mailto:[email protected]"],
    "expires": "2026-12-31T18:37:07.000Z",
    "preferredLanguages": ["en"],
    "canonical": [
      "https://example.com/.well-known/security.txt",
      "https://example.com/security.txt"
    ],
    "hiring": "https://example.com/careers/security"
  }
}

Supported RFC 9116 directives

| Directive | Required | Notes |
|---------|---------|------|
| Contact | ✅ | One or more entries |
| Expires | ✅ | ISO 8601 timestamp |
| Encryption | ❌ | HTTPS only |
| Acknowledgments | ❌ | HTTPS only |
| Preferred-Languages | ❌ | RFC 5646 |
| Canonical | ❌ | May appear multiple times |
| Policy | ❌ | HTTPS only |
| Hiring | ❌ | HTTPS only |
| CSAF | ❌ | HTTPS only |


Output example

Contact: mailto:[email protected]
Expires: 2026-12-31T18:37:07.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Canonical: https://example.com/security.txt
Hiring: https://example.com/careers/security

Failure behaviour (important)

This plugin is fail-closed.

If:

  • required fields are missing
  • JSON is invalid
  • config is disabled

➡️ No security.txt is written

Your build continues safely.
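The fail-closed rendering described in this section and the output example above, as an added illustration that is not the plugin's own code: it maps the key names from the example configuration to RFC 9116 directives, applies the table's HTTPS-only and required rules, and returns null (write nothing) instead of a partial file. The keys `encryption`, `acknowledgments`, `policy` and `csaf` and the sample config are assumptions made here.

```javascript
// Added example, not astro-security's own implementation.
// Assumed config key -> directive mapping; contact, expires, preferredLanguages,
// canonical and hiring follow the README's example, the other keys are assumed.
const DIRECTIVES = [
  ["contact", "Contact", { required: true, multi: true }],
  ["expires", "Expires", { required: true, iso8601: true }],
  ["encryption", "Encryption", { https: true, multi: true }],
  ["acknowledgments", "Acknowledgments", { https: true, multi: true }],
  ["preferredLanguages", "Preferred-Languages", { csv: true }],
  ["canonical", "Canonical", { https: true, multi: true }],
  ["policy", "Policy", { https: true, multi: true }],
  ["hiring", "Hiring", { https: true, multi: true }],
  ["csaf", "CSAF", { https: true, multi: true }],
];

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const isHttps = (u) => { try { return new URL(u).protocol === "https:"; } catch { return false; } };

// Returns the security.txt text, or null when the config is disabled,
// malformed, or missing a required directive (fail-closed: nothing is written).
function renderSecurityTxt(config) {
  if (!config || config.enabled !== true || typeof config.policy !== "object" || config.policy === null) return null;
  const lines = [];
  for (const [key, name, rule] of DIRECTIVES) {
    const values = asList(config.policy[key]).filter((v) => typeof v === "string" && v.trim() !== "");
    if (values.length === 0) { if (rule.required) return null; continue; } // missing required -> no file
    if (rule.iso8601 && (values.length !== 1 || Number.isNaN(Date.parse(values[0])))) return null;
    if (rule.https && !values.every(isHttps)) return null;                // table: "HTTPS only"
    if (rule.csv) { lines.push(`${name}: ${values.join(", ")}`); continue; } // Preferred-Languages
    if (!rule.multi && values.length !== 1) return null;
    for (const v of values) lines.push(`${name}: ${v}`);                  // e.g. Canonical twice
  }
  return lines.join("\n") + "\n";
}

// Constructed sample in the README's config shape (not a real site).
const SAMPLE_CONFIG = {
  enabled: true,
  output: { wellKnown: true, root: true },
  policy: {
    contact: ["mailto:security@example.com"],
    expires: "2026-12-31T18:37:07.000Z",
    preferredLanguages: ["en"],
    canonical: ["https://example.com/.well-known/security.txt", "https://example.com/security.txt"],
    hiring: "https://example.com/careers/security",
  },
};
```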


Versioning policy

  • v1.0.0 establishes:
    • Stable config schema
    • Stable file locations
    • Automatic migration
  • Breaking changes will only occur in major versions

License

MIT © Velohost


Author

Built and maintained by Velohost
https://velohost.co.uk/

Plugin page:
https://velohost.co.uk/plugins/astro-security/