Exposure · Check
security.txt Canonical invalid — fixing the field syntax
An invalid `Canonical:` value (missing scheme, wrong host, malformed URL) causes RFC 9116 parsers to reject the field. Use the full `https://yourdomain/.well-known/security.txt` URL.
Real-world risk
Invalid Canonical values break automation that follows the field to the authoritative disclosure document.
Fix steps (in order)
- Use an absolute https:// URL for Canonical: that returns 200 for security.txt.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (security_txt_canonical_invalid) clears once the externally-observable signal is in place.