hacker.txt Specification
The hacker.txt file is a standardized way to communicate security testing boundaries to ethical hackers and automated tools.

File Location
- Primary: https://example.com/hacker.txt
- Alternative: /.well-known/hacker.txt

Format Rules
- Plain text file (UTF-8 encoded)
- Each directive follows the format: Directive: Value
- Comments start with #

Core Directives

Allow-Pentesting
Specifies whether security testing is permitted.
Allow-Pentesting: yes

Testing-Scope
Defines which domains and subdomains are in scope.
Testing-Scope: example.com, *.example.com

Testing-Types
Lists allowed and disallowed testing types.
Testing-Types: SQLi, XSS, CSRF, -DDoS, -Bruteforce
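
A tool that honors these directives should parse the file and refuse anything not explicitly allowed. The sketch below is an added example, not part of the specification; it assumes that a leading "-" marks a disallowed testing type, that "*.example.com" covers subdomains at any depth but not the apex, that directive names and values are case-insensitive, and that only whole-line comments are used. The function names are hypothetical.

```python
# Constructed sample, built from the directive examples on this page.
SAMPLE = """\
# hacker.txt for example.com
Allow-Pentesting: yes
Testing-Scope: example.com, *.example.com
Testing-Types: SQLi, XSS, CSRF, -DDoS, -Bruteforce
"""

def parse_hacker_txt(text):
    """Return {lowercased directive: value}; skip comments and malformed lines."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        policy[name.strip().lower()] = value.strip()
    return policy

def items_of(policy, key):
    """Split a comma-separated directive value into lowercased items."""
    return [v.strip().lower() for v in policy.get(key, "").split(",") if v.strip()]

def host_in_scope(host, patterns):
    """Exact match, or suffix match for '*.' patterns (assumed semantics)."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]                  # ".example.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def is_permitted(policy, host, test_type):
    """Fail closed: a missing directive or unlisted type means 'no'."""
    if policy.get("allow-pentesting", "").lower() != "yes":
        return False
    if not host_in_scope(host, items_of(policy, "testing-scope")):
        return False
    types = items_of(policy, "testing-types")
    wanted = test_type.lower()
    if "-" + wanted in types:                     # explicit deny wins
        return False
    return wanted in types

if __name__ == "__main__":
    rules = parse_hacker_txt(SAMPLE)
    for host, kind in [("api.example.com", "XSS"), ("api.example.com", "DDoS")]:
        print(host, kind, is_permitted(rules, host, kind))
```
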