Common security.txt issues

Expires field missing

RFC 9116 requires it. Fix: Add Expires: with a date 6–12 months ahead.

Expires date has passed

Fix: Update to a future date.

Wrong location

Should be at /.well-known/security.txt, not /security.txt.

Canonical not set

Fix: Add Canonical: https://yoursite.com/.well-known/security.txt