17
205
Fork
You've already forked human.json
6

Provide better explanations about hosting human.json #27

Open
opened 2026年03月19日 08:21:53 +01:00 by khinsen · 2 comments

The instructions say:

The file should be served with:
 Content-Type: application/json
 CORS: Access-Control-Allow-Origin: *

I have no idea how to ensure these conditions, nor even how to verify them, not being a Web developer. From my point of view, my Web site is a directory on some server, into which I copy files via scp. I have a human.json there, but no control over how it is served.

Are there simple recipes for known-to-work setups? If so, it would be helpful to mention them.

The instructions say: ``` The file should be served with: Content-Type: application/json CORS: Access-Control-Allow-Origin: * ``` I have no idea how to ensure these conditions, nor even how to verify them, not being a Web developer. From my point of view, my Web site is a directory on some server, into which I copy files via `scp`. I have a `human.json` there, but no control over how it is served. Are there simple recipes for known-to-work setups? If so, it would be helpful to mention them.

@khinsen I'm happy to help you set it up, and we can start adding documentation for different web hosting providers. Would you be OK with sharing what service you're using for your website?

Checking your file

First, you can use this website to check your headers: https://securityheaders.com/?q=https%3A%2F%2Frobida.net%2Fhuman.json&followRedirects=on

For my human.json file, under "Raw Headers", I see:

  • Content-Type: application/json; charset=utf-8
  • access-control-allow-origin: *

Screenshot 2026年03月19日 at 10.32.41 AM

When you check your file, it's likely that the first one will be there, but not the second.

BTW, since you mentioned scp, you can also use the command line tool curl to check the headers:

% curl -v https://robida.net/human.json 2>&1 | grep -E 'Content-Type|access-control-allow-origin'
< Content-Type: application/json; charset=utf-8
< access-control-allow-origin: *

What do they mean?

The Content-Type header just indicates the type of the file being served. Most web sites will return the application/json content type header for files that have the .json extension. And even if they don't, it's not a dealbreaker. The browser extensions are able to fetch and analyze the file even if they have an incorrect content type header.

The second header, access-control-allow-origin: *, is more important, but also not required. The header allows Javascript applications to fetch the file, which opens up the possibility of people writing web apps that interact with human.json files. Without it, a Javascript application running on a site in https://alice.example.com/ will not be able to fetch https://bob.example.com/ -- this is a browser limitation for security reasons.

The extensions still work fine when the header is missing; even though they're written in Javascript, browser extensions can have elevated privileges.

So to summarize, the headers are a recommendation for best practices, but definitely not needed.

@khinsen I'm happy to help you set it up, and we can start adding documentation for different web hosting providers. Would you be OK with sharing what service you're using for your website? # Checking your file First, you can use this website to check your headers: https://securityheaders.com/?q=https%3A%2F%2Frobida.net%2Fhuman.json&followRedirects=on For my `human.json` file, under "Raw Headers", I see: - **Content-Type**: application/json; charset=utf-8 - **access-control-allow-origin**: * ![Screenshot 2026年03月19日 at 10.32.41 AM](/attachments/dc364f29-edb0-434d-a4dd-b86152c75a55) When you check your file, it's likely that the first one will be there, but not the second. BTW, since you mentioned `scp`, you can also use the command line tool `curl` to check the headers: ```bash % curl -v https://robida.net/human.json 2>&1 | grep -E 'Content-Type|access-control-allow-origin' < Content-Type: application/json; charset=utf-8 < access-control-allow-origin: * ``` # What do they mean? The `Content-Type` header just indicates the type of the file being served. Most web sites will return the `application/json` content type header for files that have the `.json` extension. And even if they don't, it's not a dealbreaker. The browser extensions are able to fetch and analyze the file even if they have an incorrect content type header. The second header, `access-control-allow-origin: *`, is more important, but also not required. The header allows Javascript applications to fetch the file, which opens up the possibility of people writing web apps that interact with `human.json` files. Without it, a Javascript application running on a site in https://alice.example.com/ will not be able to fetch https://bob.example.com/ -- this is a browser limitation for security reasons. The extensions still work fine when the header is missing; even though they're written in Javascript, browser extensions can have elevated privileges. So to summarize, the headers are a recommendation for best practices, but definitely not needed.
Author
Copy link

Thanks for all those details!

My hosting service is https://www.nearlyfreespeech.net/.

It does serve my human.json as application/json, but for some weird reason the encoding is gzip! No access-control-allow-origin at all.

https://securityheaders.com/ screams at me that my site has security issues, and says I should work on that immediately. Time for a good night's sleep I guess ;-)

Thanks for all those details! My hosting service is https://www.nearlyfreespeech.net/. It does serve my `human.json` as `application/json`, but for some weird reason the encoding is `gzip`! No `access-control-allow-origin` at all. `https://securityheaders.com/` screams at me that my site has security issues, and says I should work on that immediately. Time for a good night's sleep I guess ;-)
robida added this to the v0.2.0 milestone 2026年03月26日 00:09:41 +01:00
Sign in to join this conversation.
No Branch/Tag specified
main
spec-0.2.0
crawler
No results found.
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
robida/human.json#27
Reference in a new issue
robida/human.json
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?