+11

README.md

reviewed

··· 1 1 + # HTTP/Minimal 2 2 + 3 3 + A constrained version of HTTP designed for serving human-readable documents without tracking, scripting, or behavioral manipulation. 4 4 + 5 5 + ## Specification 6 6 + 7 7 + See [spec.md](spec.md) for the full specification. 8 8 + 9 9 + ## License 10 10 + 11 11 + Released under [CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/) - no rights reserved.

+537

spec.md

reviewed

··· 1 1 + # HTTP/Minimal 2 2 + 3 3 + **Version:** 0.1.0-draft 4 4 + **Status:** Proposal 5 5 + 6 6 + ## Abstract 7 7 + 8 8 + HTTP/Minimal is a constrained version of HTTP designed for serving human-readable documents without tracking, scripting, or behavioral manipulation. It is not a new protocol - it is a voluntary restriction on how HTTP is used, enforceable by clients and verifiable by automated tools. 9 9 + 10 10 + ## Goals 11 11 + 12 12 + 1. **Radical simplicity.** A document is text and links. Maybe images. 13 13 + 2. **Privacy by architecture.** No cookies, no auth headers, no state. 14 14 + 3. **Zero JavaScript.** Not "minimal scripts" - none. 15 15 + 4. **Works today.** Any static file server can serve compliant content. 16 16 + 5. **Human-writable source.** Content is authored in Markdown, not markup soup. 17 17 + 18 18 + ## Non-Goals 19 19 + 20 20 + - Replacing HTTP for applications, APIs, or dynamic content 21 21 + - Defining a new transport protocol 22 22 + - Competing with Gemini (this is HTTP; use Gemini if you want Gemini) 23 23 + 24 24 + --- 25 25 + 26 26 + ## 1. Transport Requirements 27 27 + 28 28 + ### 1.1 TLS Required 29 29 + 30 30 + All HTTP/Minimal content MUST be served over HTTPS (TLS 1.2+, TLS 1.3 RECOMMENDED). 31 31 + 32 32 + Plain HTTP requests SHOULD receive a 301 redirect to the HTTPS equivalent and nothing else. 33 33 + 34 34 + ### 1.2 HTTP Version 35 35 + 36 36 + HTTP/1.1, HTTP/2, and HTTP/3 are all acceptable. Servers SHOULD support HTTP/2 at minimum. 37 37 + 38 38 + --- 39 39 + 40 40 + ## 2. Request Constraints 41 41 + 42 42 + Compliant clients MUST NOT send the following headers: 43 43 + 44 44 + | Header | Reason | 45 45 + |--------|--------| 46 46 + | `Cookie` | State tracking | 47 47 + | `Authorization` | Implies authenticated content | 48 48 + | `DNT` | Unnecessary - tracking is minimized by design | 49 49 + | `X-Requested-With` | AJAX patterns not applicable | 50 50 + | Any `X-` header | Custom headers are a slippery slope | 51 51 + 52 52 + Compliant clients MUST use only these methods: 53 53 + 54 54 + - `GET` - Retrieve a document 55 55 + - `HEAD` - Check if a document exists or has changed 56 56 + 57 57 + All other methods (`POST`, `PUT`, `DELETE`, etc.) are non-compliant. 58 58 + 59 59 + ### 2.1 Query Strings 60 60 + 61 61 + Query strings are PERMITTED but SHOULD be limited to: 62 62 + 63 63 + - Pagination (`?page=2`) 64 64 + 65 65 + Query strings MUST NOT be used for: 66 66 + 67 67 + - Session tracking 68 68 + - User identification 69 69 + - Analytics parameters (utm_*, fbclid, etc.) 70 70 + 71 71 + Compliant servers SHOULD ignore or strip unrecognized query parameters. 72 72 + 73 73 + --- 74 74 + 75 75 + ## 3. Response Constraints 76 76 + 77 77 + ### 3.1 Forbidden Response Headers 78 78 + 79 79 + Compliant servers MUST NOT send: 80 80 + 81 81 + | Header | Reason | 82 82 + |--------|--------| 83 83 + | `Set-Cookie` | State tracking | 84 84 + | `WWW-Authenticate` | Implies auth-gated content | 85 85 + | `Content-Security-Policy` | Implies executable content to policy | 86 86 + | `X-Frame-Options` | Embedding restrictions suggest app behavior | 87 87 + | `Refresh` | Client-side redirects enable tracking | 88 88 + 89 89 + ### 3.2 Permitted Response Headers 90 90 + 91 91 + Servers SHOULD send: 92 92 + 93 93 + | Header | Purpose | 94 94 + |--------|---------| 95 95 + | `Content-Type` | Required (`text/markdown; charset=utf-8`) | 96 96 + | `Content-Length` | Required for HTTP/1.1 | 97 97 + | `Last-Modified` | Caching | 98 98 + | `ETag` | Caching | 99 99 + | `Cache-Control` | Caching (SHOULD be generous; `max-age=3600` or higher) | 100 100 + | `Link` | Discovery (see Section 6) | 101 101 + 102 102 + ### 3.3 Status Codes 103 103 + 104 104 + Compliant servers SHOULD limit responses to: 105 105 + 106 106 + | Code | Meaning | 107 107 + |------|---------| 108 108 + | `200` | OK | 109 109 + | `301` | Moved Permanently | 110 110 + | `304` | Not Modified | 111 111 + | `400` | Bad Request | 112 112 + | `404` | Not Found | 113 113 + | `410` | Gone (content deliberately removed) | 114 114 + | `500` | Server Error | 115 115 + 116 116 + Codes `302`, `303`, and `307` are NOT RECOMMENDED as they enable tracking redirects. 117 117 + 118 118 + --- 119 119 + 120 120 + ## 4. Content Format 121 121 + 122 122 + HTTP/Minimal uses **Markdown** as its content format, served with Content-Type `text/markdown; charset=utf-8`. 123 123 + 124 124 + ### 4.1 Markdown Variant 125 125 + 126 126 + HTTP/Minimal uses [CommonMark](https://commonmark.org/) as the base specification, with the following extensions PERMITTED: 127 127 + 128 128 + - **Tables** - GitHub Flavored Markdown (GFM) pipe tables 129 129 + - **Strikethrough** - `~~text~~` 130 130 + - **Autolinks** - GFM automatic URL linking 131 131 + - **Footnotes** - `[^1]` reference-style footnotes 132 132 + 133 133 + ### 4.2 Permitted Syntax 134 134 + 135 135 + All standard CommonMark elements: 136 136 + 137 137 + - Headings (`#`, `##`, etc.) 138 138 + - Paragraphs 139 139 + - Emphasis (`*italic*`, `**bold**`) 140 140 + - Links (`[text](url)` or `[text][ref]`) 141 141 + - Images (``) 142 142 + - Blockquotes (`>`) 143 143 + - Code spans (`` `code` ``) 144 144 + - Code blocks (fenced or indented) 145 145 + - Lists (ordered and unordered) 146 146 + - Horizontal rules (`---`) 147 147 + - Hard line breaks 148 148 + 149 149 + ### 4.3 Forbidden Syntax 150 150 + 151 151 + The following MUST NOT appear in HTTP/Minimal documents: 152 152 + 153 153 + | Syntax | Reason | 154 154 + |--------|--------| 155 155 + | Raw HTML blocks | Enables script injection, tracking pixels, forms | 156 156 + | Raw HTML inline | Same | 157 157 + | `<script>` | No JavaScript | 158 158 + | `<iframe>` | Embedded third-party content | 159 159 + | `<form>` | Data collection | 160 160 + | `<img>` with tracking URLs | Use Markdown image syntax with compliant URLs | 161 161 + 162 162 + Clients MUST strip or ignore any raw HTML encountered in Markdown source. 163 163 + 164 164 + ### 4.4 Image Requirements 165 165 + 166 166 + Images referenced via `` syntax: 167 167 + 168 168 + - MUST include alt text (the `[alt]` portion MUST NOT be empty) 169 169 + - SHOULD be same-origin or from trusted, non-tracking sources 170 170 + - MUST NOT be 1x1 tracking pixels 171 171 + 172 172 + ### 4.5 Link Requirements 173 173 + 174 174 + Links are unrestricted in destination -HTTP/Minimal documents MAY link to any URL. 175 175 + 176 176 + Clients MAY warn users when following links to non-compliant origins. 177 177 + 178 178 + #### 4.5.1 URL Fragments 179 179 + 180 180 + URL fragments (`#section-name`) are supported and SHOULD work as follows: 181 181 + 182 182 + - When rendering Markdown to HTML, headings SHOULD receive auto-generated `id` attributes based on their text (lowercase, spaces replaced with hyphens) 183 183 + - Clients receiving `text/markdown` SHOULD scroll to the heading matching the fragment 184 184 + - Fragment matching SHOULD be case-insensitive 185 185 + 186 186 + For example, `## My Section` would be reachable via `#my-section`. 187 187 + 188 188 + ### 4.6 Metadata 189 189 + 190 190 + Document metadata SHOULD be provided via a YAML front matter block: 191 191 + 192 192 + ```markdown 193 193 + --- 194 194 + title: My Document 195 195 + author: Jane Doe 196 196 + date: 2025-12-27 197 197 + lang: en 198 198 + --- 199 199 + 200 200 + # My Document 201 201 + 202 202 + Content begins here. 203 203 + ``` 204 204 + 205 205 + Recognized front matter fields: 206 206 + 207 207 + | Field | Required | Description | 208 208 + |-------|----------|-------------| 209 209 + | `title` | RECOMMENDED | Document title | 210 210 + | `author` | No | Author name or identifier | 211 211 + | `date` | No | Publication date (ISO 8601) | 212 212 + | `lang` | No | Language code (BCP 47) | 213 213 + | `license` | No | Content license (SPDX identifier or URL) | 214 214 + 215 215 + Clients SHOULD use `title` for window/tab titles and `lang` for text rendering. 216 216 + 217 217 + --- 218 218 + 219 219 + ## 5. Client Rendering 220 220 + 221 221 + ### 5.1 Dedicated Clients 222 222 + 223 223 + HTTP/Minimal clients SHOULD: 224 224 + 225 225 + 1. Parse Markdown and render to styled, readable output 226 226 + 2. Apply a legible default stylesheet (user-configurable) 227 227 + 3. Strip any raw HTML before rendering 228 228 + 4. Display images inline with alt text fallback 229 229 + 5. Make links clearly navigable 230 230 + 231 231 + ### 5.2 Browser Rendering 232 232 + 233 233 + Standard browsers receiving `text/markdown` will typically display raw source. Options for browser compatibility: 234 234 + 235 235 + **Option A: Server-side rendering** 236 236 + 237 237 + Servers MAY content-negotiate and serve pre-rendered HTML to browsers: 238 238 + 239 239 + - Request with `Accept: text/markdown` → serve Markdown 240 240 + - Request with `Accept: text/html` → serve HTML rendering 241 241 + 242 242 + The HTML rendering MUST be a direct transformation of the Markdown source with no additions (no scripts, no tracking, no analytics). 243 243 + 244 244 + **Option B: Client-side rendering via browser extension** 245 245 + 246 246 + Browser extensions may render `text/markdown` responses directly. 247 247 + 248 248 + **Option C: Raw display** 249 249 + 250 250 + Markdown is human-readable as source. No rendering required. 251 251 + 252 252 + ### 5.3 Suggested Default Styles 253 253 + 254 254 + Clients SHOULD apply sensible typographic defaults: 255 255 + 256 256 + - Readable font (system serif or sans-serif) 257 257 + - Comfortable line length (45-75 characters) 258 258 + - Adequate line height (1.4-1.6) 259 259 + - Responsive viewport handling 260 260 + - Respect user preferences (dark mode, font size) 261 261 + 262 262 + --- 263 263 + 264 264 + ## 6. Discovery and Verification 265 265 + 266 266 + ### 6.1 Well-Known Endpoint 267 267 + 268 268 + Compliant servers SHOULD serve a policy document at: 269 269 + 270 270 + ``` 271 271 + /.well-known/http-minimal 272 272 + ``` 273 273 + 274 274 + This document is a JSON object: 275 275 + 276 276 + ```json 277 277 + { 278 278 + "http_minimal": "0.1", 279 279 + "compliant": true, 280 280 + "scope": "/", 281 281 + "contact": "mailto:admin@example.com", 282 282 + "validator": "https://example.com/validation-report.json" 283 283 + } 284 284 + ``` 285 285 + 286 286 + | Field | Required | Description | 287 287 + |-------|----------|-------------| 288 288 + | `http_minimal` | Yes | Spec version | 289 289 + | `compliant` | Yes | Self-attestation | 290 290 + | `scope` | No | Path prefix this policy applies to (default: entire origin) | 291 291 + | `contact` | No | Maintainer contact | 292 292 + | `validator` | No | URL to a third-party validation report | 293 293 + 294 294 + ### 6.2 Link Header 295 295 + 296 296 + Responses MAY include: 297 297 + 298 298 + ``` 299 299 + Link: </.well-known/http-minimal>; rel="profile" 300 300 + ``` 301 301 + 302 302 + ### 6.3 Compliance Badge (Optional) 303 303 + 304 304 + Documents MAY include a compliance indicator: 305 305 + 306 306 + ```markdown 307 307 + --- 308 308 + [HTTP/Minimal Compliant](/.well-known/http-minimal) 309 309 + ``` 310 310 + 311 311 + --- 312 312 + 313 313 + ## 7. Example Document 314 314 + 315 315 + ```markdown 316 316 + --- 317 317 + title: Welcome to HTTP/Minimal 318 318 + author: Jane Doe 319 319 + date: 2025-12-27 320 320 + lang: en 321 321 + --- 322 322 + 323 323 + # Welcome to HTTP/Minimal 324 324 + 325 325 + This is a document served over **HTTP/Minimal** - a constrained version of 326 326 + HTTPS for human-readable content without tracking, scripts, or manipulation. 327 327 + 328 328 + ## What is this? 329 329 + 330 330 + HTTP/Minimal is not a new protocol. It's a voluntary restriction on how 331 331 + HTTP is used: 332 332 + 333 333 + - HTTPS only, no exceptions 334 334 + - No cookies or authentication headers 335 335 + - No JavaScript, ever 336 336 + - Content is Markdown, not HTML 337 337 + 338 338 + ## Why Markdown? 339 339 + 340 340 + Markdown is: 341 341 + 342 342 + 1. Human-readable as source 343 343 + 2. Human-writable without tooling 344 344 + 3. Transparent - tracking pixels are visible in source and enforceable by clients 345 345 + 4. Universally supported 346 346 + 347 347 + ## Learn More 348 348 + 349 349 + Read the full [specification](/spec) or view the 350 350 + [source for this page](/source/index.md). 351 351 + 352 352 + --- 353 353 + 354 354 + *[HTTP/Minimal Compliant](/.well-known/http-minimal)* 355 355 + ``` 356 356 + 357 357 + --- 358 358 + 359 359 + ## 8. Relationship to Other Specifications 360 360 + 361 361 + ### Gemini Protocol 362 362 + 363 363 + HTTP/Minimal shares philosophical goals with Gemini (simplicity, anti-tracking, anti-JavaScript) but differs in approach: 364 364 + 365 365 + | Aspect | Gemini | HTTP/Minimal | 366 366 + |--------|--------|--------------| 367 367 + | Transport | New protocol (gemini://) | HTTPS | 368 368 + | Content format | text/gemini | text/markdown | 369 369 + | Browser support | Requires dedicated client | Works with extensions or server-side rendering | 370 370 + | Port | 1965 | 443 | 371 371 + 372 372 + ### Gemtext vs Markdown 373 373 + 374 374 + Gemini's text/gemini format is simpler than Markdown (one link per line, no inline formatting). HTTP/Minimal accepts the tradeoff of a slightly more complex format for broader tooling support. 375 375 + 376 376 + ### Semantic Web / Microformats 377 377 + 378 378 + HTTP/Minimal Markdown documents can include semantic meaning via: 379 379 + 380 380 + - Structured YAML front matter 381 381 + - Consistent heading hierarchies 382 382 + - Machine-parseable date/author metadata 383 383 + 384 384 + --- 385 385 + 386 386 + ## 9. Security Considerations 387 387 + 388 388 + - **No cookies** eliminates CSRF and session hijacking vectors 389 389 + - **No JavaScript** eliminates XSS entirely 390 390 + - **No forms** eliminates CSRF for data submission 391 391 + - **No raw HTML** prevents injection attacks 392 392 + - **HTTPS required** ensures transport security 393 393 + 394 394 + Remaining vectors: 395 395 + 396 396 + - **Malicious links** - users may still be linked to harmful external sites 397 397 + - **Image-based tracking** - external images can still leak requests; clients MAY block third-party images 398 398 + - **Cache timing** - sophisticated attackers may infer browsing history via cache timing; out of scope 399 399 + 400 400 + --- 401 401 + 402 402 + ## 10. Future Considerations 403 403 + 404 404 + Items explicitly deferred for future versions: 405 405 + 406 406 + - **Signed content** - integration with Signed HTTP Exchanges or content-addressed storage 407 407 + - **Content addressing** - integration with IPFS, AT Protocol, or content-hash URLs 408 408 + - **Client certificates** - Gemini-style TOFU identity without cookies 409 409 + - **Extended metadata** - richer front matter schemas (JSON-LD, etc.) 410 410 + - **Media embedding** - whether/how to handle audio and video 411 411 + 412 412 + --- 413 413 + 414 414 + ## Appendix A: Validator Pseudocode 415 415 + 416 416 + ```python 417 417 + def validate_response(response): 418 418 + errors = [] 419 419 + 420 420 + # Check forbidden response headers 421 421 + forbidden = ['set-cookie', 'www-authenticate', 'refresh'] 422 422 + for header in forbidden: 423 423 + if header in response.headers: 424 424 + errors.append(f"Forbidden header: {header}") 425 425 + 426 426 + # Check content type 427 427 + content_type = response.headers.get('content-type', '') 428 428 + if not content_type.startswith('text/markdown'): 429 429 + errors.append("Content-Type must be text/markdown") 430 430 + 431 431 + # Parse Markdown 432 432 + doc = parse_markdown(response.body) 433 433 + 434 434 + # Check for raw HTML 435 435 + if contains_raw_html(doc): 436 436 + errors.append("Raw HTML is forbidden") 437 437 + 438 438 + # Check images have alt text 439 439 + for image in doc.images: 440 440 + if not image.alt: 441 441 + errors.append(f"Image missing alt text: {image.url}") 442 442 + 443 443 + return errors 444 444 + ``` 445 445 + 446 446 + --- 447 447 + 448 448 + ## Appendix B: Content-Type Registration 449 449 + 450 450 + This specification uses `text/markdown` as defined in [RFC 7763](https://datatracker.ietf.org/doc/html/rfc7763). 451 451 + 452 452 + Recommended Content-Type header: 453 453 + 454 454 + ``` 455 455 + Content-Type: text/markdown; charset=utf-8; variant=CommonMark 456 456 + ``` 457 457 + 458 458 + --- 459 459 + 460 460 + ## Appendix C: Migration Checklist 461 461 + 462 462 + For existing sites adopting HTTP/Minimal: 463 463 + 464 464 + - [ ] Enable HTTPS if not already 465 465 + - [ ] Convert content to Markdown (or add Markdown alongside HTML) 466 466 + - [ ] Configure server to serve `.md` files as `text/markdown` 467 467 + - [ ] Remove all analytics (Google Analytics, Plausible, etc.) 468 468 + - [ ] Remove comment systems or link to external discussion 469 469 + - [ ] Ensure all images have alt text 470 470 + - [ ] Ensure no raw HTML in Markdown source 471 471 + - [ ] Add `/.well-known/http-minimal` endpoint 472 472 + - [ ] Run validator against all documents 473 473 + - [ ] Optional: implement content negotiation for HTML clients 474 474 + 475 475 + --- 476 476 + 477 477 + ## Appendix D: Server Configuration Examples 478 478 + 479 479 + ### Nginx 480 480 + 481 481 + ```nginx 482 482 + location ~ \.md$ { 483 483 + types { text/markdown md; } 484 484 + charset utf-8; 485 485 + add_header Link '</.well-known/http-minimal>; rel="profile"'; 486 486 + 487 487 + # Remove forbidden headers (shouldn't exist, but defensive) 488 488 + proxy_hide_header Set-Cookie; 489 489 + proxy_hide_header WWW-Authenticate; 490 490 + } 491 491 + ``` 492 492 + 493 493 + ### Caddy 494 494 + 495 495 + ```caddyfile 496 496 + @markdown path *.md 497 497 + header @markdown Content-Type "text/markdown; charset=utf-8" 498 498 + header @markdown Link "</.well-known/http-minimal>; rel=\"profile\"" 499 499 + header @markdown -Set-Cookie 500 500 + ``` 501 501 + 502 502 + ### Static file server (Go) 503 503 + 504 504 + ```go 505 505 + http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { 506 506 + if r.Method != "GET" && r.Method != "HEAD" { 507 507 + http.Error(w, "Method not allowed", 405) 508 508 + return 509 509 + } 510 510 + 511 511 + if strings.HasSuffix(r.URL.Path, ".md") { 512 512 + w.Header().Set("Content-Type", "text/markdown; charset=utf-8") 513 513 + w.Header().Set("Link", "</.well-known/http-minimal>; rel=\"profile\"") 514 514 + } 515 515 + 516 516 + http.FileServer(http.Dir("./public")).ServeHTTP(w, r) 517 517 + }) 518 518 + ``` 519 519 + 520 520 + --- 521 521 + 522 522 + ## Acknowledgments 523 523 + 524 524 + This specification draws inspiration from: 525 525 + 526 526 + - **[Gemini Protocol](https://geminiprotocol.net/)** - for proving that radical simplicity has an audience 527 527 + - **["Gemini is Solutionism at its Worst"](https://xn--gckvb8fzb.com/gemini-is-solutionism-at-its-worst/)** - マリウス's critique arguing Gemini's goals could be achieved via HTTP with constraints, not a new protocol 528 528 + - **[CommonMark](https://commonmark.org/)** - for standardizing Markdown 529 529 + - **[The Web We Lost](https://www.anildash.com/2012/12/13/the-web-we-lost/)** - Anil Dash's 2012 essay on web degradation 530 530 + - **[Motherfucking Website](https://motherfuckingwebsite.com/)** - satirical proof that content needs nothing else 531 531 + - **[IndieWeb](https://indieweb.org/)** - for keeping personal publishing alive 532 532 + 533 533 + --- 534 534 + 535 535 + ## License 536 536 + 537 537 + This specification is released under [CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/) - no rights reserved. Use it, fork it, improve it.