Verify (curl cookbook)

This page contains copy/paste commands to verify the public-profile contract from the outside.

Assumptions:

  • Replace USER with a real username.
  • Replace ORIGIN with your domain (e.g., https://static.bio or a custom domain). The commands below use https://static.bio; substitute your own origin if you serve profiles from a custom domain.
  • Commands are written for macOS/Linux shells.

0) Fetch the page

curl -s https://static.bio/USER > page.html

1) No JavaScript (0 <script> tags)

curl -s https://static.bio/USER | grep -oi "<script" | wc -l

Expected:

  • 0

2) Stylesheets are budgeted (≤ 2)

Profiles should load only:

  • base CSS
  • selected theme CSS

curl -s https://static.bio/USER \
  | grep -o '<link[^>]*rel="stylesheet"[^>]*>' \
  | wc -l

Expected:

  • 1 or 2 (depending on whether you inline in a given environment)
  • In production/preview: typically 2

To see the actual stylesheet URLs:

curl -s https://static.bio/USER \
  | grep -o '<link[^>]*rel="stylesheet"[^>]*>'

3) No third-party resources (same-origin only)

The important guarantee is not "no stylesheets," it's no third-party hosts.

A simple check is to list all absolute https:// URLs in the HTML and confirm they match the expected origin(s).

curl -s https://static.bio/USER \
  | grep -Eo "https://[^\"' ]+" \
  | sort -u

Expected:

  • Either empty (if you use only relative URLs), or
  • Only your own origin(s)

If you want a stricter check for static.bio pages:

curl -s https://static.bio/USER \
  | grep -Eo "https://[^\"' ]+" \
  | grep -Ev '^https://static\.bio(/|$)' \
  | wc -l

Expected:

  • 0

Note:

  • If avatars are user-provided and may point to external hosts, you must exclude the avatar URL from this test or proxy avatars to same-origin.
  • Button destination URLs (see the analytics check below) are absolute URLs too. When analytics is disabled they show up in this list, so either scope the check to resource attributes (src= and <link href=>) or filter out the sb-button anchors before counting; outbound links are not fetched resources.

4) Measure HTML bytes (over the wire)

Raw bytes (uncompressed response body)

curl -s https://static.bio/USER \
  | wc -c \
  | awk '{printf "Bytes: %.2fKB\n", $1/1024}'

Compressed transfer size (more representative)

This reports the downloaded size when gzip is used. Confirm from /tmp/headers.txt that the response carried Content-Encoding: gzip; without it the body was sent uncompressed and the number below is just the raw size:

curl -s -H "Accept-Encoding: gzip" -D /tmp/headers.txt -o /tmp/body.gz https://static.bio/USER
wc -c /tmp/body.gz | awk '{printf "Gzip transfer: %.2fKB\n", $1/1024}'

5) Measure CSS bytes (base + theme)

First, extract CSS hrefs:

curl -s https://static.bio/USER \
  | grep -o 'href="[^"]*\.css[^"]*"' \
  | sed 's/^href="//;s/"$//' \
  | sort -u

Then fetch and measure each one (compressed transfer):

for css in $(curl -s https://static.bio/USER | grep -o 'href="[^"]*\.css[^"]*"' | sed 's/^href="//;s/"$//' | sort -u); do
  # Resolve the href to an absolute URL; root-relative paths are the usual case
  case "$css" in
    https://*) url="$css" ;;                       # already absolute
    //*)       url="https:${css}" ;;               # protocol-relative
    *)         url="https://static.bio${css}" ;;   # root-relative
  esac
  curl -s -H "Accept-Encoding: gzip" -o /tmp/css.gz "$url"
  bytes=$(wc -c /tmp/css.gz | awk '{print $1}')
  echo "$url -> $(awk -v b="$bytes" 'BEGIN{printf "%.2fKB", b/1024}') (gzip transfer)"
done

Expected:

  • Small base CSS
  • Small theme CSS
  • Stable across profiles using the same theme

If you use custom domains, adjust the url prefix accordingly.

6) Caching headers (CSS)

Fingerprinted CSS files (the hash in the filename changes whenever the content does) should be served with an immutable cache policy.

Pick one of the CSS URLs from the page and inspect headers:

curl -sI https://static.bio/css/base.SOMEHASH.css

Expected:

  • Cache-Control: public, max-age=31536000, immutable (or equivalent)
  • Content-Type: text/css

7) Direct links when analytics is disabled

If analytics is disabled, link hrefs should be the stored destination URLs (not a redirect endpoint).

List the hrefs:

curl -s https://static.bio/USER \
  | grep -o 'class="sb-button"[^>]*href="[^"]*"' \
  | sed 's/.*href="//;s/"$//'

Expected:

  • Destination URLs (e.g., https://github.com/...)

If analytics is enabled for a profile, you should instead see same-origin redirect URLs (e.g., /r/<id>).

Known tradeoffs

  • These checks are HTML-only. They don't prove what your server logs store.
  • External avatars complicate host purity. If you allow them, document and test accordingly.
  • Compression varies. Gzip size will differ by content; test representative profiles.

Contract tests (verify-level)

These are the invariants this page helps you confirm:

  • 0 script tags on public pages
  • ≤ 2 stylesheet links (base + theme)
  • no third-party hosts in resources (same-origin only)
  • immutable caching headers on fingerprinted CSS
  • direct links when analytics is disabled
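The one-liners above each test a single invariant against the live site. The script below is an added example, not part of this cookbook or of static.bio itself: it runs checks 1, 2, 3 and 7 from the list above, plus a local gzip estimate for check 4, against a saved page.html (step 0) so the whole contract can be asserted offline and in CI. The function names are this script's own, ORIGIN_HOST is an assumed variable you set for a custom domain, and the two HTML documents are constructed samples, not real profile output. Check 3 is scoped to fetched resources (src= and <link href=>) rather than every https:// string, so button destinations are not counted as third-party hosts.

```shell
#!/usr/bin/env bash
# Offline contract checks over a saved profile page (page.html from step 0).
# Added example: function names are this script's own; HTML below is constructed.

ORIGIN_HOST="${ORIGIN_HOST:-static.bio}"   # host of your own origin (assumed setting)

# 1) count <script ...> opening tags, case-insensitively (browsers ignore case)
count_scripts() {
  grep -oi '<script' "$1" | wc -l | tr -d ' '
}

# 2) count <link rel="stylesheet"> tags, whatever the attribute order
count_stylesheets() {
  grep -Eoi '<link[^>]*rel="stylesheet"[^>]*>' "$1" | wc -l | tr -d ' '
}

# URLs the browser fetches as resources: any src="..." plus href="..." on <link>.
# Anchor hrefs are excluded on purpose: button destinations are outbound links.
resource_urls() {
  { grep -Eoi 'src="[^"]*"' "$1" || true
    grep -Eoi '<link[^>]*>' "$1" | grep -Eoi 'href="[^"]*"' || true; } \
    | cut -d'"' -f2 | sort -u
}

# 3) hosts of absolute (http(s)://) or protocol-relative (//host/) resource
# URLs other than ORIGIN_HOST. Empty output means same-origin only.
foreign_hosts() {
  resource_urls "$1" \
    | grep -Eo '^(https?:)?//[^/"]+' \
    | sed -E 's#^(https?:)?//##' \
    | sort -u \
    | grep -Fvx "$ORIGIN_HOST" || true
}

# 7) hrefs of the sb-button links, and how many of them are /r/<id> redirects
button_hrefs() {
  grep -Eo 'class="sb-button"[^>]*href="[^"]*"' "$1" | sed 's/.*href="//;s/"$//' || true
}
redirect_links() {
  button_hrefs "$1" | grep -c '^/r/' || true
}

# 4) gzip size of the saved body: an estimate only, the server's compressor may differ
gzip_bytes() {
  gzip -c "$1" | wc -c | tr -d ' '
}

# Assert every invariant; analytics is "off" or "on". Returns 0 if all hold.
check_contract() {
  local f="$1" analytics="${2:-off}" fail=0 hosts
  [ "$(count_scripts "$f")" -eq 0 ]     || { echo "FAIL: script tags present"; fail=1; }
  [ "$(count_stylesheets "$f")" -le 2 ] || { echo "FAIL: more than 2 stylesheet links"; fail=1; }
  hosts=$(foreign_hosts "$f")
  [ -z "$hosts" ] || { echo "FAIL: third-party resource hosts: $(echo "$hosts" | tr '\n' ' ')"; fail=1; }
  if [ "$analytics" = off ]; then
    [ "$(redirect_links "$f")" -eq 0 ] || { echo "FAIL: /r/ redirect links while analytics is disabled"; fail=1; }
  fi
  if [ "$fail" -eq 0 ]; then echo "PASS: $f (gzip ~$(gzip_bytes "$f") bytes)"; fi
  return "$fail"
}

# Constructed samples (not real static.bio output): one compliant page, one not
WORK=$(mktemp -d)
GOOD="$WORK/good.html"; BAD="$WORK/bad.html"
cat > "$GOOD" <<'EOF'
<!doctype html><html><head>
<link rel="stylesheet" href="/css/base.abc123.css">
<link rel="stylesheet" href="/css/theme-dark.def456.css">
</head><body><img src="/avatars/USER.png" alt="">
<a class="sb-button" href="https://github.com/example">GitHub</a>
<a class="sb-button" href="https://example.org/">Site</a>
</body></html>
EOF
cat > "$BAD" <<'EOF'
<html><head>
<SCRIPT src="https://cdn.example.net/analytics.js"></SCRIPT>
<link rel="stylesheet" href="//fonts.example.com/font.css">
<link rel="stylesheet" href="/css/base.abc123.css">
<link rel="stylesheet" href="/css/theme-light.999.css">
</head><body><img src="https://static.bio/avatars/USER.png">
<a class="sb-button" href="/r/abc">GitHub</a>
</body></html>
EOF

check_contract "$GOOD" off
check_contract "$BAD" off || true
```

Run it with ORIGIN_HOST set to your custom domain when profiles are not served from static.bio. Feed it the real page.html from step 0 (check_contract page.html off, or on for a profile with analytics enabled) and wire the exit status into CI; the constructed samples at the bottom only show one pass and one fail.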