Verify (curl cookbook)
This page contains copy/paste commands to verify the public-profile contract from the outside.
Assumptions:
- Replace `USER` with a real username.
- Replace `ORIGIN` with your domain (e.g., `https://static.bio` or a custom domain).
- Commands are written for macOS/Linux shells.
0) Fetch the page

```
curl -s https://static.bio/USER > page.html
```

1) No JavaScript (0 <script> tags)

```
curl -s https://static.bio/USER | grep -o "<script" | wc -l
```

Expected: `0`
2) Stylesheets are budgeted (≤ 2)
Profiles should load only:
- base CSS
- selected theme CSS

```
curl -s https://static.bio/USER \
  | grep -o '<link[^>]*rel="stylesheet"[^>]*>' \
  | wc -l
```

Expected: `1` or `2` (depending on whether you inline in a given environment)
- In production/preview: typically `2`
To see the actual stylesheet URLs:

```
curl -s https://static.bio/USER \
  | grep -o '<link[^>]*rel="stylesheet"[^>]*>'
```

3) No third-party resources (same-origin only)
The important guarantee is not "no stylesheets"; it's no third-party hosts.
A simple check is to list all absolute https:// URLs in the HTML and confirm they match the expected origin(s). The pattern is double-quoted so that the single quote inside the bracket expression is a literal: grep does not treat `\x27` as an escape, so `[^"\x27 ]` would exclude the characters `\`, `x`, `2` and `7` and truncate any URL containing them.

```
curl -s https://static.bio/USER \
  | grep -Eo "https://[^\"' ]+" \
  | sort -u
```

Expected:
- Either empty (if you use only relative URLs), or
- Only your own origin(s)

If you want a stricter check for static.bio pages:

```
curl -s https://static.bio/USER \
  | grep -Eo "https://[^\"' ]+" \
  | grep -v '^https://static\.bio' \
  | wc -l
```

Expected: `0`

Note:
- If avatars are user-provided and may point to external hosts, you must exclude the avatar URL from this test or proxy avatars to same-origin.
4) Measure HTML bytes (over the wire)
Raw bytes (uncompressed response body):

```
curl -s https://static.bio/USER \
  | wc -c \
  | awk '{printf "Bytes: %.2fKB\n", $1/1024}'
```

Compressed transfer size (more representative). This reports the downloaded size when gzip is used; confirm in `/tmp/headers.txt` that the response actually carried `Content-Encoding: gzip`, otherwise you are measuring the uncompressed body again:

```
curl -s -H "Accept-Encoding: gzip" -D /tmp/headers.txt -o /tmp/body.gz https://static.bio/USER
wc -c /tmp/body.gz | awk '{printf "Gzip transfer: %.2fKB\n", $1/1024}'
```

5) Measure CSS bytes (base + theme)
First, extract CSS hrefs:

```
curl -s https://static.bio/USER \
  | grep -o 'href="[^"]*\.css[^"]*"' \
  | sed 's/^href="//;s/"$//' \
  | sort -u
```

Then fetch and measure each one (compressed transfer):

```
for css in $(curl -s https://static.bio/USER | grep -o 'href="[^"]*\.css[^"]*"' | sed 's/^href="//;s/"$//' | sort -u); do
  url="https://static.bio${css}"
  curl -s -H "Accept-Encoding: gzip" -o /tmp/css.gz "$url"
  bytes=$(wc -c /tmp/css.gz | awk '{print $1}')
  echo "$url -> $(awk -v b="$bytes" 'BEGIN{printf "%.2fKB", b/1024}') (gzip transfer)"
done
```

Expected:
- Small base CSS
- Small theme CSS
- Stable across profiles using the same theme

If you use custom domains, adjust the `url` prefix accordingly.
6) Caching headers (CSS)
Fingerprinted CSS files should be immutable-cacheable.
Pick one of the CSS URLs from the page and inspect headers:

```
curl -sI https://static.bio/css/base.SOMEHASH.css
```

Expected (or equivalent):

```
Cache-Control: public, max-age=31536000, immutable
Content-Type: text/css
```
7) Analytics off means direct link URLs
If analytics is disabled, link hrefs should be the stored destination URLs (not a redirect endpoint).
List the hrefs:

```
curl -s https://static.bio/USER \
  | grep -o 'class="sb-button"[^>]*href="[^"]*"' \
  | sed 's/.*href="//;s/"$//'
```

Expected:
- Destination URLs (e.g., `https://github.com/...`)

If analytics is enabled for a profile, you should instead see same-origin redirect URLs (e.g., `/r/<id>`).
Known tradeoffs
- These checks are HTML-only. They don't prove what your server logs store.
- External avatars complicate host purity. If you allow them, document and test accordingly.
- Compression varies. Gzip size will differ by content; test representative profiles.
Contract tests (verify-level)
These are the invariants this page helps you confirm:
- 0 script tags on public pages
- ≤ 2 stylesheet links (base + theme)
- no third-party hosts in resources (same-origin only)
- immutable caching headers on fingerprinted CSS
- direct links when analytics is disabled
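The HTML-level invariants above, bundled into one script that runs offline against a saved page. This is an added example, not part of the static.bio project: the HTML it checks is a constructed sample standing in for `page.html` from step 0, and the third-party check is narrowed to resource tags (`<link>`, `<img>`, `<script>`) so that the external destination hrefs step 7 expects are not counted as violations.

```shell
#!/bin/sh
# Constructed sample page standing in for `curl -s https://static.bio/USER > page.html`.
# It deliberately violates two invariants (a third-party favicon and one /r/ redirect link).
SAMPLE_HTML='<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/base.abc123.css">
<link rel="stylesheet" href="https://static.bio/css/theme-dark.def456.css">
<link rel="icon" href="https://cdn.example.net/favicon.png">
</head><body>
<img src="/img/avatar.png" alt="">
<a class="sb-button" href="https://github.com/example-user">GitHub</a>
<a class="sb-button" href="/r/abc123">Blog</a>
</body></html>'

# Count matches of an ERE in a file; `tr` strips the padding macOS `wc` adds.
count() { grep -Eo "$1" "$2" | wc -l | tr -d ' '; }

script_tags()    { count '<script' "$1"; }
stylesheets()    { count '<link[^>]*rel="stylesheet"[^>]*>' "$1"; }
redirect_links() { count 'class="sb-button"[^>]*href="/r/' "$1"; }

# Distinct absolute https:// URLs in resource tags only (link/img/script), minus
# the allowed origin given in $2 (used as a regex prefix; escape dots for strictness).
# Anchor hrefs are skipped: with analytics off they are external destinations by design.
foreign_hosts() {
  grep -Eo '<(link|img|script)[^>]*>' "$1" \
    | grep -Eo "https://[^\"' ]+" \
    | grep -v "^$2" | sort -u | wc -l | tr -d ' '
}

# Run every check; prints one line each and returns 1 if any invariant is violated.
verify_page() {
  f=$1; origin=$2; rc=0
  s=$(script_tags "$f");             echo "script tags:       $s"; [ "$s" -eq 0 ] || rc=1
  c=$(stylesheets "$f");             echo "stylesheets:       $c"; [ "$c" -le 2 ] || rc=1
  h=$(foreign_hosts "$f" "$origin"); echo "third-party hosts: $h"; [ "$h" -eq 0 ] || rc=1
  r=$(redirect_links "$f");          echo "redirect links:    $r"; [ "$r" -eq 0 ] || rc=1
  return $rc
}

printf '%s\n' "$SAMPLE_HTML" > /tmp/sample-page.html
verify_page /tmp/sample-page.html https://static.bio && echo "PASS" || echo "FAIL"
```

Point `verify_page` at a real `page.html` and your origin to run the same checks against a live profile; the cache-header invariant (step 6) still needs a separate `curl -sI` because it is not visible in the HTML.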