1 files changed, 7 insertions, 0 deletions
diff --git a/05.md b/05.md
index 6c5fe6f..0de810b 100644
--- a/05.md
+++ b/05.md
@@ -71,3 +71,10 @@ Access-Control-Allow-Origin: *
 Users should ensure that their `/.well-known/nostr.json` is served with the HTTP header `Access-Control-Allow-Origin: *` to ensure it can be validated by pure JS apps running in modern browsers.
 [CORS]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
+### Security Constraints
+The `/.well-known/nostr.json` endpoint MUST NOT return any HTTP redirects. 
+Fetchers MUST ignore any HTTP redirects given by the `/.well-known/nostr.json` endpoint.

diff --git a/05.md b/05.md index 6c5fe6f..0de810b 100644 --- a/05.md +++ b/05.md
@@ -71,3 +71,10 @@ Access-Control-Allow-Origin: *
71	Users should ensure that their `/.well-known/nostr.json` is served with the HTTP header `Access-Control-Allow-Origin: *` to ensure it can be validated by pure JS apps running in modern browsers.	71	Users should ensure that their `/.well-known/nostr.json` is served with the HTTP header `Access-Control-Allow-Origin: *` to ensure it can be validated by pure JS apps running in modern browsers.
72		72
73	[CORS]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS	73	[CORS]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
		74
		75	### Security Constraints
		76
		77	The `/.well-known/nostr.json` endpoint MUST NOT return any HTTP redirects.
		78
		79	Fetchers MUST ignore any HTTP redirects given by the `/.well-known/nostr.json` endpoint.
		80