Directory media type

The directory should be served as application/http-message-signatures-directory+json; a generic JWKS type warns, anything else fails.

What this check verifies

This check reads the Content-Type header on the directory response and sorts it into three outcomes:

  • application/http-message-signatures-directory+json is the web-bot-auth media type. This passes.
  • application/jwk-set+json or generic application/json is a valid JWKS media type but not the web-bot-auth one. This is a warning: a real but minor conformance gap, not garbage.
  • Anything else (for example text/html) or a missing Content-Type fails.

The media type is matched as a substring, so charset parameters such as application/http-message-signatures-directory+json; charset=utf-8 still pass.
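The three outcomes above, as an added example that is not the checker's own code. It takes one departure from the substring match described above, labelled here as an assumption: it strips parameters and compares the media type itself, case-insensitively, so `...+json; charset=utf-8` still passes but an unrelated header value that merely contains the string does not. The point deductions come from the scoring section at the end of this page; the sample headers are constructed.

```python
from typing import Optional

WEB_BOT_AUTH_TYPE = "application/http-message-signatures-directory+json"
# Valid JWKS media types that are not the web-bot-auth one: warn, not fail.
GENERIC_JWKS_TYPES = {"application/jwk-set+json", "application/json"}

# Point deductions from the "How the checker scores this" section.
DEDUCTION = {"pass": 0, "warn": 6, "fail": 25}


def media_type_essence(content_type: str) -> str:
    """Return the type/subtype of a Content-Type value, lower-cased, with any
    parameters (for example '; charset=utf-8') and surrounding whitespace removed.
    Media types are case-insensitive, so 'Application/JSON' is 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def classify_content_type(content_type: Optional[str]) -> tuple[str, str]:
    """Sort a directory response's Content-Type into 'pass', 'warn' or 'fail'.

    Returns (outcome, reason). Assumption relative to the page: the media type
    is compared after stripping parameters rather than by substring match.
    """
    if content_type is None or not content_type.strip():
        return "fail", "missing Content-Type header"
    essence = media_type_essence(content_type)
    if essence == WEB_BOT_AUTH_TYPE:
        return "pass", f"{essence} is the web-bot-auth media type"
    if essence in GENERIC_JWKS_TYPES:
        return "warn", f"{essence} is a valid JWKS media type but not the web-bot-auth one"
    return "fail", f"{essence!r} is not a key directory media type"


def score(content_type: Optional[str]) -> int:
    """Points deducted for this advisory check given the raw header value."""
    outcome, _ = classify_content_type(content_type)
    return DEDUCTION[outcome]


if __name__ == "__main__":
    # Constructed sample header values covering every outcome.
    samples = [
        "application/http-message-signatures-directory+json",
        "application/http-message-signatures-directory+json; charset=utf-8",
        "Application/JWK-Set+JSON",
        "application/json",
        "text/html; charset=utf-8",
        None,
    ]
    for ct in samples:
        outcome, reason = classify_content_type(ct)
        print(f"{str(ct):68} -> {outcome:4} (-{DEDUCTION[outcome]:2}) {reason}")
```

Because the check is advisory, `score` only ever returns a deduction; the verdict is decided elsewhere, which matches the "affects the grade but does not change the verdict" rule below.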

Why it matters

The web-bot-auth directory draft (section 3) defines application/http-message-signatures-directory+json as the media type for this document. Declaring it tells a verifier that the body is specifically a web-bot-auth key directory, not just some JWKS that happens to live at the path. A body served under a generic JWKS type still parses as a key set, which is why it warns rather than fails, but it is a conformance gap an operator should close.

A text/html content type usually means the response is not a directory at all: an error page, a redirect landing page, or a misrouted request returning the site’s HTML. That is why it fails. A missing content type leaves the verifier guessing and is treated the same way.

The media type affects the grade but does not change the verdict. A directory with the wrong content type but otherwise valid keys is still a real directory.

How to fix it

Set the response header to the web-bot-auth media type:

Content-Type: application/http-message-signatures-directory+json

Avoid the generic alternatives that only warn:

Content-Type: application/jwk-set+json
Content-Type: application/json

The usual cause is serving the file through a static file server or framework that infers application/json from the .json extension, or returns text/html for an unmatched route. Set the header explicitly on the well-known path.
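The fix above in code, as an added example that is neither the checker's nor the draft's own code: a minimal Python http.server that serves a constructed directory on the well-known path with the web-bot-auth media type set explicitly, and answers every other path with a plain 404 instead of falling through to an HTML page. The path /.well-known/http-message-signatures-directory is assumed from the draft and should be confirmed against the version you deploy; the JWK inside is a placeholder, not a real key.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

DIRECTORY_MEDIA_TYPE = "application/http-message-signatures-directory+json"
# Assumed well-known path for the directory (taken from the draft); confirm it
# against the draft version you deploy.
DIRECTORY_PATH = "/.well-known/http-message-signatures-directory"

# Constructed sample directory. The "x" value is 32 bytes of 0x01 in base64url,
# a placeholder rather than a usable Ed25519 public key.
DIRECTORY = {
    "keys": [
        {
            "kty": "OKP",
            "crv": "Ed25519",
            "kid": "example-2025-01",
            "x": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE",
        }
    ]
}
DIRECTORY_BODY = json.dumps(DIRECTORY, separators=(",", ":")).encode("utf-8")


def directory_response(path: str) -> tuple[int, dict[str, str], bytes]:
    """Route one GET. The well-known path gets the directory with the
    web-bot-auth media type set explicitly, so no extension-based guess
    (application/json for a .json file) can apply. Anything else gets a
    plain-text 404: frameworks usually answer unmatched routes with an HTML
    error page, which is exactly the text/html the check fails on."""
    if path == DIRECTORY_PATH:
        return 200, {"Content-Type": DIRECTORY_MEDIA_TYPE}, DIRECTORY_BODY
    return 404, {"Content-Type": "text/plain; charset=utf-8"}, b"not found\n"


class DirectoryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Ignore any query string when routing.
        status, headers, body = directory_response(self.path.split("?", 1)[0])
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        # Keep the demo quiet; a real deployment would log normally.
        pass


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 8080), DirectoryHandler)
    print(f"serving {DIRECTORY_PATH} on http://127.0.0.1:8080")
    server.serve_forever()
```

On a static host or CDN the equivalent is an explicit content-type rule scoped to that one path, overriding whatever the server infers from the .json extension; `curl -sI` against the path is enough to confirm the header after deploying.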

References

  • The web-bot-auth directory draft (draft-meunier-http-message-signatures-directory), section 3, defines the application/http-message-signatures-directory+json media type.
  • RFC 7517 defines application/jwk-set+json for a JSON Web Key Set.
  • How grading works explains how a media-type warning moves the grade without changing the verdict.

How the checker scores this

Tier: JWKS directory
Role: Advisory. Failing this never caps the grade or changes the verdict.
Point deduction: A failure deducts 25 points; a warning deducts 6.