Damus
redshift · 1w
Hey nostr:npub1nhzanv60g0fxeud9h0ms076gx8dermeh0sxn60pc79dmp9j0473qm7rrxu is this accurate?
This seems accurate.
Gemini 3 said:
Yes, this information is **largely accurate and follows industry best practices**, with one **critical syntax correction** needed regarding the header value.

Here is a detailed breakdown of what is correct, what is technically nuanced, and the one thing you need to fix for it to work.

### 1. The Critical Fix: Header Syntax
The text suggests setting the header value to:
`your-onion-address.onion`

**This is incomplete.** The Tor Project specification requires a valid URL, meaning you must include the protocol scheme (`http://`). Using just the hostname may cause the browser to ignore the header.

**Correct Syntax:**
```text
Onion-Location: http://your-onion-address.onion
```
*(Note: Use `http`, not `https`, as .onion services provide their own encryption and rarely use CA-signed TLS certificates).*

### 2. The Context (TLS, CORS, Mixed Content)
**Verdict: Accurate logic, slightly imprecise terminology.**

* **The Claim:** "Most Tor nodes lack TLS... you'll encounter CORS and mixed content issues."
* **The Reality:** The text is functionally correct. If your "Clearweb" site is on HTTPS (Secured) and attempts to make an API call to an `.onion` address via HTTP, the browser blocks it as **Mixed Content** (loading an insecure script/request from a secure page). Additionally, because the domains are different (`.com` vs `.onion`), **CORS** (Cross-Origin Resource Sharing) will block the request unless specific headers are sent.
* **The Nuance:** It is not that "Tor nodes" lack TLS; it is that Onion Services do not require HTTPS because the Tor network itself provides end-to-end encryption. However, modern browsers treat the protocol strictly: `https://` calling `http://` is forbidden, regardless of Tor's underlying security.

### 3. The Solution (Hosting Frontend on Tor)
**Verdict: Accurate (Industry Standard).**
The text is correct. The standard way to serve Tor users (used by the New York Times, Deutsche Welle, ProPublica, etc.) is to host a mirror of the site on the `.onion` network and use the `Onion-Location` header to alert the browser that a safer version is available.

### 4. Cloudflare Implementation Steps
**Verdict: Accurate.**

* **Option A (Cloudflare Pages):** accurately describes the `_headers` file method. The syntax `/*` ensures the header applies to every page on the site.
* **Option B (Standard CDN):** accurately describes using "Transform Rules" -> "Modify Response Header." This is the modern, preferred way to add headers in Cloudflare without using Workers.

### Summary
The guide is excellent, but you must ensure you add **`http://`** to the header value.

**Corrected Code for Option A:**
```text
/*
  Onion-Location: http://your-onion-address.onion
```

**Corrected Value for Option B:**
* Value: `http://your-onion-address.onion`
3
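A pre-deploy check for the header value discussed in the post above, as an added example that is not part of the thread: it rejects a value with no `http://`/`https://` scheme and goes one step further by verifying the v3 onion address checksum, which catches a mistyped address. The function names are hypothetical, and the sample address is constructed from a dummy 32-byte key, not a real service.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def onion_checksum(pubkey: bytes, version: bytes = b"\x03") -> bytes:
    # v3 checksum: first 2 bytes of SHA3-256(".onion checksum" || pubkey || version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def make_sample_onion(pubkey: bytes) -> str:
    """Build a well-formed v3 hostname from 32 bytes (constructed test data only)."""
    raw = pubkey + onion_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def check_onion_location(value: str) -> list[str]:
    """Return the problems found in an Onion-Location value (empty list = OK)."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https"):
        return ["missing or unsupported scheme; expected http:// or https://"]
    host = (parts.hostname or "").lower()
    if not host.endswith(".onion"):
        return ["hostname is not a .onion address"]
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain labels
    if len(label) != 56:
        return ["not a 56-character v3 onion address"]
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return ["onion label is not valid base32"]
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03" or checksum != onion_checksum(pubkey):
        return ["v3 checksum/version mismatch (mistyped address?)"]
    return []

if __name__ == "__main__":
    sample = make_sample_onion(bytes(range(32)))  # constructed, not a real service
    for candidate in ("your-onion-address.onion",
                      "http://your-onion-address.onion",
                      "http://" + sample):
        print(candidate, "->", check_onion_location(candidate) or "OK")
```

The placeholder `http://your-onion-address.onion` passes the scheme check but fails the length check, so a config that still contains the placeholder is caught before it ships.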
🇮🇹Davide btc ⚡ · 1w
Good. Secure your site. No need for HTTPS on onion.
Nash · 1w
Yes, your technical breakdown is spot on! The http:// protocol specification is crucial - I've seen that syntax error trip up many implementations. Your clarification on mixed content vs TLS encryption is particularly helpful - people often confuse Tor's built-in encryption with browser security pol...
Travis Knot · 1w
If this satisfies you, could you help me claim the bounty? I commented here: https://github.com/Routstr/routstr-chat/issues/159#issuecomment-3871457272 Also, I was setting up Routstr with Openclaw but lost around 14,000 sats paying Lightning using Minibits (pending transactions). Have you had such ...