RFC 35140: The Do-Not-Stab flag in the HTTP Header

Tags: #rant(3)

Date: March 7, 2111


This document defines the syntax and semantics of the Do-Not-Stab header, a proposed HTTP header that allows users to indicate to a website their preferences about being stabbed. It also provides a standard for how services should comply with such user preferences, if they wish to.



Over the last 50 years, advancements in peripherals have allowed websites to stab users. A number of industries have popped up to provide SaaS (Stabbings as a Service). Some users have expressed discomfort when a knife is plunged into their chest, and this header allows those users to express their personal preferences.

A user preference can, of course, be ignored by bad actors. However, most stabbings are not done by malicious actors; they are simply done by law-abiding companies which will gladly stop stabbing you if you ask. This standard provides a method for a user to easily opt out of all stabbings, except those mandated by law, and ones that the company wants to do anyways.


The header has only one form, Do-Not-Stab: 1. This is because the lack of a header indicates a clear preference that the user wants to be stabbed.


A user-agent MUST NOT adopt Do-Not-Stab: 1 as the default preference. If a user-agent were to do this, web services SHOULD ignore the preference and stab the user anyways.

This is because user-agents are in no position to determine if a user wants to be stabbed or not; this must be an explicit choice that the user makes.


Microsoft has committed to supporting the Do-Not-Stab header inside the EEA (European Economic Area). Outside of the EEA, support for the header is still in progress, and you may get stabbed, even with the header set. If you are in a country that leaves the EEA, you may get stabbed.


Exceptions to the Do-Not-Stab header are accepted when commercial interests outweigh safety concerns. These include, but are not limited to


seriously, what the fuck is with companies nowadays demanding that they be told to not do the things they know they shouldn’t be doing anyways? why is microsoft respecting the user’s choice only in the EEA? because they only have to there. extremely funny how they were also the ones to set Do-Not-Track by default in IE, thereby getting everyone to ignore it for IE. because companies are god damn children and must be told no explicitly by every person individually. it’s a fucking wonder that DNT even got in as a general option and wasn’t mandated to be set per-origin, making it even more fucking useless than it is.

it’s fucking depressing when even the fucking bare minimum form of regulation is followed to the letter and no more, because every company out there fucking hates you and would sell you out to make a bit more money if they legally could. and even if they couldn’t, who’s going to stop them?

“We and our 756 partners process personal data[…]” wow big polycule this website is in, there’s no fucking way they actually need to work with that many fucking companies, what the shit? adtech is a scourge on humanity and serves zero fucking purpose.