Sentry co-founder David Cramer published a post on March 12, 2026 making a practical case for optimizing web content for AI agents using standard HTTP content negotiation. The core argument: when a server receives a request with the Accept: text/markdown header, it can reliably treat that request as coming from an agent rather than a human browser, and respond with content tailored accordingly. Cramer positions this as a superior successor to the LLMs.txt proposal, which he credits with identifying the right problem but faults for choosing the wrong mechanism. Sentry has already shipped the approach across its own properties.
Cramer outlines three concrete implementations. On docs.sentry.io, agents receive true markdown output with browser navigation stripped, and index pages restructured as hierarchical sitemaps rather than marketing content — reducing tokenization overhead and improving the accuracy of agent responses. On the main sentry.io homepage, rather than serving an auth-gated page an agent cannot navigate, Sentry returns a structured document pointing directly to programmatic interfaces including the Sentry MCP Server, CLI, and REST API. The third example is Warden, Sentry's open-source AI code review tool, which exposes its entire content in a single agent-readable response so an agent can fully bootstrap itself from one curl command. Warden uses the Agent Skills specification from agentskills.io to define composable SKILL.md files covering security scanning, API design review, and dependency auditing.
Hacker News commentary surfaced a security concern worth taking seriously. The same mechanism that lets Sentry serve benign agent-optimized content could be exploited by malicious sites to serve entirely different instructions to an agent than to the human who sent it there. Because the agent fetches content autonomously using the Accept: text/markdown header while the human sees a normal webpage, the two parties can receive completely different instructions — enabling exfiltration or manipulation attacks. Commenters compared this to curl-pipe-to-bash attacks: the analogy is apt, and the structural incentives are similar. As agentic browsing becomes more common, this is a likely source of near-term security incidents. The operational cost of two rendering paths also drew criticism; several commenters argued that well-structured semantic HTML might achieve similar agent-friendliness without the maintenance overhead.
Cramer has not yet published a response to either concern. The <a href="/news/2026-03-14-secure-secrets-management-for-cursor-cloud-agents-using-infisical">prompt injection risk</a>, in particular, seems likely to attract attention from browser and agent framework developers before long.