diff --git a/hideout/hideout-activitypub/src/main/kotlin/dev/usbharu/hideout/activitypub/config/ActivityPubSecurityConfig.kt b/hideout/hideout-activitypub/src/main/kotlin/dev/usbharu/hideout/activitypub/config/ActivityPubSecurityConfig.kt
index 9676aa01..6890b0b0 100644
--- a/hideout/hideout-activitypub/src/main/kotlin/dev/usbharu/hideout/activitypub/config/ActivityPubSecurityConfig.kt
+++ b/hideout/hideout-activitypub/src/main/kotlin/dev/usbharu/hideout/activitypub/config/ActivityPubSecurityConfig.kt
@@ -8,6 +8,8 @@ import org.springframework.http.HttpMethod.POST
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.util.matcher.AnyRequestMatcher
+import org.springframework.security.web.util.matcher.RequestMatcher
 
 @Configuration
 class ActivityPubSecurityConfig {
@@ -15,11 +17,16 @@ class ActivityPubSecurityConfig {
     @Order(4)
     fun activityPubSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
         http {
+            securityMatcher(RequestMatcher {
+                val accept = it.getHeader("Accept") ?: ""
+                return@RequestMatcher accept == "application/json" || accept == "application/activity+json"
+            })
             authorizeHttpRequests {
                 authorize(POST, "/inbox", permitAll)
                 authorize(POST, "/users/{username}/inbox", permitAll)
                 authorize(GET, "/outbox", permitAll)
                 authorize(GET, "/users/{username}/outbox", permitAll)
+                authorize(GET, "/users/{username}", permitAll)
             }
         }
         return http.build()
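Review bot: The `securityMatcher` added in the second hunk compares the raw `Accept` header for string equality, so a request whose header lists several media types or carries parameters (e.g. `application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams"`, the form the ActivityPub spec prescribes) never enters this chain and falls through to whichever later-ordered chain comes next, with that chain's authorization rules instead of these `permitAll` rules. Since the chain is selected by a fully client-controlled header, the match should parse the header per media type and the accepted set should be explicit, roughly as below. It would also be worth adding a terminal rule such as `authorize(anyRequest, authenticated)` (or `denyAll`) inside `authorizeHttpRequests`, so the policy for paths in this chain that match none of the listed rules does not rest on the framework default. `AnyRequestMatcher` is imported in the first hunk but does not appear to be used in the lines shown. The class body continues past the hunk.
```kotlin
// Media types that route a request into the ActivityPub chain (class-level property).
private val activityPubMediaTypes = setOf(
    "application/json",
    "application/activity+json",
    "application/ld+json",
)

securityMatcher(RequestMatcher { request ->
    // Accept may list several media types, each with optional parameters
    // (q-values, the ActivityStreams `profile`), so match per media type.
    val offered = (request.getHeader("Accept") ?: "")
        .split(',')
        .map { it.substringBefore(';').trim().lowercase() }
    offered.any { it in activityPubMediaTypes }
})
// … unchanged: authorizeHttpRequests block …
```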