Contract

static.bio is a public profile page renderer with a narrow scope:

  • Public profiles are static HTML + CSS.
  • No JavaScript executes on public profile pages.
  • No third-party resources are loaded.
  • The system is built to be auditable with curl and predictable under load.

This page is the source of truth for what the platform guarantees and what it explicitly does not do.


Guarantees

1) No-JS public profiles

Public profile pages ship no <script> tags and execute no client-side JavaScript.

  • This is a product constraint, not an optimization.
  • Any interactive behavior on public pages must be achieved via HTML/CSS only.

2) No third-party resources

Public profiles do not load resources from third-party origins:

  • No third-party fonts
  • No third-party analytics scripts
  • No third-party CDNs

All assets required to render a profile (HTML/CSS/images) are served from static.bio (or the user's custom domain pointing to static.bio).

3) CSS delivery is deterministic and cacheable

Profiles are styled using:

  • a small shared base CSS file, plus
  • a single theme CSS file for the selected theme

Both are fingerprinted and served with long-lived immutable caching. This keeps pages small while allowing many themes without bloating every response.
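The two halves of this guarantee only work together: a fingerprinted URL makes it safe to cache forever, and long-lived immutable caching is only safe when the URL is fingerprinted. The check below, an added example rather than static.bio's own tooling, captures that coupling for one CSS response. It assumes a "name.<hex digest>.css" naming convention and a one-year minimum max-age; neither is stated on this page, so adjust both to whatever the deployment actually uses.

```python
import re

# Assumed fingerprint convention for this example: /path/name.<hex digest>.css.
# static.bio's actual naming scheme is not stated on the contract page.
FINGERPRINTED = re.compile(r"^/.+\.[0-9a-f]{6,}\.css$")
ONE_YEAR = 365 * 24 * 3600  # assumed "long-lived" threshold, in seconds


def cache_control_directives(value):
    """Parse a Cache-Control header value into {directive: value or None}."""
    out = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip()] = val.strip().strip('"') if val else None
    return out


def css_delivery_ok(path, headers, min_age=ONE_YEAR):
    """True only if the stylesheet URL is fingerprinted AND the response is
    cached long-lived and immutable. Either half alone is a regression:
    an unfingerprinted file served as immutable strands users on stale CSS,
    and a fingerprinted file without immutable caching costs revalidations."""
    if not FINGERPRINTED.match(path):
        return False
    # Header names are case-insensitive; normalise so curl -I output and
    # library response objects are handled the same way.
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = cache_control_directives(lowered.get("cache-control", ""))
    try:
        max_age = int(cc.get("max-age") or 0)
    except ValueError:
        return False
    return "immutable" in cc and max_age >= min_age


if __name__ == "__main__":
    # Constructed responses; the fingerprint values are invented for the example.
    good = {"Cache-Control": "public, max-age=31536000, immutable"}
    print(css_delivery_ok("/css/base.3f9a1c.css", good))       # expected: True
    print(css_delivery_ok("/css/base.css", good))               # unfingerprinted
    print(css_delivery_ok("/css/base.3f9a1c.css",
                          {"Cache-Control": "public, max-age=600"}))  # short-lived
```

Feed it the path and headers of each stylesheet a profile references; a False for either of the two files means the "deterministic and cacheable" guarantee has regressed even though the page still renders.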

4) Minimal request surface

A public profile request does not require a client runtime. Rendering is:

  • server-side,
  • deterministic for the same inputs, and
  • structurally identical across themes (theme changes are primarily CSS, so the HTML structure does not change with the theme).

5) Performance budget as an invariant

Public profiles target a strict performance envelope:

  • Small HTML payload
  • Small CSS payload (base + theme only)
  • Fast time-to-first-byte in typical conditions

Exact numbers and methodology live in Performance and Verify.

6) Clear separation of public vs dashboard

  • The dashboard may use JavaScript (it is not part of the "No-JS public profile" contract).
  • The public profile is the constrained surface and is held to the guarantees above.

7) Safe-by-default HTML

User-supplied content (name, bio, link labels/URLs) is rendered as plain text (escaped), not raw HTML.

Known tradeoffs

  • No client runtime means fewer UI affordances. Some interactions (inline search, dynamic filtering, embeds) are intentionally unavailable on public profiles.
  • Same-origin assets still cost requests. We optimize for cacheability and byte size rather than "single-request pages."
  • Performance varies by geography and cache state. Cold caches and long-distance requests can increase TTFB; budgets are targets, not physics.
  • Strict HTML escaping limits formatting. This reduces flexibility but improves auditability and safety.

Non-goals

These are intentionally out of scope for the public profile surface:

  • Rich client interactivity (menus, animations requiring JS, dynamic widgets)
  • Third-party embeds (tweets, YouTube embeds that require JS, etc.)
  • Per-view personalization
  • A/B testing or experimentation on public pages
  • "Marketing site" behaviors (pixels, retargeting scripts, etc.)

If a feature conflicts with No-JS or no third-party resources, it does not ship on public profiles.

Definitions

Public profile
The page at https://static.bio/<username> or a custom domain mapped to a profile. This is the "contract surface."

Theme
A CSS layer that changes presentation while keeping the public profile structure stable.

Premium theme
A theme visible to everyone and previewable by all accounts, but only persistable (save & publish) by Lifetime accounts.

What you can verify

Everything important is verifiable from the outside:

  • No JS on public pages
  • No third-party hosts
  • Exact bytes over the wire
  • Response headers and caching behavior

See: Verify (curl cookbook) (linked in the sidebar).

Contract tests

These are the invariants we treat as "must never regress" for public profiles:

  • No JS: public HTML contains 0 <script> tags.
  • No third-party resources: all resource URLs are same-origin (static.bio or the user's custom domain).
  • CSS budgeted: public pages load ≤ 2 CSS files (base + theme).
  • Deterministic renderer: identical inputs produce identical HTML output.
  • Safe-by-default HTML: user content is escaped (no raw HTML injection).

(Exact commands and expected outputs live in Verify (curl cookbook).)
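The invariants above, together with the safe-by-default HTML guarantee in section 7, can be checked mechanically against the bytes curl returns. The script below is an added example written for this page, not static.bio's own test suite; it runs over a constructed sample profile with invented paths and fingerprints, and it distinguishes resources the browser fetches (stylesheets, images, scripts) from the user's own link targets, which are navigation rather than loaded resources and may legitimately point off-site. It also scans the CSS itself, because @import and url() inside a stylesheet can pull third-party resources that an HTML-only check never sees. The determinism invariant is not coded here: it is simply two fetches of the same profile compared byte for byte.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a public profile as this contract describes it.
# Paths and fingerprints are invented for the example, not fetched from static.bio.
SAMPLE_USER_FIELDS = ["Ada <script>alert(1)</script>", "Loves & builds things", "My site"]
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/base.3f9a1c.css">
<link rel="stylesheet" href="/css/theme-night.8b2e7d.css">
</head><body>
<h1>Ada &lt;script&gt;alert(1)&lt;/script&gt;</h1>
<p>Loves &amp; builds things</p>
<a href="https://example.com/ada">My site</a>
<img src="/img/ada.png" alt="">
</body></html>
"""


class ProfileAuditor(HTMLParser):
    """Collects the facts the contract invariants are stated in terms of."""

    RESOURCE_TAGS = {"img": ("src",), "source": ("src",), "video": ("src", "poster"),
                     "audio": ("src",), "iframe": ("src",), "embed": ("src",),
                     "object": ("data",), "script": ("src",)}

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.inline_handlers = []  # on* attributes are JS too, even with no <script>
        self.stylesheets = []
        self.resource_urls = []    # URLs the browser fetches; <a href> is navigation

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.script_tags += 1
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self.stylesheets.append(a.get("href", ""))
            self.resource_urls.append(a.get("href", ""))
        for key in self.RESOURCE_TAGS.get(tag, ()):
            if a.get(key):
                self.resource_urls.append(a[key])
        self.inline_handlers.extend(n for n, _ in attrs if n.lower().startswith("on"))


def foreign_host(url, allowed_hosts):
    """Host of url if it is not an allowed same-origin host, else None.
    Protocol-relative URLs (//host/...) parse with a netloc and are caught too."""
    host = urlparse(url).netloc.lower()
    return host if host and host not in allowed_hosts else None


def check_profile(html_text, allowed_hosts):
    """Run the 'must never regress' invariants against one rendered profile.
    Returns a list of failure strings; an empty list means the page passes."""
    audit = ProfileAuditor()
    audit.feed(html_text)
    failures = []
    if audit.script_tags:
        failures.append(f"no-js: {audit.script_tags} <script> tag(s) present")
    if audit.inline_handlers:
        failures.append("no-js: inline event handlers " + ", ".join(audit.inline_handlers))
    for url in audit.resource_urls:
        host = foreign_host(url, allowed_hosts)
        if host:
            failures.append(f"third-party resource from {host}: {url}")
    if len(audit.stylesheets) > 2:
        failures.append(f"css budget: {len(audit.stylesheets)} stylesheets, limit is 2")
    return failures


def user_content_is_escaped(html_text, user_fields):
    """Safe-by-default check: each user-supplied string containing markup
    characters must appear in its escaped form and never verbatim."""
    for value in user_fields:
        escaped = html.escape(value)
        if escaped == value:
            continue  # nothing to escape, so no evidence either way
        if value in html_text or escaped not in html_text:
            return False
    return True


# @import and url() inside the CSS are fetches as well.
CSS_REF = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s]+)""")


def css_foreign_refs(css_text, allowed_hosts):
    return [u for u in CSS_REF.findall(css_text) if foreign_host(u, allowed_hosts)]


if __name__ == "__main__":
    hosts = {"static.bio"}  # add the user's custom domain here when checking one
    print("html:", check_profile(SAMPLE_HTML, hosts) or "ok")
    print("escaping:", user_content_is_escaped(SAMPLE_HTML, SAMPLE_USER_FIELDS))
    print("css:", css_foreign_refs("@import url('https://fonts.third-party.example/x.css');"
                                   "body{background:url(/img/bg.png)}", hosts))
```

To use it against a live profile, pass the body from `curl -s https://static.bio/<username>` as `html_text`, the set {"static.bio", "<custom domain>"} as `allowed_hosts`, and the profile's own name, bio and link labels as `user_fields`; the escaping check is only meaningful when at least one of those fields contains a character that must be escaped, so a test account whose name includes `<` and `&` gives a stable signal.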

Versioning and changes

  • Guarantees on this page are treated as invariants.
  • When implementation changes (e.g., CSS delivery strategy), this contract is updated to remain accurate.
  • Any change that would violate a guarantee requires either:
    • not shipping, or
    • redefining the guarantee explicitly here (rare, and treated as a breaking change in spirit).