Audit & Tests

This page is for skeptics, security researchers, and performance engineers who want to verify our claims independently. We invite you to test us.

What We Claim

static.bio makes the following guarantees for public profile pages:

  • Zero JavaScript: No <script> tags, no client-side JavaScript, no React hydration
  • Performance: Designed for sub-100ms TTFB (typical ~20-50ms in NA/EU, higher in distant regions)
  • Size: HTML + CSS gzipped <15KB (actual ~1.88KB)
  • Privacy: No tracking cookies, no third-party analytics, no external scripts. We only store aggregate click counts when you opt in, plus standard infrastructure logs.
  • Security: Security headers (X-Frame-Options, X-Content-Type-Options), URL scheme allowlisting, HTML escaping

How We Test Ourselves

We maintain a comprehensive test suite that runs in CI and validates our guarantees:

Performance Tests

  • Cold vs Warm: Measures cold start (first request) vs warm refresh (subsequent requests) performance
  • Soak Testing: Sends steady traffic (10 req/s) for extended periods to measure tail latency and degradation
  • Size Auditing: Validates gzipped size stays under 15KB budget
  • Multi-Region: Measures TTFB from different geographic locations

Privacy & Security Tests

  • Cookie & Script Audit: Automated checks verify zero <script> tags, no external stylesheets, no Set-Cookie headers
  • Content Escaping: Tests verify user content is properly HTML-escaped to prevent XSS
  • URL Sanitization: Tests verify malicious URL schemes (javascript:, data:, etc.) are rejected
  • Analytics Schema: Tests verify only aggregate click counts are stored, no PII (IP addresses, user-agents, etc.)
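
What the escaping and URL-scheme checks above amount to in code, as an added example written for this page (it is not static.bio's renderer or test code): the allowlist of http, https and mailto, the function names and the sample inputs are assumptions. It relies on the WHATWG URL parser built into Node, which lower-cases the scheme and strips leading whitespace and embedded tab/newline characters, so the usual case and whitespace tricks collapse to the same rejected scheme.

```javascript
// Added example for this page, not static.bio's own code.
// Assumed allowlist: profiles may only link out over http(s) or mailto.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns a normalised, safe href, or null when the link must be dropped.
function sanitizeHref(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    // WHATWG parsing lower-cases the scheme and strips leading/trailing
    // whitespace and embedded tab/newline, so "  JavaScript:alert(1)" and
    // "java\nscript:alert(1)" both end up with protocol "javascript:".
    url = new URL(raw);
  } catch {
    return null; // relative, protocol-relative ("//host") or malformed input
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escape the five characters that can break out of text or attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Render one profile link. A rejected URL degrades to plain text rather
// than disappearing, and the label is escaped in both branches.
function renderLink(label, href) {
  const safe = sanitizeHref(href);
  if (safe === null) return `<span>${escapeHtml(label)}</span>`;
  return `<a href="${escapeHtml(safe)}">${escapeHtml(label)}</a>`;
}

// Constructed inputs covering the cases the tests above describe.
const SAMPLES = [
  ['GitHub', 'https://github.com/harry-david-brown/static.bio'],
  ['Mail', 'mailto:hi@example.com'],
  ['Evil', 'javascript:alert(document.cookie)'],
  ['Evil', '  JAVASCRIPT:alert(1)'],
  ['Evil', 'java\nscript:alert(1)'],
  ['Evil', 'data:text/html,<script>alert(1)</script>'],
  ['Evil', 'vbscript:MsgBox(1)'],
  ['Evil', '//attacker.example/phish'],
  ['<img src=x onerror=alert(1)>', 'https://example.com/?a=1&b=2'],
];

for (const [label, href] of SAMPLES) console.log(renderLink(label, href));
```

Note that the allowlist is on the parsed protocol, never on a prefix of the raw string: checking `raw.startsWith('http')` would let `http://` through but also misses the whitespace and newline variants that the parser normalises away.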

CI Enforcement

All tests run automatically in CI on every push to main:

  • Performance tests validate TTFB and size budgets
  • Cookie & script audit runs on every build
  • Build fails if any guarantee is violated

How to Test Us Yourself

Here are concrete, copy-pasteable commands you can run to verify our claims:

Test: Zero JavaScript

Verify that the HTML contains no <script> tags:

curl -s https://static.bio/demo | grep -oi "<script" | wc -l

Expected result: 0 (zero script tags)

Bad result: Any number greater than 0 indicates JavaScript is present. grep -o counts every match rather than every matching line, which matters when minified HTML is served as a single line.

Test: No External Stylesheets

Verify that CSS is inlined (no external stylesheet links):

curl -s https://static.bio/demo | grep -oi 'rel="stylesheet"' | wc -l

Expected result: 0 (no external stylesheets)

Bad result: Any number greater than 0 indicates external CSS is loaded

Test: No Cookies

Verify that no Set-Cookie headers are sent. Capture the headers of a normal GET with -D rather than using -I, because -I sends a HEAD request and a server may behave differently for HEAD (for example, only set a session cookie on GET):

curl -sS -D - -o /dev/null https://static.bio/demo | grep -i "^set-cookie:" | wc -l

Expected result: 0 (no Set-Cookie headers)

Bad result: Any number greater than 0 indicates cookies are being set

Test: TTFB (Time to First Byte)

Measure the time to first byte. time_starttransfer includes DNS, TCP and TLS setup, so time_appconnect (TLS handshake complete) is printed alongside it; the difference between the two is roughly the server's share:

curl -w "TLS done: %{time_appconnect}s\nTTFB: %{time_starttransfer}s\nBytes: %{size_download}B\n" -o /dev/null -s https://static.bio/demo

Expected result: TTFB should be <200ms in most regions (typical ~20-50ms in NA/EU, higher in distant regions). Run it several times; a single cold sample is dominated by connection setup.

Bad result: TTFB consistently >500ms may indicate performance issues

Test: Response Size

Check the gzipped size of the response. Without --compressed, curl writes the gzip bytes it received straight to stdout, so wc -c counts compressed bytes; the first command confirms the server actually compressed the response:

curl -sS -D - -o /dev/null -H "Accept-Encoding: gzip" https://static.bio/demo | grep -i "^content-encoding:"
curl -s -H "Accept-Encoding: gzip" https://static.bio/demo | wc -c

Expected result: The first command prints Content-Encoding: gzip and the second a size <15KB (actual ~1.88KB)

Bad result: Size >15KB violates our size budget. If the first command prints nothing, the response was not gzipped and the second number is the uncompressed size.

Test: Security Headers

Verify security headers are present:

curl -sS -D - -o /dev/null https://static.bio/demo | grep -iE "^(x-frame-options|x-content-type-options):"

Expected result: Should see X-Frame-Options: DENY and X-Content-Type-Options: nosniff

Bad result: Missing headers indicate security configuration issues

Test: Health Check

Check system health:

curl -s https://static.bio/debug/health | jq .

Expected result: {"status": "healthy", ...} with database and renderer checks passing

Bad result: {"status": "unhealthy", ...} indicates system issues

If You Find Something

We take security and performance seriously. If you find something that violates our guarantees:

Reporting

  • GitHub Issues: Open an issue at https://github.com/harry-david-brown/static.bio
  • Email: Contact us directly (contact information in repository)

Our Commitment

We promise to:

  • Acknowledge valid findings: We will respond to all reports within 48 hours
  • Fix issues: Critical security issues will be fixed immediately; performance issues will be addressed in the next release
  • Update docs accordingly: If our guarantees change, we will update this documentation and all public-facing claims

Hall of Respect

For meaningful findings (security vulnerabilities, performance regressions, or violations of our guarantees), we will:

  • Give you credit in our changelog and documentation
  • Thank you publicly (with your permission)
  • Add you to a "Hall of Respect" section in our docs (if you want)

We believe in transparency and giving credit where it's due. If you help us improve, we'll make sure you're recognized.

Our Test Suite

You can also run our test suite yourself:

# Performance tests
npm run test:perf

# Privacy & security tests
npm run test:privacy
npm run test:cookie-script-audit
npm run test:analytics-schema

# All tests
npm run test:all

See the tests/ directory in our repository for the full test suite.