Security

0io.io takes security seriously. Since it redirects users to arbitrary URI schemes, multiple layers of protection are in place.

Dangerous Scheme Blocking

Three URI schemes are classified as dangerous:

• javascript: — Can execute arbitrary JavaScript in the browser
• data: — Can render arbitrary HTML/content (phishing vector)
• vbscript: — Can execute arbitrary code in legacy browsers

When a dangerous scheme is detected:

1. ❌ Auto-redirect is disabled — no window.location.replace() fires
2. ⚠️ Security warnings are displayed prominently on the page
3. 🖱️ Manual click required — the user must explicitly choose to proceed

Transparency

Every redirect page clearly shows:

• The full target URI the user is about to open
• The scheme type (Email, Phone Call, VS Code, etc.)
• A human-readable description of what will happen
• Warning messages for risky schemes

Users always know exactly where they're going before the redirect happens.

Input Handling

All user-supplied content (the URI path) is:

• HTML-escaped before insertion into HTML attributes and text content
• JS-escaped before insertion into JavaScript strings
• JSON-escaped before insertion into JSON-LD structured data

This prevents XSS attacks even if a malicious URI is crafted.

No Data Storage

0io.io does not:

• Store any user data
• Set any cookies (beyond optional analytics)
• Log request URIs server-side
• Require authentication

Each request is stateless and processed entirely at the edge.