Security Notes

N0X uses browser isolation, Web Workers, sandboxed iframes, Pyodide WASM, COOP/COEP headers, and API route rate limits. These reduce risk, but they are not a replacement for reviewing generated code before running it.

HTML and JavaScript previews run in sandboxed iframes. Python runs in Pyodide, but CPU and memory-heavy code can still slow or crash the browser tab.

Deep Search and image generation are rate limited server-side. The limits are best-effort for serverless deployments and should be backed by edge or hosted rate limiting before serious scale.

Cloud API requests go directly from the browser to your configured OpenAI-compatible endpoint. Only use providers you trust with the text you send.