The privacy cost of online dev tools: why we built ours to leak nothing
Most "free" online formatters send your data to a server. Here is what that costs you, and how to verify a tool runs entirely in your browser.
When you paste a JSON document into a "free online formatter," it travels to someone else's server. They parse it, beautify it, and send the result back. Somewhere along the way — in their logs, in their cache, in the "Recent pastes" feed they show on the homepage — your data exists outside the machine you typed it on.
For most people this never matters. For developers, "most JSON I touch" includes API responses with auth tokens, database dumps with PII, webhook bodies with customer addresses, and config files with cloud credentials. The math doesn't work in your favor.
I've written about the 2025 CodeBeautify and JSONFormatter incident in detail. Short version: roughly five years of user-pasted content was browsable through predictable URLs; an investigation found AWS keys, database creds, AD passwords, CI/CD tokens. Canary tokens were exploited within 48 hours of being pasted. That post is the receipts; this one is the design argument.
What "in the browser" actually means
There are three places a piece of input can be processed:
- Server-side. Your bytes leave your machine. You're trusting the operator with everything you paste, every time. Logs, backups, breach exposure, court orders, employee misuse — all in scope.
- Client-side, JavaScript bundle. The page loads the formatter code into your browser; the formatting happens in your tab; nothing leaves. You're trusting the page hasn't been compromised or made to silently exfiltrate, but the data does not transit by design.
- Hybrid. Some operations local, others sent to a server for "premium features" or "AI assistance." The risk surface is whichever path your specific input takes.
devformat.tools is option 2 for the deterministic tools (formatters, validators, decoders) and a careful version of option 2 for the AI tools — small models run in-browser via WASM and ONNX, so even the AI tools don't transmit your code anywhere.
How to verify any tool yourself
You shouldn't trust me on this. Verify the tool you're using right now. Open DevTools, switch to the Network tab, clear it, paste your input, hit "format." If the only requests are to load the page assets, the tool is local. If there's a POST carrying your input, it's not.
Specifically, look for:
- A request to /api/format or /api/process with your text in the body. That's server-side processing.
- WebSocket frames going out after you type. That's streaming server-side.
- fetch calls to third-party domains (analytics or "AI providers") immediately after submit. Possible exfiltration.
Run this experiment on the JSON Formatter: paste a 200KB document, hit format, watch the network tab. There's no request. The CPU spikes on your machine, not ours.
You can also block all network I/O from the page and check the tool still works. In Chrome DevTools:
Network tab > Throttling dropdown > Offline
Try formatting. If it works offline, the processing is local. If it fails, your input was being sent somewhere.
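The Network-tab check above can be made repeatable: export the tab as a HAR after the paste and run it through a small audit. This is an added example, not devformat.tools code; it assumes Chrome's HAR export, which records WebSocket frames under the non-standard `_webSocketMessages` array on an entry, and uses a constructed HAR excerpt as input.

```javascript
// Added example, not devformat.tools code: audit a DevTools HAR export to see
// whether a pasted input ever left the browser. Embed a unique marker (here
// "CANARY-7f3a") in the input first; any request carrying it proves the bytes
// transited. Assumes Chrome's HAR, with WebSocket frames in `_webSocketMessages`.
function classifyEntry(entry, pageOrigin, pastedAtMs, marker) {
  const findings = [];
  const req = entry.request;
  const body = (req.postData && req.postData.text) || '';
  const sameOrigin = new URL(req.url).origin === pageOrigin;
  const started = Date.parse(entry.startedDateTime);
  // Paste bytes in a request body: server-side processing, full stop.
  if (body.includes(marker)) {
    findings.push({ kind: 'server-side-processing', url: req.url });
  }
  // Outgoing WebSocket frames carrying the paste: streaming server-side.
  const frames = entry._webSocketMessages || [];
  if (frames.some(f => f.type === 'send' && String(f.data).includes(marker))) {
    findings.push({ kind: 'streaming-server-side', url: req.url });
  }
  // Cross-origin request started after the paste: review it ("analytics", "AI").
  if (!sameOrigin && started >= pastedAtMs && !body.includes(marker)) {
    findings.push({ kind: 'third-party-request-after-paste', url: req.url });
  }
  return findings;
}
// Walk a whole HAR log. 'local' means only pre-paste asset loads were seen.
function auditHar(har, pageOrigin, pastedAtMs, marker) {
  const findings = har.log.entries.flatMap(e => classifyEntry(e, pageOrigin, pastedAtMs, marker));
  const leaked = findings.some(f => f.kind !== 'third-party-request-after-paste');
  const verdict = leaked ? 'data-left-browser' : findings.length ? 'review' : 'local';
  return { verdict, findings };
}
// Constructed HAR excerpt: one asset load before the paste, then the three
// kinds of traffic a server-side tool produces.
const MARKER = 'CANARY-7f3a';
const PASTED_AT = Date.parse('2025-01-01T10:00:02.000Z');
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2025-01-01T10:00:00.000Z',
    request: { method: 'GET', url: 'https://tool.example/app.js' } },
  { startedDateTime: '2025-01-01T10:00:05.000Z',
    request: { method: 'POST', url: 'https://tool.example/api/format',
               postData: { text: '{"token":"' + MARKER + '"}' } } },
  { startedDateTime: '2025-01-01T10:00:05.100Z',
    request: { method: 'GET', url: 'https://analytics.example/collect?e=format' } },
  { startedDateTime: '2025-01-01T10:00:01.000Z',
    request: { method: 'GET', url: 'wss://tool.example/stream' },
    _webSocketMessages: [{ type: 'send', data: 'fmt ' + MARKER }] },
] } };
```

A genuinely local tool yields the 'local' verdict on a HAR captured this way; a 'review' verdict means something cross-origin fired after the paste without carrying the marker, which is worth reading by hand.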
The five things a local tool can't do
Being honest about tradeoffs:
- Can't store your work across devices. Paste history is in localStorage on the current browser. Move to a new machine, you start fresh. We consider this a feature.
- Can't share by URL. Server-stored "share links" require a server. We have export-to-file and copy-to-clipboard instead. The "share link" feature is exactly what leaked at CodeBeautify.
- Can't process inputs larger than your browser can hold. Around 200MB on a modern laptop, less on mobile. For genuinely large files, you want a local CLI (jq, prettier, sqlfluff) anyway.
- Can't do server-only operations like sending an actual HTTP request to a third-party API. A "JWT verifier" that fetches a JWKS endpoint must hit the network — but it should hit the issuer directly from your browser, not via a backend. Check the network tab to confirm.
- Can't offer "your team's shared regex library" cloud-style. That requires storage. You can export/import JSON, but the persistence problem is yours.
For most workflows, these limitations don't bind. For the ones that do, that's what a self-hosted backend or a paid SaaS with proper data handling exists for.
What we ship
All deterministic tools — JSON Formatter, JWT Decoder, Hash Generator, regex tester, base64, the SQL formatter, the diff checker, everything in the registry — run entirely in your browser. Open the Network tab and confirm.
For the AI-assisted tools (commit message generator, code explainer, regex generator, SQL generator), we use ONNX Runtime Web to load a quantized small language model into your browser at first use (~150-300MB, cached). After that, inference happens via WebAssembly on your CPU. Slower than calling a cloud API, but your code stays on your machine. The model file itself is the only network I/O, and it's a static asset like a JS bundle.
A representative example you can verify: open the JWT Decoder, open DevTools' Network tab, paste a token. The request count after page load: zero.
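To make the "zero requests" claim concrete, here is what a local JWT decode amounts to. This is an added example, not the site's JWT Decoder code; it uses the public jwt.io demo token as sample input and deliberately stops at decoding, since checking the signature needs the issuer's key.

```javascript
// Added example, not devformat.tools code: decode a JWT's header and claims
// with plain base64url handling so it runs in a browser tab or in Node with
// zero network requests. Decoding is not verifying: the signature is passed
// through untouched and nothing here checks it.
function b64urlToUtf8(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error('invalid base64url segment');
  let b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';                 // restore padding
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  const bin = atob(b64);                             // browser path
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}
function decodeJwt(token, nowMs = Date.now()) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected 3 segments, got ' + parts.length);
  const header = JSON.parse(b64urlToUtf8(parts[0]));
  const payload = JSON.parse(b64urlToUtf8(parts[1]));
  // exp is seconds since epoch (RFC 7519); null when the claim is absent.
  const expired = typeof payload.exp === 'number' ? payload.exp * 1000 < nowMs : null;
  return { header, payload, expired, signature: parts[2], verified: false };
}
// Sample input: the public jwt.io demo token (HS256, no exp claim).
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
```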
The threshold question
The rule I follow personally: if the input could contain a secret, even by accident, it doesn't go to a third-party server. JSON from a real API response might contain a session cookie. A JWT for "let me decode this" is, by definition, an auth credential. A SQL query might mention a customer email in a WHERE clause. A diff might contain a .env line.
The convenience cost of "I'll just paste it into the first tool I find on Google" is invisible until the day it isn't. The CodeBeautify researchers found canaries exploited in 48 hours. The teams whose AWS keys were in that dump didn't intentionally paste their AWS keys — they pasted JSON that happened to contain them.
Privacy isn't a feature you add at the end. It's the data flow you decide on at the start. Ours starts and ends on your machine, by design.
Try it
- JSON Formatter — paste a 10MB payload, no request leaves your browser
- JWT Decoder — inspect tokens locally, including production ones
- Hash Generator — SHA-256 and friends, computed in your tab