
Why You Should Never Paste Sensitive Data Into Online Tools

You need to format some JSON. You Google "JSON formatter," click the first result, paste your API response, and click "Format." The JSON looks beautiful. You copy it and move on.

But what just happened to that data you pasted? If the tool sends it to a server, it could be logged, stored, analyzed, or breached. And you just gave it your user data, API keys, internal endpoints, or whatever else was in that payload.

This isn't hypothetical.

The real risks

Server-side tools log your data

In 2022, security researchers found that several popular online JSON and YAML formatters were sending all pasted content to their servers for processing. The server-side code formatted the text and returned it -- but also wrote every request to access logs.

Those logs contained API keys, database connection strings, authentication tokens, internal API responses with user PII, and configuration files with secrets. All indexed, all stored.

The site operators may not have had malicious intent. Standard web server access logging captures POST bodies by default in many configurations. But the data was there, on disk, accessible to anyone who gained access to that server.

Common data people paste into online tools

Think about what you routinely paste into web-based tools:

  • JSON formatters: API responses containing user data, tokens, internal URLs
  • JWT decoders: Authentication tokens with user IDs, emails, permissions
  • Base64 decoders: Encoded credentials, certificates, configuration data
  • Regex testers: Log lines, email addresses, phone numbers
  • Diff checkers: Source code, configuration files, environment variables
  • URL decoders: URLs with API keys as query parameters
  • Markdown previewers: Internal documentation, unreleased feature specs

Any of these could contain sensitive information. And unless you've verified how the tool processes your input, you're trusting a stranger's server with that data.

The Google cache problem

Even if a tool doesn't intentionally log data, search engine crawlers can sometimes index URL parameters. If you paste data into a tool that puts it in the URL (some do this for "share" functionality), that data could end up in Google's cache.

How to verify a tool is client-side

A client-side tool processes everything in your browser. Your data never leaves your machine. Here's how to verify:

Method 1: Check the Network tab

  1. Open the tool in your browser
  2. Open Developer Tools (F12 or Cmd+Option+I)
  3. Go to the Network tab
  4. Clear existing requests
  5. Paste your data and click the tool's action button
  6. Look for POST/PUT requests. If you see any requests to the tool's server (especially with your data in the payload), it's server-side.

A properly client-side tool will show zero network requests when you use it. All processing happens in JavaScript on your machine.

Method 2: Disconnect from the internet

The simplest test: turn off WiFi, then try the tool. If it still works, it's client-side. If it breaks, it's sending your data somewhere.

Method 3: Check the source code

For open-source tools, inspect the code. Look for fetch(), XMLHttpRequest, axios, or any other HTTP client in the JavaScript. If the tool's core functionality doesn't make any outbound requests, it's client-side.
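Method 3 as an added example (not code from the original article or from any tool it names): a first-pass scan of a tool's saved JavaScript for APIs that can send input off the page or copy it into the URL, the case raised under "The Google cache problem". The sink list beyond fetch, XMLHttpRequest and axios, and both sample scripts, are constructed for illustration.

```python
import re

# Constructed sink list: fetch, XMLHttpRequest and axios are the ones named in
# the article; the others are further standard browser APIs that move data out.
SINKS = {
    "network": [
        r"\bfetch\s*\(", r"\bXMLHttpRequest\b", r"\baxios\b",
        r"\bsendBeacon\s*\(", r"\bnew\s+WebSocket\s*\(", r"\bnew\s+EventSource\s*\(",
    ],
    # Input written into the address bar lands in history, logs and shared links.
    "url": [
        r"\bhistory\.(?:pushState|replaceState)\s*\(",
        r"\blocation\.(?:hash|search|href)\s*=(?!=)",
    ],
}

# Constructed sample: formats entirely in the page.
SAMPLE_LOCAL = """\
function format(text) {
  return JSON.stringify(JSON.parse(text), null, 2);
}
"""

# Constructed sample: posts the input to a server and has a URL-based share.
SAMPLE_REMOTE = """\
async function format(text) {
  const r = await fetch('/api/format', {method: 'POST', body: text});
  return r.text();
}
function share(text) {
  location.hash = encodeURIComponent(text);
}
"""

def scan_js(source):
    """Return (line_no, kind, code) for every line that references a sink.
    Matches inside comments or strings are reported too and need a manual look."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for kind, patterns in SINKS.items():
            if any(re.search(p, line) for p in patterns):
                findings.append((no, kind, line.strip()))
    return findings

if __name__ == "__main__":
    for name, src in (("local", SAMPLE_LOCAL), ("remote", SAMPLE_REMOTE)):
        hits = scan_js(src)
        print(name, "-> no sinks found" if not hits else "")
        for no, kind, code in hits:
            print(f"  line {no} [{kind}] {code}")
```

A clean scan is not proof, since minified bundles or scripts loaded at runtime can hide a call; confirm the result with the Network tab.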

Red flags

  • The tool requires you to create an account
  • The tool shows ads that are suspiciously relevant to what you pasted
  • The tool has a "share" button that creates a URL
  • The tool takes noticeably longer than it should (network roundtrip)
  • The privacy policy mentions "anonymized data collection" or "improving our services"

Client-side alternatives for common tasks

Here are tools that process everything in the browser, verified by inspecting their network behavior:

JSON formatting and validation:

  • jsonshield.com -- client-side JSON formatter, validator, and fixer
  • Firefox/Chrome DevTools Console: JSON.stringify(JSON.parse(json), null, 2)

JWT decoding:

Base64 encoding/decoding:

Text manipulation (case conversion, line sorting, etc.):

  • VS Code's built-in commands (Ctrl+Shift+P > "Transform to...")
  • textshifter.com -- various text tools, client-side

QR code generation:

  • freeqr.org -- client-side QR generator
  • Command line: qrencode -o output.png 'data'

Regex testing:

  • regex101.com (sends data to server for some features -- be aware)
  • Your code editor's built-in find/replace with regex

Diff checking:

  • VS Code's built-in diff viewer
  • Command line: diff file1.txt file2.txt

The command-line advantage

The most secure "online tool" is the one that runs on your machine. For most developer utility tasks, there's a command-line equivalent:

# Format JSON
cat data.json | python3 -m json.tool

# Decode Base64
echo 'SGVsbG8=' | base64 -d

# Decode JWT payload
echo 'eyJhbGciOi...' | cut -d. -f2 | base64 -d | python3 -m json.tool

# Generate UUID
uuidgen

# URL decode
python3 -c "import urllib.parse; print(urllib.parse.unquote('hello%20world'))"

# Epoch to date
date -d @1700000000   # Linux
date -r 1700000000    # macOS

Zero network requests. Zero trust required.
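JWT segments use the URL-safe Base64 alphabet with the padding removed, so plain `base64 -d` in the JWT pipeline above can reject real tokens. An added local decoder (not from the original article; the sample token and claims are constructed) that handles both and renders the epoch claims as dates:

```python
import base64
import json
from datetime import datetime, timezone

def b64url_decode(segment):
    """Decode one JWT segment: URL-safe alphabet, '=' padding restored first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    """Return (header, payload) as dicts. The signature is not verified, so
    treat the result as untrusted input, exactly as with the shell pipeline."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected header.payload.signature, got {len(parts)} part(s)")
    header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, payload

def readable_times(payload):
    """Render the standard epoch claims (iat, nbf, exp) as UTC ISO timestamps."""
    return {
        name: datetime.fromtimestamp(payload[name], tz=timezone.utc).isoformat()
        for name in ("iat", "nbf", "exp") if name in payload
    }

def make_sample_token(claims):
    """Build an unsigned token from constructed claims so the demo runs offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "c2ln"])

# Constructed claims; no real user or credential.
SAMPLE_CLAIMS = {"sub": "user-123", "email": "a@example.com", "exp": 1700000000}

if __name__ == "__main__":
    header, payload = decode_jwt(make_sample_token(SAMPLE_CLAIMS))
    print(json.dumps(header, indent=2))
    print(json.dumps(payload, indent=2))
    print(readable_times(payload))
```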

Browser extensions: a middle ground

Some browser extensions provide developer utilities that run entirely locally:

  • JSON Viewer extensions format JSON responses directly in the browser
  • ModHeader lets you modify HTTP headers without an external tool
  • Wappalyzer identifies tech stacks client-side

Be selective, though. Browser extensions have access to all your browsing data. Only install extensions from trusted sources with open-source code you can verify.

What to do if you already pasted sensitive data

If you realize you pasted sensitive data into a server-side tool:

  1. Rotate any exposed credentials immediately. API keys, tokens, passwords -- regenerate them.
  2. Check for unauthorized access. Review your service logs for any activity from unknown IPs.
  3. Assume the data is compromised. Even if the tool operator is trustworthy, you don't control their security posture.

The bottom line

Convenience has a cost. Before you paste anything into an online tool, take three seconds to ask: "Would I be comfortable if this data were public?" If the answer is no, either verify the tool is client-side or use a local alternative.

The best security habit isn't avoiding online tools entirely -- it's developing the reflex to check before you paste.
