Quick PSA for anyone who reaches for an online JSON formatter, Base64 decoder, or "format my data" site: a lot of those tools send whatever you paste to their server. For random test data, fine. For anything with customer info, tokens, internal payloads, or config secrets — that's a quiet data-exfiltration risk you opted into without noticing.
The thing is, most of these operations don't need a server at all. They're built into the browser:
JSON: validate + format
JSON.stringify(JSON.parse(input), null, 2); // pretty
JSON.stringify(JSON.parse(input)); // minify
JSON.parse also throws a precise error on malformed input, which is your validator for free.
Base64: encode/decode (UTF-8 safe)
btoa(unescape(encodeURIComponent(str))); // encode, emoji-safe
decodeURIComponent(escape(atob(b64))); // decode
(The naive btoa(str) breaks on non-ASCII — the encodeURIComponent wrap fixes it.)
Color contrast: it's just math
WCAG contrast is relative luminance, not an RGB diff — linearize each channel, weight 0.2126/0.7152/0.0722, then (L1+0.05)/(L2+0.05). No API needed.
The point
If a tool can run in the browser, it should — your data never leaves the tab. I got tired of trusting random sites, so I built no-upload versions that do everything client-side:
- JSON formatter/validator: https://tsetsobg.github.io/tools/json-formatter
- Base64 encode/decode: https://tsetsobg.github.io/tools/base64-encode-decode
- WCAG contrast checker: https://tsetsobg.github.io/tools/color-contrast-checker
All free, no signup, nothing sent anywhere. Next time you're about to paste something sensitive into a tool, check whether it actually needs a server first — usually it doesn't.
Do you audit the browser tools you paste data into, or just trust the popular ones?
Top comments (0)