In November 2025, watchTowr disclosed that two of the most-used online JSON tools — jsonformatter.org and codebeautify.org — had been quietly exposing 80,000+ pasted JSON blobs through their "Save" feature for roughly five years. The leaked data included AWS keys, GitHub personal access tokens, Active Directory credentials, and database connection strings.
If you've ever pasted a config or an API response into one of those sites to pretty-print it, that data may have been publicly retrievable.
Both sites have since re-enabled "Save" with a "public by default" warning. That's a disclosure, not a fix.
So I built the version that removes the entire class of problem: a JSON formatter with no server.
The core idea: there's nowhere for your data to go
json.platotools.com is a single, self-contained HTML file. All formatting, validation, diffing, and redaction happen in your browser's JavaScript engine. There is no backend, no API call, no telemetry on what you paste.
You don't have to take my word for it:
- Open the page.
- Open DevTools → Network tab.
- Paste a giant JSON blob and format it.
- Watch the Network tab stay empty.
No requests fire when you paste. The tool can't leak your data because it never receives it. View Source shows the entire program.
What it does beyond pretty-printing
- Validator with a collapsible type-tree and JSON Schema inference
- Diff — line-level and semantic (ignore key order)
- Secret redactor — detects ~18 credential patterns (AWS, GitHub PATs, Stripe, OpenAI/Anthropic keys, JWTs, etc.) and replaces them with [REDACTED:TYPE] markers, locally
- JSON ↔ YAML toggle
- Dark mode, mobile down to 360px, keyboard shortcuts
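The "semantic" diff mode above compares structure rather than text, so reordering keys in one document produces no diff. The following is an added illustration of that idea in plain browser-compatible JavaScript; it is not the tool's own diff code, and the two sample documents (LEFT and RIGHT) are constructed for the example. By design it ignores only object key order: array order, types and values still count as changes.

```javascript
// Added example (not from json.platotools.com): a structural JSON diff that
// ignores object key order and reports every differing path.

// Classify a parsed JSON value so that {} and [] and null are distinguishable.
function kind(v) {
  if (v === null) return "null";
  if (Array.isArray(v)) return "array";
  return typeof v; // "object", "string", "number" or "boolean"
}

const hasOwn = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

// Walk both values in parallel; objects are compared by key set (sorted, so
// key order is irrelevant), arrays by index, primitives by strict equality.
function semanticDiff(a, b, path = "$", out = []) {
  const ta = kind(a), tb = kind(b);
  if (ta !== tb) {
    out.push({ path, op: "changed", from: a, to: b });
    return out;
  }
  if (ta === "object") {
    const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
    for (const k of [...keys].sort()) {
      const p = `${path}.${k}`;
      if (!hasOwn(a, k)) out.push({ path: p, op: "added", to: b[k] });
      else if (!hasOwn(b, k)) out.push({ path: p, op: "removed", from: a[k] });
      else semanticDiff(a[k], b[k], p, out);
    }
  } else if (ta === "array") {
    const n = Math.max(a.length, b.length);
    for (let i = 0; i < n; i++) {
      const p = `${path}[${i}]`;
      if (i >= a.length) out.push({ path: p, op: "added", to: b[i] });
      else if (i >= b.length) out.push({ path: p, op: "removed", from: a[i] });
      else semanticDiff(a[i], b[i], p, out);
    }
  } else if (a !== b) {
    out.push({ path, op: "changed", from: a, to: b });
  }
  return out;
}

// Convenience wrapper over raw JSON text, as a formatter would receive it.
function diffJsonText(leftText, rightText) {
  return semanticDiff(JSON.parse(leftText), JSON.parse(rightText));
}

// Constructed sample: RIGHT has every key reordered, one value flipped and
// one key added. A line-level diff would flag nearly every line; the
// semantic diff reports exactly two changes.
const LEFT = '{"name":"svc","ports":[80,443],"env":{"tls":true,"region":"eu"}}';
const RIGHT = '{"env":{"region":"eu","tls":false,"debug":true},"ports":[80,443],"name":"svc"}';

console.log(diffJsonText(LEFT, RIGHT));
```

Each entry carries a JSONPath-style location, so a config review can jump straight to `$.env.tls` instead of scanning a wall of moved lines.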
The engineering constraints
- 12 KB gzipped. No frameworks, no build step, no external requests.
- One HTML file you can save and run offline.
- The redactor's regex bank is in the page source — if you find a secret pattern it misses, you can inspect exactly what it checks for (and I'd genuinely like the bug report).
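To make concrete what a browser-side redactor of this shape does, here is an added example written for this page; it is not the regex bank from json.platotools.com and covers only a handful of illustrative pattern types. The AWS access key ID, GitHub classic PAT, Stripe live-key and JWT shapes follow the publicly documented prefixes for those credentials, but the exact lengths are my simplifying assumptions; the connection-string rule keeps the scheme and user and blanks only the password. The SAMPLE document is constructed (the AWS key is the example key from AWS's own documentation).

```javascript
// Added example (not the tool's own regex bank): redact credential-shaped
// strings in a parsed JSON document, entirely in the browser/Node runtime.
// Each pattern is an assumption chosen for illustration; real banks are larger.
const PATTERNS = [
  // AWS access key ID: "AKIA" + 16 uppercase alphanumerics
  { type: "AWS_ACCESS_KEY_ID", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // GitHub classic personal access token: "ghp_" + 36 base62 chars
  { type: "GITHUB_PAT", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  // Stripe live secret key: "sk_live_" + at least 24 alphanumerics (assumed minimum)
  { type: "STRIPE_SECRET_KEY", re: /\bsk_live_[A-Za-z0-9]{24,}\b/g },
  // JWT: three base64url segments, header segment starts with "eyJ"
  { type: "JWT", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
  // Password inside a connection string: keep "scheme://user:" and "@", drop the secret.
  { type: "URL_PASSWORD", re: /(\b[a-z][a-z0-9+.-]*:\/\/[^:\/\s@]+:)[^@\s]+(@)/gi, keepEnds: true },
];

// Apply every pattern to one string value, counting hits per type.
function redactString(text, counts) {
  let out = text;
  for (const { type, re, keepEnds } of PATTERNS) {
    out = out.replace(re, (...args) => {
      counts[type] = (counts[type] || 0) + 1;
      const marker = `[REDACTED:${type}]`;
      // keepEnds patterns capture a prefix and suffix that are safe to retain.
      return keepEnds ? `${args[1]}${marker}${args[2]}` : marker;
    });
  }
  return out;
}

// Recurse through the parsed document; only string leaves are rewritten,
// so numbers, booleans, null and key names pass through untouched.
function redactValue(value, counts) {
  if (typeof value === "string") return redactString(value, counts);
  if (Array.isArray(value)) return value.map((v) => redactValue(v, counts));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactValue(v, counts);
    return out;
  }
  return value;
}

// Entry point: takes raw JSON text, returns pretty-printed redacted text plus
// a per-type hit count. Throws on invalid JSON, which the validator step
// would normally catch first.
function redactJson(jsonText) {
  const counts = {};
  const redacted = redactValue(JSON.parse(jsonText), counts);
  return { text: JSON.stringify(redacted, null, 2), counts };
}

// Constructed sample input; none of these values is a live credential.
const SAMPLE = JSON.stringify({
  aws: { accessKeyId: "AKIAIOSFODNN7EXAMPLE", region: "us-east-1" },
  github: { token: "ghp_" + "a".repeat(36) },
  payments: "sk_live_" + "x".repeat(24),
  db: "postgres://app:hunter2@db.internal:5432/prod",
  session: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJlX3BsYWNlaG9sZGVy",
  ok: "nothing secret here",
});

console.log(redactJson(SAMPLE).text);
```

Two caveats a user of any regex redactor should keep in mind: a secret stored under a key name (or split across fields) is not caught, and a pattern bank only finds the shapes it was written for, which is exactly why having the bank in readable page source matters.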
Why "no server" is the whole point
The convenient online dev tools we all paste into are an under-appreciated supply-chain risk. The fix isn't "trust us, we added a warning" — it's architecture: if the tool runs entirely on your machine, there's no breach to have.
That principle is the wedge for the rest of the platotools.com tools too (hash, JWT decode, encode/decode, regex, diff) — all browser-side, all single-purpose.
Try it: json.platotools.com
If you spot an edge case the validator or redactor mishandles, I'd love to hear it.