Disclosure: I work on Opennomos.
I lost count of how many sketchy "JSON beautifier" sites I pasted production API responses into before it hit me: I was sending user data to servers I knew nothing about, multiple times a day, for years.
This is a short post about why I stopped, what I use now, and the one design principle that made the switch stick.
The habit was invisible
When you're debugging an API integration, the flow goes like this:
- Copy the response body
- Open a new tab, type "json format" in the address bar
- Click the first result
- Paste, format, find the field you need
- Close the tab, forget it ever happened
I did this maybe 8 times a day. Across 5 years. That's roughly 10,000 times I pasted structured data — sometimes with PII, sometimes with tokens, sometimes with production database records — into a text box on a random domain.
I never thought about it until a colleague asked: "Where exactly does that JSON go when you hit format?"
I didn't have an answer.
The obvious risk, quantified
Most JSON tools work client-side. The formatting happens in your browser, and the data never leaves your machine.
The problem is you can't tell. A site that says "client-side only" today can ship an update tomorrow that sends your payload to a logging endpoint. You wouldn't notice unless you had DevTools open on every request — which nobody does while debugging an unrelated bug at 11pm.
The risk compounds if you work with:
- Healthcare or financial data
- Authentication tokens or session cookies
- User PII that your GDPR compliance posture assumes stays in your controlled environment
One copy-paste into the wrong tool, and you've created an incident you don't even know about.
What I use now: three constraints
I switched to json.opennomos.com, an open-source developer toolset. The thing that made me switch wasn't the feature list — it was three constraints I could verify myself:
One page, three functions. Format, validate, and convert timestamps. No account needed, no registration funnel, no upsell.
Open source, inspectable. I can read the source. If I'm paranoid, I can fork it and run it locally. That's a much stronger guarantee than a privacy policy.
No data exfiltration path I can see. No analytics SDKs, no third-party scripts, no form submissions on paste events. I checked. (An hour of paranoia that paid for itself.)
The conversion from "trust me" to "go check" is the entire value proposition.
The deeper insight: convenience tools are a supply chain
Every online tool you paste data into is a dependency in your security posture, whether you acknowledge it or not. A JSON formatter feels harmless — it's not running in production, it's not in your CI pipeline, it's not even installed — but if you've pasted a production JWT into one, it was effectively in your threat model the entire time.
I don't think most developers need to run everything locally. But I do think we should be able to answer the question "where does this data go?" for every tool in our daily workflow.
For me, that list now includes a JSON formatter. Took years to notice, took an hour to fix.
Top comments (1)
How does Opennomos handle large JSON payloads locally, I've had issues with other tools crashing on big files. Would love to hear more about your approach.