DEV Community

Leo Zhang
Leo Zhang

Posted on

A JSON tool that doesn't send your payload to a stranger's server

Disclosure: I work on Opennomos.

I lost count of how many sketchy "JSON beautifier" sites I pasted production API responses into before it hit me: I was sending user data to servers I knew nothing about, multiple times a day, for years.

This is a short post about why I stopped, what I use now, and the one design principle that made the switch stick.

The habit was invisible

When you're debugging an API integration, the flow goes like this:

  1. Copy the response body
  2. Open a new tab, type "json format" in the address bar
  3. Click the first result
  4. Paste, format, find the field you need
  5. Close the tab, forget it ever happened

I did this maybe 8 times a day. Across 5 years. That's roughly 10,000 times I pasted structured data — sometimes with PII, sometimes with tokens, sometimes with production database records — into a text box on a random domain.

I never thought about it until a colleague asked: "Where exactly does that JSON go when you hit format?"

I didn't have an answer.

The obvious risk, quantified

Most JSON tools work client-side. The formatting happens in your browser, and the data never leaves your machine.

The problem is you can't tell. A site that says "client-side only" today can ship an update tomorrow that sends your payload to a logging endpoint. You wouldn't notice unless you had DevTools open on every request — which nobody does while debugging an unrelated bug at 11pm.

The risk compounds if you work with:

  • Healthcare or financial data
  • Authentication tokens or session cookies
  • User PII that your GDPR compliance posture assumes stays in your controlled environment

One copy-paste into the wrong tool, and you've created an incident you don't even know about.

What I use now: three constraints

I switched to json.opennomos.com, an open-source developer toolset. The thing that made me switch wasn't the feature list — it was three constraints I could verify myself:

  1. One page, three functions. Format, validate, and convert timestamps. No account needed, no registration funnel, no upsell.

  2. Open source, inspectable. I can read the source. If I'm paranoid, I can fork it and run it locally. That's a much stronger guarantee than a privacy policy.

  3. No data exfiltration path I can see. No analytics SDKs, no third-party scripts, no form submissions on paste events. I checked. (An hour of paranoia that paid for itself.)

The conversion from "trust me" to "go check" is the entire value proposition.

The deeper insight: convenience tools are a supply chain

Every online tool you paste data into is a dependency in your security posture, whether you acknowledge it or not. A JSON formatter feels harmless — it's not running in production, it's not in your CI pipeline, it's not even installed — but if you've pasted a production JWT into one, it was effectively in your threat model the entire time.

I don't think most developers need to run everything locally. But I do think we should be able to answer the question "where does this data go?" for every tool in our daily workflow.

For me, that list now includes a JSON formatter. Took years to notice, took an hour to fix.

Top comments (1)

Collapse
 
frank_signorini profile image
Frank

How does Opennomos handle large JSON payloads locally, I've had issues with other tools crashing on big files. Would love to hear more about your approach.