
Nirmal Parmar

Keeping Your JSON Private: How Online Tools Handle Your Data (and How to Pick Safe Ones)

TL;DR – Always ask “Does my JSON ever leave this tab?”

A truly private editor/formatter/diff tool runs 100 % client-side; the rest send your payload to a server (sometimes without saying so).

1 Why we paste secrets into random websites 🤦‍♂️

We’ve all done it:

  • ❌ A huge CloudWatch log in red
  • ❌ An API response that is an unreadable wall of text
  • ❌ A curl dump you just need to see

A quick Google for “JSON formatter” and—boom—your sensitive payload is sitting in some anonymous textbox on the internet.

Easy … but potentially risky.

Solution ✅: fully client-side JSON tools (JSONReader)

2 The invisible hop: how some tools “prettify”

Most online formatters take your blob → POST it to their backend → prettify → respond with HTML.

That round-trip leaves a copy on someone else’s machine. Sometimes it’s logged for “analytics”, sometimes it’s saved for public URLs.

[Screenshot: DevTools Network tab exposing a formatter that silently uploads every keystroke.]

Common red flags

  1. XHR / fetch calls as you type
  2. “Share link” that works even after you refresh (server is storing it)
  3. Heavy first-load JS but tiny subsequent CPU usage (means server did the work)

3 What “100 % client-side” really means

  • All parsing, validation, diffing and conversion run in Web Workers or on the main thread.
  • The only external calls are for static assets (JS/CSS/fonts).
  • Offline mode still works if the page is cached (try toggling DevTools ➜ Network ➜ Offline).

Quick DIY test


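```js
// Drop this in DevTools > Console, then start using the tool.
// Note: this hooks XMLHttpRequest only; fetch() calls are not captured.
const spy = new Set();
XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function () {
  spy.add(arguments[1]);             // log the request URL
  this._open.apply(this, arguments); // hand over to the original open()
};
// Enable "Preserve log" in the Console so the table survives the page unload.
window.addEventListener('beforeunload', () => console.table([...spy]));
```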
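A broader version of the console check above, as an added example that is not from the original post: the snippet above hooks only `XMLHttpRequest.open`, so this one also covers `fetch`, `navigator.sendBeacon` and `WebSocket.send`, and records whether each call carried a payload. The names `installEgressSpy` and `egressSpy` are hypothetical.

```javascript
// Added example, not from the original post. Hooks the request APIs available
// to a page's main thread and records whether each call carried a payload.
function installEgressSpy(scope) {
  const calls = [];                // one entry per outbound call
  const xhrMeta = new WeakMap();   // XHR instance -> { method, url } seen in open()
  const sizeOf = (b) =>            // 0 = no payload, -1 = payload of unknown size
    b == null ? 0 : typeof b === 'string' ? b.length : b.byteLength ?? b.size ?? -1;
  const record = (via, method, url, body) => calls.push(
    { via, method: String(method).toUpperCase(), url: String(url), size: sizeOf(body) });

  // Replace obj[name] with a wrapper that logs the call, then runs the original.
  const wrap = (obj, name, describe) => {
    if (!obj || typeof obj[name] !== 'function') return;
    const orig = obj[name];
    obj[name] = function (...args) {
      const entry = describe.apply(this, args);
      if (entry) record(...entry);
      return orig.apply(this, args);
    };
  };

  wrap(scope, 'fetch', (input, init) => {
    // input may be a URL string, a URL object, or a Request object
    const req = typeof input === 'object' && input !== null && 'url' in input ? input : null;
    return ['fetch', init?.method || req?.method || 'GET', req ? req.url : input,
      init?.body ?? req?.body];
  });
  const xhr = scope.XMLHttpRequest && scope.XMLHttpRequest.prototype;
  wrap(xhr, 'open', function (method, url) { xhrMeta.set(this, { method, url }); });
  wrap(xhr, 'send', function (body) {
    const m = xhrMeta.get(this) || { method: '?', url: '?' };
    return ['xhr', m.method, m.url, body];
  });
  wrap(scope.navigator, 'sendBeacon', (url, data) => ['beacon', 'POST', url, data]);
  wrap(scope.WebSocket && scope.WebSocket.prototype, 'send',
    function (data) { return ['websocket', 'SEND', this.url, data]; });

  // uploads(): only the calls that carried data, i.e. candidates for "my JSON left the tab"
  return { calls, uploads: () => calls.filter((c) => c.size !== 0) };
}

// Browser only: installs the hooks when pasted into the console. Use the tool,
// then run console.table(egressSpy.uploads()) before leaving the page.
if (typeof window !== 'undefined') window.egressSpy = installEgressSpy(window);
```

Hooks installed from the console do not see requests made inside Web Workers, which have their own global scope, or by code that saved a reference to the original functions before the hooks were installed. Treat an empty table as a hint and confirm with the DevTools Network tab or the offline test above.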