You have a JWT that isn't decoding the way you expect. Or a Base64 string you need to inspect. Or a JSON blob from a production API response that you want to format.
The fastest thing to do is paste it into an online tool.
Most of the time this is fine. But sometimes it isn't -- and the difference matters, especially when the data you're pasting contains API keys, PII, internal infrastructure details, or anything you wouldn't want showing up in a server log somewhere.
Here's a checklist I go through before I paste anything remotely sensitive into an online tool.
1. Open the Network Tab First
Before you paste anything, open DevTools (F12) and go to the Network tab. Clear it, then paste your data into the tool and trigger the processing.
Watch what happens.
If the tool is genuinely client-side, you should see nothing -- or at most static asset requests. If you see an XHR or fetch request go out the moment you paste, your data just left your browser. That's not necessarily malicious, but it means you've handed your input to a server you know nothing about.
This one step catches a surprising number of tools that market themselves as "private" or "instant" but are quietly sending data back to a backend.
2. Check for HTTPS -- But Don't Stop There
HTTPS means the connection is encrypted in transit. It does not mean the server isn't logging your input. These are completely separate concerns.
A tool running over HTTPS can still store every paste in a database. Encryption in transit protects you from eavesdroppers on the network. It says nothing about what happens to your data once it arrives at the destination.
HTTPS is a baseline requirement, not a privacy guarantee.
3. Look at the Source or Check Their Privacy Policy
If a tool claims to be client-side, you can verify it. Right-click the page, view source, and look for any external API calls or server endpoints referenced in the JavaScript. If the tool is truly running in your browser, the processing logic will be right there in the JS -- readable, auditable, not hidden behind a server call.
For open-source tools, check the repo. For commercial tools, read the privacy policy and specifically look for language about logging, analytics, or data retention. Vague language like "we may collect usage data" is worth paying attention to.
4. Classify Your Data Before You Paste
Not everything deserves the same level of scrutiny. Build a quick mental model:
- Low sensitivity: Random strings, dummy data, public documentation you're trying to format -- paste freely.
- Medium sensitivity: Internal API responses with non-critical metadata, configuration files without credentials -- worth a quick check.
- High sensitivity: JWTs with embedded user data, API keys, database connection strings, anything from a production environment -- treat these like passwords. Either use a local tool or sanitize the data before pasting.
The goal isn't paranoia. It's proportionality. Most of the time you're pasting something harmless. The problem is when habit overrides judgment on the one paste that actually matters.
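For the high-sensitivity case, here is one way to inspect a JWT locally and produce a redacted copy that is safe to share. This is an added example, not code from the original post; the function names, the `SENSITIVE_CLAIMS` list and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decode and sanitize a JWT locally (Node 16+ or a browser console), no network calls.
const SENSITIVE_CLAIMS = new Set(["sub", "email", "name", "phone_number", "jti", "sid"]); // assumed list

function b64urlDecode(segment) {
  // base64url -> base64, then restore the padding that JWTs strip.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // reject invalid UTF-8
}

function b64urlEncode(text) {
  let bin = "";
  for (const b of new TextEncoder().encode(text)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    signature: parts[2], // never verified or decoded here
  };
}

function redact(value) {
  // Walk nested objects and arrays so sensitive keys are caught at any depth.
  if (Array.isArray(value)) return value.map(redact);
  if (value === null || typeof value !== "object") return value;
  return Object.fromEntries(Object.entries(value).map(
    ([k, v]) => [k, SENSITIVE_CLAIMS.has(k) ? "REDACTED" : redact(v)]));
}

function sanitizeJwt(token) {
  const { header, payload } = decodeJwt(token);
  const safe = redact(payload);
  // Rebuild a token-shaped string with the signature dropped, so it is useless as a credential.
  const enc = (obj) => b64urlEncode(JSON.stringify(obj));
  return { header, payload: safe, token: `${enc(header)}.${enc(safe)}.SIGNATURE_REMOVED` };
}

// Constructed sample token (not a real credential).
const SAMPLE = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ sub: "user-1234", email: "alice@example.com", role: "admin", exp: 1700000000 })),
  "c2lnbmF0dXJl",
].join(".");
console.log(JSON.stringify(sanitizeJwt(SAMPLE), null, 2));
```

The redacted token keeps its three-segment shape and non-sensitive claims such as `role` and `exp`, so it still reproduces most decoding problems without exposing the user or a usable signature.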
5. Ask: Would This Tool Work Offline?
This is a useful heuristic. If a tool genuinely processes everything in the browser, it should work without an internet connection once the page has loaded.
Try disconnecting from the network (or throttling to offline in DevTools) and using the tool. If it breaks, it's talking to a server. If it still works, you have strong evidence that your data isn't leaving the browser.
This doesn't catch everything -- some tools work offline but still phone home when connected -- but combined with the Network tab check, it gives you a good picture.
The Defaults Aren't Always Safe
The broader issue is that developers are trained to reach for the fastest tool available, and the fastest tool available is usually whatever ranks highest in a Google search. Most of those tools are fine. But "fine" is doing a lot of work there.
A JSON formatter that logs every paste won't announce that fact. A Base64 decoder that sells usage data won't put it in the UI. The defaults favor convenience, not privacy.
None of this requires you to stop using online tools. It just requires thirty seconds of conscious evaluation before you paste anything you'd regret seeing in a breach notification.
The Network tab is always open. Use it.