Developers use free online tools every day — JSON formatters, Base64 decoders, regex testers, password generators. We paste data into them without thinking twice.
I decided to actually check what these tools do with our input. I opened DevTools on 10 popular online developer tools, monitored the Network tab, and documented every outbound request while using them.
The results were worse than I expected.
The Test Setup
For each tool, I:
- Opened a fresh incognito window
- Navigated to the tool
- Opened DevTools → Network tab
- Cleared the log after initial page load
- Pasted test data and used the tool
- Recorded every outbound request
I used dummy data (not production data), but the point is: the tools don't know that.
What I Found
Category 1: Tools that process everything server-side
Several popular tools send your input to their own backend for processing. When you paste JSON into their formatter, it goes to their server, gets formatted, and comes back. This means:
- Your data passes through their infrastructure
- It could be logged, cached, or stored
- If they're breached, your data is exposed
This was true for formatters, encoders, and even some password generators. Yes — tools that generate passwords by sending a request to a server. The server knows every password it generates for you.
Category 2: Tools that are client-side but load third-party scripts
Some tools genuinely process your input in the browser. Good. But they also load Google Analytics, Facebook Pixel, ad network scripts, Hotjar session recording, and various other third-party JavaScript.
These scripts can:
- Record your keystrokes (session replay tools literally do this)
- Track which tools you use and when
- Fingerprint your browser
- In the worst case, read DOM content — including your input
A tool being "client-side" doesn't mean it's private if it loads 15 third-party scripts.
Category 3: Tools that are genuinely local
A few tools load once and make zero outbound requests afterward. No analytics, no tracking, no server-side processing. Your input stays in your browser tab and nowhere else.
These are rare, but they exist.
How to Check Any Tool in 30 Seconds
You don't need to trust anyone's claims. Here's the process:
- Open the tool in an incognito window
- Open DevTools (F12 or Cmd+Shift+I)
- Go to the Network tab
- Let the page finish loading
- Click Clear (the circle icon) to remove initial load requests
- Use the tool — paste data, click buttons
- Watch for new requests
If you see outbound requests after you interact with the tool, your data is being sent somewhere.
You can also check the Sources tab to see what third-party scripts are loaded. Look for:
-
google-analytics.comorgoogletagmanager.com -
facebook.netorconnect.facebook.net hotjar.com-
segment.comormixpanel.com - Any domain you don't recognize
What I Use Instead
After this audit, I switched my daily-use tools to Anytools.io. I verified the claims myself:
- After initial page load: zero outbound requests while using any tool
- No Google Analytics, no Meta Pixel, no session recording
- Fonts are self-hosted (no Google Fonts requests)
- No cookies beyond theme preference
I'm not saying it's the only option. I'm saying: check your tools. Whatever you use, spend 30 seconds verifying it actually does what it claims. The tools you paste production data into should earn that trust.
The Practical Takeaway
- Never paste production tokens, API keys, or PII into an online tool without checking the Network tab first.
- "Client-side" doesn't mean "private" if the tool loads third-party tracking scripts.
- Password generators that make server requests are a contradiction. The server knows your password.
- JSON formatters that POST your JSON to a backend are sending your API responses, config files, and debug output to a third party.
The audit took 20 minutes. The habit of checking takes 30 seconds. Worth it.
Top comments (0)