Every time you paste sensitive data into an online tool, you're trusting that server with your information. What if you didn't have to?
The Trust Problem
Developer tools handle sensitive data constantly. Base64-encoded JWT tokens contain user sessions. IBAN numbers are real bank accounts. Credit card test numbers can look suspiciously like real ones if you squint.
Most online tools send your input to a server, process it, and send back the result. That means:
- Your data travels over the network
- It exists on someone else's server (even briefly)
- You're trusting their security practices, logging config, and data retention policies
- You have zero visibility into what happens to your input
For a developer debugging a production JWT token at 2 AM, that's a real risk.
Our Approach: Everything Runs in Your Browser
When we built our suite of developer tools, we made a deliberate architectural decision: all data processing happens client-side.
Here's what that means in practice:
Base64 Encoding/Decoding
```javascript
// This runs in YOUR browser. Nothing leaves your machine.
function decode(input) {
  return atob(input);
}
```
base64decode.co uses the browser's native atob() and btoa() functions. Your encoded string never hits our server. Open DevTools, check the Network tab — zero API calls during encoding/decoding.
Credit Card Number Generation
namso.io generates test credit card numbers using the Luhn algorithm entirely in JavaScript. The BIN prefixes, the checksum calculation, the formatting — all client-side.
Why this matters: developers testing payment integrations often work with BINs that could be associated with real issuers. By generating everything locally, there's no log of which BINs you're testing with.
IBAN Generation
randomiban.co generates valid IBANs with correct country formats and check digits. The generation algorithm runs in the browser — we don't even know which countries you're generating IBANs for.
IMEI Generation
randomimei.com generates Luhn-valid IMEI numbers client-side. No TAC database lookups to a server. No logging of generated numbers.
How to Verify This Yourself
Don't take our word for it. Here's how to confirm:
- Open DevTools (F12) → Network tab
- Use any tool on our sites
- Watch the network requests — you'll see the initial page load and static assets. Zero requests during tool usage.
- Better yet: disconnect from the internet after the page loads. The tools still work.
That last point is the ultimate proof. If a tool works offline, your data never left your machine.
The Technical Trade-offs
Client-side processing isn't free. Here's what we gave up:
No server-side analytics on usage patterns. We can't see which BINs are popular or which countries generate the most IBANs. We chose privacy over data.
Limited complexity. Some operations (like large-scale batch generation) would be faster server-side. We cap client-side generation at reasonable limits.
No server-side validation caching. Each generation is computed fresh in the browser. For our use case, this is fine — these operations are milliseconds.
What About the Page Itself?
Fair question. The HTML, CSS, and JavaScript are served from our server (via Cloudflare CDN). You're trusting that we're not injecting malicious code into the JavaScript.
Mitigations:
- Minimal dependencies. Most tools use vanilla JavaScript. Fewer dependencies = smaller attack surface.
- Subresource Integrity (SRI) on external resources
- Content Security Policy headers to prevent injection
- Open to inspection. The JavaScript is readable (not obfuscated). View source and audit it.
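To make the SRI mitigation above concrete, here is an added example (not code from these sites) of how a browser evaluates an `integrity` attribute on an external script, written for Node.js. The function names and the sample script bytes are constructed for illustration.

```javascript
// Added example: how a browser evaluates an `integrity` attribute (SRI).
// Runs under Node.js; function names and sample bytes are illustrative.
const { createHash } = require("node:crypto");

// Relative strength used to pick which hashes in the attribute count.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build the value that goes into integrity="...": "<algo>-<base64 digest>".
function sriDigest(bytes, algo = "sha384") {
  return `${algo}-${createHash(algo).update(bytes).digest("base64")}`;
}

// Split the attribute into tokens; unknown or malformed tokens are ignored.
function parseIntegrity(attr) {
  const entries = [];
  for (const token of attr.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(?:\?.*)?$/.exec(token);
    if (m) entries.push({ algo: m[1], expected: `${m[1]}-${m[2]}` });
  }
  return entries;
}

// Only the strongest algorithm present is checked; any one match passes.
function verifyIntegrity(bytes, attr) {
  const entries = parseIntegrity(attr);
  // No usable hash means no check at all: the resource loads unverified.
  if (entries.length === 0) return { ok: true, checked: null };
  const best = entries.reduce((a, b) => (STRENGTH[b.algo] > STRENGTH[a.algo] ? b : a)).algo;
  const ok = entries
    .filter((e) => e.algo === best)
    .some((e) => sriDigest(bytes, e.algo) === e.expected);
  return { ok, checked: best };
}

// Constructed sample: an external script and a modified copy of it.
const original = Buffer.from("function decode(input) { return atob(input); }\n");
const tampered = Buffer.from("function decode(input) { return atob(input); } /* changed */\n");
const pinned = sriDigest(original); // value to publish in the <script> tag

console.log(verifyIntegrity(original, pinned)); // digest matches, script runs
console.log(verifyIntegrity(tampered, pinned)); // digest differs, browser refuses it
```

A mistyped or unsupported hash in the attribute is skipped rather than rejected, so an `integrity` value with no usable token gives no protection. Checking the published value against a locally computed digest catches that.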
Why This Matters for Compliance
If you work in a regulated environment (fintech, healthcare, enterprise), using online tools that process data server-side can violate:
- GDPR — data processing without consent
- PCI-DSS — cardholder data transmitted to unauthorized systems
- HIPAA — protected health information exposure
- SOC 2 — data handling outside approved systems
Client-side tools sidestep all of this. If the data never leaves the browser, there's no third-party processing to worry about.
TL;DR
| Concern | Server-side tools | Our client-side tools |
|---|---|---|
| Data leaves your machine | ✅ Yes | ❌ No |
| Works offline | ❌ No | ✅ Yes |
| Server logs your input | ⚠️ Maybe | ❌ Impossible |
| Compliance-friendly | ⚠️ Depends | ✅ Yes |
| Verifiable | ❌ Hard | ✅ Check Network tab |
Try It
- base64decode.co — Base64 encode/decode
- namso.io — Test credit card numbers
- randomiban.co — Random IBAN generator
- randomimei.com — Random IMEI generator
All free. All client-side. All verifiable.
Building developer tools? I'd love to hear how you handle the client-side vs. server-side decision. Drop a comment.