Written by Sam Taylor — Full-Stack Developer. I build tools that process data in your browser. More about me →Last month I was debugging a Stripe integration and pasted a webhook response into the first JSON formatter that came up on Google. The response contained a customer's email, subscription details, and a partial payment token. I formatted it, copied it, and closed the tab. Then I wondered: where did that data just go?
I opened DevTools and checked the Network tab on six popular JSON formatting tools. Four of them sent my JSON to a server. Two stored formatted output in a publicly accessible URL pattern. One included my formatted JSON in its analytics payload. Here's what I learned about keeping your data safe while formatting JSON.
The test is simple. Open Chrome DevTools (F12) → Network tab. Paste some JSON into the formatter. Click Format. Watch the Network panel. If you see any new requests appear, your JSON is being sent somewhere. A truly local tool generates zero network requests after the initial page load.
I tested jsonformatter.org, jsonformatter.curiousconcept.com, and four others. Two showed immediate POST requests with my JSON payload. jsonformatter.org saved formatted results to a URL path that was sequential — meaning someone could increment the URL and see other people's formatted JSON. This isn't malicious; it's just the default behavior of a server-side tool. But it means your data is stored somewhere you don't control.
Developers paste all kinds of sensitive data into JSON formatters without thinking. API responses from Stripe, Twilio, or AWS often contain API keys, user PII, or internal endpoints. A customer support JSON export has names, emails, and purchase history. A database dump has everything.
Even if you're "just testing," that data now lives on someone else's server. Their logs, their backups, their analytics. If they get hacked, your data is in the breach.
Before pasting sensitive JSON anywhere, check: (1) Open Network tab — any requests after page load? (2) Does the URL change when you format? (3) Is there a privacy policy that says what happens to your data? (4) Does the tool work when you disconnect from the internet?
The only JSON formatter I trust now is Formly's JSON formatter — it runs entirely in the browser using JavaScript's native JSON.parse() and JSON.stringify(). Nothing leaves your device. You can verify this in the Network tab. Disconnect your internet and it still works perfectly.
Written by Sam Taylor — Full-Stack Developer. I build tools that process data in your browser. More about me →