How to Check If an Online JSON Formatter Uploads Your Data
Developers paste API responses, JWTs, logs, and config files into online JSON tools every day. Before pasting sensitive data, take 30 seconds to check whether the tool sends your content to a remote server.
What not to paste into tools you have not verified
Before you know how a tool handles your data, be cautious with:
- Production JWTs or access tokens
- API responses containing user data or PII
- Server logs with internal endpoints or IPs
- Config files with cloud keys or database URLs
- Webhook payloads with customer information
This is not about paranoia. In November 2025, security researchers discovered that popular online JSON tools had leaked over 80,000 code snippets — including AWS keys, GitHub tokens, and banking details — through unprotected server-side features. A quick DevTools check would have surfaced the risk.
How to verify with DevTools Network
- Open the tool in your browser.
- Open DevTools (F12) and switch to the Network tab.
- Clear existing requests so you start with a clean log.
- Paste a harmless test JSON first. Something small and fake. Check whether any new network request appears that contains your pasted content.
- Run the formatter, validator, or diff tool. Watch the Network tab for POST or PUT requests. Expand any suspicious request and check the payload tab.
- Only after the tool passes this check with test data should you consider using it with real payloads.
What to look for
POST or PUT requests after paste. If the tool sends your JSON in a POST body, it is processing server-side.
Request payloads containing your JSON. Open the request, check the Payload tab. If your pasted data is there, it left your browser.
Share or save features. If a tool generates a shareable link or saves your snippet, your data is stored on a server.
Analytics events that include pasted content. Some analytics implementations send page content alongside page metadata. Check whether analytics requests contain your JSON.
Extension background requests. Browser extensions can make background network requests unrelated to the page you are viewing. Check the Network tab after installing any extension that interacts with page content.
Browser extensions also need verification
JSON formatter extensions have the same access as the web tools they interact with — sometimes more. Check what permissions an extension requests, whether it loads remote code, and whether its source is auditable. How the SafeJSON extension works
How SafeJSON handles this
SafeJSON processes JSON in your browser. No pasted content is uploaded during formatting, validation, diff comparison, JWT decoding, JSONPath querying, or schema validation.
SafeJSON uses Google Analytics for aggregate product analytics — page views and non-sensitive events like checkout clicks. Pasted JSON, JWT tokens, schemas, query expressions, formatted output, license keys, and clipboard content are never sent to analytics.
You can verify all of this yourself. Step-by-step verification guide
FAQ
- Are all online JSON formatters unsafe?
- No. Some tools process JSON entirely in the browser. Others send your data to a remote server. Neither is inherently unsafe — but you should know which one you are using, especially when pasting sensitive data. The DevTools Network check tells you what category a tool falls into.
- Is browser-local processing the same as zero network requests?
- No. A website can load analytics, fonts, or page assets while still processing pasted JSON locally. The relevant question is: does the request contain your pasted content? Analytics requests that carry only page metadata are different from a POST that sends your JSON payload to a server.
- Can analytics be present without uploading pasted JSON?
- Yes. Many sites use analytics to measure page views and feature usage. The privacy-relevant distinction is whether the analytics payload includes pasted JSON, JWT tokens, schemas, query expressions, formatted output, license keys, or clipboard content. A site should be able to tell you what it sends to analytics and what it does not.
- How can I verify SafeJSON myself?
- Open safejson.dev, then open DevTools (F12) and go to the Network tab. Paste any JSON and run the formatter, diff, JWT decoder, JSONPath query, or Schema validator. Confirm that no request contains your pasted content. For a stronger test, switch the Network tab to Offline mode — the tools still work because all processing is local.