Why I wrote this: When I built the first version of aijsons.com, I considered a server-side API: POST the JSON, get formatted output back. Faster to ship, easier to add features. Then a user emailed asking whether our formatter was SOC 2 compliant before pasting a Stripe webhook payload containing live API keys. I realized I could not honestly answer that question for any server-side design — because the moment JSON hits your server, you become a data processor. I rebuilt everything client-side. This article explains why that decision was not paranoia, and how you can verify any JSON tool's privacy claims in 60 seconds.
What "Client-Side Only" Actually Means
Client-side processing means the sensitive payload is handled exclusively by the JavaScript engine in the user's browser tab. Specifically:
- No
fetch(),XMLHttpRequest, ornavigator.sendBeacon()transmits user JSON to any origin - No WebSocket sends paste content to a backend
- No Service Worker intercepts and forwards tool input (our
sw.jscaches static assets only) - Parsing, formatting, validation, and diffing run against in-memory strings and objects
What still leaves the browser: page loads (HTML/CSS/JS), analytics pageviews (GA4), ad requests (AdSense), and font CDN requests. None of these carry your JSON content — but a honest privacy story must disclose them. Our Privacy Policy and Editorial Policy spell this out explicitly.
Three Real Scenarios Where Server-Side Tools Fail Compliance Reviews
1. Fintech: Live API Keys in Webhook Payloads
Stripe, Plaid, and internal payment APIs return JSON containing secret, client_id, and account identifiers. Developers paste these into formatters daily during integration debugging. A server-side tool that logs request bodies — even accidentally in error logs — creates credential exposure. Client-side tools never create that log line.
2. Healthcare-Adjacent: FHIR and Patient Identifiers
We are not a HIPAA-covered entity, and I do not claim HIPAA certification. But developers working with FHIR bundles (patient names, MRNs, dates of birth embedded in JSON) routinely ask whether data transits third-party servers. For regulated environments, "we don't store it" is insufficient if the data was transmitted at all. Client-side architecture lets security teams approve the tool with a Network-tab audit instead of a vendor questionnaire.
3. Internal Corporate: Unreleased Product Configs
Feature flags, pricing tables, and unreleased API schemas often live in JSON config files. Pasting them into a popular online formatter sends them to an unknown operator's infrastructure — potentially in a jurisdiction your company does not permit. Self-hosted or client-side tools are the only options that pass many enterprise vendor reviews without legal review.
GDPR and Data Minimization
Under GDPR, processing personal data requires a lawful basis. A free JSON formatter that uploads payloads to a server processes personal data if the JSON contains emails, names, or identifiers — even if the operator never reads it. That triggers obligations: privacy notices, data processing agreements, retention policies, breach notification procedures.
Client-side tools sidestep this for the JSON content itself because no personal data is transferred to the operator during processing. You still collect analytics (page URL, device type) — that is disclosed in our privacy policy and is not the user's JSON payload.
The 60-Second Network Tab Audit
Do not trust marketing copy. Verify:
- Open Chrome DevTools → Network tab → check "Preserve log"
- Load the JSON tool page — note static asset requests (expected)
- Paste a unique canary string into the tool:
{"audit_token":"CANARY-7f3a9b2e"} - Click Format / Validate / Compare
- Filter Network by "Fetch/XHR" — search for
CANARY
If the canary appears in any request body, the tool is not client-side for that operation. On aijsons.com tools, the canary never appears outside the DOM. You can also disconnect Wi-Fi after page load — tools continue working because processing requires no network.
Open Source as Proof, Not Promise
Our entire site is MIT-licensed on GitHub. Security reviewers can trace JSON.parse calls in js/app.js and confirm no outbound data paths. Closed-source "client-side" tools require trust; open-source client-side tools require verification — a lower bar for enterprise approval.
What to grep for in any tool's source:
fetch(
XMLHttpRequest
sendBeacon
axios.post
navigator.clipboard.readText // OK — reads clipboard locally
api.format
/api/What Client-Side Does NOT Guarantee
Honesty matters for AdSense E-E-A-T and user trust. Client-side architecture does not protect against:
- Malicious browser extensions reading DOM content
- Shoulder surfing or screen recording on shared machines
- Clipboard history tools retaining pasted secrets after you leave the page
- XSS vulnerabilities in the tool site itself — if an attacker injects script, they can read the textarea. We sanitize outputs and use CSP headers (see our deployment guide for
_headersconfig). - Memory forensics — parsed objects live in heap until garbage-collected; close the tab when done with sensitive data.
We document these limits on our About page rather than overclaiming "military-grade encryption."
Server-Side vs Client-Side: Decision Table
| Factor | Server-side API | Client-side (aijsons.com) |
|---|---|---|
| Sensitive JSON paste | Data processor liability | Stays on device |
| 50MB file handling | Easier (more RAM) | Harder — see our 50MB guide |
| Hosting cost at scale | Bandwidth + compute | Static files only (GitHub Pages) |
| Security audit | Server infra + app + logs | Public JS audit + headers |
| Offline use | No | Yes (after first load + PWA cache) |
Why This Matters for Building Developer Tools
If you are building JSON utilities, the privacy architecture decision comes before the first line of format logic. Switching from server to client later means rewriting every feature. We chose client-side in 2024 and accepted the performance constraints — Web Workers, file size caps, degraded diff on large files — as the cost of a defensible privacy story.
Users in regulated industries do not need faster formatting. They need a tool their security team will not block. That is the market aijsons.com serves alongside general developers.
Key Takeaways
- Server-side JSON tools become data processors the moment they receive user payloads — "we don't store it" is not enough for many compliance reviews.
- Client-side architecture keeps JSON on the device; disclose analytics and ads separately.
- Verify with DevTools Network tab and a canary string — do not trust badges alone.
- Open-source code lets reviewers grep for outbound requests.
- Client-side has real limits (XSS, extensions, memory) — state them honestly.