How it works: privacy by design

The short version: when you paste data into a DevToolsHub tool, it is processed by JavaScript running in your own browser. For almost every tool on this site, your input is never transmitted, logged, or stored anywhere. Close the tab and it is gone. This page explains exactly what that means — and lists the small number of tools where a network call is unavoidable.

Client-side processing, concretely

When you format JSON, decode a JWT, generate a password, test a regex, or convert a timestamp, the work happens in your browser's JavaScript engine — the page you downloaded contains all the code needed. You can verify this yourself: open your browser's developer tools, watch the Network tab, and use any client-side tool. No request carries your input. The tools even keep working if you disconnect from the internet after the page loads — and the site is installable as an app: pages you have visited are cached by a service worker, so your everyday tools work fully offline.

Heavy operations (formatting multi-megabyte JSON, running regex over large text) execute in Web Workers — background threads that keep the page responsive. Security-sensitive operations (SHA hashing, HMAC, random generation for passwords and UUIDs) use the browser's built-in Web Crypto API, the same primitives your bank's website uses, rather than hand-rolled implementations.

The exceptions: tools that need a server

A few tools cannot work purely in a browser, for technical reasons listed below. For these, we send the minimum required input to our API, process it in memory, and return the result. We do not store your input or build profiles from it.

  • DNS Lookup

    Browsers cannot perform raw DNS queries, so the domain you enter is resolved by our API route. Only the domain name is sent — nothing else.

  • HTTP Headers Viewer

    Fetching another site's response headers from your browser is blocked by CORS, so our server makes the request for the URL you enter.

  • IP Lookup

    Looking up your public IP requires, by definition, a request that leaves your machine. The lookup returns public routing information only.

  • Code Minifier (HTML/CSS/JS)

    Minification uses build-grade libraries (terser, clean-css, html-minifier-terser) that run server-side. Your code is processed in memory for the request and not stored.

What we do measure

Like most websites, we use analytics to understand aggregate behavior — which tools get used, which pages people arrive on — and we show ads, which involve the third-party cookies described in our privacy policy. The line we hold: measurement is about pages and features, never about the content you paste into a tool. Tool input is not analytics data.

Practical guidance for sensitive data

  • Client-side tools (JSON, encoding, JWT decoding, hashing, regex, time) are safe for tokens, keys, and customer data — the input stays on your machine.
  • Treat any token you have pasted anywhere — including here — according to your organization's security policy. Rotating a credential costs little; assuming it is still secret costs more.
  • For the four server-assisted tools above, send only what you would send to any third-party service (domains, public URLs, code you are comfortable transmitting over TLS).