JSON Toolbox is a client-side only developer utility. All data processing occurs exclusively in your web browser. This document outlines our security model.
```
┌─────────────────────────────────────────────────────┐
│                    Your Browser                     │
│  ┌───────────────────────────────────────────────┐  │
│  │                 JSON Toolbox                  │  │
│  │                                               │  │
│  │  Input → JavaScript Processing → Output       │  │
│  │                                               │  │
│  │  • All operations in-memory                   │  │
│  │  • No data transmitted                        │  │
│  │  • No backend processing                      │  │
│  └───────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────┘
                           │
                           ✕ No data leaves browser
                           │
┌─────────────────────────────────────────────────────┐
│                       Server                        │
│                                                     │
│  Static file serving only:                          │
│  • HTML, CSS, JavaScript                            │
│  • Vendor libraries (self-hosted)                   │
│  • No API endpoints for user data                   │
│  • No data processing backend                       │
│                                                     │
└─────────────────────────────────────────────────────┘
```
- All user input - JSON, CSV, XML, YAML, CSS
- All processing - Conversion, validation, formatting
- All output - Generated JSON, TypeScript, schemas
- Clipboard operations - Paste, copy
- Nothing by default - Analytics are OFF by default (opt-in only)
- If analytics enabled - Aggregate usage data (cookieless, no identifiers)
- Compliance mode - Zero network calls guaranteed
| Threat | Mitigation |
|---|---|
| Data exfiltration | No network transmission of user data |
| Man-in-the-middle | All static assets; HTTPS in production |
| Session hijacking | No sessions, no cookies, no auth |
| Cross-site scripting (XSS) | CSP headers; no dynamic HTML injection of user data |
| Data persistence | Optional localStorage only for preferences |
| Third-party tracking | No external scripts; self-hosted analytics |
- Browser security vulnerabilities
- Local machine compromise
- Physical access attacks
- Malicious browser extensions
For enterprise and regulated environments, JSON Toolbox offers compliance mode:
```
// Via URL parameter
https://example.com/tools/json/?compliance=1
// Via environment variable
JSON_TOOLBOX_COMPLIANCE=true
// Via JavaScript (before page load)
window.JSON_TOOLBOX_COMPLIANCE = true;
```

- Zero network calls - No analytics, no external requests
- No persistent storage - localStorage operations are no-ops
- Memory-only processing - All data discarded on page close
For maximum assurance, use the zero-telemetry build:
- Access: `/tools/json/index-zero-telemetry.php`
- No analytics code loaded (script excluded, not just disabled)
- Compliance mode automatically enabled
See COMPLIANCE.md for full documentation.
Analytics are OFF by default (opt-in only). When explicitly enabled by the user:

```javascript
// Privacy configuration in analytics.js
_paq.push(['disableCookies']); // No tracking cookies
_paq.push(['setDoNotTrack', true]); // Respects browser DNT
_paq.push(['disableBrowserFeatureDetection']); // No fingerprinting
_paq.push(['setRequestMethod', 'POST']); // No URL logging
```

- Collected: Page view, tab switch, operation type (e.g., "format")
- Not collected: User data, identifiers, session info, IP (anonymized)
- Destination: Self-hosted Matomo on same infrastructure
- Retention: Standard Matomo retention policies
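```javascript
// Set the analytics opt-in flag, then reload so it takes effect
localStorage.setItem('json-toolbox-analytics-enabled', 'true');
location.reload();
```

```javascript
// Remove the analytics opt-in flag, then reload
localStorage.removeItem('json-toolbox-analytics-enabled');
location.reload();
```

In non-compliance mode, JSON Toolbox uses localStorage for: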
- Theme preference
- Language preference
- Last input per tab (for convenience)
- Analytics opt-in status
In compliance mode, all storage operations are no-ops:
- Reads return default values
- Writes silently succeed but don't persist
- Data exists only in memory during session
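
A sketch of how the no-op storage behaviour described above can be implemented and checked. This is an added example, not JSON Toolbox source: `isComplianceMode`, `makeStorage`, `fakeLocalStorage` and the `theme` key are hypothetical names, and only the URL-parameter and JavaScript-global switches are handled (the environment variable is read server-side).

```javascript
// Added example, not JSON Toolbox source; all function names are hypothetical.

// Decide compliance mode from the pre-load global or the ?compliance=1 parameter.
function isComplianceMode(href, globals) {
  if (globals && globals.JSON_TOOLBOX_COMPLIANCE === true) return true;
  return new URL(href).searchParams.get('compliance') === '1';
}

// Storage facade: in compliance mode every operation is a no-op and the
// backing store (window.localStorage in a browser) is never touched.
function makeStorage(backing, compliance) {
  return {
    get(key, fallback) {
      if (compliance) return fallback;        // reads return default values
      const raw = backing.getItem(key);
      return raw === null ? fallback : raw;
    },
    set(key, value) {
      if (compliance) return true;            // reports success, persists nothing
      try { backing.setItem(key, String(value)); return true; }
      catch (e) { return false; }             // quota exceeded or storage disabled
    },
    clear() { if (!compliance) backing.clear(); }
  };
}

// Constructed stand-in for localStorage that counts every access, so a test
// can prove compliance mode never reaches persistent storage.
function fakeLocalStorage() {
  const data = new Map();
  const s = { touches: 0 };
  s.getItem = (k) => { s.touches++; return data.has(k) ? data.get(k) : null; };
  s.setItem = (k, v) => { s.touches++; data.set(k, v); };
  s.clear = () => { s.touches++; data.clear(); };
  return s;
}

// Write a preference, read it back, and report how often storage was touched.
function demo(href) {
  const backing = fakeLocalStorage();
  const store = makeStorage(backing, isComplianceMode(href, {}));
  store.set('theme', 'dark');                 // 'theme' is a constructed key name
  return { theme: store.get('theme', 'light'), touches: backing.touches };
}
```

With `?compliance=1` the write is accepted, the read still returns the default, and the backing store records zero accesses.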
```javascript
// Via API
window.JSONToolbox.clearAllStorage();
// Or directly
localStorage.clear();
```

Or use the "Clear saved data" option in the UI.
For maximum security, self-host JSON Toolbox:
Standard Hosting:
- Download the `/tools/json/` directory
- Analytics are already OFF by default
- Serve via any static file server
- No backend required
Air-Gapped / Enterprise Hosting:
- Use `index-zero-telemetry.php` as entry point
- No analytics code will be loaded
- Compliance mode auto-enabled
- Zero network dependencies
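
When self-hosting, the "no external scripts" and "zero network calls" claims can be checked against the Content-Security-Policy header the server actually sends. This is an added example, not JSON Toolbox source: the page says CSP is used but does not publish its policy, so `auditCsp`, its rules and the sample headers are assumptions.

```javascript
// Added example, not JSON Toolbox source. The rules and sample headers below
// are assumptions about what a strict self-hosted deployment would send.

// Parse a CSP header value into { directive: [sources] }; first duplicate wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Resolve a directive through its fallback chain; null means "unrestricted".
function effective(policy, chain) {
  for (const name of chain) if (name in policy) return policy[name];
  return null;
}

// Sources that cannot pull script from another origin.
const LOCAL_ONLY = /^'(self|none|nonce-[^']+|sha(256|384|512)-[^']+)'$/i;

// Return a list of findings; an empty list means the header backs the claims.
function auditCsp(header, { compliance = false } = {}) {
  const policy = parseCsp(header);
  const findings = [];
  const targets = ['script-src'];
  if ('script-src-elem' in policy) targets.push('script-src-elem');
  for (const name of targets) {
    const sources = effective(policy, [name, 'default-src']);
    if (sources === null) { findings.push(`${name}: unrestricted`); continue; }
    for (const s of sources) {
      if (!LOCAL_ONLY.test(s)) findings.push(`${name}: allows ${s}`);
    }
  }
  if (compliance) {
    const connect = effective(policy, ['connect-src', 'default-src']);
    const blocked = connect !== null && (connect.length === 0 ||
      (connect.length === 1 && connect[0].toLowerCase() === "'none'"));
    if (!blocked) findings.push("connect-src: not 'none' (fetch/XHR/beacon possible)");
  }
  return findings;
}

// Constructed sample headers
const STRICT = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:";
const LOOSE = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example";
```

`connect-src` governs fetch, XHR, WebSocket, EventSource and `sendBeacon`; image and form destinations fall under `img-src` and `form-action`, which this check does not inspect.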
All dependencies are:
- Self-hosted in `/vendor/`
- No CDN dependencies
- No runtime fetching
| Library | Purpose | Security Notes |
|---|---|---|
| PapaParse | CSV parsing | RFC 4180 compliant, no network |
| js-yaml | YAML parsing | YAML 1.2, safe schema default |
| jsonrepair | JSON fixing | Deterministic, no network |
| Lucide | Icons | SVG only, no external requests |
If you discover a security vulnerability:
- Do NOT open a public issue
- Email: security@mackan.eu
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (optional)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Fix deployment: Depends on severity
JSON Toolbox architecture supports:
| Regulation | How |
|---|---|
| GDPR | No personal data collected or processed server-side |
| HIPAA | PHI never leaves browser; no third-party transmission |
| SOX | Deterministic, auditable local processing |
| CCPA | No sale or sharing of personal information |
| Date | Version | Change |
|---|---|---|
| 2026-01-20 | 2.0.0 | Analytics default-off (opt-in), compliance mode, zero-telemetry build |
| 2026-01-18 | 1.0.0 | Added privacy-first analytics (cookieless, self-hosted) |
| 2026-01-15 | 0.9.0 | Initial SECURITY.md |
Last updated: 2026-01-20