Security and privacy model
debugtools is designed around explicit data boundaries. A tool should make it clear whether data stays in the browser, leaves through a user-triggered request, or syncs through an authenticated cloud feature.
Local-first tools
JSON, JWT, Hash, HTML, HTTP Status, Diff, Base64, UUID, URL, Timestamp, and most inspectors process data in the browser.
API Workbench network requests
API Workbench sends headers, bodies, tokens, and cookies only to the target URLs entered by the user, subject to browser CORS rules.
Optional sync
Authenticated collection sync is optional and stores saved API Workbench collections through the configured Supabase project.
Secrets handling
Use throwaway tokens for reports, redact credentials, and keep production secrets out of issues, screenshots, fixtures, and exports.
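One way to scrub a saved request before attaching it to a report, as an added example (not debugtools code). The `{ url, headers, body }` record shape, the function names, and the key and header lists are assumptions chosen for illustration.

```javascript
// Added example. The { url, headers, body } record is a hypothetical shape,
// not debugtools' real export format.
const MASK = "REDACTED";
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"]);
const SENSITIVE_KEYS = /^(pass(word)?|secret|token|api[_-]?key|(access|refresh)[_-]?token|client[_-]?secret)$/i;
// JWT-shaped: three dot-separated base64url segments, the first starting "eyJ".
const JWT_SHAPED = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;

const redactString = (s) => s.replace(JWT_SHAPED, MASK);

// Walk parsed JSON: mask values under sensitive keys, scrub JWTs elsewhere.
function redactValue(v) {
  if (typeof v === "string") return redactString(v);
  if (Array.isArray(v)) return v.map(redactValue);
  if (v && typeof v === "object") {
    return Object.fromEntries(Object.entries(v).map(
      ([k, x]) => [k, SENSITIVE_KEYS.test(k) ? MASK : redactValue(x)]));
  }
  return v;
}

// Mask URL userinfo and sensitive query parameters.
function redactUrl(raw) {
  const u = new URL(raw);
  if (u.username || u.password) { u.username = MASK; u.password = ""; }
  const params = new URLSearchParams();
  for (const [k, v] of u.searchParams) params.append(k, SENSITIVE_KEYS.test(k) ? MASK : redactString(v));
  u.search = params.toString();
  return u.toString();
}

// Returns a redacted copy; the input record is left untouched.
function redactRequest(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? MASK : redactString(String(value));
  }
  let body = req.body;
  if (typeof body === "string") {
    try { body = JSON.stringify(redactValue(JSON.parse(body))); } catch { body = redactString(body); }
  } else {
    body = redactValue(body);
  }
  return { ...req, url: redactUrl(req.url), headers, body };
}

// Constructed sample request (throwaway values).
const SAMPLE = { method: "POST", url: "https://api.example.test/v1/items?page=2&api_key=abc123",
  headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln", "Content-Type": "application/json", Cookie: "sid=xyz" },
  body: JSON.stringify({ name: "widget", password: "hunter2", nested: { refresh_token: "r-1", note: "ok" } }) };
console.log(JSON.stringify(redactRequest(SAMPLE), null, 2));
```

Pattern-based redaction only catches what it recognises, so read the output before attaching it to an issue or export.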
Private reporting
Security issues should go through GitHub Security Advisories before any public issue or disclosure.