FormatPaste

Safe formatter practices

Security

FormatPaste security notes: request limits, same-origin API protection, strict headers, allowlisted static files, and safe formatting guidance.

Last updated: July 2026

Same-origin formatter endpoint

The formatter endpoint is intended for FormatPaste pages, not as a public API. Direct calls without same-origin browser context are rejected, and cross-site browser calls are blocked.

Input and output limits

Formatter requests are size-limited to reduce parser abuse and accidental large-paste crashes. Unsupported languages and modes are rejected before formatting.

Static file allowlist

Only the required public browser assets are served. Server files, package metadata, source formatter internals, and arbitrary filesystem paths are not exposed through the static asset route.

Browser security headers

FormatPaste sets a Content Security Policy, frame blocking, nosniff, referrer policy, permissions policy, and same-origin resource policy to reduce common browser abuse paths.

Responsible use

Formatting code can reveal syntax errors, but it is not a security scanner. Review output before using it and avoid online tools for secrets or regulated data.