IT & security overview

Last updated: 16 May 2026

This page summarizes how JSON & XML Tools is built and which hosts browsers may contact when users visit https://webtoolkit.in. Use it to configure allowlists, proxies, and SSL inspection exceptions. For legal wording on data handling, see our Privacy Policy.

1. Architecture

• Delivery: Static HTML, CSS, and JavaScript served over HTTPS.
• Application logic: Runs in the visitor’s browser (client-side only).
• Your documents: JSON/XML content entered or opened in the tools is processed locally. We do not operate an application API that receives those payloads for processing.
• Optional analytics: Google Analytics 4 loads only after the user accepts the cookie notice. Users who do not accept are not tracked by our GA integration.

2. Primary origin (required)

Browsers must reach our site and static assets on the same host:

• webtoolkit.in (HTTPS, typically port 443)
• /vendor/ — Monaco Editor, JSONEditor, and AJV bundles are copied here at deploy time (no jsDelivr or unpkg).

UI fonts use the system stack (Segoe UI, system-ui, monospace). No Google Fonts CDN is required for core tools.

3. Optional third-party hosts (analytics only)

If the user accepts the cookie notice, the browser may also contact Google for analytics. Core editors work without these hosts.

Exact subdomains may change as Google updates GA; refer to Google’s GA4 documentation if you need an exhaustive list for strict egress policies.

4. Related sites

Pages may link to our sibling project imagetoolkit.in. Allowlisting webtoolkit.in does not automatically allow that domain.

5. Discovery files

• /robots.txt — crawler hints and sitemap URL.
• /sitemap.xml — URL list for search engines.

6. Contact

For security disclosures or enterprise questions, use our Contact page. We do not publish a formal bug bounty program on this site.