Same-origin formatter endpoint
The formatter endpoint is intended for FormatPaste pages, not as a public API. Direct calls without same-origin browser context are rejected, and cross-site browser calls are blocked.
Safe formatter practices
FormatPaste security notes: request limits, same-origin API protection, strict headers, allowlisted static files, and safe formatting guidance.
Last updated: July 2026
The formatter endpoint is intended for FormatPaste pages, not as a public API. Direct calls without same-origin browser context are rejected, and cross-site browser calls are blocked.
Formatter requests are size-limited to reduce parser abuse and accidental large-paste crashes. Unsupported languages and modes are rejected before formatting.
Only the required public browser assets are served. Server files, package metadata, source formatter internals, and arbitrary filesystem paths are not exposed through the static asset route.
FormatPaste sets a Content Security Policy, frame blocking, nosniff, referrer policy, permissions policy, and same-origin resource policy to reduce common browser abuse paths.
Formatting code can reveal syntax errors, but it is not a security scanner. Review output before using it and avoid online tools for secrets or regulated data.