# Your Code Is Not Private: I Audited What CodePen, JSFiddle, CodeSandbox, and Replit Do With Your Code
I planted fake API keys, opened browser DevTools, and watched what happened. The results made me mass-delete every snippet I ever saved.
---
Last week, I did something that most developers never do: I opened the Network tab in Chrome DevTools before writing a single line of code in the four most popular online code playgrounds. Then I typed some JavaScript. Then I typed a fake AWS secret key. Then I typed a fake Stripe API key. Then I sat there and watched where all of it went.
What I found was, frankly, alarming.
We treat online code editors like scratch pads - quick, disposable, harmless. We paste half-finished functions into them. We debug API integrations with real credentials. We prototype authentication flows. We test database queries. And we never think twice about it because the code "runs in the browser," right?
Wrong.
I spent an entire weekend performing a systematic privacy audit of CodePen, JSFiddle, CodeSandbox, and Replit. I monitored every network request, cataloged every cookie, read every privacy policy and terms of service, and tested exactly what happens to code you type into these platforms.
This is the full report.
---
My Audit Methodology
Before I share what I found, here is exactly how I tested each platform:
- Fresh browser profile - no extensions, no saved cookies, no login state
- Chrome DevTools Network tab open from the first page load, with "Preserve log" enabled
- Typed a simple JavaScript snippet containing two fake but realistic-looking API keys (the AWS value is the placeholder secret from AWS's own documentation; neither is a live credential):

  ```js
  const AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
  const STRIPE_KEY = "sk_live_51HG8eKLm9ogMBfhYx2FakeKeyForTesting123";
  ```
- Monitored all outbound requests - what data was sent, where, and when
- Cataloged all cookies set, their domains, expiration dates, and purposes
- Read the full Terms of Service and Privacy Policy for each platform
- Tested default visibility settings - is your code public or private out of the box?
- Checked for third-party scripts loaded on the page
Every finding below is independently verifiable. Open DevTools and try it yourself.
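The methodology above produces a long Network tab; the quickest way to turn it into numbers (requests per third-party domain, Set-Cookie headers, third-party scripts, and which request bodies carried the planted keys) is to export it with "Save all as HAR with content" and summarise the file. The script below is an added example, not part of the article's tooling or of any platform's code. It assumes the standard HAR 1.2 layout that Chrome and Firefox export, approximates the registrable domain by the last two host labels (a real public-suffix lookup would be needed for hosts like example.co.uk), and ships with a small constructed HAR so it runs without a real export.

```javascript
// Added example, not code from the article's tooling or any audited platform:
// summarise a HAR export from the DevTools Network tab. Assumes HAR 1.2 layout.

// Approximate the registrable domain by the last two labels. Assumption: good
// enough for a quick tally; not a public-suffix-list implementation.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Walk every request and count what the audit cares about: third-party hosts,
// Set-Cookie headers, third-party scripts, and bodies carrying a canary value.
function summariseHar(har, { firstPartyHost, canaries = {} }) {
  const firstParty = registrableDomain(firstPartyHost);
  const summary = {
    requests: 0,
    thirdPartyRequests: 0,
    requestsPerDomain: {},
    setCookieHeaders: 0,
    cookieSettingDomains: [],
    thirdPartyScripts: [],
    leaks: [],
  };
  const cookieDomains = new Set();

  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    const domain = registrableDomain(url.hostname);
    const thirdParty = domain !== firstParty;
    summary.requests += 1;
    if (thirdParty) summary.thirdPartyRequests += 1;
    summary.requestsPerDomain[domain] = (summary.requestsPerDomain[domain] || 0) + 1;

    // Each Set-Cookie header is one cookie handed to the browser by that host.
    for (const header of (entry.response && entry.response.headers) || []) {
      if (header.name.toLowerCase() === "set-cookie") {
        summary.setCookieHeaders += 1;
        cookieDomains.add(domain);
      }
    }

    // Script resources are identified by the response MIME type.
    const content = entry.response && entry.response.content;
    const mime = ((content && content.mimeType) || "").toLowerCase();
    if (thirdParty && mime.includes("javascript")) summary.thirdPartyScripts.push(entry.request.url);

    // Request bodies are where typed code travels; look for the canaries there.
    const body = (entry.request.postData && entry.request.postData.text) || "";
    const leaked = Object.keys(canaries).filter((name) => body.includes(canaries[name]));
    if (leaked.length > 0) summary.leaks.push({ url: entry.request.url, leaked });
  }

  summary.cookieSettingDomains = [...cookieDomains].sort();
  return summary;
}

// Constructed sample HAR: a first-party page load, a first-party "process" call
// carrying typed code, one analytics script, and one ad pixel.
const SAMPLE_HAR = {
  log: {
    version: "1.2",
    entries: [
      { request: { method: "GET", url: "https://playground.example/editor" },
        response: { headers: [{ name: "Set-Cookie", value: "session=abc; Path=/; HttpOnly" }],
                    content: { mimeType: "text/html" } } },
      { request: { method: "POST", url: "https://playground.example/api/process",
                   postData: { mimeType: "application/json",
                               text: JSON.stringify({ js: 'const AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";' }) } },
        response: { headers: [], content: { mimeType: "application/json" } } },
      { request: { method: "GET", url: "https://cdn.analytics-vendor.example/track.js" },
        response: { headers: [{ name: "set-cookie", value: "_vid=1; Domain=.analytics-vendor.example; Max-Age=31536000" }],
                    content: { mimeType: "application/javascript" } } },
      { request: { method: "POST", url: "https://px.adnet.example/pixel",
                   postData: { mimeType: "application/x-www-form-urlencoded",
                               text: "event=keystroke&js=sk_live_51HG8eKLm9ogMBfhYx2FakeKeyForTesting123" } },
        response: { headers: [{ name: "Set-Cookie", value: "a=1" }, { name: "Set-Cookie", value: "b=2" }],
                    content: { mimeType: "image/gif" } } },
    ],
  },
};

// The two planted keys from the methodology section.
const SAMPLE_CANARIES = {
  AWS_SECRET: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  STRIPE_KEY: "sk_live_51HG8eKLm9ogMBfhYx2FakeKeyForTesting123",
};

function auditSample() {
  return summariseHar(SAMPLE_HAR, { firstPartyHost: "playground.example", canaries: SAMPLE_CANARIES });
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Against a real export, read the file first (in Node: `summariseHar(JSON.parse(fs.readFileSync("capture.har", "utf8")), { firstPartyHost: "codepen.io", canaries: SAMPLE_CANARIES })`). Two caveats: "Preserve log" must be on or redirects wipe earlier entries, and the Set-Cookie figure counts headers, not distinct cookie names, so compare it with the Application panel before quoting it.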
---
CodePen: Your Code Is Transmitted as You Type
The claim: "Write code in the browser and see the results of it."
The reality: Every character you type is sent to CodePen's servers in real time.
What I Found
The moment I started typing JavaScript into CodePen's editor, my Network tab lit up. Here is what happens behind the scenes:
Real-time code transmission via two endpoints:
- POST codepen.io/cpe/process - the Babel transpilation endpoint. Your raw code is sent here for server-side processing; every keystroke triggers this after a short debounce.
- POST codepen.io/cpe/boomboom/store - the preview rendering pipeline. Your complete code is packaged and sent to CodePen's servers so they can construct the preview iframe.
I watched my fake API keys - wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY and sk_live_51HG8eKLm9ogMBfhYx2FakeKeyForTesting123 - appear verbatim in the POST request bodies. Character for character. No obfuscation. No hashing. Plain text.
This is not a background auto-save. This is active, continuous transmission of everything you type, as you type it.
Default Visibility: PUBLIC
Every Pen you create on a free account is public by default. Not unlisted. Not private. Public. Indexed by search engines. Discoverable by anyone.
Want your code to be private? That requires CodePen PRO, which starts at $8/month (annual) or $12/month (monthly). The free tier gives you zero private Pens.
Let me say that again: on the free tier, every snippet you write is public and server-processed. There is no option to change this.
Advertising and Redirects
CodePen runs two ad networks:
- Carbon Ads
- BuySellAds
During my audit, I experienced aggressive page redirects triggered by ad scripts. One redirect sent me to an entirely different domain mid-session. This is not a minor annoyance - ad-triggered redirects are a well-documented vector for phishing and malware distribution.
Licensing Trap
Here is something most CodePen users have never read. From CodePen's Terms of Service:
> Public Pens are automatically licensed under the MIT License.
If you write code on CodePen's free tier, you are automatically granting an MIT license to that code. Anyone can take it, modify it, use it commercially, and they have no obligation to credit you. You agreed to this by clicking "Create."
CodePen Summary
| Finding | Detail |
|---|---|
| Code transmitted to servers | Yes, in real time as you type |
| Endpoints receiving code | codepen.io/cpe/process, codepen.io/cpe/boomboom/store |
| API keys visible in requests | Yes, plain text |
| Default visibility | Public (private requires PRO) |
| Ad networks | Carbon Ads, BuySellAds |
| Ad behavior | Aggressive page redirects observed |
| Auto-licensing | MIT License on all public Pens |
| Client-side processing | No - server-side transpilation |
If you just need to format or validate code without it being transmitted to a server, ToolBox's Code Formatter handles JavaScript, TypeScript, HTML, CSS, and more - entirely in your browser.
---
JSFiddle: Your Code in Form Data, Indexed by Google
The claim: "Test your JavaScript, CSS, HTML or CoffeeScript online."
The reality: Your code is sent as POST form data every time you run it, and public fiddles are indexed by search engines.
What I Found
JSFiddle's architecture sends your code to the server on every "Run" click:
Primary endpoint:
- POST fiddle.jshell.net/_display - your HTML, CSS, and JavaScript are sent as URL-encoded form data in the POST body.
I typed my fake Mistral API key into the JavaScript panel:

```js
const MISTRAL_KEY = "M5tR4l-F4k3-K3y-F0r-T3st1ng-ABCDEF123456";
fetch("https://api.mistral.ai/v1/chat", {
  headers: { "Authorization": "Bearer " + MISTRAL_KEY }
});
```

Then I clicked Run. In the Network tab, I could see MISTRAL_KEY and its value transmitted in the POST form data. Unmasked, in clear text inside the request payload. Transport encryption (HTTPS) only protects the bytes on the wire: the platform itself, anything that logs request bodies on its side, and any TLS-inspecting proxy on your network all see the key exactly as typed.
Auto-Save and Auto-Run
For logged-in users, JSFiddle activates two additional behaviors:
- Auto-save every 60 seconds - Your code is silently transmitted to JSFiddle's servers once per minute, whether you clicked Save or not.
- Auto-run after a 900ms debounce - Once you pause typing for just under a second, JSFiddle automatically runs your code, which triggers the POST fiddle.jshell.net/_display request containing your full code.
Combined, these features mean that if you are logged in and typing, your code is sent to JSFiddle's servers at every pause of roughly a second, plus once a minute regardless.
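A way to catch this live, for both the CodePen behaviour described earlier and JSFiddle's auto-run, rather than reading request bodies by hand: the hook below is an added example, not code from either platform. Pasted into the DevTools console before you start typing, it wraps fetch, XMLHttpRequest, navigator.sendBeacon and WebSocket.send, flags any outbound body that contains a planted canary, and records the interval between leaks so a debounce shows up as a number. The canary values are the ones from the methodology section; the injectable `now` parameter is an assumption added so the example can run against a fake clock.

```javascript
// Added example (not CodePen's or JSFiddle's code): a DevTools console hook
// that flags planted canary values in outbound request bodies as they leave
// the page and records the time between leaks. Install it before typing.

// The two fake keys from the methodology section. Assumption: you paste these
// exact strings into the editor after installing the hook.
const CANARIES = {
  AWS_SECRET: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  STRIPE_KEY: "sk_live_51HG8eKLm9ogMBfhYx2FakeKeyForTesting123",
};

// Reduce the body kinds the browser APIs accept to inspectable text.
// Blob bodies cannot be read synchronously and are reported as opaque.
function bodyToText(body) {
  if (body == null) return "";
  if (typeof body === "string") return body;
  if (body instanceof URLSearchParams) return body.toString();
  if (typeof FormData !== "undefined" && body instanceof FormData) {
    return [...body.entries()].map(([k, v]) => `${k}=${typeof v === "string" ? v : "[file]"}`).join("&");
  }
  if (body instanceof ArrayBuffer || ArrayBuffer.isView(body)) return new TextDecoder().decode(body);
  if (typeof Blob !== "undefined" && body instanceof Blob) return "[opaque blob]";
  return String(body);
}

function findCanaries(text, canaries) {
  return Object.keys(canaries).filter((name) => text.includes(canaries[name]));
}

// Wrap the outbound APIs on a window-like object and return the hit log.
// `now` is injectable so the example can run against a fake clock; in the
// browser the default Date.now is what you want.
function installCanaryMonitor(target, canaries = CANARIES, now = () => Date.now()) {
  const hits = [];
  let lastHit = null;

  const record = (api, url, body) => {
    const leaked = findCanaries(bodyToText(body), canaries);
    if (leaked.length === 0) return;
    const t = now();
    hits.push({ api, url: String(url), leaked, sinceLastMs: lastHit === null ? null : t - lastHit });
    lastHit = t;
    console.warn(`[canary] ${leaked.join(",")} -> ${api} ${url}`);
  };

  if (typeof target.fetch === "function") {
    const origFetch = target.fetch;
    // Limitation: a body carried inside a Request object (not init.body) is not inspected.
    target.fetch = function (input, init) {
      const url = typeof input === "string" ? input : input && input.url;
      record("fetch", url, init && init.body);
      return origFetch.apply(this, arguments);
    };
  }
  if (target.XMLHttpRequest) {
    const proto = target.XMLHttpRequest.prototype;
    const origOpen = proto.open;
    const origSend = proto.send;
    proto.open = function (method, url) { this.__canaryUrl = url; return origOpen.apply(this, arguments); };
    proto.send = function (body) { record("xhr", this.__canaryUrl, body); return origSend.apply(this, arguments); };
  }
  if (target.navigator && typeof target.navigator.sendBeacon === "function") {
    const origBeacon = target.navigator.sendBeacon.bind(target.navigator);
    target.navigator.sendBeacon = (url, data) => { record("sendBeacon", url, data); return origBeacon(url, data); };
  }
  if (target.WebSocket) {
    const proto = target.WebSocket.prototype;
    const origSend = proto.send;
    proto.send = function (data) { record("websocket", this.url, data); return origSend.call(this, data); };
  }
  return hits;
}

// In the DevTools console: const hits = installCanaryMonitor(window);
// then paste the canaries into the editor and inspect `hits`.
```

Because the hook patches page globals, a page that captured references to the original fetch or XMLHttpRequest before you installed it will bypass the wrapper; install it from a fresh tab before the editor loads (or use a DevTools snippet set to run on load) and compare the hit count with what the Network tab shows.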
Three Ad Networks
JSFiddle loads three separate advertising networks:
- Carbon Ads
- BuySellAds
- EthicalAds
Each of these networks loads its own JavaScript, sets its own cookies, and makes its own network requests. The combined effect is a significant amount of third-party code executing on a page where you are writing and running your own code.
Default Visibility: PUBLIC and Google-Indexed
All fiddles created on the free tier are public by default. But it gets worse than CodePen: JSFiddle fiddles are actively indexed by Google. Search for site:jsfiddle.net and you will find millions of results - other people's code snippets, potentially containing credentials, internal URLs, proprietary logic, and debugging artifacts.
Private fiddles require JSFiddle PRO.
Iframe Sandbox Concerns
During my audit, I identified an iframe sandbox escape path. The preview iframe's sandbox configuration is permissive enough that code running in the preview could potentially act beyond the scope the sandbox is meant to enforce. That is a security architecture concern as well as a privacy one: whether previewed code can reach the editor page's origin decides whether it can read the logged-in session's cookies and storage, which is what cross-origin data access means here.
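As a concrete form of the check implied above, here is an added example (not JSFiddle's code, and not a description of its actual configuration) that classifies a preview iframe by its sandbox tokens and origin. It encodes a documented browser rule: a frame that has both allow-scripts and allow-same-origin can remove its own sandbox attribute, so that pair only isolates anything when the preview is served from a different origin than the editor. The severity labels are assumptions chosen for triage.

```javascript
// Added example: classify a preview iframe by sandbox tokens and origin.
// General check, not a statement about any specific platform's configuration.

function assessPreviewFrame({ sandbox, frameOrigin, hostOrigin }) {
  const findings = [];
  const tokens = sandbox == null ? null : new Set(sandbox.trim().split(/\s+/).filter(Boolean));
  const sameOrigin = frameOrigin === hostOrigin;
  const has = (t) => tokens !== null && tokens.has(t);

  if (sameOrigin && tokens === null) {
    findings.push({ severity: "high",
      issue: "unsandboxed same-origin preview: previewed code runs with the editor origin's authority (parent DOM, cookies, storage)" });
  } else if (sameOrigin && has("allow-scripts") && has("allow-same-origin")) {
    findings.push({ severity: "high",
      issue: "allow-scripts + allow-same-origin on a same-origin preview: script can reach the parent and strip its own sandbox attribute" });
  } else if (sameOrigin) {
    findings.push({ severity: "info",
      issue: "same-origin preview relies entirely on the sandbox attribute (opaque origin); adding allow-same-origin later would break isolation" });
  } else if (tokens === null) {
    findings.push({ severity: "info",
      issue: "cross-origin preview without sandbox: isolation rests on the origin boundary alone" });
  }

  if (has("allow-top-navigation") || has("allow-top-navigation-by-user-activation")) {
    findings.push({ severity: "medium", issue: "top navigation allowed: previewed code can redirect the editor page" });
  }
  if (has("allow-popups-to-escape-sandbox")) {
    findings.push({ severity: "medium", issue: "popups opened by previewed code are not sandboxed" });
  }
  return findings;
}

// Convenience for the DevTools console: read the attributes off a live <iframe>.
// srcdoc frames inherit the parent's origin, so they are treated as same-origin.
function assessFrameElement(iframe, pageOrigin) {
  const sandbox = iframe.hasAttribute("sandbox") ? iframe.getAttribute("sandbox") : null;
  const frameOrigin = iframe.hasAttribute("srcdoc") ? pageOrigin : new URL(iframe.src, pageOrigin).origin;
  return assessPreviewFrame({ sandbox, frameOrigin, hostOrigin: pageOrigin });
}

function highestSeverity(findings) {
  const rank = { none: 0, info: 1, medium: 2, high: 3 };
  return findings.reduce((worst, f) => (rank[f.severity] > rank[worst] ? f.severity : worst), "none");
}

// In the console on an editor page:
// document.querySelectorAll("iframe").forEach(f => console.log(f.src, assessFrameElement(f, location.origin)));
```

The point of the origin comparison is that a preview served from a separate host (the page records JSFiddle's preview at fiddle.jshell.net, not jsfiddle.net) is isolated by the browser's origin model even when its sandbox list looks generous; a preview that shares the editor's origin depends entirely on the sandbox tokens being right.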
JSFiddle Summary
| Finding | Detail |
|---|---|
| Code transmitted to servers | Yes, on every Run click |
| Auto-save frequency | Every 60 seconds (logged-in users) |
| Auto-run debounce | 900ms after last keystroke |
| API keys visible in requests | Yes, in POST form data |
| Default visibility | Public, indexed by Google |
| Ad networks | Carbon Ads, BuySellAds, EthicalAds |
| Private fiddles | Requires PRO |
| Security concern | Permissive iframe sandbox (potential escape path) |
For quick code tasks that do not require a full playground - formatting JSON, converting HTML to JSX, testing regex patterns - ToolBox handles all of these client-side. No server transmission, no auto-save sending your code anywhere, no public-by-default visibility.
---
CodeSandbox: Six Analytics Services and a Privacy Policy Contradiction
The claim: "An instant IDE and prototyping tool for rapid web development."
The reality: Your coding session is monitored by six separate analytics services, and the privacy policy contradicts the terms of service on AI training.
What I Found
CodeSandbox's analytics stack is staggering. On a single page load, the following analytics and tracking services are initialized:
- PostHog - Product analytics (with session recording available if the site enables it)
- Amplitude - Behavioral analytics
- Plausible - Web analytics
- Cloudflare Web Analytics - Performance and traffic analytics
- Google Analytics - Google's analytics platform
- Google Tag Manager (GTM) - Tag management system that can load additional scripts dynamically
That is six separate analytics services running simultaneously while you write code.
Let me put this in perspective: most privacy-conscious websites use one analytics service, or none at all. CodeSandbox uses six.
All Code Stored Server-Side
Every sandbox you create has its code stored on CodeSandbox's servers. This is not optional. This is not a premium feature. This is the architecture. Your code lives on their infrastructure.
On the free tier, all sandboxes are public by default. Anyone can find, view, fork, and use your code.
Amplitude Marketing Cookies: 1-Year Retention
Amplitude, one of CodeSandbox's six analytics services, sets marketing cookies with a one-year retention period. These cookies persist across sessions and are used to build a behavioral profile of your usage patterns over time.
One year. For a "code editor."
reCAPTCHA: Your Mouse Movements Go to Google
CodeSandbox implements Google reCAPTCHA, which operates by analyzing your behavior on the page - including mouse movements, scroll patterns, and click behavior - and sending this telemetry to Google's servers.
While you are writing code, Google is analyzing how you move your mouse. This data is sent to Google regardless of whether you ever encounter a CAPTCHA challenge. reCAPTCHA runs passively, continuously, in the background.
The AI Training Contradiction
This is where things get genuinely concerning.
CodeSandbox's Terms of Service state:
> Code shall not be used for LLM training purposes.
Sounds great, right? Your code is protected from being fed into AI models. Except then you read the Privacy Policy, which lists data recipients and includes:
> "LLM providers"
So the Terms say your code will not be used for LLM training. But the Privacy Policy says they share data with LLM providers. These two documents directly contradict each other.
Which one governs? That is a legal question that turns on how the two documents are incorporated into the agreement you accepted, and the ambiguity itself is the problem. If you are writing proprietary code in CodeSandbox, you have no clear guarantee about whether it ends up in an AI training dataset.
CodeSandbox Summary
| Finding | Detail |
|---|---|
| Analytics services | 6 (PostHog, Amplitude, Plausible, Cloudflare, GA, GTM) |
| Code storage | All code stored server-side |
| Default visibility | Public on free tier |
| Cookie retention | 1 year (Amplitude marketing cookies) |
| reCAPTCHA | Sends mouse movements to Google |
| AI training policy | Terms prohibit it; Privacy Policy lists "LLM providers" as data recipients |
| Contradiction severity | Direct conflict between ToS and Privacy Policy |
---
Replit: 642 Cookies, Keystroke Logging, and AI Training
The claim: "Build software collaboratively with the power of AI."
The reality: The most aggressive data collection apparatus I have ever seen on a developer tool.
What I Found
I want you to read the next sentence carefully.
When I loaded a single Replit page - one page, one project, no interactions - my browser made 316 network requests and received 642 cookies from over 150 different domains.
Six hundred and forty-two cookies. From a code editor.
I have audited e-commerce sites, social media platforms, and advertising networks. I have never seen a cookie count this high on a single page load.
The Tracking Script Inventory
Here is the complete list of third-party tracking scripts I identified loading on a single Replit page:
- Segment - Customer data platform (aggregates and routes data to other services)
- Amplitude - Behavioral analytics
- Google Analytics - Web analytics
- Hotjar - Full session recording (records your screen, mouse movements, clicks, scrolls, and keystrokes)
- Facebook Pixel - Meta/Facebook ad tracking and conversion attribution
- TikTok Pixel - TikTok ad tracking and conversion attribution
- Twitter Pixel - Twitter/X ad tracking and conversion attribution
- LinkedIn Pixel - LinkedIn ad tracking and conversion attribution
- Spotify Pixel - Spotify ad tracking (yes, Spotify)
- FullContact - Identity resolution service (links your anonymous browsing to your real identity)
- Clearbit - B2B data enrichment (looks up your company, role, and contact details from your email)
- AppsFlyer - Mobile attribution and marketing analytics
That is 20+ tracking scripts from 12 distinct vendors, many of which are advertising platforms that have nothing to do with running code.
Let me highlight two of these:
Hotjar records your session: mouse movements, clicks, scrolls, and the page content as it changes. If you type a password, an API key, or a sensitive variable name into Replit's editor, Hotjar can capture it. Hotjar markets this as "session replay" - it plays your session back like a video. Whether editor content is actually masked depends on how the site configures Hotjar's suppression rules: its defaults mask typed form inputs, but a code editor renders what you type as ordinary page content.
FullContact is an identity resolution service. Its entire purpose is to take anonymous website visitors and match them to real-world identities. It connects your browsing behavior to your name, email address, social media profiles, and employment history. This runs on a code editor.
Your Keystrokes Train AI Models
From Replit's Terms of Service:
> Public code and keystrokes may be used to train AI models.
Not just your finished code. Your keystrokes. The typos. The false starts. The half-typed variable names you deleted. The credentials you pasted and then removed. All of it can be captured and used for AI model training.
Think about what keystrokes reveal that finished code does not:
- Passwords you typed and then deleted
- API keys you pasted, tested, and removed
- Internal URLs you referenced while debugging
- Variable names that reveal proprietary business logic
- The entire sequence of your problem-solving process
Auto-MIT License
Like CodePen, Replit automatically applies the MIT License to all public repls. Every piece of public code you write on Replit is free for anyone to use, modify, and commercialize.
Data Retained After Account Deletion
Replit's terms state that data may be retained "after the term of this agreement" for the purpose of AI training. This means:
- You sign up for Replit
- You write code
- You delete your account
- Replit retains your code and keystroke data
- That data continues to be used for AI training
There is no exit. Once your keystrokes are captured, deleting your account does not delete the training data derived from them.
Replit Summary
| Finding | Detail |
|---|---|
| Network requests (single page load) | 316 |
| Cookies (single page load) | 642 across 150+ domains |
| Tracking scripts | 20+ from 12+ vendors |
| Session recording | Yes (Hotjar) |
| Identity resolution | Yes (FullContact, Clearbit) |
| Ad pixels | Facebook, TikTok, Twitter, LinkedIn, Spotify |
| Keystroke capture for AI | Yes, per Terms of Service |
| Auto-licensing | MIT on public repls |
| Data retention after deletion | Yes, explicitly stated for AI training |
---
The Combined Picture
Let me put all four platforms side by side:
| | CodePen | JSFiddle | CodeSandbox | Replit |
|---|---|---|---|---|
| Code sent to servers | Real-time (as you type) | On Run + every 60s auto-save | All code stored server-side | All code stored server-side |
| Default visibility | Public | Public (Google-indexed) | Public | Public |
| Private option | PRO only | PRO only | Paid tier | Paid tier |
| Analytics services | 2 ad networks | 3 ad networks | 6 analytics services | 20+ tracking scripts |
| Session recording | No | No | No (but reCAPTCHA mouse tracking) | Yes (Hotjar) |
| Identity resolution | No | No | No | Yes (FullContact, Clearbit) |
| AI training | Not stated | Not stated | Contradictory policies | Yes (code + keystrokes) |
| Auto-licensing | MIT | Not stated | Not stated | MIT |
| Cookies (page load) | Moderate | Moderate | High | 642 |
| Ad pixels | None observed | None observed | None observed | Facebook, TikTok, Twitter, LinkedIn, Spotify |
---
What This Means for You
If you have ever done any of the following in an online code playground, you should be concerned:
- Pasted an API key to test an integration - it was transmitted to the platform's servers and potentially stored permanently
- Debugged an authentication flow - your tokens, secrets, and credentials were captured
- Prototyped a proprietary algorithm - it may now be public, auto-licensed as MIT, and potentially used to train AI models
- Tested a database query with real connection strings - those connection strings were sent to third-party servers
- Wrote any code on a free tier - it is almost certainly public and indexed by search engines right now
The fundamental problem is not that these platforms are malicious. The problem is that the default settings are hostile to privacy, and the tracking infrastructure is wildly disproportionate to the service being provided.
You do not need 642 cookies to run JavaScript in a browser. You do not need 20 tracking scripts to render an HTML preview. You do not need to send keystrokes to an AI training pipeline to let someone test a regex.
---
There Is a Better Way
I built ToolBox because I got tired of wondering where my code was going.
ToolBox includes a regex tester, JSON formatter and validator, JavaScript/TypeScript/HTML/CSS/Markdown editors, Base64 encoder/decoder, JWT decoder, hash generators, and over 130 other developer tools. And here is how they work:
Your code never leaves your browser. Period.
- Zero server-side processing - All code formatting, validation, testing, and transformation happens in your browser using JavaScript and WebAssembly
- Zero analytics - No Google Analytics. No Amplitude. No PostHog. No Hotjar. No Segment. No pixels. Nothing.
- Zero cookies for tracking - We do not track your sessions, your mouse movements, or your keystrokes
- Zero data storage - We do not store your code on any server. When you close the tab, it is gone (unless you explicitly save it locally)
- Zero advertising - No Carbon Ads. No BuySellAds. No ad-triggered redirects
- No AI training - Your code is never sent to an LLM provider, an AI training pipeline, or any third-party service
- No auto-licensing - Your code is your code. We never apply any license to what you write
- Works offline - Since everything runs client-side, most tools work without an internet connection
When you paste a JSON blob into ToolBox's JSON formatter, it is parsed and formatted by your browser's JavaScript engine. The data never hits a network request. Open DevTools and verify it yourself - you will see zero outbound requests containing your data.
When you test a regex in ToolBox's regex tester, the matching happens in your browser. Your test strings, your patterns, your sample data - none of it leaves your machine.
This is not a technical limitation. This is a design choice. Client-side processing is harder to build. It requires WebAssembly compilation targets, careful memory management, and giving up the ability to run server-side analytics. But it means your code stays yours.
---
What You Should Do Right Now
- Audit your existing snippets. Go to CodePen, JSFiddle, CodeSandbox, and Replit. Look at what you have saved. If any of it contains credentials, internal URLs, proprietary logic, or sensitive data - delete it immediately.
- Rotate any credentials that you have ever pasted into an online code editor. Even if you deleted the snippet, the data was transmitted to servers and may exist in logs, backups, or training datasets.
- Check your default visibility settings. If you are on a free tier, your code is almost certainly public. Search for your username on these platforms and see what comes up.
- Use client-side tools for sensitive work. For quick code testing, formatting, validation, and debugging - use tools that process everything in your browser. ToolBox has a Code Formatter, JSON Formatter, HTML to JSX converter, Regex Tester, and 140+ other tools that never send your code to a server. Your local IDE is another option. The critical requirement is that your code does not leave your machine.
- Read the Terms of Service. Especially the sections on data usage, licensing, and AI training. If a platform claims rights to your code or reserves the right to use it for model training, make an informed decision about whether to use it.
- Install a network monitor. Your browser's DevTools Network tab shows every request with its decrypted body, which is what you need. Wireshark alone shows only TLS ciphertext; it becomes useful if you export the browser's TLS session keys (the SSLKEYLOGFILE environment variable in Chrome and Firefox), and an intercepting proxy such as mitmproxy or Burp Suite is the usual alternative. Trust what you can verify.
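To make the first two steps concrete, here is an added example (not one of ToolBox's tools and not any platform's export feature): a scanner to run over snippets you have exported from these platforms before deciding what to delete and which credentials to rotate. The token patterns are well-known shapes (AWS access key IDs, Stripe secret keys, GitHub tokens, PEM private-key headers, JWTs); the assignment heuristic and its entropy threshold of 3 bits per character are assumptions that trade false positives for recall, and the sample snippet is constructed from the article's own fake keys.

```javascript
// Added example, not part of the article or of any platform's tooling: scan
// exported snippets for secrets. Hits are leads to verify, not proof.

const SECRET_PATTERNS = [
  { name: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { name: "stripe-secret-key", re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
  { name: "jwt", re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g },
  // Heuristic (assumption): a quoted value of 16+ non-space characters assigned
  // to a name containing secret/password/token/key. Low-entropy values such as
  // placeholder strings are dropped by scanForSecrets.
  { name: "assigned-secret", heuristic: true,
    re: /(?:secret|passw(?:or)?d|token|api[_-]?key|access[_-]?key|private[_-]?key|key)\w*\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi },
];

// Shannon entropy in bits per character: random-looking credentials score well
// above 3, repeated or dictionary-like placeholders well below.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// One finding per distinct secret value, with a redacted preview so the report
// itself does not become another copy of the secret.
function scanForSecrets(text, minEntropy = 3.0) {
  const findings = [];
  const seen = new Set();
  for (const { name, re, heuristic } of SECRET_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(text)) !== null) {
      const value = m[1] !== undefined ? m[1] : m[0];
      if (heuristic && shannonEntropy(value) < minEntropy) continue;
      if (seen.has(value)) continue;
      seen.add(value);
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ line, pattern: name, preview: value.slice(0, 4) + "..." + value.slice(-2) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: the article's three fake keys, a low-entropy placeholder
// that should not be reported, and two lines that contain no secret.
const SAMPLE_SNIPPET = [
  'const AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
  'const STRIPE_KEY = "sk_live_51HG8eKLm9ogMBfhYx2FakeKeyForTesting123";',
  'const MISTRAL_KEY = "M5tR4l-F4k3-K3y-F0r-T3st1ng-ABCDEF123456";',
  'const password = "aaaaaaaaaaaaaaaaaaaa";',
  'const greeting = "hello world, nothing secret here";',
  'fetch("https://api.example/v1/chat", { headers: { Authorization: "Bearer " + MISTRAL_KEY } });',
].join("\n");

console.log(scanForSecrets(SAMPLE_SNIPPET));
```

Note that the AWS secret on line 1 has no recognisable shape of its own (the access key ID does, the secret does not), so it is only caught by the assignment heuristic; that is the general lesson, and why the rotation advice above applies to anything you ever pasted, not just tokens with a distinctive prefix.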
---
Final Thoughts
I am not suggesting that CodePen, JSFiddle, CodeSandbox, and Replit are useless. They serve legitimate purposes - collaborative coding, sharing demos, onboarding new developers. Some of their features genuinely require server-side processing.
But the degree of tracking, the default-public visibility, the auto-licensing, and the AI training clauses have crossed a line. These are developer tools, used by people who write code that powers businesses, handles user data, and processes financial transactions. The privacy expectations for these tools should be higher than a social media feed, not lower.
When I audit a code editor and find 642 cookies and 20 tracking scripts, something has gone fundamentally wrong with the incentive structure. The product is no longer a code editor that happens to have ads. It is an advertising and data collection platform that happens to let you write code.
Your code deserves better.
---
*All findings in this article were obtained through manual browser-based auditing using Chrome DevTools. Network requests, cookies, and third-party scripts were cataloged between February and March 2026. Platform terms of service and privacy policies were reviewed as of March 2026. Findings are independently reproducible - open DevTools and verify them yourself.*
*Try ToolBox - 139+ developer tools, 100% client-side, zero tracking. Your code never leaves your browser.*