← Back to Blog

Why a Placeholder Text Generator Should Never See Your Project

Published April 23, 2026

At first glance, a lorem ipsum generator is the rare web tool with no obvious privacy surface. You do not paste anything into it. It gives you output, you copy the output, and you move on. What could there possibly be to protect?

Plenty, as it turns out. The input to a placeholder-text generator is not text — it is everything surrounding the request. Which theme you picked. How many paragraphs you asked for. Whether you needed headings, list items, or cells to fill a specific grid. What time of day you asked, from what IP, against which Referer. For an unreleased product, those fields are not a harmless analytics signal. They are a rough sketch of what someone is about to ship.

How a typical online tool handles your input

Most server-side generators are built as small web apps with a backend route like POST /api/generate. The browser sends your options — theme, length, format — and the server returns the filler text. This is fine for the task itself, but it puts a machine in the middle that has the same observability surface as any other web app.

In a normal production deployment, the following are all possible without anyone being careless:

  • Request logs. The generation options are part of the request body or querystring. Every load balancer and framework in the path has some default about how much of that to log.
  • Analytics events. Server-side analytics pipelines commonly fire a custom event on each generation that includes the theme name, the length bucket, and the originating page.
  • Error monitoring. Services like Sentry or Rollbar often attach the full request context to an error, which means a single bug can pull weeks of generation options into a third-party dashboard.
  • CDN edge logs. If the generate endpoint is routed through a CDN, the URL path and query are available in edge-level log exports that are often retained longer than the site's own application logs.
  • Terms of service. Free tools frequently reserve the right to use "submitted content" for product improvement. For a generator, the "content" is your choice of theme.

The site operator does not need to be hostile for any of this to be true. It is what a standard web app looks like when nobody has explicitly designed for privacy.

What a generator learns about you (when it's not client-side)

Put that logging surface next to real design work and the problem sharpens.

A designer prepping mockups for an unannounced startup. Someone asks a themed generator for "fintech copy" at "landing page length" on a Tuesday night, repeatedly, over three weeks. The content of those requests is uninteresting. The pattern — fintech theme, landing-page length, end-of-quarter cadence, a single IP — describes a brand that is preparing to go live. Anyone with access to that analytics store knows more about the launch plan than most of the company's own employees do.

A developer seeding a CMS for a stealth product. Engineers often grab themed lorem ipsum when populating content models for new products. "Healthcare," "marketplace," "education" — each theme name is a fairly direct label for what the team is building. Bulk requests from a corporate IP, repeated across staging environments, draw a very legible picture.

An agency building a pitch. The exact combination of theme, tone, and length an agency chooses for a spec deck is a reasonable proxy for the client's brief. If the generator's backend is aggregating that data — even just into "popular themes this month" — it is aggregating confidential RFPs.

A journalist prototyping a layout. Reporters working on a sensitive story sometimes stub out layouts before any real text exists. The theme selection, the block counts, and the referring URL can be enough to place a newsroom on a particular topic ahead of publication.

In every one of these cases, the generator's output is not the secret. The shape of the request is.

Why client-side is a structural guarantee, not a promise

A client-side generator runs the whole thing in your browser. The site ships a fixed corpus of seed words and some JavaScript, and from there every click of "generate five paragraphs of fintech" happens entirely on your device. The options you picked never cross the network.

You can verify this without trusting anyone's claims:

  • DevTools Network. Generate text with the Network tab open. If no new request fires when you click the button, the generation is local. If a POST or GET lights up, it is not.
  • Offline mode. Load the page once, turn Wi-Fi off, and keep generating. A client-side tool keeps working indefinitely; a server-dependent one stops the moment the endpoint is unreachable.
  • Deployment shape. Static exports on S3 + CloudFront, Netlify, Vercel static, and GitHub Pages cannot process a generation request because they have no backend runtime. Response headers give the deployment away.

Loremtextgen.com is a static export. There is no generate endpoint, no theme-tracking table, and no analytics event that fires when you change the length. The word corpus and the generation logic are both in the JavaScript bundle your browser already downloaded. The act of generating text does not produce a network signal, because there is nobody on the other end of the wire to listen for it.

A short checklist for evaluating any placeholder tool

  • Does generation fire a network request? Open DevTools, click the button, and watch. Silence means local.
  • Does the tool still work offline? A quick airplane-mode test is definitive.
  • Is there a themed-generation feature? If yes, and the request goes to a server, the theme name is a data field about what you are building.
  • Does the site have login, saved projects, or API keys? Those features imply a database, which implies a different threat model than a static site.
  • What does the privacy policy say about "generation options" specifically? Most policies talk about "personal data" and ignore the options themselves, which is where the signal actually lives.
  • For genuinely sensitive work, use a local package. The npm faker family, Figma's built-in lorem plugin, or a simple offline script all give you filler text without any network round-trip at all.

The point

Placeholder text is, by definition, meaningless. The meaning is in the surrounding decisions — the theme, the length, the cadence, the timing. A generator that runs on a server sees every one of those decisions and, by default, records at least some of them. For an unannounced product, that is the one data point you were trying hardest to keep quiet.

The fix is not a stronger privacy policy. It is a different architecture. If the generation happens on your device, the shape of the request does not exist outside your browser in the first place. That is the only design that matches what the tool is actually for.

Generate placeholder text that stays on your device →