DevHeaderModify Chrome request headers, safely

A minimal, local alternative to ModHeader for scoping custom HTTP request headers to development domains, with minimal permissions, no remote calls, and no third-party trust.

Why DevHeader exists

ModHeader, a popular HTTP header modification extension, was flagged as malware by Google and removed from the Microsoft Edge store in early July 2026, after researchers found dormant, encrypted domain-harvesting code in a recent build. Separately from that specific incident, its broad <all_urls> host permissions had long been flagged as a general risk, the kind of access a header tool doesn't strictly need for normal development work.

DevHeader is a personal, locally-installed alternative: a minimal extension that modifies HTTP request headers during local development, without broad permissions, remote calls, or third-party trust.

Security principles

No <all_urls>

Host access is scoped to approved domains only, via optional_host_permissions and runtime permission requests.

No network calls out

Rule data never leaves the local machine.

No remote code

Everything is bundled locally with no eval and nothing fetched dynamically.

Least privilege by default

Each rule supports session-only storage via chrome.storage.session for data you don't want to persist.

Self-auditable

The codebase is intentionally small enough to review end to end yourself.

Optional domain scoping

Attach headers only to approved development domains, or apply them globally like a traditional header tool.

See it in action

DevHeader popup showing the Header Rules tab with six request headers configured
Add, edit, and toggle header rules — name, value, target, and action per row
DevHeader popup showing the Domains tab with five scoped domain patterns
Scope rules to specific domains, with per-domain enable and access status

Get started

Running an app on localhost, attach headers like:

X-Tenant-ID: demo-tenant
X-Feature-Flag: new-dashboard

only when requests go to your approved development domain, or apply them globally like a traditional header tool if no domains are configured.

Chrome Web Store

Listing pending. Check back soon.