DevHeaderModify Chrome request headers, safely
A minimal, local alternative to ModHeader for scoping custom HTTP request headers to development domains, with minimal permissions, no remote calls, and no third-party trust.
Why DevHeader exists
ModHeader, a popular HTTP header modification extension, was flagged as malware by Google and removed from the Microsoft Edge store in early July 2026, after researchers found dormant, encrypted domain-harvesting code in a recent build. Separately from that specific incident, its broad <all_urls> host permissions had long been flagged as a general risk, the kind of access a header tool doesn't strictly need for normal development work.
DevHeader is a personal, locally-installed alternative: a minimal extension that modifies HTTP request headers during local development, without broad permissions, remote calls, or third-party trust.
Security principles
No <all_urls>
Host access is scoped to approved domains only, via optional_host_permissions and runtime permission requests.
No network calls out
Rule data never leaves the local machine.
No remote code
Everything is bundled locally with no eval and nothing fetched dynamically.
Least privilege by default
Each rule supports session-only storage via chrome.storage.session for data you don't want to persist.
Self-auditable
The codebase is intentionally small enough to review end to end yourself.
Optional domain scoping
Attach headers only to approved development domains, or apply them globally like a traditional header tool.
See it in action


Get started
Running an app on localhost, attach headers like:
X-Tenant-ID: demo-tenant
X-Feature-Flag: new-dashboardonly when requests go to your approved development domain, or apply them globally like a traditional header tool if no domains are configured.
Chrome Web Store
Listing pending. Check back soon.