Header Relay

Chrome extension security incident — July 2026

Looking for a ModHeader alternative after the malware flag?

On July 3, 2026, Microsoft removed ModHeader — Modify HTTP Headers (roughly 1.6M combined Chrome/Edge installs) from the Edge Add-ons store after Google flagged it as malware. Independent researchers who examined build 7.0.18 found a hidden module, disguised as a date-formatting library, capable of collecting the domains you visit and preparing a daily encrypted upload to an external endpoint. Researchers noted the collector was dormant in the build they tested and found no confirmed evidence of data leaving a test profile — see the sources below for the full technical analysis.

What Header Relay does differently.

Built for the same job — attaching headers to matching requests — with a narrower, inspectable data path.

No bundled code phones home

Header lifecycle logic lives in one reviewable module. It only ever talks to Chrome's declarativeNetRequest API and local storage — never an external endpoint.

Captured values stay visible

Captured header values are shown in plain text in the popup and management screen, so you can see exactly what would be attached instead of trusting a black box.

Nothing leaves your machine

Profiles, captured values, session state, and audit logs are never transmitted anywhere. See the privacy policy for details.

Scoped by design

Capture and attachment only run for the target origins you enable on an active profile; everything else is ignored.

Switching over takes three steps.

Header Relay doesn't import another extension's settings — recreating a setup is quick.

01

Create a profile

Add the target origin(s) you were using before.

02

Re-add fixed headers

Anything you always sent — API keys, client IDs — becomes a Fixed Header.

03

Automate what you were copy-pasting

Manually copying a session token or trace ID between requests? Add it as a Captured Header and Header Relay reattaches it automatically.

Questions before you switch.

Is this the only extension affected by this kind of issue?

No. Browser extension supply-chain compromises have hit multiple tools, not just one. Treat any extension with broad host permissions and an opaque update process as a risk, and prefer ones whose data handling you can verify yourself.

Does Header Relay send data to an external server?

No. Profiles, captured values, session state, and audit logs remain in the local Chrome profile unless you choose to export or disclose them.

Can I verify that myself?

Yes — inspect network requests in Chrome DevTools while Header Relay is enabled, or read the published privacy policy and permission justifications.

Sources

Header Relay is not affiliated with ModHeader or its developer. The information above reflects third-party security research published in July 2026 — consult the linked sources for the full technical analysis.