No bundled code phones home
Header lifecycle logic lives in one reviewable module. It only ever talks to Chrome's declarativeNetRequest API and local storage — never an external endpoint.
Chrome extension security incident — July 2026
On July 3, 2026, Microsoft removed ModHeader — Modify HTTP Headers (roughly 1.6M combined Chrome/Edge installs) from the Edge Add-ons store after Google flagged it as malware. Independent researchers who examined build 7.0.18 found a hidden module, disguised as a date-formatting library, capable of collecting the domains you visit and preparing a daily encrypted upload to an external endpoint. Researchers noted the collector was dormant in the build they tested and found no confirmed evidence of data leaving a test profile — see the sources below for the full technical analysis.
Built for the same job — attaching headers to matching requests — with a narrower, inspectable data path.
Header lifecycle logic lives in one reviewable module. It only ever talks to Chrome's declarativeNetRequest API and local storage — never an external endpoint.
Captured header values are shown in plain text in the popup and management screen, so you can see exactly what would be attached instead of trusting a black box.
Profiles, captured values, session state, and audit logs are never transmitted anywhere. See the privacy policy for details.
Capture and attachment only run for the target origins you enable on an active profile; everything else is ignored.
Header Relay doesn't import another extension's settings — recreating a setup is quick.
Add the target origin(s) you were using before.
Anything you always sent — API keys, client IDs — becomes a Fixed Header.
Manually copying a session token or trace ID between requests? Add it as a Captured Header and Header Relay reattaches it automatically.
No. Browser extension supply-chain compromises have hit multiple tools, not just one. Treat any extension with broad host permissions and an opaque update process as a risk, and prefer ones whose data handling you can verify yourself.
No. Profiles, captured values, session state, and audit logs remain in the local Chrome profile unless you choose to export or disclose them.
Yes — inspect network requests in Chrome DevTools while Header Relay is enabled, or read the published privacy policy and permission justifications.
Header Relay is not affiliated with ModHeader or its developer. The information above reflects third-party security research published in July 2026 — consult the linked sources for the full technical analysis.