Kenny Hietbrink

HeaderForge

HeaderForge: modify HTTP request and response headers in any Chromium browser (Edge, Chrome, Brave, ...). Per-site or global, toggleable, local-only.

0
0
0
JavaScript
public
View on GitHub

HeaderForge

A lightweight extension for Chromium browsers (Edge, Chrome, Brave, Opera, Vivaldi, …) to
modify HTTP request and response headers without spinning up a proxy. Headers are remembered,
can be toggled per header and per profile, and apply either globally or per site. All
configuration stays local to your browser.

Built on Manifest V3 with the modern declarativeNetRequest API, so it stays lean and avoids the
instability that some older header extensions hit after the MV3 transition.

Manifest V3
Chromium
License: MIT

Features

  • Modify both request and response headers.
  • Three operations per header: Set (replace or create), Append (add to multi-value headers),
    and Remove (delete).
  • Two scopes per profile: Global (every site) or Per site (one or more domains, subdomains
    included).
  • Toggle individual headers, whole profiles, or everything at once with a master switch.
  • Settings are stored locally with chrome.storage.local. No account sync, no telemetry.
  • Built-in help and an inline warning when Append is used on an unsupported request header.

Screenshot

HeaderForge

Installation

This extension is loaded unpacked (no store listing required).

  1. Download the latest release zip, or clone the repository:
    git clone https://github.com/dev/headerforge.git
  2. If you downloaded a zip, unzip it to a permanent folder (the browser loads the extension from
    this folder, so do not move or delete it afterwards).
  3. Open the extensions page of your Chromium browser:
    • Edge: edge://extensions
    • Chrome: chrome://extensions
    • Brave: brave://extensions (and similar for other Chromium browsers)
  4. Enable Developer mode.
  5. Click Load unpacked and select the headerforge folder (the one containing
    manifest.json).
  6. Optionally pin it to the toolbar.

Usage

Click the toolbar icon to open the popup.

  • Master switch (top right): turns all rules on or off without losing your profiles.
  • + New profile: each profile has a name, an on/off toggle, and a scope (Global or
    Per site). For Per site, enter one or more comma-separated domains.
  • + Header: each row has an on/off checkbox, a direction (Request / Response), an operation
    (Set / Append / Remove), a name, and a value.

Changes save and apply automatically. Click the ? button for inline help on the options.

Examples

Goal Scope Operation Name Value
Send a bearer token to an API Per site api.example.com Set Authorization Bearer eyJ...
Strip CSP for testing Per site Remove (response) Content-Security-Policy (none)
Custom debug header everywhere Global Set X-Debug 1
Spoof a forwarding IP Per site Set X-Forwarded-For 127.0.0.1

How it works

  • Manifest V3 + declarativeNetRequest. On every change, all dynamic rules are removed and rebuilt
    from the stored config, so storage and active rules never drift apart.
  • A service worker re-applies the rules on install and on startup as a safety net.
  • Configuration lives in chrome.storage.local, scoped to the current browser only.

Limitations

  • Append on request headers is only supported for a fixed allowlist (accept, accept-encoding,
    accept-language, access-control-request-headers, cache-control, connection, content-language,
    cookie, forwarded, if-match, if-none-match, keep-alive, range, te, trailer, transfer-encoding,
    upgrade, user-agent, via, want-digest, x-forwarded-for). For other request headers, use Set. The
    UI warns you. Response headers have no such limit.
  • No conditional logic. declarativeNetRequest cannot read an existing header value, so
    “replace X only if it equals Y” is not possible. Use a full proxy for that.
  • Browser-managed headers. A few headers are controlled by the network stack and may not be
    overridable depending on the Chromium version.
  • Privacy. Header values, including any tokens or credentials, are stored locally in plaintext,
    the same as comparable tools.

Project structure

headerforge/
  manifest.json     Manifest V3 definition
  rules.js          Storage + DNR rule building (the core)
  background.js     Service worker, reconciles rules on install/startup
  popup.html        Popup markup
  popup.css         Popup styling
  popup.js          Popup logic
  icons/            16 / 48 / 128 px icons

After editing code, reload the extension from your browser’s extensions page. Errors show up via the
Service worker link (DevTools console).

Contributing

Issues and pull requests are welcome. Keep the extension dependency-free and the permission
footprint minimal (declarativeNetRequest, storage, and host access only).

License

MIT. See LICENSE.

v0.3.3[beta]