Http Header Injector
Overview
HTTP Header Injector is a lightweight, ad-free, privacy-focused browser extension that lets you add, modify, and manage custom HTTP headers on outgoing browser requests. Whether you're a web developer debugging API integrations, a QA engineer testing authentication flows, a security researcher analyzing request behavior, or a power user who needs granular control over HTTP traffic, this extension gives you a clean and intuitive interface to get the job done.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
WHAT IT DOES
Every time your browser sends an HTTP request — loading a webpage, fetching an image, calling an API — it includes a set of headers. These headers carry metadata such as authentication tokens, content types, caching directives, custom flags, and more.
HTTP Header Injector lets you define your own custom headers and inject them into every outgoing request, or selectively target specific domains. You have full control over which headers are sent, where they are sent, and when they are active.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
KEY FEATURES
● Master On/Off Switch
A single global toggle lets you enable or disable all header injection at once. When turned off, the extension does absolutely nothing — no headers are modified, no requests are intercepted. The toolbar icon changes to reflect the current state so you always know at a glance whether injection is active.
● Unlimited Custom Rules
Create as many header injection rules as you need (up to 100 active rules). Each rule defines a header name, a header value, and an optional domain filter. Rules are displayed as clean, organized cards for easy management.
● Per-Rule Enable/Disable
Each rule has its own individual toggle switch. This means you can keep rules configured but temporarily disabled without deleting them. Useful when you need to quickly switch between different header configurations during testing.
● Domain Filtering
By default, a rule applies to all outgoing requests regardless of the destination. But if you only want a header to be sent to specific websites, simply enter one or more domains in the Domain field. Supports comma-separated values for targeting multiple domains with a single rule. Leave the field empty to match all traffic.
Domain matching is smart — you can enter just the domain name (e.g., "example.com") without worrying about protocols or paths. The extension automatically strips "http://", "https://", and trailing paths.
● Real-Time Updates
Changes take effect immediately. As soon as you add, edit, enable, disable, or remove a rule, the underlying network rules are updated in real time. No need to reload pages or restart the browser.
● Clean, Modern Interface
The popup UI is designed for clarity and efficiency. A dark theme reduces eye strain during long development sessions.
Rules are presented as compact cards with clearly labeled fields. The interface is 500px wide to give you enough room to see your header names and values without scrolling horizontally.
● Visual Status Indicator
The toolbar icon and status label update in real time:
— Green icon + "ACTIVE" label when injection is enabled
— Gray icon + "OFFLINE" label when injection is disabled
● Informative Tooltips
Hover over the (?) icons to get contextual help explaining what each feature does. No need to consult external documentation.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
USE CASES
► Web Development & Debugging
Inject custom headers like X-Debug-Mode: true, X-Request-ID: test-123, or Cache-Control: no-cache to test how your server handles specific header values. Simulate different client configurations without modifying your application code.
► API Testing
Add Authorization headers (Bearer tokens, API keys) to test authenticated endpoints directly from your browser. Useful when working with REST APIs, GraphQL endpoints, or webhook integrations where you need to include specific headers.
► Authentication & Session Testing
Inject session tokens, CSRF tokens, or custom authentication headers to test different user sessions or permission levels. Switch between different auth configurations by toggling rules on and off.
► A/B Testing & Feature Flags
Send custom headers like X-Feature-Flag: new-checkout or X-Experiment: variant-b to trigger specific server-side behavior. Test different feature flag combinations without changing server configuration.
► Content Negotiation
Override Accept, Accept-Language, Accept-Encoding, or other content negotiation headers to test how your server responds to different client preferences.
► Security Testing
Inject headers like X-Forwarded-For, X-Real-IP, or custom security tokens to test how your application handles various request origins and authentication mechanisms. Verify that your server correctly validates and processes incoming headers.
► CORS & Cross-Origin Testing
Add Origin or custom headers to simulate cross-origin requests and test your server's CORS configuration.
► Load Balancer & CDN Testing
Inject headers that your infrastructure uses for routing decisions, such as X-Forwarded-Proto, X-Custom-Route, or CDN-specific directives.
► Microservices & Distributed Tracing
Add tracing headers like X-Trace-ID, X-Correlation-ID, or X-Request-ID to track requests across microservice architectures during debugging sessions.
► QA & Staging Environments
Use domain filtering to inject environment-specific headers only when accessing staging or QA servers, while keeping production traffic untouched.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HOW TO USE
1. Click the HTTP Header Injector icon in your browser toolbar to open the popup.
2. Turn on the master switch in the top-right corner. The status will change from "OFFLINE" to "ACTIVE" and the icon will turn green.
3. Click "+ Add Rule" to create a new header injection rule.
4. Fill in the fields:
— Header: The HTTP header name (e.g., X-Custom-Header, Authorization, X-Debug)
— Value: The header value (e.g., true, Bearer my-token, my-value)
— Domain: (Optional) Comma-separated list of domains to target. Leave empty to apply to all websites.
5. The rule is saved automatically as you type. Changes take effect immediately on all new requests.
6. Use the individual toggle switch on each rule card to enable or disable specific rules without deleting them.
7. Click the delete button on a rule card to permanently remove a rule you no longer need.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
EXAMPLES
Here are some common header configurations:
Header: Authorization
Value: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Domain: api.myapp.com
→ Sends a JWT token only to your API server.
Header: X-Debug-Mode
Value: true
Domain: (empty)
→ Enables debug mode on all requests to any server that supports it.
Header: X-Forwarded-For
Value: 203.0.113.50
Domain: staging.example.com
→ Simulates a specific client IP on your staging server.
Header: Accept-Language
Value: fr-FR
Domain: (empty)
→ Forces French language content negotiation on all websites.
Header: Cache-Control
Value: no-cache
Domain: mysite.com, api.mysite.com
→ Disables caching for requests to your site and its API.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PRIVACY & SECURITY
HTTP Header Injector is built with privacy as a core principle:
● No Data Collection — The extension does not collect, transmit, or share any data. Period.
● Local Storage Only — All your rules and settings are stored locally in your browser using Chrome's built-in storage API (chrome.storage.local). Nothing is sent to any external server.
● No Remote Connections — The extension makes zero network requests. It has no analytics, no telemetry, no update pings, no remote configuration.
● No Third-Party Dependencies — The extension is built with zero external libraries or frameworks. No CDN resources, no Google Fonts, no tracking pixels. The entire codebase is self-contained.
● Manifest V3 — Built on Chrome's latest extension platform (Manifest V3), which provides enhanced security through the declarativeNetRequest API. This modern API is more secure than the older webRequest API because header modifications are declared as rules rather than executed as arbitrary code.
● Minimal Permissions — The extension only requests the permissions it strictly needs:
— "storage" to save your rules locally
— "declarativeNetRequest" to modify HTTP headers
— "host_permissions: " to apply rules to any website you choose
● Open & Transparent — The extension's code is minimal and auditable. The entire logic fits in three small files (background.js, popup.js, popup.html) with no obfuscation or minification tricks that would hide behavior.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
TECHNICAL DETAILS
● Platform: Chrome Extension (Manifest V3)
● API: declarativeNetRequest (dynamic rules)
● Storage: chrome.storage.local
● Max Active Rules: 100
● Supported Resource Types: main_frame, sub_frame, stylesheet, script, image, font, object, xmlhttprequest, ping, media, websocket, webtransport, webbundle, other
● Header Operation: "set" (adds or overwrites the specified header)
● UI: Self-contained HTML/CSS/JS popup, no external dependencies
● Size: < 20 KB total package
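How the rule cards and the Domain field described above could map onto declarativeNetRequest dynamic rules, as an added example that is not the extension's own code. The card field names, the helper names, the port stripping and the list of credential-bearing headers are assumptions; the check flags a credential header that has no domain filter, since such a rule sends the value to every site the browser contacts.

```javascript
// Added example, not the extension's source; card fields and names are assumptions.
const RESOURCE_TYPES = [
  "main_frame", "sub_frame", "stylesheet", "script", "image", "font", "object",
  "xmlhttprequest", "ping", "media", "websocket", "webtransport", "webbundle", "other",
];
// Headers that usually carry credentials (assumed list).
const SENSITIVE = new Set(["authorization", "cookie", "proxy-authorization", "x-api-key"]);

// "https://API.MyApp.com/v1, mysite.com" -> ["api.myapp.com", "mysite.com"]
function normalizeDomains(field) {
  return (field || "")
    .split(",")
    .map((d) => d.trim().toLowerCase()
      .replace(/^https?:\/\//, "") // strip scheme
      .replace(/[\/?#].*$/, "")    // strip path, query, fragment
      .replace(/:\d+$/, ""))       // strip port: requestDomains takes bare hosts
    .filter((d) => d.length > 0);
}

// Turn popup rule cards into dynamic rules plus warnings for risky cards.
function buildDynamicRules(cards, masterEnabled) {
  const rules = [], warnings = [];
  if (!masterEnabled) return { rules, warnings }; // master switch off: no rules
  cards.forEach((card, i) => {
    const header = (card.header || "").trim();
    if (!card.enabled || !header) return; // disabled or incomplete card
    const domains = normalizeDomains(card.domain);
    const condition = { resourceTypes: RESOURCE_TYPES };
    if (domains.length > 0) {
      condition.requestDomains = domains; // matches these hosts and their subdomains
    } else if (SENSITIVE.has(header.toLowerCase())) {
      warnings.push(`${header}: no domain filter, value is sent to every site`);
    }
    rules.push({
      id: i + 1,
      priority: 1,
      action: { type: "modifyHeaders",
        requestHeaders: [{ header, operation: "set", value: String(card.value ?? "") }] },
      condition,
    });
  });
  return { rules, warnings };
}

// Constructed sample cards (not real tokens).
const SAMPLE_CARDS = [
  { header: "Authorization", value: "Bearer TEST", domain: "https://API.MyApp.com/v1", enabled: true },
  { header: "Cookie", value: "sid=TEST", domain: "", enabled: true },
];
```

In an extension, the returned rules array would be passed as addRules to chrome.declarativeNetRequest.updateDynamicRules.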
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FREQUENTLY ASKED QUESTIONS
Q: Does this extension work on all websites?
A: Yes. When no domain filter is set, headers are injected on all outgoing requests. You can restrict to specific domains using the Domain field.
Q: Can I inject multiple headers at once?
A: Absolutely. Create one rule per header. There is no limit to how many rules you can define (up to 100 active rules, which is Chrome's limit for dynamic declarativeNetRequest rules).
Q: Do headers persist after closing the browser?
A: Yes. All rules and the master toggle state are saved in local storage and restored when you reopen the browser.
Q: Does the extension slow down my browsing?
A: No. The extension uses Chrome's declarativeNetRequest API, which processes header modifications at the network layer natively, without any JavaScript overhead on each request. This is the most performant approach available.
Q: Can I use this to modify response headers?
A: The current version focuses on request headers (outgoing). Response header modification may be added in a future update.
Q: Does this work in Incognito mode?
A: By default, extensions are disabled in Incognito mode. You can enable it by going to chrome://extensions, finding HTTP Header Injector, clicking "Details", and toggling "Allow in Incognito".
Q: Is this compatible with Brave, Edge, or other Chromium browsers?
A: Yes. HTTP Header Injector works on any Chromium-based browser that supports Manifest V3, including Google Chrome, Brave, Microsoft Edge, Vivaldi, and Opera.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SUPPORT & FEEDBACK
If you encounter any issues or have feature requests, please use the "Support" tab on this extension's Chrome Web Store page. We appreciate your feedback and are committed to keeping this tool simple, fast, and reliable.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HTTP Header Injector — Simple. Fast. Private. Take full control of your HTTP headers.
By Refficience.com / Thomas SOUDAZ
🔐 Security Analysis
This extension hasn't been security-scanned yet.