JS Recon & Secret Scanner

Inspect JavaScript files locally to find likely endpoints, possible secret-like strings, and available sourcemaps.

As of June 2026, JS Recon & Secret Scanner has users in the Developer Tools category.

Users: no change, 0%
Rating: no change, 0% (— reviews)
Reviews: no change, 0%
Version: 2.1.0, Manifest V3

History

1 snapshot

Tracking since Jun 24, 2026.

Date | Users | Rating | Reviews | Version
Jun 24, 2026 | | | | 2.1.0
Now | | | | 2.1.0

Permissions & access

Permissions: activeTab, scripting
Host access: None declared

About

JS Recon & Secret Scanner is a powerful, privacy-first Manifest V3 Chrome extension designed for developers, security researchers, and authorized penetration testers. It allows you to inspect JavaScript files loaded by the current active page to easily identify likely endpoints, possible secret-like strings, and available sourcemaps.

Unlike other scanning tools, this extension processes everything locally in your browser. It does not use external backend servers, tracking scripts, or analytics.

🛡️ CORE FEATURES:
• User-Initiated Scanning: The extension only runs when you actively click "Scan Current Page". Zero background drain.
• Endpoint Discovery: Extracts likely API routes, internal paths, form endpoints, GraphQL paths, and versioned APIs from JS bundles.
• Smart Categorization: Automatically groups findings into App Endpoints, Tracking/Analytics, Media Embeds, and Consent/Privacy to filter out the noise.
• Secret & Token Detection: Uses regex patterns to identify exposed API keys, JWTs, and tokens, complete with confidence labels and safe-masking UI.
• Sourcemap Probing: Checks if related `.js.map` files are exposed on the host.
• Memory-Safe Parsing: Uses streamed fetching and file-size caps to prevent browser crashes on massive Webpack/React bundles.

🔐 STRICT PRIVACY:
Your data never leaves your browser. 
• No data is sent to the developer.
• No analytics or tracking pixels.
• No remote logging.
• Uses minimal permissions (`activeTab` and `scripting`). Optional cross-origin permissions are only requested if you manually choose to scan third-party scripts.

⚠️ RESPONSIBLE USE:
This tool is intended for defensive security review, development debugging, and authorized testing only. Users are responsible for following all applicable laws, website terms of service, and bug bounty rules. Use this extension only on websites that you own, manage, or are explicitly authorized to test.

Technical

Version: 2.1.0
Manifest: V3
Size: 45.94 KiB
Min Chrome: 88
Languages: 1
Featured: No

Metadata

ID: gmompfcmnhnldbpofnnamlcekholkfnh
Developer ID: u0c8649e41e5f3ebc2def039f369cd733
Developer Email: [email protected]
Created: Jun 23, 2026
Last Updated (Store): Jun 23, 2026
Last Scraped: Jun 24, 2026
Website

Data sourced from the Chrome Web Store · last verified Jun 24, 2026.