HTTP Header Injector

About

HTTP Header Injector is a lightweight, NO ADs, privacy-focused browser extension that lets you add, modify, and manage custom HTTP headers on outgoing browser requests. Whether you're a web developer debugging API integrations, a QA engineer testing authentication flows, a security researcher analyzing request behavior, or a power user who needs granular control over HTTP traffic, this extension gives you a clean and intuitive interface to get the job done.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  WHAT IT DOES

  Every time your browser sends an HTTP request — loading a webpage, fetching an image, calling an API — it includes a set of headers. These headers carry metadata such as authentication tokens, content types, caching directives, custom flags, and more.

  HTTP Header Injector lets you define your own custom headers and inject them into every outgoing request, or selectively target specific domains. You have full control over which headers are sent, where they are sent, and when they are active.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  KEY FEATURES

  ● Master On/Off Switch
  A single global toggle lets you enable or disable all header injection at once. When turned off, the extension does absolutely nothing — no headers are modified, no requests are intercepted. The toolbar icon changes to reflect the current state so you always know at a glance whether injection is active.

  ● Unlimited Custom Rules
  Create as many header injection rules as you need (up to 100 active rules). Each rule defines a header name, a header value, and an optional domain filter. Rules are displayed as clean, organized cards for easy management.

  ● Per-Rule Enable/Disable
  Each rule has its own individual toggle switch. This means you can keep rules configured but temporarily disabled without deleting them. Useful when you need to quickly switch between different header configurations during testing.

  ● Domain Filtering
  By default, a rule applies to all outgoing requests regardless of the destination. But if you only want a header to be  sent to specific websites, simply enter one or more domains in the Domain field. Supports comma-separated values for targeting multiple domains with a single rule. Leave the field empty to match all traffic.

  Domain matching is smart — you can enter just the domain name (e.g., "example.com") without worrying about protocols or paths. The extension automatically strips "http://", "https://", and trailing paths.

  ● Real-Time Updates
  Changes take effect immediately. As soon as you add, edit, enable, disable, or remove a rule, the underlying network  rules are updated in real time. No need to reload pages or restart the browser.

  ● Clean, Modern Interface
  The popup UI is designed for clarity and efficiency. A dark theme reduces eye strain during long development sessions.
   Rules are presented as compact cards with clearly labeled fields. The interface is 500px wide to give you enough room  to see your header names and values without scrolling horizontally.

  ● Visual Status Indicator
  The toolbar icon and status label update in real time:
    — Green icon + "ACTIVE" label when injection is enabled
    — Gray icon + "OFFLINE" label when injection is disabled

  ● Informative Tooltips
  Hover over the (?) icons to get contextual help explaining what each feature does. No need to consult external documentation.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  USE CASES

  ► Web Development & Debugging
  Inject custom headers like X-Debug-Mode: true, X-Request-ID: test-123, or Cache-Control: no-cache to test how your server handles specific header values. Simulate different client configurations without modifying your application
  code.

  ► API Testing
  Add Authorization headers (Bearer tokens, API keys) to test authenticated endpoints directly from your browser. Useful  when working with REST APIs, GraphQL endpoints, or webhook integrations where you need to include specific headers.

  ► Authentication & Session Testing
  Inject session tokens, CSRF tokens, or custom authentication headers to test different user sessions or permission levels. Switch between different auth configurations by toggling rules on and off.

  ► A/B Testing & Feature Flags
  Send custom headers like X-Feature-Flag: new-checkout or X-Experiment: variant-b to trigger specific server-side behavior. Test different feature flag combinations without changing server configuration.

  ► Content Negotiation
  Override Accept, Accept-Language, Accept-Encoding, or other content negotiation headers to test how your server responds to different client preferences.

  ► Security Testing
  Inject headers like X-Forwarded-For, X-Real-IP, or custom security tokens to test how your application handles various  request origins and authentication mechanisms. Verify that your server correctly validates and processes incoming headers.

  ► CORS & Cross-Origin Testing
  Add Origin or custom headers to simulate cross-origin requests and test your server's CORS configuration.

  ► Load Balancer & CDN Testing
  Inject headers that your infrastructure uses for routing decisions, such as X-Forwarded-Proto, X-Custom-Route, or CDN-specific directives.

  ► Microservices & Distributed Tracing
  Add tracing headers like X-Trace-ID, X-Correlation-ID, or X-Request-ID to track requests across microservice architectures during debugging sessions.

  ► QA & Staging Environments
  Use domain filtering to inject environment-specific headers only when accessing staging or QA servers, while keeping
  production traffic untouched.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  HOW TO USE

  1. Click the HTTP Header Injector icon in your browser toolbar to open the popup.
  2. Turn on the master switch in the top-right corner. The status will change from "OFFLINE" to "ACTIVE" and the icon
  will turn green.
  3. Click "+ Add Rule" to create a new header injection rule.
  4. Fill in the fields:
  — Header: The HTTP header name (e.g., X-Custom-Header, Authorization, X-Debug)
  — Value: The header value (e.g., true, Bearer my-token, my-value)
  — Domain: (Optional) Comma-separated list of domains to target. Leave empty to apply to all websites.
  5. The rule is saved automatically as you type. Changes take effect immediately on all new requests.
  6. Use the individual toggle switch on each rule card to enable or disable specific rules without deleting them.
  7. Click the delete button on a rule card to permanently remove a rule you no longer need.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  EXAMPLES

  Here are some common header configurations:

  Header: Authorization
  Value: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
  Domain: api.myapp.com
  → Sends a JWT token only to your API server.

  Header: X-Debug-Mode
  Value: true
  Domain: (empty)
  → Enables debug mode on all requests to any server that supports it.

  Header: X-Forwarded-For
  Value: 203.0.113.50
  Domain: staging.example.com
  → Simulates a specific client IP on your staging server.

  Header: Accept-Language
  Value: fr-FR
  Domain: (empty)
  → Forces French language content negotiation on all websites.

  Header: Cache-Control
  Value: no-cache
  Domain: mysite.com, api.mysite.com
  → Disables caching for requests to your site and its API.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  PRIVACY & SECURITY

  HTTP Header Injector is built with privacy as a core principle:

  ● No Data Collection — The extension does not collect, transmit, or share any data. Period.

  ● Local Storage Only — All your rules and settings are stored locally in your browser using Chrome's built-in storage  API (chrome.storage.local). Nothing is sent to any external server.

  ● No Remote Connections — The extension makes zero network requests. It has no analytics, no telemetry, no update pings, no remote configuration.

  ● No Third-Party Dependencies — The extension is built with zero external libraries or frameworks. No CDN resources,  no Google Fonts, no tracking pixels. The entire codebase is self-contained.

  ● Manifest V3 — Built on Chrome's latest extension platform (Manifest V3), which provides enhanced security through the declarativeNetRequest API. This modern API is more secure than the older webRequest API because header modifications are declared as rules rather than executed as arbitrary code.

  ● Minimal Permissions 
— The extension only requests the permissions it strictly needs:
    — "storage" to save your rules locally
    — "declarativeNetRequest" to modify HTTP headers
    — "host_permissions: " to apply rules to any website you choose

  ● Open & Transparent — The extension's code is minimal and auditable. The entire logic fits in three small files  (background.js, popup.js, popup.html) with no obfuscation or minification tricks that would hide behavior.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  TECHNICAL DETAILS

  ● Platform: Chrome Extension (Manifest V3)
  ● API: declarativeNetRequest (dynamic rules)
  ● Storage: chrome.storage.local
  ● Max Active Rules: 100
  ● Supported Resource Types: main_frame, sub_frame, stylesheet, script, image, font, object, xmlhttprequest, ping,
  media, websocket, webtransport, webbundle, other
  ● Header Operation: "set" (adds or overwrites the specified header)
  ● UI: Self-contained HTML/CSS/JS popup, no external dependencies
  ● Size: < 20 KB total package

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  FREQUENTLY ASKED QUESTIONS

  Q: Does this extension work on all websites?
  A: Yes. When no domain filter is set, headers are injected on all outgoing requests. You can restrict to specific domains using the Domain field.

  Q: Can I inject multiple headers at once?
  A: Absolutely. Create one rule per header. There is no limit to how many rules you can define (up to 100 active rules, which is Chrome's limit for dynamic declarativeNetRequest rules).

  Q: Do headers persist after closing the browser?
  A: Yes. All rules and the master toggle state are saved in local storage and restored when you reopen the browser.

  Q: Does the extension slow down my browsing?
  A: No. The extension uses Chrome's declarativeNetRequest API, which processes header modifications at the network layer natively, without any JavaScript overhead on each request. This is the most performant approach available.

  Q: Can I use this to modify response headers?
  A: The current version focuses on request headers (outgoing). Response header modification may be added in a future update.

  Q: Does this work in Incognito mode?
  A: By default, extensions are disabled in Incognito mode. You can enable it by going to chrome://extensions, finding  HTTP Header Injector, clicking "Details", and toggling "Allow in Incognito".

  Q: Is this compatible with Brave, Edge, or other Chromium browsers?
  A: Yes. HTTP Header Injector works on any Chromium-based browser that supports Manifest V3, including Google Chrome, Brave, Microsoft Edge, Vivaldi, and Opera.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  SUPPORT & FEEDBACK

  If you encounter any issues or have feature requests, please use the "Support" tab on this extension's Chrome Web   Store page. We appreciate your feedback and are committed to keeping this tool simple, fast, and reliable.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

HTTP Header Injector — Simple. Fast. Private. Take full control of your HTTP headers.
By Refficience.com / Thomas SOUDAZ