SecretSifter: Live Credentials & Secrets Scanner
Detects secrets, API keys, and tokens in JS, JSON, XML, and HTML at runtime
As of June 2026, SecretSifter: Live Credentials & Secrets Scanner has 82 users and a 5.00/5 rating from 2 reviews in the Developer Tools category.
- Users: 82 (up 1266.7%)
- Rating: 5.00 from 2 reviews (no change, 0%)
- Reviews: 2 (up 100.0%)
- Version: 1.1.2 (Manifest V3)
90-day change · In the last 90 days this extension had 1 version update.
History
11 snapshots. Tracking since Apr 1, 2026.
| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| Apr 1, 2026 | 6 | 5.00 | 1 | 1.1.0 |
| Apr 17, 2026 | 6 | 5.00 | 1 | 1.1.0 |
| Apr 22, 2026 | 29 | 5.00 | 1 | 1.1.0 |
| Apr 27, 2026 | 38 | 5.00 | 1 | 1.1.0 |
| May 4, 2026 | 43 | 5.00 | 2 | 1.1.0 |
| May 10, 2026 | 54 | 5.00 | 2 | 1.1.0 |
| May 15, 2026 | 65 | 5.00 | 2 | 1.1.0 |
| May 22, 2026 | 82 | 5.00 | 2 | 1.1.2 |
| May 28, 2026 | 85 | 5.00 | 2 | 1.1.2 |
| Jun 4, 2026 | 83 | 5.00 | 2 | 1.1.2 |
| Jun 10, 2026 | 80 | 5.00 | 2 | 1.1.2 |
| Now | 82 | 5.00 | 2 | 1.1.2 |
Changelog
- May 15, 2026: description changed

Before:

SecretSifter is a runtime secrets scanner built for penetration testers, bug bounty hunters, and security engineers. It automatically intercepts and scans network traffic in the active tab — JavaScript files, JSON API responses, XML responses, HTML pages, and WebSocket frames — and flags exposed secrets such as:
- API keys, Bearer tokens and JWT secrets
- Passwords and credentials in response bodies

KEY FEATURES
- T1 / T2 / T3 confidence tiers to separate real findings from noise
- WebSocket scanning — intercepts both incoming and outgoing WS frames
- CDN blocklist — skip known third-party libraries and analytics scripts automatically
- Suppressed key names — silence app-specific noise with one click
- Full findings report with severity badges (Critical / High / Medium / Low)
- Export findings to JSON, CSV, or HTML report
- Export scanned URL list (JS, JSON, HTML, XML, requests, WebSocket)
- DevTools panel + popup — works however you prefer
- Privacy-first — all findings stored locally in your browser; the only external call is an optional Google Maps API key validation probe sent directly to Google

DESIGNED FOR SECURITY PROFESSIONALS
Scanning is opt-in per tab. No accounts, no telemetry, no developer-controlled servers.

After:

SecretSifter is a runtime secrets scanner built for penetration testers, bug bounty hunters, and security engineers. It automatically intercepts and scans network traffic in the active tab — JavaScript files, JSON API responses, XML responses, HTML pages, and WebSocket frames — and flags exposed secrets such as:
- API keys, Bearer tokens, JWT secrets and Encrypted CryptoJS blobs
- Passwords and credentials in response bodies

KEY FEATURES
- T1 / T2 / T3 confidence tiers to separate real findings from noise
- WebSocket scanning — intercepts both incoming and outgoing WS frames
- CDN blocklist — skip known third-party libraries and analytics scripts automatically
- Suppressed key names — silence app-specific noise with one click
- Full findings report with severity badges (Critical / High / Medium / Low)
- Export findings to JSON, CSV, or HTML report
- Export scanned URL list (JS, JSON, HTML, XML, requests, WebSocket)
- DevTools panel + popup — works however you prefer
- Privacy-first — all findings stored locally in your browser; the only external call is an optional Google Maps API key validation probe sent directly to Google

HOW TO USE IT
1. Enable scanning on a tab
   Open the target site, click the SecretSifter toolbar icon, toggle "Scanning: ON". The setting is per-domain and persists across reloads.
2. Browse the app
   Findings appear live as the page (and its lazy-loaded chunks) execute. Each finding shows the rule that fired, severity, masked value, source URL, and line number.
3. Triage findings
   - Popup — quick view of total count and severity breakdown; toggle masking, copy values, export.
   - DevTools panel — open DevTools, click the "SecretSifter" tab. Full table with rule/severity/status filters, search, JSON copy.
   - Full Report page — click the toolbar icon, then "Open Full Report". Sortable cards with positive/negative classification signals, per-finding edit (severity, tier, delete), and detailed export.
4. Export
   JSON, CSV, or standalone HTML report — available from the popup or report page.

SETTINGS & CUSTOMIZATION
Right-click the toolbar icon → "Options" (or open Settings from the popup):
- CDN blocklist — domains whose URLs are ignored as findings (Google Fonts, Datadog, Segment, etc. preloaded)
- Noise keys — common variable names that frequently cause false positives (preloaded, editable)
- Custom rules — define your own regex patterns

v1.1.2:
- Added 11 additional vendor patterns
- Detection accuracy improvements

DESIGNED FOR SECURITY PROFESSIONALS
Scanning is opt-in per tab. No accounts, no telemetry, no developer-controlled servers.
Permissions & access
- Permissions: debugger, tabs, storage
- Host access: <all_urls>
Technical
- Version: 1.1.2
- Manifest: V3
- Size: 113KiB
- Min Chrome: 88
- Languages: 1
- Featured: No
Metadata
- ID: okjoofmgkkgopigaipccailblmpcchjo
- Developer ID: u60138743ddf4ff6571d2e9a73965de1e
- Developer Email: [email protected]
- Created: Mar 27, 2026
- Last Updated (Store): May 11, 2026
- Last Scraped: Jun 10, 2026
- Website: —
- Support URL: —
Data sourced from the Chrome Web Store · last verified Jun 10, 2026.