A free, open-source Chrome extension to modify HTTP request and response headers, inject cookies and query parameters, and redirect requests — built for frontend developers and API testing.
Built on Manifest V3 and the declarativeNetRequest API: the browser applies
your rules natively, so the extension never reads, intercepts, or forwards any
of your traffic. No dependencies, no build step, no network calls, no
analytics — see PRIVACY.md. The entire extension is a handful of
plain-JS files you can audit in one sitting.
- Request headers — set, append, or remove headers on outgoing requests
(e.g.
Authorization,X-Forwarded-For, customX-*headers). - Response headers — set, append, or remove headers on responses
(e.g.
Access-Control-Allow-Originfor CORS testing). - Cookies — append
name=valuepairs to the outgoingCookieheader without touching the browser's stored cookies. - Redirects — map matching URLs to another URL, e.g. point a production
script at
http://localhost:3000. Wildcard patterns or RE2 regexes with\1backreferences in the target. - Query parameters — add/replace or remove query params on matching URLs
(e.g. force
?debug=1everywhere). - URL filters — include filters restrict modifications to matching URLs
(
*wildcards, e.g.*://api.example.com/*); exclude filters carve out URLs that must never be touched. - Tab scoping — optionally pin a profile to specific tabs so the rest of your browsing is untouched.
- Value placeholders —
{{timestamp}},{{isodate}},{{uuid}},{{random}}in header/cookie/param values and redirect targets. Resolved each time rules are rebuilt (any settings change), not per request — an MV3 platform limit. - Profiles — create, rename, and switch between independent rule sets.
- Per-row toggle and a global pause button.
- Badge counter showing how many modifications are currently active.
- Export / import profiles as JSON.
- Open
chrome://extensionsin Chrome (oredge://extensions,brave://extensions). - Enable Developer mode (top-right toggle).
- Click Load unpacked and select this folder.
- Pin HeaderMod to the toolbar and click its icon to add headers.
- Changes apply immediately (saves are debounced ~250 ms after you stop typing).
- The Remove operation deletes the header from the request/response; the value field is ignored.
- Some headers are protected by the browser and cannot be modified by any
extension (e.g.
Host,Content-Length, certainSec-*headers). - URL filter patterns use Chrome's
urlFilter syntax:
plain substrings match anywhere,
*matches anything,||anchors to a domain,^matches a separator character. - Regex redirects use RE2 syntax; lookaheads/lookbehinds are not supported.
- Tab pins live for the browser session only — tab ids don't survive a restart, so pinned tabs are cleared on startup. Tab-scoped rules use session rules under the hood.
- Cookies are appended to the
Cookieheader on the wire only; they don't appear in DevTools' Application tab ordocument.cookie. - Exported profile JSON contains your header values verbatim — including any auth tokens. Treat exports as secrets and strip them before sharing.
| File | Purpose |
|---|---|
manifest.json |
MV3 manifest |
background.js |
Service worker: converts state into dynamic DNR rules |
shared.js |
State model + rule builder shared by worker and popup |
popup.html/css/js |
The toolbar popup UI |
icons/ |
Extension icons |
tests/ |
Unit tests (node --test tests/shared.test.js) |
Contributions are welcome — see CONTRIBUTING.md for the dev setup (there is none, really: load the folder unpacked and edit) and guidelines. Security issues go to SECURITY.md, not the public issue tracker.
HeaderMod is free and always will be. If it has been useful to you and you'd like to support its development, you can buy me a coffee. ☕
MIT — free to use, modify, and distribute.