-
Notifications
You must be signed in to change notification settings - Fork 0
FAQ
Common questions and answers about ModHead.
ModHead is a Chrome extension that allows you to modify HTTP request headers dynamically based on user-defined rules. It uses Chrome's Manifest V3 declarativeNetRequest API for efficient and secure header modification.
ModHead uses the modern Manifest V3 architecture, which provides:
- Better performance through declarative rules
- Enhanced security with limited permissions
- Chrome's native support for rule-based modifications
- Support for variables and auto-refresh tokens
ModHead modifies headers for URLs that match your configured rules. It works on all websites where Chrome's declarativeNetRequest API is allowed, which includes most websites.
Exception: Chrome Web Store and some Chrome internal pages (chrome://) do not allow extensions to modify headers.
Yes! ModHead is an open-source project. You can view the source code, contribute, or report issues on GitHub.
storage.sync API.
Security implications:
- Data is NOT encrypted
- Data syncs across all Chrome browsers signed into your Google account
- Any extension with storage permissions could potentially access this data
- Data is stored locally on your device(s)
Recommendations:
- Don't store production credentials in ModHead
- Use development/staging tokens when possible
- Leverage auto-refresh to use short-lived tokens
- Mark sensitive variables as "Sensitive" to hide them in the UI (this only masks the display, it doesn't encrypt the value)
- Regularly rotate your tokens and API keys
- Be cautious when sharing your Chrome profile or screenshots
The "Sensitive" flag masks the variable value in the UI, displaying it as •••••••• instead of plain text.
What it does:
- Hides the value in the options page
- Prevents shoulder-surfing
- Helps avoid accidental exposure in screenshots
What it does NOT do:
- Encrypt the value in storage
- Protect against malicious extensions
- Prevent syncing to other devices
ModHead is designed for development and testing purposes. While it's technically possible to use it in production scenarios, we strongly recommend against it due to:
- Plain text storage of credentials
- Manual configuration requirements
- Potential for misconfiguration
- Security risks
For production:
- Use proper authentication flows in your application code
- Store credentials in secure vaults (AWS Secrets Manager, HashiCorp Vault, etc.)
- Implement token refresh logic in your backend
- Follow security best practices for your specific use case
ModHead does NOT collect, transmit, or share any user data. All configuration is stored locally in Chrome's storage and optionally synced via your Google account (if Chrome sync is enabled).
Possible causes and solutions:
-
Rule is disabled
- Check that the rule toggle is ON
- Disabled rules don't modify headers
-
URL pattern doesn't match
- Verify the target domain matches the request URL
- Check the match type (startsWith, endsWith, equals)
- Test with a simpler pattern first
-
Rule hasn't been saved
- Make sure you clicked "Save" after editing
- Check if the rule appears in the rules list
-
Browser cache
- Clear your browser cache
- Try in an Incognito window
- Reload the page after saving rules
-
Chrome Web Store pages
- Extensions cannot modify headers on Chrome Web Store or
chrome://pages
- Extensions cannot modify headers on Chrome Web Store or
Debugging steps:
- Open Chrome DevTools (F12)
- Go to Network tab
- Make a request to your target URL
- Check the request headers
- Verify your headers are present
Problem: Header shows ${variableName} instead of the actual value.
Solutions:
-
Variable doesn't exist
- Check spelling (case-sensitive)
- Verify the variable exists in the Variables section
-
Syntax error
- Correct:
${variableName} - Incorrect:
$variableName,{variableName},${ variableName }(extra spaces)
- Correct:
-
Variable not saved
- Ensure you saved the variable after creating/editing it
Problem: Variable value doesn't update when clicking refresh.
Solutions:
-
Check the refresh URL
- Verify the URL is correct and accessible
- Test the endpoint with curl or Postman
-
Verify HTTP method and headers
- Ensure the method (GET, POST, etc.) is correct
- Check that required headers are included
-
Check response transformation
- Verify the transform path matches the response structure
- Use
$responseto see the full response - Check for typos in the path (case-sensitive)
-
Check for errors
- Open the browser console (F12)
- Look for error messages
- Check the Network tab for failed requests
-
CORS issues
- The refresh request must allow cross-origin requests from the extension
- Contact your API provider if CORS is blocking the request
Solutions:
-
Check Chrome extensions page
- Go to
chrome://extensions/ - Verify ModHead is installed and enabled
- Go to
-
Reload the extension
- Click the reload icon on the extension card
-
Check for errors
- Look for errors on the extension card
- Click "Errors" if available to see details
-
Reinstall the extension
- Remove ModHead
- Reinstall from source or Chrome Web Store
Solutions:
-
Check theme setting
- Click the theme toggle in the options page
- Try switching between Light, Dark, and Auto
-
Clear cache
- Clear browser cache
- Reload the options page
-
Auto mode
- If set to Auto, theme follows your system settings
- Change your OS theme to test
-
No automatic time-based refresh
- Currently, auto-refresh is triggered manually
- Future versions may support time-based automatic refresh
-
Tab URL filtering not fully implemented
- The UI allows configuring tab URL filters
- The background worker doesn't currently apply this filter
- Will be implemented in future versions
-
No conditional logic
- Cannot use if/else or other conditional logic in rules
- Cannot dynamically enable/disable rules based on conditions
-
No request body modification
- ModHead only modifies headers, not request bodies
- Cannot intercept or modify POST data
-
No response header modification
- Only modifies request headers
- Cannot modify response headers from the server
-
Plain text storage
- No encryption for stored variables and rules
- See Security section for details
-
Chrome rule limits
- Maximum 5,000 dynamic declarativeNetRequest rules
- Each header modification = 1 rule
- In practice, this limit is rarely reached
No, ModHead only modifies request headers (headers sent from the browser to the server).
Workarounds:
- Configure your server to send the desired response headers
- Use a local proxy that can modify response headers
- Use browser DevTools to override response headers for testing
No, ModHead only modifies headers, not request bodies.
Workarounds:
- Modify the request in your application code
- Use a local proxy that can modify request bodies
- Use tools like Postman for testing specific payloads
By default, Chrome extensions are disabled in Incognito mode.
To enable in Incognito:
- Go to
chrome://extensions/ - Find ModHead
- Click "Details"
- Enable "Allow in Incognito"
Note: Your rules and variables will still be available in Incognito mode if you enable this setting.
Rules are applied in real-time as Chrome makes network requests.
Application flow:
- You save a rule in ModHead
- ModHead updates Chrome's declarativeNetRequest rules
- Chrome applies the rules to matching network requests
- Headers are modified before the request is sent
No reload required: Rules take effect immediately for new requests.
Yes, rules apply to all request types, including:
- Main frames (page loads)
- Sub-frames (iframes)
- XHR (AJAX requests)
- Fetch API requests
- Script loads
- Stylesheet loads
- Image loads
- And all other resource types
If multiple rules match the same URL, all matching rules are applied.
Example:
Rule 1:
- Target:
api.example.com - Header:
X-API-Key: key123
Rule 2:
- Target:
api.example.com - Header:
Authorization: Bearer token456
Request to api.example.com/users:
X-API-Key: key123
Authorization: Bearer token456
Both headers are added.
If headers conflict:
- Chrome will apply rules in order of rule ID
- The last matching rule wins for a specific header name
Best practice: Avoid creating conflicting rules.
No, disabled rules do not modify headers. Toggle a rule OFF to temporarily disable it without deleting the configuration.
Architecture:
-
Options UI (React)
- User interface for managing rules and variables
- Stores configuration in Chrome storage
-
Background Service Worker
- Listens for storage changes
- Converts user rules to Chrome
declarativeNetRequestrules - Updates Chrome's dynamic rules
-
Chrome declarativeNetRequest API
- Native Chrome API for efficient rule-based modifications
- Applies header modifications without extension overhead
Data flow:
User creates rule → Saved to storage → Background worker notified
→ Converts to Chrome rules → Chrome applies rules to requests
startsWith:
- Pattern:
api.example.com - Matches:
api.example.com,api.example.com/users,api.example.com/products/123 - Doesn't match:
www.api.example.com,example.com/api
endsWith:
- Pattern:
.json - Matches:
api.example.com/data.json,example.com/config.json - Doesn't match:
example.com/data.xml,example.com/json
equals:
- Pattern:
api.example.com/auth/login - Matches:
api.example.com/auth/login(exact match only) - Doesn't match:
api.example.com/auth/login?redirect=/home
ModHead generates unique rule IDs using this formula:
RULE_ID_OFFSET + (ruleIndex * 100) + headerIndex
Where:
RULE_ID_OFFSET = 1000-
ruleIndex= position of the rule in the rules array -
headerIndex= position of the header within that rule
Example:
- Rule 0, Header 0 = ID 1000
- Rule 0, Header 1 = ID 1001
- Rule 1, Header 0 = ID 1100
This ensures unique IDs and allows up to 100 headers per rule.
Currently, ModHead doesn't have a built-in export/import feature.
Workaround:
- Open Chrome DevTools console on the options page
- Run:
chrome.storage.sync.get('modhead_settings', console.log) - Copy the JSON output
- To import, run:
chrome.storage.sync.set({modhead_settings: YOUR_JSON_HERE})
Note: Be careful when manually editing storage. Invalid JSON will break ModHead.
Future feature: Export/import UI may be added in future versions.
ModHead is currently designed for Chrome and Chromium-based browsers (Edge, Brave, etc.).
Compatibility:
- ✅ Chrome
- ✅ Microsoft Edge
- ✅ Brave
- ✅ Other Chromium-based browsers
- ❌ Firefox (uses different extension APIs)
- ❌ Safari (different extension architecture)
For Firefox/Safari: A port would require significant changes to use their respective APIs.
If your question isn't answered here:
-
Check the documentation:
-
Open an issue on GitHub with:
- Detailed description of the problem
- Steps to reproduce
- Expected vs actual behavior
- Screenshots if applicable
-
Check existing GitHub issues for similar questions