For the complete documentation index, see llms.txt. Prefer markdown by appending.mdto documentation URLs or sendingAccept: text/markdown.
Checklist
A pre-submit security checklist for the extension: permissions, trusted origins, content scripts, and storage.
Use this checklist before submitting to Chrome Web Store, Firefox Add-ons, or Edge Add-ons, and again after permission or content-script changes. Pair it with the publishing checklist.
Permissions
- Only required permissions are declared in
wxt.config.ts -
host_permissionsare limited to your app origins (no<all_urls>) - Store privacy / permission justifications match the manifest
- Removed features no longer leave unused permissions behind
Session & origins
- Production
chrome-extension://(and other store ids) are in Better AuthtrustedOrigins - Cookie + host permissions match the production web origin
- Sign-out clears the shared session across web and extension
- Session cookies / tokens are not logged to monitoring tools
Content scripts & messaging
- Content-script
matchesare as narrow as possible - No secrets or raw session tokens in page-facing scripts
- Message handlers validate payloads before acting
- Privileged work runs in background or on the Hono API
Storage
- Extension storage holds prefs/cache only - not server secrets
- Account-related cache is cleared on sign-out when appropriate
API & process
- Sensitive actions call protected API routes (see Web security)
- Dependencies updated for known extension / bundler advisories
- Monitoring covers popup, background, and content scripts without leaking cookies
Ship with confidence
You do not need every optional hardening step on day one, but you do need least-privilege permissions, correct trusted origins, isolated content scripts, and server-side enforcement for anything sensitive.
How is this guide?
Last updated on