For the complete documentation index, see llms.txt. Prefer markdown by appending .md to documentation URLs or sending Accept: text/markdown.

Checklist

A pre-submit security checklist for the extension: permissions, trusted origins, content scripts, and storage.

Use this checklist before submitting to Chrome Web Store, Firefox Add-ons, or Edge Add-ons, and again after permission or content-script changes. Pair it with the publishing checklist.

Permissions

  • Only required permissions are declared in wxt.config.ts
  • host_permissions are limited to your app origins (no <all_urls>)
  • Store privacy / permission justifications match the manifest
  • Removed features no longer leave unused permissions behind

Session & origins

  • Production chrome-extension:// (and other store ids) are in Better Auth trustedOrigins
  • Cookie + host permissions match the production web origin
  • Sign-out clears the shared session across web and extension
  • Session cookies / tokens are not logged to monitoring tools

Content scripts & messaging

  • Content-script matches are as narrow as possible
  • No secrets or raw session tokens in page-facing scripts
  • Message handlers validate payloads before acting
  • Privileged work runs in background or on the Hono API

Storage

  • Extension storage holds prefs/cache only - not server secrets
  • Account-related cache is cleared on sign-out when appropriate

API & process

  • Sensitive actions call protected API routes (see Web security)
  • Dependencies updated for known extension / bundler advisories
  • Monitoring covers popup, background, and content scripts without leaking cookies

Ship with confidence

You do not need every optional hardening step on day one, but you do need least-privilege permissions, correct trusted origins, isolated content scripts, and server-side enforcement for anything sensitive.

How is this guide?

Last updated on

On this page

Ship your startup everywhere. In minutes.Try TurboStarter