For the complete documentation index, see llms.txt. Prefer markdown by appending.mdto documentation URLs or sendingAccept: text/markdown.
Overview
Extension security centers on least-privilege permissions, a shared web session, and isolating content scripts from page JavaScript.
The browser extension is a client with a smaller auth UI surface: it shares the web app session instead of reinventing sign-in. Most of its risk sits in permissions, host access, and content scripts.
This section is a security playbook - what to allow in the manifest, how session sharing stays safe, and what to double-check before you submit to the stores.
Be mindful
Security is not a one-time setup. Revisit these practices whenever you add permissions, content-script matches, messaging handlers, or store listing claims.
Security model
Defense in the extension is permission- and isolation-focused. The API still owns authorization:
| Layer | What it protects | Where it lives |
|---|---|---|
| Shared session | Users sign in once on the web; extension reuses the cookie | Better Auth + cookies / host permissions |
| Trusted origins | Only your extension id can participate in auth redirects | Better Auth trustedOrigins |
| Least privilege | Manifest grants only what you need | wxt.config.ts manifest |
| Content script isolation | Page JS cannot read extension privileges directly | Isolated world + narrow matches |
| Messaging boundaries | Popup / background / content treat messages as untrusted input | Typed WXT messaging |
| API enforcement | Mutations still go through protected Hono routes | Shared API (see Web security) |
Server-side rules (middleware, Zod, webhooks, secrets) stay in Web security. The extension should call that API - not embed secret keys in the bundle.
Each of these topics is covered in more detail in the following guides:
Permissions
Request the smallest set of permissions and host access your extension needs. Broad grants hurt security and slow store review.
Session & origins
Share the web app cookie with the extension, register chrome-extension:// in trustedOrigins, and avoid a second auth stack.
Content scripts & messaging
Keep content scripts isolated from page JavaScript, narrow match patterns, and treat extension messages as untrusted input.
Storage
Use extension storage for preferences, not for server secrets or as a replacement for httpOnly session cookies.
Checklist
A pre-submit security checklist for the extension: permissions, trusted origins, content scripts, and storage.
How is this guide?
Last updated on