Deep Dive · 6 min read
Chrome Extension Security Checklist for 2026
Every Chrome extension is a privileged piece of code in a user's browser. Here's the security checklist every extension should pass before publishing.
A poorly secured Chrome extension can leak browsing data, expose API keys, or become a vector for account takeover. The good news: most security issues are caught by a short pre-publish checklist.
Pre-publish checklist
- No hardcoded API keys, tokens, or secrets in any source file.
- Content scripts render any injected UI inside a Shadow DOM, so the host page's stylesheets cannot restyle it (CSS-based clickjacking).
- All external API calls go through the service worker, not content scripts.
- `host_permissions` is scoped to the minimum domains required.
- No use of `eval`, `new Function`, or remote-loaded scripts.
- The manifest's Content Security Policy blocks remotely hosted scripts.
- Sensitive user data is encrypted before it is written to `chrome.storage.local`.
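As an added example (not part of the article or of ManifestGo), a small Node.js pre-publish lint that checks a parsed manifest and the extension's source text against the checklist above; the regexes, file names and the sample extension are constructed for illustration.

```javascript
// Added example, not from the article or ManifestGo: a pre-publish lint that checks a parsed
// manifest.json and the extension's source text against the checklist above. All regexes and
// the sample extension below are constructed for illustration.
const SECRET_RE = /\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']/i;
const DYNAMIC_CODE_RE = /\beval\s*\(|\bnew\s+Function\s*\(/;
const NETWORK_RE = /\bfetch\s*\(|\bXMLHttpRequest\b/;
const BROAD_HOST_RE = /^(?:<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

function lintManifest(manifest) {
  const findings = [];
  // host_permissions must be scoped to the domains the extension actually needs.
  for (const host of manifest.host_permissions || []) {
    if (BROAD_HOST_RE.test(host)) findings.push(`host_permissions too broad: ${host}`);
  }
  // Extension-page CSP: script-src must not name remote origins, wildcards or 'unsafe-eval'.
  const csp = manifest.content_security_policy?.extension_pages || "";
  const scriptSrc = csp.split(";").map(d => d.trim()).find(d => d.startsWith("script-src")) || "";
  if (/https?:|\*|'unsafe-eval'/.test(scriptSrc)) findings.push(`CSP script-src permits remote or dynamic code: ${scriptSrc}`);
  return findings;
}

function lintSources(manifest, files) {
  const findings = [];
  // Files the manifest injects as content scripts; external calls belong in the service worker.
  const contentScripts = new Set((manifest.content_scripts || []).flatMap(cs => cs.js || []));
  for (const [name, text] of Object.entries(files)) {
    if (SECRET_RE.test(text)) findings.push(`${name}: possible hardcoded secret`);
    if (DYNAMIC_CODE_RE.test(text)) findings.push(`${name}: uses eval or new Function`);
    if (contentScripts.has(name) && NETWORK_RE.test(text)) findings.push(`${name}: content script calls the network directly`);
  }
  return findings;
}

// Runs every check and returns the combined list of findings (empty means the checklist passed).
function lintExtension(manifest, files) {
  return [...lintManifest(manifest), ...lintSources(manifest, files)];
}

// Constructed sample extension that fails several checklist items.
const weakManifest = {
  manifest_version: 3,
  host_permissions: ["<all_urls>"],
  content_security_policy: { extension_pages: "script-src 'self' https://cdn.example; object-src 'self'" },
  content_scripts: [{ matches: ["https://app.example/*"], js: ["content.js"] }],
};
const weakFiles = {
  "content.js": 'const apiKey = "CONSTRUCTED_PLACEHOLDER_KEY_1234"; fetch("https://api.example/v1");',
  "background.js": "chrome.runtime.onMessage.addListener(m => eval(m.code));",
};
console.log(lintExtension(weakManifest, weakFiles)); // five findings for the sample above
```

Run the lint over the unzipped extension directory before publishing; an empty result for the manifest and source files means every item on the list above is satisfied.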
Reviewing AI-generated extensions
ManifestGo applies these defaults automatically. When you download the .zip, open the manifest and confirm the permissions match what you asked for — never ship an extension whose permissions you don't understand.