[{"data":1,"prerenderedAt":210},["ShallowReactive",2],{"blog-checklists/chrome-extension-checklist":3},{"id":4,"title":5,"body":6,"category":186,"date":187,"dateModified":187,"description":188,"draft":189,"extension":190,"faq":191,"featured":189,"headerVariant":195,"image":196,"keywords":196,"meta":197,"navigation":198,"ogDescription":199,"ogTitle":196,"path":200,"readTime":196,"schemaOrg":201,"schemaType":202,"seo":203,"sitemap":204,"stem":205,"tags":206,"twitterCard":208,"__hash__":209},"blog/blog/checklists/chrome-extension-checklist.md","Chrome Extension Security Checklist: 15-Item Guide for Safe Extensions",{"type":7,"value":8,"toc":180},"minimark",[9,16,19,22,47,66,82,100,116,121,124,127,149,168],[10,11,12],"tldr",{},[13,14,15],"p",{},"This 15-item checklist covers the most critical security issues in browser extensions: permission management, code security, and data handling. 5 critical items must be fixed before launch, 7 important items within the first week, and 3 recommended items when you can.",[13,17,18],{},"Browser extensions sit in a uniquely powerful position -- they can read page content, intercept requests, and access sensitive data across every site your users visit. That level of access means the security bar is higher than a typical web app. 
This checklist will help you meet it.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Avoid broad permissions like all_urls when specific patterns work","Request minimum permissions",[27,32],{"description":33,"label":34},"Better security with service workers and restricted remote code","Use Manifest V3",[27,36],{"description":37,"label":38},"All code must be bundled in your extension","Never execute remote code",[27,40],{"description":41,"label":42},"Never use eval() or innerHTML with untrusted content","Avoid eval and innerHTML",[27,44],{"description":45,"label":46},"Content scripts receive untrusted data","Sanitize all web page data",[23,48,51,54,58,62],{"title":49,"count":50},"Permission Management","4",[27,52],{"description":53,"label":30},"Only request permissions you need. Avoid broad permissions like all_urls when specific host patterns work. How to minimize permissions",[27,55],{"description":56,"label":57},"Request permissions at runtime when needed rather than at install. Better user experience and trust. How to use optional permissions","Use optional_permissions",[27,59],{"description":60,"label":61},"Users see permission warnings. Document why each permission is necessary in your listing description. How to document permissions","Explain why you need permissions",[27,63],{"description":64,"label":65},"Each update, verify you still need all permissions. Remove unused permissions to maintain user trust. How to audit permissions","Review permissions on updates",[23,67,69,72,75,78],{"title":68,"count":50},"Code Security",[27,70],{"description":71,"label":34},"Migrate from Manifest V2. V3 has better security with service workers and restricted remote code execution. How to migrate to Manifest V3",[27,73],{"description":74,"label":38},"Do not fetch and execute JavaScript from external servers. 
All code must be bundled in your extension. How to bundle extension code",[27,76],{"description":77,"label":42},"Never use eval() or innerHTML with untrusted content. Use textContent or DOM APIs instead. How to prevent XSS in extensions",[27,79],{"description":80,"label":81},"Configure CSP in manifest.json to prevent XSS. Avoid unsafe-eval and unsafe-inline directives. How to configure extension CSP","Set strict Content Security Policy",[23,83,85,88,92,96],{"title":84,"count":50},"Data Handling",[27,86],{"description":87,"label":46},"Never trust content from web pages. Content scripts receive untrusted data that could be malicious. How to sanitize extension data",[27,89],{"description":90,"label":91},"Validate all messages between content scripts, background scripts, and popups. Check origin and format. How to secure message passing","Validate message passing",[27,93],{"description":94,"label":95},"chrome.storage is not encrypted by default. Encrypt sensitive data before storing. How to encrypt extension storage","Encrypt sensitive stored data",[27,97],{"description":98,"label":99},"Do not leave user data behind. Clean up local storage and any synced data when appropriate. How to clean up extension data","Clear data on uninstall",[23,101,104,108,112],{"title":102,"count":103},"Privacy and Trust","3",[27,105],{"description":106,"label":107},"Chrome Web Store requires a privacy policy for extensions requesting sensitive permissions. How to create a privacy policy","Publish a privacy policy",[27,109],{"description":110,"label":111},"Only collect data essential for functionality. Never sell user data or include tracking without consent. How to minimize data collection","Minimize data collection",[27,113],{"description":114,"label":115},"Clearly describe what your extension does. Hidden functionality violates Chrome Web Store policies. 
How to write extension description","Be transparent about functionality",[117,118,120],"h2",{"id":119},"extensions-are-high-trust-software","Extensions Are High-Trust Software",[13,122,123],{},"Browser extensions run with significant privileges. They can read page content, modify requests, access browsing history, and more. Users install extensions trusting they will not abuse this access.",[13,125,126],{},"A security vulnerability in your extension could expose user data across all websites they visit. Take security seriously, minimize your attack surface, and be transparent about what your extension does.",[128,129,130,137,143],"faq-section",{},[131,132,134],"faq-item",{"question":133},"Why does Chrome require Manifest V3?",[13,135,136],{},"Manifest V3 improves security by replacing persistent background pages with service workers, limiting remote code execution, and requiring declarative network request handling. It reduces the attack surface of extensions.",[131,138,140],{"question":139},"What permissions should I avoid requesting?",[13,141,142],{},"Avoid broad permissions like all_urls, webRequest (blocking), and tabs unless essential. Users see permission warnings and may reject extensions with excessive permissions. Request permissions only when needed using optional_permissions.",[131,144,146],{"question":145},"Can my extension be removed for security issues?",[13,147,148],{},"Yes. Chrome Web Store regularly reviews extensions and removes those with security vulnerabilities, excessive permissions, or policy violations. 
Follow security best practices to avoid removal.",[150,151,152,158,163],"related-articles",{},[153,154],"related-card",{"description":155,"href":156,"title":157},"Secure your extension's backend APIs","/blog/checklists/api-security-checklist","API Security Checklist",[153,159],{"description":160,"href":161,"title":162},"Security for React-based extensions","/blog/checklists/react-security-checklist","React Security Checklist",[153,164],{"description":165,"href":166,"title":167},"CSP best practices for extensions","/blog/how-to/add-security-headers","Content Security Policy",[169,170,173,177],"cta-box",{"href":171,"label":172},"/","Start Free Scan",[117,174,176],{"id":175},"security-scan-for-your-backend","Security Scan for Your Backend",[13,178,179],{},"If your extension connects to a backend, scan it for vulnerabilities.",{"title":181,"searchDepth":182,"depth":182,"links":183},"",2,[184,185],{"id":119,"depth":182,"text":120},{"id":175,"depth":182,"text":176},"checklists","2026-01-26","Security checklist for Chrome and browser extensions. Minimize permissions, protect user data, and follow Chrome Web Store security requirements.",false,"md",[192,193],{"question":133,"answer":136},{"question":139,"answer":194},"Avoid broad permissions like 'all_urls', 'webRequest' (blocking), and 'tabs' unless essential. Users see permission warnings and may reject extensions with excessive permissions. Request permissions only when needed using optional_permissions.","green",null,{},true,"Security checklist for Chrome extensions covering permissions and data protection.","/blog/checklists/chrome-extension-checklist","[object Object]","HowTo",{"title":5,"description":188},{"loc":200},"blog/checklists/chrome-extension-checklist",[207],"Security Checklist","summary_large_image","NvKqPJ1ZSW2F4vysoGM_QGKT3THZuSdpBKASf2UyZ58",1775843931701]