diff --git a/.github/workflows/seo-test.yml b/.github/workflows/seo-test.yml index 069657f0..1a0629b7 100644 --- a/.github/workflows/seo-test.yml +++ b/.github/workflows/seo-test.yml @@ -24,7 +24,7 @@ jobs: - name: Setup Node.js uses: actions/setup-node@v4 with: - node-version: '18' + node-version: '20' cache: 'npm' cache-dependency-path: frontend/package-lock.json @@ -72,4 +72,3 @@ jobs: repo: context.repo.repo, body: body }); - diff --git a/.gitignore b/.gitignore index ae115862..758194c3 100644 --- a/.gitignore +++ b/.gitignore @@ -150,6 +150,7 @@ celerybeat.pid .env.local .env.*.local .venv +env env/ venv/ ENV/ diff --git a/frontend/.nvmrc b/frontend/.nvmrc index 35f49783..5bd68117 100644 --- a/frontend/.nvmrc +++ b/frontend/.nvmrc @@ -1,2 +1 @@ -20 - +20.19.0 diff --git a/frontend/package-lock.json b/frontend/package-lock.json index 77a4698d..80d0eb3f 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -49,11 +49,11 @@ "tailwind-merge": "^3.4.0", "tailwindcss": "^4.1.18", "tailwindcss-animate": "^1.0.7", - "vite": "^7.3.2", + "vite": "7.3.2", "vitest": "^3.2.4" }, "engines": { - "node": ">=18.0.0" + "node": ">=20.19.0" } }, "node_modules/@adobe/css-tools": { diff --git a/frontend/package.json b/frontend/package.json index cf464932..15f026b7 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -6,7 +6,7 @@ "author": "Stanzin", "license": "MIT", "engines": { - "node": ">=18.0.0" + "node": ">=20.19.0" }, "scripts": { "dev": "vite", @@ -72,7 +72,7 @@ "tailwind-merge": "^3.4.0", "tailwindcss": "^4.1.18", "tailwindcss-animate": "^1.0.7", - "vite": "^7.3.2", + "vite": "7.3.2", "vitest": "^3.2.4" }, "overrides": { diff --git a/frontend/public/sitemap.xml b/frontend/public/sitemap.xml index 24f809dc..c225e4d5 100644 --- a/frontend/public/sitemap.xml +++ b/frontend/public/sitemap.xml 
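Review bot: The bare `env` pattern added to .gitignore matches a file or directory named `env` at any depth, not only the virtualenv that the existing `env/` line already covers, so it will also silently hide a script or data file that happens to carry that name. If the intent is a secrets file without the leading dot, the existing `.env`, `.env.local` and `.env.*.local` entries are the place to extend instead; if it is a venv, a short comment stating that (`# virtualenv created without trailing slash`) would stop the next reader from dropping the line as redundant. Harmless as written, but the reason for it is not visible from the hunk.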
@@ -2,211 +2,349 @@ https://extensionshield.com/ - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z weekly 1.0 https://extensionshield.com/about - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/blog - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z weekly 0.8 - https://extensionshield.com/blog/enterprise-browser-extension-risk-management - 2026-04-04T07:06:16.970Z + https://extensionshield.com/blog/all-urls-chrome-extension-permission + 2026-04-22T04:05:55.360Z monthly 0.6 - https://extensionshield.com/blog/how-to-audit-chrome-extension-before-installing - 2026-04-04T07:06:16.970Z + https://extensionshield.com/blog/audit-crx-zip-before-release + 2026-04-22T04:05:55.360Z monthly 0.6 - https://extensionshield.com/blog/how-to-detect-malicious-chrome-extensions - 2026-04-04T07:06:16.970Z + https://extensionshield.com/blog/best-chrome-extension-security-scanner-tools-2026 + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/browser-extension-compliance-checklist + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/browser-extension-supply-chain-attacks + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/can-chrome-extensions-steal-cookies-sessions + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/can-chrome-extensions-steal-data + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/chrome-extension-allowlist-policy + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/chrome-extension-scanner-vs-governance-platform + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/chrome-web-store-ratings-do-not-prove-extension-safety + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/crxcavator-vs-extensionshield-2026 + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + 
https://extensionshield.com/blog/crxplorer-vs-extensionshield + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/dangerous-chrome-extension-permissions + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/extension-auditor-vs-extensionshield + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/extension-security-scoring-explained + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/how-hackers-use-browser-extensions-to-steal-data + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/how-to-check-if-chrome-extension-is-safe + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/manifest-v3-extension-security + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/read-and-change-all-your-data-extension-permission + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/spin-ai-vs-extensionshield + 2026-04-22T04:05:55.360Z + monthly + 0.6 + + + https://extensionshield.com/blog/top-risky-chrome-extensions-2026 + 2026-04-22T04:05:55.360Z monthly 0.6 https://extensionshield.com/browser-extension-risk-assessment - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.8 https://extensionshield.com/careers - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.8 https://extensionshield.com/careers/apply - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.6 https://extensionshield.com/chrome-extension-permissions - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.8 https://extensionshield.com/chrome-extension-security-scanner - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.8 https://extensionshield.com/community - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/compare - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.8 
https://extensionshield.com/compare/crxcavator - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/compare/crxplorer - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/compare/extension-auditor - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z + monthly + 0.7 + + + https://extensionshield.com/compare/spin-ai + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/contribute - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.6 https://extensionshield.com/crxcavator-alternative - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.8 https://extensionshield.com/enterprise - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.8 + + https://extensionshield.com/extension-governance + 2026-04-22T04:05:55.360Z + monthly + 0.9 + + + https://extensionshield.com/extension-permissions + 2026-04-22T04:05:55.360Z + monthly + 0.8 + + + https://extensionshield.com/extension-risk-score + 2026-04-22T04:05:55.360Z + monthly + 0.8 + + + https://extensionshield.com/extension-security + 2026-04-22T04:05:55.360Z + monthly + 0.9 + https://extensionshield.com/glossary - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/gsoc/ideas - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/is-this-chrome-extension-safe - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.9 https://extensionshield.com/open-source - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/open-source/programs - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/privacy-policy - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.5 https://extensionshield.com/research - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z weekly 0.8 https://extensionshield.com/research/benchmarks - 2026-04-04T07:06:16.970Z + 
2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/research/case-studies - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z weekly 0.8 https://extensionshield.com/research/case-studies/fake-ad-blockers - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/research/case-studies/honey - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/research/case-studies/pdf-converters - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/research/methodology - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z monthly 0.7 https://extensionshield.com/scan - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z weekly 0.9 https://extensionshield.com/scan/history - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z weekly 0.7 https://extensionshield.com/scan/upload - 2026-04-04T07:06:16.970Z + 2026-04-22T04:05:55.360Z weekly 0.8 diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx index 45b75a40..cca53c8b 100644 --- a/frontend/src/App.jsx +++ b/frontend/src/App.jsx @@ -518,6 +518,7 @@ function getRouteSegment(pathname) { if (pathname === "/") return "home"; if (pathname.startsWith("/scan")) return "scan"; if (pathname.startsWith("/research")) return "research"; + if (pathname.startsWith("/extension-")) return "resources"; if (pathname.startsWith("/open-source") || pathname.startsWith("/contribute") || pathname.startsWith("/glossary") || pathname.startsWith("/gsoc") || pathname.startsWith("/community") || pathname.startsWith("/about") || pathname.startsWith("/blog") || pathname.startsWith("/compare")) return "resources"; return "default"; } diff --git a/frontend/src/components/home/DevOpenCoreSection.jsx b/frontend/src/components/home/DevOpenCoreSection.jsx index 7695b53d..2ad9392f 100644 --- a/frontend/src/components/home/DevOpenCoreSection.jsx +++ b/frontend/src/components/home/DevOpenCoreSection.jsx 
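Review bot: The new `pathname.startsWith("/extension-")` test in getRouteSegment classifies any path under that prefix as "resources", including a not-found `/extension-anything`, and it sits apart from the existing resources chain on the following line, which makes the rule set harder to read. If the target is the four new pages this diff adds to the sitemap, a comment naming them keeps the prefix honest: `// /extension-governance, /extension-permissions, /extension-risk-score, /extension-security (see public/sitemap.xml)`. Alternatively fold the prefix into the existing `||` chain so every resource route is in one condition. As far as the hunk shows the segment only drives layout, so the 404 case is cosmetic rather than a security issue.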
@@ -8,10 +8,11 @@ import SecurityPipeline from "./SecurityPipeline"; import "./DevOpenCoreSection.scss"; const PILLS = [ + "Open-source core", "VirusTotal", "SAST", - "Rulepacks", "Evidence attached", + "Governance rulepacks", ]; export default function DevOpenCoreSection({ reducedMotion = false }) { @@ -35,11 +36,11 @@ export default function DevOpenCoreSection({ reducedMotion = false }) { transition={{ duration: 0.35, ease: [0.22, 1, 0.36, 1] }} >

- Developer Gate: pre-release Chrome extension audit + Open-source core. Governance where decisions happen.

-

Private build audit (Pro)

+

Private build audit for developers

- Upload a private CRX/ZIP before release. We flag risky patterns, attach evidence (file + rule), and suggest fixes. + Upload a private CRX/ZIP before release. ExtensionShield flags risky code, excessive permissions, privacy gaps, and policy issues with file-level evidence and fix guidance.

{PILLS.map((label) => ( diff --git a/frontend/src/components/home/HowWeProtectYouSection.jsx b/frontend/src/components/home/HowWeProtectYouSection.jsx index de494184..dd8067f0 100644 --- a/frontend/src/components/home/HowWeProtectYouSection.jsx +++ b/frontend/src/components/home/HowWeProtectYouSection.jsx @@ -142,13 +142,13 @@ export default function HowWeProtectYouSection() { transition={{ duration: 0.5, ease }} >
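Review bot: The heading change drops the "(Pro)" marker from "Private build audit", while the `audit-crx-zip-before-release` blog entry added later in this same diff still tells developers to "Upload a private CRX/ZIP build to ExtensionShield Pro"; one of the two should change so the tier is stated consistently. The new copy also invites uploading unreleased proprietary builds without saying what happens to them (retention, who can view the report), which is the first question a developer will ask; if that is documented elsewhere, a link next to the upload CTA would cover it, e.g. `Private builds are processed for the audit only; see the privacy policy for retention.` The section's JSX continues outside the hunk.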

- Why a “safe” extension can turn risky + Why extension governance has to happen before install

- Most incidents happen after an update. We flag risky changes before release (Pro) and can monitor updates for teams (Enterprise). + Extensions can change through updates, ownership shifts, new permissions, and remote behavior. ExtensionShield gives teams evidence before install, before release, and before allowlisting.

- Batch scan every extension on your system and stay secure—no manual entry. + Scan, score, allow, block, monitor, or fix with one evidence-backed workflow.

), access to storage or cookies, and optional_host_permissions in Manifest V3. Our chrome extension permissions checker and chrome extension risk score give you a clear picture before you install." + heading: "Risk patterns to watch", + body: "Watch for all-site host access, history or cookie access, clipboard read permissions, excessive downloads or management access, and extensions whose stated purpose does not justify their permissions. A coupon tool, PDF converter, VPN, ad blocker, or productivity extension can be useful and still require careful review." }, { - heading: "Next steps", - body: "Paste any Chrome Web Store URL into ExtensionShield to get a chrome extension risk score, permission breakdown, and audit chrome extension security report in under a minute." + heading: "How ExtensionShield helps", + body: "Paste the Chrome Web Store URL into ExtensionShield to see a Security, Privacy, and Governance risk score before install. Use the report to review evidence instead of guessing from ratings alone." } ] }, { - slug: "how-to-audit-chrome-extension-before-installing", - title: "How to Audit a Chrome Extension Before Installing", - description: "Step-by-step guide to audit a chrome extension before installing: permissions, risk score, and how to check if a Chrome extension is safe using a browser extension security scanner.", - date: "2026-02", + slug: "dangerous-chrome-extension-permissions", + title: "What Permissions Are Dangerous in Chrome Extensions?", + description: "Dangerous Chrome extension permissions explained: all-site access, cookies, history, clipboard, scripting, webRequest, debugger, and risky combinations.", + date: "2026-04", + category: "Permissions", + sections: [ + { + heading: "Most dangerous permissions", + body: "High-risk permissions include all-site access, cookies, history, clipboardRead, debugger, downloads, management, scripting, webRequest, and broad tab access. 
These permissions are not always malicious, but they create a larger blast radius." + }, + { + heading: "Combinations matter", + body: "The most important question is how permissions combine. All-site access plus external network calls can enable data exfiltration. Cookie access plus host permissions can expose sensitive session context. Scripting plus broad host access can modify pages users trust." + }, + { + heading: "What to do before installing", + body: "Check whether the permission matches the feature. Then scan the extension so you can see code, network, and governance signals beyond the permission prompt." + } + ] + }, + { + slug: "can-chrome-extensions-steal-data", + title: "Can Chrome Extensions Steal Data? What Users and Teams Need to Know", + description: "Can Chrome extensions steal data? Learn how extension permissions, page access, cookies, clipboard access, and network calls can expose sensitive information.", + date: "2026-04", category: "Security", sections: [ { - heading: "Before you install", - body: "Auditing a chrome extension before installing reduces the risk of malware, spyware, and privacy violations. Use a browser extension security scanner to get a chrome extension risk score, review requested permissions, and check for known threats. ExtensionShield combines static analysis, VirusTotal, and governance signals so you can check if a Chrome extension is safe." + heading: "Yes, if permissions and behavior allow it", + body: "Chrome extensions can expose data when they have permission to read page content, access cookies or history, inspect tabs, read the clipboard, or send collected data to external servers. The risk depends on both permission scope and code behavior." }, { - heading: "What an audit should cover", - body: "A good audit covers: permission risk, code quality (SAST), obfuscation, external domains and data exfiltration signals, publisher reputation, and compliance with store policies. 
Our extension security analysis tool provides all of this in one report." + heading: "Common data paths", + body: "Sensitive data can appear in page content, form fields, SaaS dashboards, URLs, copied clipboard text, cookies, local storage, and downloaded files. Extensions close to these surfaces need a higher trust bar." }, { - heading: "Try it", - body: "Scan any extension at ExtensionShield for free. You'll get an overall chrome extension risk score plus Security, Privacy, and Governance breakdowns—so you can audit chrome extension security in one place." + heading: "How to reduce risk", + body: "Scan before install, remove unused extensions, limit extension allowlists, and re-check extensions after major updates. ExtensionShield turns these checks into evidence-backed risk assessments." } ] }, { - slug: "enterprise-browser-extension-risk-management", - title: "Enterprise Browser Extension Risk Management", - description: "How to run a browser extension risk management program: allowlist policy, compliance monitoring, shadow IT browser extensions, and chrome enterprise extension security with ExtensionShield.", - date: "2026-02", - category: "Enterprise", + slug: "how-to-check-if-chrome-extension-is-safe", + title: "How to Check if a Chrome Extension Is Safe Before Installing", + description: "A simple checklist to check if a Chrome extension is safe: permissions, publisher, reviews, updates, privacy policy, network behavior, and risk score.", + date: "2026-04", + category: "Guide", + sections: [ + { + heading: "Five-step safety checklist", + body: "Check permissions, publisher identity, recent update history, privacy policy, and whether the feature actually needs the requested access. Then use an extension risk score to review evidence before installation." + }, + { + heading: "Red flags", + body: "Be cautious when a simple extension asks for all-site access, history, cookies, clipboard read, or broad scripting permissions. 
Also watch for vague privacy policies, sudden ownership changes, or updates that add powerful permissions." + }, + { + heading: "Scan before you install", + body: "ExtensionShield provides a pre-install report with Security, Privacy, and Governance evidence so you can decide whether to allow, block, monitor, or find an alternative." + } + ] + }, + { + slug: "chrome-extension-scanner-vs-governance-platform", + title: "Chrome Extension Scanner vs Extension Governance Platform", + description: "A scanner finds extension risk. A governance platform turns extension findings into allow, block, monitor, and audit decisions.", + date: "2026-04", + category: "Governance", + sections: [ + { + heading: "The core difference", + body: "A Chrome extension scanner produces findings. An extension governance platform turns findings into decisions: approve, block, monitor, request a fix, or document an exception." + }, + { + heading: "Why governance matters", + body: "Security teams need repeatable policy decisions, not one-off scores. Governance requires evidence, ownership, update monitoring, risk acceptance, and audit-ready records." + }, + { + heading: "Where ExtensionShield fits", + body: "ExtensionShield keeps the scanner as the entry point, then adds Security, Privacy, and Governance layers so users, developers, and enterprises can act on the evidence." + } + ] + }, + { + slug: "how-hackers-use-browser-extensions-to-steal-data", + title: "How Hackers Use Browser Extensions to Steal Data", + description: "Browser extension attack paths explained: malicious permissions, injected scripts, cookies, clipboard theft, update abuse, and data exfiltration.", + date: "2026-04", + category: "Security", + sections: [ + { + heading: "Typical attack chain", + body: "An attacker gets an extension installed, gains permission to read or modify pages, collects sensitive browser data, then sends it to an external server. 
The extension may begin benignly and add risky behavior later through an update." + }, + { + heading: "Common techniques", + body: "Techniques include script injection, form scraping, cookie access, clipboard reading, affiliate hijacking, ad injection, remote configuration, and permission creep after users already trust the extension." + }, + { + heading: "Detection signals", + body: "Look for broad host permissions, obfuscated code, suspicious domains, external command-and-control patterns, disclosure gaps, and updates that change permission scope." + } + ] + }, + { + slug: "spin-ai-vs-extensionshield", + title: "Spin.ai vs ExtensionShield: Honest Browser Extension Security Comparison", + description: "Compare Spin.ai SpinMonitor and SpinCRX with ExtensionShield for extension risk assessment, governance, open-source trust, and pre-install scanning.", + date: "2026-04", + category: "Comparison", + sections: [ + { + heading: "Where Spin.ai is strong", + body: "Spin.ai is positioned as an enterprise SaaS security platform with browser extension risk assessment inside a broader security posture workflow. That can be valuable for teams already buying centralized SaaS protection." + }, + { + heading: "Where ExtensionShield is different", + body: "ExtensionShield focuses on transparent browser extension security: open-source core, pre-install scans, private CRX/ZIP audits, evidence-linked reports, and governance decisions that can be reviewed before an extension reaches users." + }, + { + heading: "Best-fit summary", + body: "Choose Spin.ai for a broader SaaS security program. Choose ExtensionShield when open-source trust, extension-specific evidence, developer audits, and pre-install governance are the main requirements." 
+ } + ] + }, + { + slug: "crxcavator-vs-extensionshield-2026", + title: "CRXcavator vs ExtensionShield in 2026", + description: "Compare CRXcavator and ExtensionShield for Chrome extension risk scores, transparent methodology, SAST, governance, and pre-install scanning.", + date: "2026-04", + category: "Comparison", + sections: [ + { + heading: "CRXcavator's legacy", + body: "CRXcavator helped popularize extension risk scoring for enterprise review. It is still a common comparison point for teams evaluating Chrome extension security tooling." + }, + { + heading: "ExtensionShield's angle", + body: "ExtensionShield adds open-source trust, modern UX, Security/Privacy/Governance scoring, private build audits, and evidence-first reports that are designed for pre-install and enterprise governance workflows." + }, + { + heading: "What to compare", + body: "Compare methodology visibility, evidence quality, current availability, governance depth, developer workflow support, and whether the tool helps make allow/block decisions." + } + ] + }, + { + slug: "extension-auditor-vs-extensionshield", + title: "Extension Auditor vs ExtensionShield: Which Extension Security Tool Fits?", + description: "Compare Extension Auditor and ExtensionShield for extension security, privacy review, monitoring, governance, open-source trust, and developer audits.", + date: "2026-04", + category: "Comparison", + sections: [ + { + heading: "Where Extension Auditor is strong", + body: "Extension Auditor emphasizes enterprise extension monitoring, inventory, and risk management. It is relevant for teams that want commercial browser extension oversight." + }, + { + heading: "Where ExtensionShield competes", + body: "ExtensionShield differentiates with open-source core positioning, pre-install URL scans, private CRX/ZIP audits, transparent scoring, and evidence-linked Security, Privacy, and Governance reports." 
+ }, + { + heading: "Decision point", + body: "If you want a transparent extension-specific platform that works before install and before release, ExtensionShield is the stronger fit." + } + ] + }, + { + slug: "crxplorer-vs-extensionshield", + title: "CRXplorer vs ExtensionShield: Free Scanner or Governance Platform?", + description: "Compare CRXplorer and ExtensionShield for Chrome extension risk scoring, code review, methodology transparency, and governance workflows.", + date: "2026-04", + category: "Comparison", + sections: [ + { + heading: "Scanner value", + body: "CRXplorer is useful for quick extension risk review. It competes on speed and accessibility for users who want a fast check." + }, + { + heading: "Governance value", + body: "ExtensionShield is designed to go further: transparent risk layers, open-source trust, private build audits, policy evidence, and enterprise allow/block context." + }, + { + heading: "Best-fit summary", + body: "Use a scanner for one-off checks. Use ExtensionShield when the decision must be explainable, repeatable, and tied to governance evidence." + } + ] + }, + { + slug: "chrome-web-store-ratings-do-not-prove-extension-safety", + title: "Why Chrome Web Store Ratings Do Not Prove an Extension Is Safe", + description: "Star ratings and reviews are useful, but they do not prove Chrome extension safety. Learn what ratings miss and what evidence to check instead.", + date: "2026-04", + category: "Security", + sections: [ + { + heading: "Ratings measure user sentiment, not security", + body: "A high rating can mean users like the feature. It does not prove the extension uses minimal permissions, avoids risky data flows, or will remain safe after future updates." + }, + { + heading: "What ratings miss", + body: "Ratings usually miss obfuscated code, suspicious network destinations, permission creep, ownership changes, remote configuration, and policy disclosure gaps." 
+ }, + { + heading: "What to check instead", + body: "Use ratings as one input, then review permissions, code indicators, network access, update behavior, and governance evidence before trusting an extension." + } + ] + }, + { + slug: "read-and-change-all-your-data-extension-permission", + title: "Read and Change All Your Data: Chrome Extension Permission Explained", + description: "What the 'read and change all your data' Chrome extension permission means, why it can be risky, and when it may be justified.", + date: "2026-04", + category: "Permissions", + sections: [ + { + heading: "What it means", + body: "This permission usually means the extension can read and modify content on the websites covered by its host permissions. If the host scope is all sites, the extension can interact with a very broad set of pages." + }, + { + heading: "When it is justified", + body: "Ad blockers, password managers, accessibility tools, translators, and developer tools may need broad page access. The key is whether the access is necessary and whether behavior matches the stated purpose." + }, + { + heading: "How to evaluate it", + body: "Check host scope, network destinations, code behavior, privacy policy, and update history. ExtensionShield shows these signals in one risk report." + } + ] + }, + { + slug: "all-urls-chrome-extension-permission", + title: "What Is all_urls in Chrome Extensions?", + description: "Learn what the all_urls Chrome extension permission means, why all-site access is risky, and how to decide if it is justified.", + date: "2026-04", + category: "Permissions", sections: [ { - heading: "Why enterprises need extension risk management", - body: "Shadow IT browser extensions—installations outside of IT approval—create compliance and security gaps. 
A browser extension risk management program with a clear browser extension allowlist policy and extension permissions audit for employees helps you manage chrome extensions in enterprise and reduce exposure to malicious chrome extension campaigns and browser extension spyware." + heading: "Definition", + body: "The all_urls host pattern gives an extension access across a very broad set of websites. It can be necessary for some products, but it should never be ignored." }, { - heading: "Key components", - body: "Implement browser extension compliance monitoring, define a browser extension allowlist policy, and use a chrome extension risk score tool to evaluate extensions before allowlisting. Zero trust browser extension security means verifying every extension against your policy and re-scanning when extensions update. ExtensionShield Enterprise supports extension governance and audit-ready reporting." + heading: "Why it matters", + body: "All-site access increases blast radius. If code is malicious, compromised, or poorly designed, more websites and more data can be affected." }, { - heading: "Getting started", - body: "Request an Enterprise pilot at ExtensionShield for monitoring, allow/block governance, and extension risk assessment at scale. We help IT and security teams with chrome enterprise extension security and extension permissions audit for employees." + heading: "Review checklist", + body: "Confirm the feature requires all-site access, review privacy disclosures, check external network behavior, and scan the extension before installing or allowing it." } ] }, { - slug: "how-to-detect-malicious-chrome-extensions", - title: "How to Detect Malicious Chrome Extensions", - description: "Signs of malicious chrome extensions, browser extension spyware, and how to detect data exfiltration and extension hijacking. 
Use a chrome extension security scanner to check if an extension is safe.", - date: "2026-02", + slug: "can-chrome-extensions-steal-cookies-sessions", + title: "Can Chrome Extensions Steal Cookies or Sessions?", + description: "Can browser extensions steal cookies or sessions? Learn how cookie permissions, page access, and token exposure can create session risk.", + date: "2026-04", category: "Security", sections: [ { - heading: "Signs of malicious extensions", - body: "Malicious chrome extension campaigns and browser extension spyware often rely on broad permissions, obfuscated code, or extension hijacked via update. Chrome extension data exfiltration signs include requests to external domains you don't recognize, access to cookies or session storage, and permission combinations that allow reading and sending data. Extension session hijacking cookies is a real risk when extensions have cookie or storage access." + heading: "The practical answer", + body: "Extensions can create session risk when they can access cookies, page content, storage, requests, or tokens exposed in the browser. Not every extension can steal sessions, but the wrong permission set can expose sensitive context." + }, + { + heading: "Where session data appears", + body: "Session-related data may appear in cookies, local storage, page scripts, URLs, authorization headers, or copied text. Extensions with broad visibility require careful review." + }, + { + heading: "How teams reduce exposure", + body: "Use allowlists, block unnecessary extensions, scan before approval, and monitor updates that add cookie, host, or scripting access." 
+ } + ] + }, + { + slug: "browser-extension-supply-chain-attacks", + title: "Browser Extension Supply Chain Attacks Explained", + description: "Browser extension supply chain attacks explained: ownership changes, malicious updates, compromised publishers, remote configuration, and extension governance controls.", + date: "2026-04", + category: "Enterprise", + sections: [ + { + heading: "What makes extensions a supply chain risk", + body: "Extensions update automatically and run in trusted browser contexts. A safe extension can become risky if ownership changes, a publisher is compromised, or a remote configuration introduces harmful behavior." + }, + { + heading: "Signals to monitor", + body: "Monitor new permissions, new domains, version changes, obfuscation changes, publisher changes, privacy policy drift, and behavior that no longer matches the listed feature." + }, + { + heading: "Governance response", + body: "Treat extensions like software supply chain components. Review before allowlisting, re-scan after updates, and preserve evidence for exceptions." + } + ] + }, + { + slug: "manifest-v3-extension-security", + title: "Manifest V3 Extension Security: What Changed and What Still Matters", + description: "Manifest V3 changed Chrome extension architecture, but permissions, host access, data flows, updates, and governance still determine extension risk.", + date: "2026-04", + category: "Technical", + sections: [ + { + heading: "What changed", + body: "Manifest V3 introduced architectural changes such as service workers and changes to extension APIs. These changes matter, but they do not remove the need to review permissions and behavior." + }, + { + heading: "What still matters", + body: "Host permissions, sensitive APIs, external network access, disclosure quality, code behavior, and automatic updates still drive browser extension risk." 
+ }, + { + heading: "How to assess MV3 extensions", + body: "Review the manifest, permissions, content scripts, service worker behavior, remote domains, and policy fit. ExtensionShield combines those signals into a risk score." + } + ] + }, + { + slug: "chrome-extension-allowlist-policy", + title: "How to Build a Chrome Extension Allowlist Policy", + description: "Build a Chrome extension allowlist policy with risk scoring, permission thresholds, exception handling, monitoring, and audit evidence.", + date: "2026-04", + category: "Enterprise", + sections: [ + { + heading: "Start with decision criteria", + body: "Define which permissions require review, which extension categories are restricted, who approves exceptions, and what evidence is required before an extension is allowed." + }, + { + heading: "Use risk tiers", + body: "Create tiers for low, medium, high, and blocked extensions. Map risk score drivers to policy actions such as approve, approve with monitoring, block, or request remediation." + }, + { + heading: "Keep evidence", + body: "Store the extension version, score, findings, approval owner, and rationale. ExtensionShield reports are designed to support this governance record." + } + ] + }, + { + slug: "browser-extension-compliance-checklist", + title: "Browser Extension Compliance Checklist for Security Teams", + description: "A browser extension compliance checklist for enterprise teams: inventory, permissions, privacy disclosures, update monitoring, allowlists, and audit evidence.", + date: "2026-04", + category: "Enterprise", + sections: [ + { + heading: "Compliance checklist", + body: "Maintain extension inventory, require pre-install review, document permissions, review privacy disclosures, monitor updates, define allow/block policy, preserve evidence, and revisit exceptions periodically." 
+ }, + { + heading: "Evidence to collect", + body: "Collect extension ID, version, publisher, requested permissions, host access, network indicators, code findings, privacy policy status, risk score, decision owner, and approval rationale." + }, + { + heading: "How ExtensionShield helps", + body: "ExtensionShield combines security, privacy, and governance findings into an evidence-backed report that supports extension compliance reviews." + } + ] + }, + { + slug: "audit-crx-zip-before-release", + title: "How to Audit a CRX or ZIP Chrome Extension Before Release", + description: "Audit a private CRX or ZIP Chrome extension before release: SAST, permissions, privacy, policy checks, evidence, and fix guidance.", + date: "2026-04", + category: "Developer", + sections: [ + { + heading: "Why audit before release", + body: "Developers should catch risky permissions, insecure patterns, privacy gaps, and policy issues before submitting to the Chrome Web Store or shipping internally." + }, + { + heading: "What to include", + body: "Review manifest permissions, content scripts, service worker behavior, external requests, storage access, obfuscation, vulnerable libraries, and whether privacy disclosures match actual behavior." + }, + { + heading: "Use ExtensionShield Pro", + body: "Upload a private CRX/ZIP build to ExtensionShield for an evidence-linked pre-release audit with Security, Privacy, and Governance findings." + } + ] + }, + { + slug: "best-chrome-extension-security-scanner-tools-2026", + title: "Best Chrome Extension Security Scanner Tools in 2026", + description: "Compare Chrome extension security scanner tools in 2026: ExtensionShield, Spin.ai, CRXcavator, Extension Auditor, and CRXplorer.", + date: "2026-04", + category: "Comparison", + sections: [ + { + heading: "What to compare", + body: "Compare tools by methodology transparency, permission analysis, SAST depth, threat intelligence, governance workflows, monitoring, private build support, and audit evidence." 
+ }, + { + heading: "Scanner vs platform", + body: "A scanner is enough for one-off checks. A platform is better when teams need repeatable governance decisions, update monitoring, and evidence for allow/block policy." + }, + { + heading: "ExtensionShield's position", + body: "ExtensionShield combines free pre-install scans, open-source trust, private build audits, and Security/Privacy/Governance reports for users, developers, and enterprises." + } + ] + }, + { + slug: "extension-security-scoring-explained", + title: "Extension Security Scoring Explained: Security, Privacy, and Governance", + description: "Extension security scoring explained: how Security, Privacy, and Governance signals combine into an extension risk score.", + date: "2026-04", + category: "Methodology", + sections: [ + { + heading: "A useful score needs drivers", + body: "A risk score should not be a black box. Teams need to see which signals drove the result and whether those signals are security, privacy, or governance issues." }, { - heading: "How scanners help", - body: "A chrome extension security scanner that uses SAST, VirusTotal, and permission analysis can flag suspicious patterns before you install. ExtensionShield provides a chrome extension risk score and highlights security, privacy, and governance issues so you can detect malicious chrome extensions and avoid extension hijacked via update scenarios." + heading: "ExtensionShield's model", + body: "ExtensionShield scores Security at 40%, Privacy at 35%, and Governance at 25%. The report keeps each layer visible so the final number can be explained." }, { - heading: "Stay protected", - body: "Scan extensions before installing and re-scan after major updates. Use our scan chrome extension for malware workflow to get a report in under a minute and check if a chrome extension is safe." + heading: "Use the score as a decision aid", + body: "The score helps prioritize review. 
The decision should come from the evidence: permissions, code indicators, network access, disclosure quality, and policy fit." } ] } diff --git a/frontend/src/nav/navigation.js b/frontend/src/nav/navigation.js index d38dbd40..ec8ecebd 100644 --- a/frontend/src/nav/navigation.js +++ b/frontend/src/nav/navigation.js @@ -15,8 +15,14 @@ export const topNavItems = [ category: NAV_CATEGORIES.PRODUCT, label: "Scan", path: "/scan", - matchPaths: ["/scan"], + matchPaths: ["/scan", "/extension-security", "/extension-risk-score", "/extension-permissions"], dropdownItems: [ + { + icon: "🛡️", + label: "Security Platform", + description: "Open-source extension governance", + path: "/extension-security" + }, { icon: "🔍", label: "Risk Check (Free)", @@ -68,7 +74,7 @@ export const topNavItems = [ category: NAV_CATEGORIES.ENTERPRISE, label: "Enterprise", path: "/enterprise", - matchPaths: ["/enterprise"], + matchPaths: ["/enterprise", "/extension-governance"], dropdownItems: [ { icon: "🏢", @@ -81,6 +87,12 @@ export const topNavItems = [ label: "Monitoring & Alerts", description: "Real-time updates", path: "/enterprise#monitoring" + }, + { + icon: "📋", + label: "Extension Governance", + description: "Policy evidence & approvals", + path: "/extension-governance" } ] } 
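Review bot: The route strings added to the Scan entry's `matchPaths` (`"/extension-security"`, `"/extension-risk-score"`, `"/extension-permissions"`) are repeated verbatim as `path` values in the dropdown item this hunk adds and again in the `footerConfig` link groups in the later hunk of this file, so a rename of any one page now has three literals to keep in step. Lifting each route into a named constant next to `NAV_CATEGORIES`, e.g. `const ROUTES = Object.freeze({ EXTENSION_SECURITY: "/extension-security", EXTENSION_GOVERNANCE: "/extension-governance" });`, and referencing it from `matchPaths`, `dropdownItems` and `footerConfig` would keep the active-state matching (which `matchPaths` presumably drives) and the links in agreement. The same duplication applies to `"/extension-governance"` in the Enterprise entry's `matchPaths` and its new dropdown item. The enclosing `topNavItems` array starts before this hunk.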
@@ -139,16 +151,18 @@ export const userMenuItems = [ * Two-column layout: left = brand + disclaimer, right = link groups. */ export const footerConfig = { - disclaimer: "Comprehensive extension governance through security, privacy, and compliance analysis. We aggregate multiple dimensions into a single actionable score. So you can trust the results you find.", - tagline: "Extension security you can trust.", + disclaimer: "Open-source browser extension security and governance through Security, Privacy, and Governance analysis. ExtensionShield turns extension evidence into allow, block, monitor, or fix decisions.", + tagline: "Pre-install extension security you can trust.", linkGroups: [ { heading: "Product", links: [ { label: "Risk Check (Free)", path: "/scan" }, { label: "Private Build Audit (Pro)", path: "/scan/upload" }, + { label: "Extension Security", path: "/extension-security" }, + { label: "Risk Score", path: "/extension-risk-score" }, { label: "Is extension safe?", path: "/is-this-chrome-extension-safe" }, - { label: "Scan History", path: "/scan/history" } + { label: "Permissions", path: "/extension-permissions" } ] }, { @@ -157,12 +171,13 @@ export const footerConfig = { { label: "How We Score", path: "/research/methodology" }, { label: "Case Studies", path: "/research/case-studies" }, { label: "Compare Scanners", path: "/compare" }, - { label: "Benchmarks", path: "/research/benchmarks" } + { label: "Spin.ai Comparison", path: "/compare/spin-ai" } ] }, { heading: "Company", links: [ + { label: "Extension Governance", path: "/extension-governance" }, { label: "Enterprise", path: "/enterprise" }, { label: "Careers", path: "/careers" }, { label: "Contribute", path: "/contribute" } @@ -187,4 +202,3 @@ export default { getMobileNavSections, NAV_CATEGORIES, }; - diff --git a/frontend/src/pages/EnterprisePage.jsx b/frontend/src/pages/EnterprisePage.jsx index b7b72044..527e628d 100644 --- a/frontend/src/pages/EnterprisePage.jsx 
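Review bot: The `Scan History` link to `/scan/history` and the `Benchmarks` link to `/research/benchmarks` are removed from the Product and Research groups, but nothing in this diff retires those routes; if the pages still exist they become reachable only by direct URL, and for scan history in particular a page that lists past scan reports stays live without any navigation surfacing it. Either remove the routes in the same change or keep the links, and if the pages are intentionally unlinked, a comment such as `// /scan/history and /research/benchmarks intentionally unlisted; routes still served` next to the Product group would record the decision. The enclosing `footerConfig` object continues past this hunk.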
+++ b/frontend/src/pages/EnterprisePage.jsx @@ -162,8 +162,8 @@ const EnterprisePage = () => { return ( <> { Back -

Request an Enterprise Pilot

+

Request an Extension Governance Pilot

- Monitoring, alerting, governance, and audit-ready exports for teams. No self-serve checkout — we’ll set up a pilot with you. + Govern browser extensions before they become shadow IT. Get allow/block policies, update monitoring, risk alerts, and audit-ready evidence for your team.

@@ -304,4 +304,3 @@ const EnterprisePage = () => { export default EnterprisePage; - diff --git a/frontend/src/pages/HomePage.jsx b/frontend/src/pages/HomePage.jsx index 4a61dc20..faa8a7f1 100644 --- a/frontend/src/pages/HomePage.jsx +++ b/frontend/src/pages/HomePage.jsx @@ -134,7 +134,7 @@ const HomePage = () => { "name": "ExtensionShield", "url": "https://extensionshield.com", "logo": "https://extensionshield.com/logo.png", - "description": "Chrome extension scanner — safety reports in seconds.", + "description": "Open-source browser extension security and governance platform.", "sameAs": [ "https://github.com/Stanzin7/ExtensionShield" ] @@ -150,7 +150,7 @@ const HomePage = () => { { "@type": "Offer", "price": "0", "priceCurrency": "USD", "description": "Free public extension scan by Chrome Web Store URL" }, { "@type": "Offer", "description": "Pro: private CRX/ZIP security audit and vulnerability scan" } ], - "description": "Chrome extension security scanner. Scan by Chrome Web Store URL for free. Upload private CRX/ZIP for pre-release security audit, vulnerability scanning, and fix suggestions.", + "description": "Open-source browser extension security and governance platform. Scan Chrome Web Store extensions, audit private CRX/ZIP builds, and generate evidence-backed Security, Privacy, and Governance reports.", "url": "https://extensionshield.com/scan" }; 
@@ -180,8 +180,8 @@ const HomePage = () => { }, { "@type": "Question", - "name": "Is the Chrome extension scanner free?", - "acceptedAnswer": { "@type": "Answer", "text": "Yes. Our free extension scanner lets you scan any Chrome extension by Web Store URL. Private CRX/ZIP upload and audit are available on Pro for developers." } + "name": "Is ExtensionShield just a Chrome extension scanner?", + "acceptedAnswer": { "@type": "Answer", "text": "No. The free scanner is the entry point. ExtensionShield is a browser extension security and governance platform with Security, Privacy, and Governance scoring, private CRX/ZIP audits, and evidence-backed decision support." } } ] }; @@ -189,12 +189,12 @@ const HomePage = () => { return ( <>
@@ -205,8 +205,8 @@ const HomePage = () => { > {/* Mobile/tablet: scanner not supported — show idea + Step-by-step guide + Check on desktop */}
-

CHROME EXTENSION SECURITY GATE

-

Ship safer Chrome extensions.

+

OPEN-SOURCE EXTENSION GOVERNANCE

+

Browser extension security before install.

+
+ +
+

Spin.ai vs ExtensionShield

+

+ Spin.ai is strong for enterprise SaaS security programs. ExtensionShield is built to win the transparent, open-source, pre-install browser extension security and governance workflow. +

+
+ +
+

Where Spin.ai wins

+
    +
  • Enterprise SaaS security platform credibility across Google Workspace and Microsoft 365.
  • +
  • Browser extension risk assessment integrated into broader SaaS posture workflows.
  • +
  • Continuous monitoring, remediation, and enterprise console value for large organizations.
  • +
+ +

Where ExtensionShield is different

+
    +
  • Open-source core: trust comes from visible methodology and community-verifiable rules, not only vendor claims.
  • +
  • Pre-install scanning: anyone can scan a Chrome Web Store URL before installing, approving, or sharing an extension.
  • +
  • Private build audits: developers can upload CRX/ZIP builds before release to catch security, privacy, and policy issues.
  • +
  • Evidence-first reports: findings are tied to permissions, code, network indicators, disclosures, and governance checks.
  • +
+ +

Best fit

+

+ Choose Spin.ai when you need a broader SaaS security platform wrapped around browser extension monitoring. Choose ExtensionShield when your priority is transparent extension risk assessment, open-source trust, developer audits, and governance evidence before an extension reaches users. +

+
+ +
+ Scan an extension with ExtensionShield +
+ +
+

More comparisons

+
    +
  • Best browser extension security tools
  • +
  • ExtensionShield vs CRXcavator
  • +
  • ExtensionShield vs Extension Auditor
  • +
  • ExtensionShield vs CRXplorer
  • +
+
+
+ + + ); +}; + +export default CompareSpinAiPage; diff --git a/frontend/src/pages/landing/BrowserExtensionRiskAssessmentPage.jsx b/frontend/src/pages/landing/BrowserExtensionRiskAssessmentPage.jsx index 2d77fdfc..98f038af 100644 --- a/frontend/src/pages/landing/BrowserExtensionRiskAssessmentPage.jsx +++ b/frontend/src/pages/landing/BrowserExtensionRiskAssessmentPage.jsx @@ -56,6 +56,7 @@ const BrowserExtensionRiskAssessmentPage = () => { diff --git a/frontend/src/pages/landing/ChromeExtensionSecurityScannerPage.jsx b/frontend/src/pages/landing/ChromeExtensionSecurityScannerPage.jsx index 686730ab..5959e037 100644 --- a/frontend/src/pages/landing/ChromeExtensionSecurityScannerPage.jsx +++ b/frontend/src/pages/landing/ChromeExtensionSecurityScannerPage.jsx @@ -29,22 +29,22 @@ const ChromeExtensionSecurityScannerPage = () => {

Chrome Extension Security Scanner

- Check if a Chrome extension is safe before you install. ExtensionShield scans extensions for malware, privacy risks, and compliance issues and gives you a clear risk score in under a minute. + Check if a Chrome extension is safe before you install. ExtensionShield uses scanner workflows as the entry point into a broader browser extension security and governance platform.

- A chrome extension security scanner helps you understand what an extension can access and whether it has been flagged for malicious behavior. ExtensionShield combines static code analysis (SAST), permission checks, and threat intelligence so you get one actionable extension risk score plus a breakdown of Security, Privacy, and Governance. + A chrome extension security scanner helps you understand what an extension can access and whether it has been flagged for malicious behavior. ExtensionShield combines static code analysis (SAST), permission checks, threat intelligence, and governance signals so you get one actionable extension risk score plus a breakdown of Security, Privacy, and Governance.

Paste a Chrome Web Store URL — no install required. We analyze permissions, network access, obfuscation, and known threats so you can decide if an extension is safe to use.

  • Free to use; no account required for a single scan
  • -
  • Risk score 0–100 with Security, Privacy, and Compliance dimensions
  • +
  • Risk score 0–100 with Security, Privacy, and Governance dimensions
  • Transparent methodology; we document how we score
  • -
  • Useful for consumers and teams evaluating extensions
  • +
  • Useful for consumers, developers, and teams evaluating extensions
@@ -56,6 +56,7 @@ const ChromeExtensionSecurityScannerPage = () => {

Related

diff --git a/frontend/src/pages/landing/CrxcavatorAlternativePage.jsx b/frontend/src/pages/landing/CrxcavatorAlternativePage.jsx index 603d3024..2d5f3e93 100644 --- a/frontend/src/pages/landing/CrxcavatorAlternativePage.jsx +++ b/frontend/src/pages/landing/CrxcavatorAlternativePage.jsx @@ -37,7 +37,7 @@ const CrxcavatorAlternativePage = () => { CRXcavator provides permission-based scoring, RetireJS, and CSP checks for Chrome, Firefox, and Edge extensions. Teams often look for alternatives due to availability, limited transparency in how scores are calculated, or the need for a dedicated governance and compliance layer.

- ExtensionShield gives you a single chrome extension risk score (0–100) with three dimensions: Security (40%), Privacy (35%), and Compliance (25%). We add SAST (Semgrep), VirusTotal integration, obfuscation detection, and explicit governance signals so you can audit extensions and support compliance. Our methodology is documented; reports are evidence-based and suitable for audits. + ExtensionShield gives you a single chrome extension risk score (0–100) with three dimensions: Security (40%), Privacy (35%), and Governance (25%). We add SAST (Semgrep), VirusTotal integration, obfuscation detection, and explicit governance signals so you can audit extensions and support compliance. Our methodology is documented; reports are evidence-based and suitable for audits.