Stealth Guard reduces passive browser fingerprinting across Canvas, WebGL, fonts, AudioContext, ClientRects, WebGPU, timezone, User-Agent, and WebRTC surfaces. Settings and optional saved site sessions stay in local extension storage; there is no telemetry or analytics.
Important
Stealth Guard currently uses Manifest V2. Standard Google Chrome releases have disabled MV2, and most Chromium forks followed upstream. Opera is the primary current target because it still supports existing MV2 extensions. See Browser compatibility before installing.
- Fail-closed startup: browser API wrappers install at
document_startwith safe defaults, then receive trusted local configuration. - Compatibility controls: global and per-feature allowlists make protection practical on complex web apps.
- Local-first operation: no accounts, telemetry, analytics, or Stealth Guard servers.
- Auditable source: plain JavaScript with no production dependencies and no opaque build artifacts.
- Quality gates: manifest validation, syntax checks, dependency auditing, and 100% coverage for deterministic core modules.
| Protection | Description |
|---|---|
| 🌍 Proxy | Masks your IP address by routing traffic through SOCKS4/5 or HTTP/HTTPS proxy servers |
| 🌐 User-Agent | Spoofs browser User-Agent string in both HTTP headers and JavaScript |
| 🕐 Timezone | Spoofs timezone information (configurable, default: UTC+1) |
| 📡 WebRTC | Prevents IP address leaks through WebRTC connections |
| 🎨 Canvas | Adds imperceptible noise to canvas data exports, preventing canvas fingerprinting |
| 📐 ClientRects | Adds noise to element bounding rectangle measurements |
| 🔤 Font | Randomizes font measurement values to prevent font enumeration |
| 🔊 AudioContext | Injects noise into audio frequency data to prevent audio fingerprinting |
| 🕹️ WebGL | Spoofs GPU vendor/renderer information and adds noise to WebGL buffers |
| 🎮 WebGPU | Spoofs WebGPU adapter limits and buffer operations |
- 🔌 SOCKS5/HTTP/HTTPS Proxy Support - Route traffic through proxy servers with per-profile configuration
- 🔄 Per-Site Session Switcher - Save, rename, delete, clear, and switch login sessions (cookies + local/session storage) from the popup
- 🗺️ Domain-based Routing Engine - PAC-based domain routing is supported in core proxy logic (UI route editor is not currently exposed)
- ✅ Global & Per-Feature Allowlists - Whitelist sites globally or per protection feature
- 🎯 Wildcard Domain Patterns - Support for
*.example.comandwebmail.*patterns - ☁️ Cloudflare Challenge Compatibility - Leaves Cloudflare-owned challenge frames unmodified without granting the embedding page a UA bypass
- 🔔 Real-time Notifications - Optional alerts when fingerprinting attempts are blocked
- 💾 Export/Import Settings - Backup and restore your configuration
- 📦 No Build System Required - Pure vanilla JavaScript, ready to use
- Download or clone this repository
- In Opera, navigate to
opera://extensions/(or open the equivalent extensions page in another explicitly MV2-enabled Chromium build) - Enable Developer mode (toggle in top-right corner)
- Click Load unpacked
- Select the extension folder
Click the Stealth Guard icon in your browser toolbar to:
- Toggle protection on/off globally
- Enable/disable individual protection features
- Select User-Agent presets (macOS Safari, Chrome, Windows Edge, iPhone, Android)
- Choose timezone presets
- View proxy status
- See which protections were triggered on the current page
Open Advanced Settings from the popup to access:
- Per-feature allowlists
- Proxy profile management
- Proxy active profile + bypass list
- WebGL presets (Apple, Pixel 4, Surface Pro 7)
- Export/import configuration
- WebRTC policy settings
Right-click on any webpage to quickly add or remove the current domain from allowlists.
Stealth Guard supports flexible domain matching:
| Pattern | Matches |
|---|---|
example.com |
example.com and www.example.com |
*.example.com |
All subdomains (sub.example.com, deep.sub.example.com) |
webmail.* |
Any domain starting with webmail. (webmail.company.com) |
*pattern* |
Generic wildcard matching (foo-localhost-bar) |
Choose from predefined User-Agent strings:
- macOS Safari
- macOS Chrome
- Windows Edge
- iPhone Safari
- Android Chrome
Available timezones:
- UTC-8 (Los Angeles)
- UTC-7 (Denver)
- UTC-6 (Chicago)
- UTC-5 (New York)
- UTC+0 (London)
- UTC+1 (Paris) - Default
- UTC+2 (Athens)
- UTC+3 (Istanbul)
- UTC+4 (Dubai)
- UTC+7 (Jakarta)
- UTC+8 (Shanghai)
- UTC+9 (Tokyo)
Visit these sites to verify your fingerprinting protection:
- https://browserleaks.com/ - Comprehensive fingerprint testing
- https://webbrowsertools.com/ - AudioContext testing
- https://amiunique.org/ - Browser uniqueness analysis
- https://dnscheck.tools/ - WebRTC and DNS leak testing
Use Node.js 20.19+ or 22.12+. Install the dev dependencies once:
npm installRun the local quality gate:
npm run checkThis validates extension source syntax and manifest integrity, then runs Vitest with 100% statements, branches, functions, and lines coverage enforced for deterministic core modules in lib/. Browser lifecycle code in background.js, content-scripts/, popup/, and options/ is syntax-checked and must also be manually validated in an MV2-compatible browser.
The content script installs wrappers immediately at document_start with embedded safe defaults, then applies trusted chrome.storage.local config through a private authenticated MAIN-world update channel. This fail-closed design avoids a pre-patch fingerprinting window; if storage is slow, default protections may apply briefly before stored disables or allowlists take effect.
background.js → Runtime orchestrator (webRequest UA spoofing, WebRTC policy, proxy lifecycle, message hub)
↓
content-scripts/
injector.js → Fail-closed MAIN-world injection + trusted dynamic config update
↓
lib/
config.js → Config defaults + merge/persistence helpers
domainFilter.js → Domain extraction + wildcard allowlist matching
proxy.js → Proxy mode/PAC generation and profile helpers
session.js → Session hostname and cookie-scope helpers
storage.js → Promise wrapper for chrome.storage.local
This extension intentionally uses Manifest V2 for maximum API compatibility. Key features like webRequestBlocking and synchronous header modification require MV2 and are restricted or impossible in Manifest V3.
Warning
Because of Manifest V2, this extension does not work on current standard versions of Google Chrome. A separate Manifest V3 architecture is required for broad Chrome, Brave, Vivaldi, and Edge support.
| Permission | Purpose |
|---|---|
storage |
Save user settings |
cookies |
Save and restore per-site login sessions |
privacy |
Control WebRTC IP handling policy |
proxy |
Configure SOCKS5/HTTP proxy |
webRequest / webRequestBlocking |
Modify User-Agent headers |
webNavigation |
Reapply browser-global WebRTC policy during navigation |
declarativeNetRequest |
Legacy compatibility cleanup for prior UA rule path |
tabs |
Identify active tabs, reload updated tabs, and track per-tab protection state |
contextMenus |
Right-click menu integration |
notifications |
Fingerprint detection alerts |
<all_urls> |
Apply protections, header spoofing, proxy rules, and session tools across websites |
Stealth Guard:
- Does not collect telemetry, analytics, or browsing history
- Makes no background service calls except optional proxy location checks via
ipinfo.io/ipapi.coand proxy test checks viaapi.ipify.org - Stores all settings locally in browser storage
- Is fully open source - audit the code yourself
| Browser | Support | Notes |
|---|---|---|
| Opera | ✅ Primary target | Opera states that existing MV2 extensions remain supported; its store no longer accepts new MV2 uploads, so use developer-mode installation. |
| Brave | ❌ Unsupported | Brave limits post-phase-out MV2 support to four specifically maintained extensions; Stealth Guard is not one of them. |
| Vivaldi | ❌ Unsupported | Vivaldi announced that MV2 extensions would stop working as Chromium removed the platform. |
| Microsoft Edge | ❌ Unsupported | Current project releases are not validated against an MV2-capable Edge channel. |
| Google Chrome | ❌ Unsupported | Chrome disabled MV2 everywhere starting with Chrome 138/139. |
Note: Firefox uses a different extension format and is not currently supported.
Vendor references: Chrome MV2 timeline, Opera MV2 status, Brave MV2 policy, and Vivaldi MV3 update.
Contributions are welcome. Read CONTRIBUTING.md for setup, testing, privacy, and pull-request expectations. Please report vulnerabilities privately according to SECURITY.md.
Release changes are tracked in CHANGELOG.md.
This project is licensed under the MIT License - see the LICENSE file for details.
- Inspired by the need for better privacy tools in an increasingly tracked web
- Thanks to the browser fingerprinting research community for documenting these techniques