Summary: SecretSifter does not collect, transmit, or share any personal data. All scan findings are stored exclusively in your local browser. The only external network call made by the extension is an optional Google Maps API key validation probe sent directly to Google’s servers — see Section 5 for full details.

1. What SecretSifter Does
SecretSifter is a browser extension designed for security professionals and penetration testers. It intercepts network responses (JavaScript files, JSON APIs, XML responses, HTML pages, and WebSocket frames) in the active browser tab and scans them for exposed secrets such as API keys, tokens, passwords, and credentials using pattern-matching rules.

2. Data Collection
SecretSifter does not collect any personal data. Specifically:
- No data is transmitted to the developer’s servers.
- No analytics, telemetry, or usage tracking of any kind is performed.
- No user accounts are created or required.
- No browsing history is recorded beyond what is temporarily held in local browser storage for the current session.

3. Local Storage
SecretSifter stores the following data locally in your browser only, using chrome.storage.sync and chrome.storage.session:
- Scan findings (secret matches detected during your browsing session) — held in session storage and cleared when the browser session ends
- User settings (CDN blocklist customisations, noise key list) — stored in sync storage so they persist across browser restarts
- The list of hostnames you have enabled scanning on — held in session storage
This data never leaves your device except as described in Section 5. You can clear all stored findings at any time using the “Clear” button in the extension popup or DevTools panel.

4. Permissions Used
- debugger — Used to attach to the Chrome DevTools Protocol (CDP) to intercept network responses in the active tab. This is required for full network coverage (JS files, JSON APIs, WebSocket frames, outgoing request headers) and is only activated when you explicitly enable scanning on a tab.
- tabs — Used to associate scan findings with the correct browser tab and to read the current tab URL when attaching the debugger.
- storage — Used to persist scan findings and user settings locally in the browser.
- <all_urls> — Required so the extension can operate on any website the user chooses to scan. Scanning is always opt-in per tab.

5. Google Maps API Key Validation
External network call: When SecretSifter detects a potential Google Maps API key in a scanned page, it automatically sends a validation probe to maps.googleapis.com to determine whether the key is live and unrestricted. Specifically:
- The discovered API key value is included as a URL parameter in a request to Google’s Static Maps endpoint (maps.googleapis.com/maps/api/staticmap).
- This request is sent directly to Google, not to any developer-controlled server. Google’s own Privacy Policy governs how Google handles this request.
- The purpose is to confirm whether the key is functional — a 200 response indicates a live, unrestricted key; a 403 indicates a restricted key.
- No other data (browsing history, page content, personal information) is included in this request.
- The probe is performed only for findings classified as Google Maps API keys and only once per unique key value per session (results are cached locally).
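The probe described in this section, modelled as an added JavaScript example that is not SecretSifter's own code: it builds the request the policy describes, audits that the URL carries nothing but the key, classifies the 200/403 outcome, and enforces the once-per-key-per-session cache with an injected fake fetch so nothing touches the network. The endpoint, the key parameter and the status meanings come from the policy; the helper names, the in-memory Map standing in for chrome.storage.session, and the constructed key values are assumptions.

```javascript
// Added example, not SecretSifter's code. Endpoint and "key" parameter are
// as stated in Section 5; the exact query string the extension sends is not
// on the page, so this URL builder is an assumption.
const PROBE_HOST = "maps.googleapis.com";
const PROBE_PATH = "/maps/api/staticmap";

function buildProbeUrl(apiKey) {
  const url = new URL(`https://${PROBE_HOST}${PROBE_PATH}`);
  url.searchParams.set("key", apiKey);
  return url.toString();
}

// Privacy audit: confirm the request goes to Google's host and path and that
// the key is the only query parameter (no page content or history attached).
function auditProbeUrl(urlString) {
  const url = new URL(urlString);
  const params = [...url.searchParams.keys()];
  return {
    hostOk: url.hostname === PROBE_HOST,
    pathOk: url.pathname === PROBE_PATH,
    onlyKeyParam: params.length === 1 && params[0] === "key",
  };
}

// Status interpretation as stated in the policy: 200 = live and unrestricted,
// 403 = restricted. Anything else is left as "unknown" rather than guessed.
function classifyStatus(status) {
  if (status === 200) return "live-unrestricted";
  if (status === 403) return "restricted";
  return "unknown";
}

// One probe per unique key per session. The Map is a stand-in (assumption)
// for chrome.storage.session, which only exists inside an extension.
// fetchImpl is injected so the cache logic can be exercised offline; it must
// return an object with a numeric `status`.
function createProbeCache() {
  const cache = new Map();
  const sentUrls = []; // record of what actually left the browser
  return {
    sentUrls,
    probe(apiKey, fetchImpl) {
      if (cache.has(apiKey)) return cache.get(apiKey); // cached: no second request
      const url = buildProbeUrl(apiKey);
      sentUrls.push(url);
      const result = classifyStatus(fetchImpl(url).status);
      cache.set(apiKey, result);
      return result;
    },
  };
}

// Constructed fake fetch: answers from a constructed key table, no network.
function fakeFetch(url) {
  const key = new URL(url).searchParams.get("key");
  const table = { CONSTRUCTED_LIVE_KEY: 200, CONSTRUCTED_RESTRICTED_KEY: 403 };
  return { status: table[key] ?? 400 };
}

// Stand-alone run: a second probe of the same key is served from the cache.
const session = createProbeCache();
console.log(session.probe("CONSTRUCTED_LIVE_KEY", fakeFetch));       // live-unrestricted
console.log(session.probe("CONSTRUCTED_LIVE_KEY", fakeFetch));       // from cache
console.log(session.probe("CONSTRUCTED_RESTRICTED_KEY", fakeFetch)); // restricted
console.log(session.sentUrls.length, "request(s) sent");            // 2
console.log(auditProbeUrl(session.sentUrls[0]));
```

The audit function is the part a privacy-minded reviewer can reuse: point it at the request URLs the extension actually emits (visible in the browser's network tools) to check the "no other data" claim independently of this policy text.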
6. Children’s Privacy
This extension is intended for security professionals and is not directed at children under the age of 13. We do not knowingly collect any information from children.

7. Changes to This Policy
If this privacy policy is updated, the effective date above will be revised.
Significant changes will be noted in the extension’s version release notes.
8. Contact
For questions about this privacy policy, please open an issue on the GitHub repository or contact the developer directly via GitHub.