Cloak Check

Solid Code Solutions
Extension · Privacy & Security · 2 users
Overview

A friendly cybersecurity audit of the page you're on, in plain English.

Cloak Check — a friendly cybersecurity audit for every page you visit

Is this site actually safe? Cloak Check answers that question in plain English, the moment you click its toolbar icon.

The web is full of subtle signals about whether a page is trustworthy: how it handles encryption, whether its address is quietly impersonating a well-known brand, whether its forms send your password to somewhere they shouldn't, whether invisible overlays are trying to trick you into clicking something. Browsers know about all of these signals, but they don't surface them to you — they're buried in DevTools, technical jargon, and pages of documentation aimed at developers.

Cloak Check pulls those signals out, weighs them up, and gives you a single traffic-light verdict for the page you're looking at — backed by a friendly, jargon-free explanation of what it found and why it matters.

────────────────────────────────────
WHAT IT DOES
────────────────────────────────────

When you click the Cloak Check icon, you get:

• A traffic-light verdict — green, yellow, or red — based on a weighted score of everything the extension observed about the page.
• A small coloured shape overlaid on the toolbar icon itself — a green circle, a yellow triangle, or a red diamond — so you can read the verdict at a glance without even opening the popup. The shapes are intentionally distinct so the verdict reads from silhouette alone, which matters for anyone who finds colour alone hard to distinguish.
• A list of findings, each written in plain English. No acronyms without explanation, no log dumps, no "consult your network administrator". Just: here's what we noticed, and here's why we think it matters (or doesn't).
• Full transparency: every finding has a details view that shows the underlying technical observation — the specific header, cookie name, or URL — so curious users and developers can verify the call.

────────────────────────────────────
WHAT IT CHECKS
────────────────────────────────────

Cloak Check inspects eleven different aspects of the page:

1. Connection security
   Is the page served over HTTPS? Did Chrome encounter a certificate error on the way in? Is the site asking the browser to remember to always use HTTPS in future (HSTS)? Is the page mixing secure and insecure content?

2. Web-address sanity
   Is the address using lookalike characters from other alphabets to impersonate a familiar brand (a mixed-script homograph attack)? Is it stacking a brand name into a subdomain of an unrelated domain to look legitimate (paypal.evil-site.com)? Is the subdomain depth so deep it might be hiding the real destination?

3. Site security headers
   Is the site setting the standard browser-side defences against script injection (Content-Security-Policy), framing attacks (X-Frame-Options / frame-ancestors), MIME-type confusion (X-Content-Type-Options), and so on? Load-bearing headers are weighted more heavily than nice-to-have ones, so a well-run site missing one or two of the latter still reads green.

4. Forms and credentials
   Is the page asking for a password or payment details over an unencrypted connection? Is the form submitting to a different origin than the one you're looking at?

5. Iframes
   Are there embedded frames from other origins? Is any frame rendered at near-zero opacity, large enough to cover meaningful content (a clickjacking shape)? Tracking pixels and hidden SSO bridges are commonplace and stay informational only — only the clickjacking pattern escalates to a warning.

6. Cookies
   Are session-like cookies on this HTTPS page being set without the Secure flag, meaning they could leak over a downgraded connection? The check is deliberately precise: it ignores cookies whose names happen to contain "session" in a generic way (CSRF tokens, analytics IDs), and it downgrades its warning when the site is demonstrably using modern secure-cookie patterns elsewhere.

7. Scripts
   How many third-party origins is the page loading code from? Are any of them loaded without subresource integrity (SRI) hashes? This is reported for transparency and contributes no weight to the verdict — third-party scripts are a fact of modern web life, not in themselves a red flag.

8. Phishing heuristics
   Is the page mentioning a well-known brand by name while sitting on an unrelated domain and asking for a password? Is it using urgency phrasing ("verify your account or it will be suspended") near a password field? Brand mention plus password form on a mismatched domain is treated as DANGER. Urgency phrasing near a password form is a warning. A bare brand mention on its own is informational — brands get mentioned all over the web (reviews, news, sibling sites) and a keyword match alone isn't enough signal.

9. Favicon origin
   Is the page's favicon being loaded from a well-known brand's domain while the page itself sits on a different registrable domain? That's a classic impersonation tell.

10. Overlay traps
    Are there large, position-absolute or position-fixed anchors or buttons rendered at near-zero opacity over the page content? Those are designed to intercept clicks invisibly.

11. Page behaviour
    Is the page asking for camera, microphone, geolocation, or notification permissions? Are there direct download links ending in .exe, .scr, .bat, .dmg, or .msi that the user might click without realising?

────────────────────────────────────
THE VERDICT, EXPLAINED
────────────────────────────────────

Cloak Check does not report the worst single finding as the page verdict. That approach produces a lot of alarming red badges on perfectly legitimate sites that are missing one obscure header. Instead, each finding contributes a weight, and the sum determines the colour. This means:

• A single severe finding — a homograph attack, brand impersonation on a mismatched domain — is enough on its own to push the verdict past the red threshold.
• Five separate yellow warnings will also add up to red. Cumulative risk matters.
• A well-run site missing one or two nice-to-have headers stays green. The user shouldn't be alarmed about a missing Referrer-Policy header on their bank's site.

The thresholds and weights are documented in the source. You can read every check in plain JavaScript and audit the decisions for yourself.

────────────────────────────────────
WHO IT'S FOR
────────────────────────────────────

• People who'd like a second opinion before typing a password into a page they're not sure about.
• Family members of more technical people, who would benefit from a friendly heads-up about phishing-shaped pages without needing to learn what HSTS means.
• Developers and security-curious folks who want a quick scan of the security posture of pages they're building, reviewing, or browsing — without having to open DevTools every time.
• Anyone who'd like the security signals their browser already knows about surfaced in plain English, on demand.

It is NOT a replacement for being thoughtful about what you click. It is a heuristic aid that surfaces signals; it can't read the contents of cross-origin iframes, it can't intercept dynamically triggered downloads, and it can't know whether a site you're on is the real thing or a perfect clone on a never-before-seen lookalike domain. Treat the verdict as one input into your decision, not a guarantee.

────────────────────────────────────
PRIVACY — THE PART THAT MATTERS MOST
────────────────────────────────────

Cloak Check is built around one promise: nothing about your browsing leaves your browser.

• No telemetry. No analytics. No remote calls. The extension never contacts any server — not ours, not anyone's. There is no server.
• All analysis happens locally, inside your browser, on the page you're already looking at.
• Scan results live in chrome.storage.session, which is RAM-only and wiped when you close Chrome. Nothing about the pages you visited is written to disk by the extension.
• No browsing history is collected, stored, or transmitted. We don't have a database; we don't have a backend.
• The source code is plain readable JavaScript with no minification, no bundling, no obfuscation. You can audit every check in the checks/ directory of the project.

We ask for the host_permissions: <all_urls> permission because the extension needs to read response headers as pages load (so the verdict is ready the moment you click the icon) and re-run checks on navigation. Both of those happen independently of you clicking the toolbar icon, which means the lighter-touch activeTab permission alone isn't enough. We've constrained the use of <all_urls> as tightly as we can: read-only inspection, observational mode, no blocking or modification of any request, no transmission of any data anywhere.

────────────────────────────────────
PERMISSIONS, IN PLAIN ENGLISH
────────────────────────────────────

• activeTab — lets the popup talk to the page currently in focus.
• storage — per-tab scan results live in RAM-only session storage so the popup opens instantly.
• webRequest — read response headers (CSP, X-Frame-Options, HSTS, etc.) as pages load. Used in observational mode only; Cloak Check never blocks, redirects, or modifies any request.
• cookies — inspect cookie attributes for missing Secure flags on HTTPS pages. Read access only.
• webNavigation — re-run checks automatically when a tab finishes navigating, so the verdict is ready before you click.
• host_permissions: <all_urls> — required so the above can happen on any page you visit. See the privacy section above.

────────────────────────────────────
HOW TO USE IT
────────────────────────────────────

1. Install the extension.
2. Pin it to your toolbar so the icon stays visible.
3. Browse normally.
4. Glance at the toolbar icon to see the shape-and-colour verdict — green circle, yellow triangle, or red diamond.
5. Click the icon to see the full list of findings with plain-English explanations.

That's it. There's no account to create, no settings to configure, no subscription, no upsell. It's free and the source is open.

────────────────────────────────────
HONEST LIMITATIONS
────────────────────────────────────

We'd rather tell you up front what Cloak Check can't do than have you discover it the hard way:

• Certificate validity is not exposed to extensions by Chrome at all. We catch certificate errors at the moment of navigation, but if you bypassed a certificate warning before installing the extension, subsequent visits to that same site will look like normal HTTPS to us.
• Permission-prompt detection (camera, microphone, location, notifications) only catches calls made after our probe loads. Anything fired in the first few milliseconds of page load may be invisible to us.
• Cross-origin iframes are detected as present, but their contents cannot be inspected. We report them as such rather than pretending to have looked inside them.
• Download detection is link-based. Dynamically triggered downloads (via JavaScript) are not caught in this version, because we deliberately don't ask for the downloads permission.
• Headers are read once at page load. If a site changes its security posture after navigation (very unusual), we won't notice.
• Brand impersonation uses a built-in list of high-value brands. Targeted attacks against brands we don't list will not be flagged.
• On pages with very strict Content-Security-Policy rules, our deeper behaviour probe may be blocked. When that happens, the popup tells you so explicitly — "Advanced behaviour monitoring is restricted by this site's security policy" — rather than silently failing and reporting a clean bill of health.

Cloak Check is a heuristic aid, not a guarantee of safety. Stay sceptical. Use it as one input into your judgement.

────────────────────────────────────
WHY INSTALL IT
────────────────────────────────────

Because a one-second glance at a coloured shape on a toolbar icon is a much friendlier way to keep an eye on the security of the web than reading specifications, learning acronyms, or hoping for the best.

Because the browser already knows most of what you'd want to know about a page — it just doesn't tell you, unless you ask it nicely in DevTools.

Because phishing pages and lookalike domains are still the most common way ordinary people lose money and credentials online, and a friendly second opinion at the moment you're about to type a password is genuinely useful.

And because all of this can — and should — be done locally, with no telemetry, no account, and no data leaving your browser.

Install Cloak Check, pin it to your toolbar, and let it quietly keep an eye on things for you.
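
The three web-address checks listed under "Web-address sanity" in WHAT IT CHECKS, sketched in JavaScript as an added example (this is not Cloak Check's own source). The brand list, the subdomain-depth limit, the finding names and the two-label stand-in for the registrable domain are all assumptions made for illustration.

```javascript
// Added illustration; brand list, depth limit and finding names are assumptions.
const BRANDS = ["paypal", "google", "apple", "microsoft"]; // constructed sample list
const MAX_SUBDOMAIN_LABELS = 3;                            // assumed threshold
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Scripts used by the letters of one DNS label (digits and hyphens are script-neutral).
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found];
}

// hostname: Unicode form (punycode already decoded by the caller).
function checkHostname(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  // Simplification: the last two labels stand in for the registrable domain.
  // Real code needs the Public Suffix List (e.g. for example.co.uk).
  const registrable = labels.slice(-2).join(".");
  const subdomains = labels.slice(0, -2);
  const findings = [];

  for (const label of labels) {
    const scripts = scriptsIn(label);
    if (scripts.length > 1) {
      findings.push({ id: "mixed-script", label, scripts });
    }
  }
  for (const brand of BRANDS) {
    const inSub = subdomains.some((l) => l.split("-").includes(brand));
    const ownsDomain = labels[labels.length - 2] === brand;
    if (inSub && !ownsDomain) {
      findings.push({ id: "brand-in-subdomain", brand, registrable });
    }
  }
  if (subdomains.length > MAX_SUBDOMAIN_LABELS) {
    findings.push({ id: "deep-subdomain", depth: subdomains.length });
  }
  return findings;
}
```

Matching the brand against whole hyphen-separated tokens, not substrings, keeps a label such as "pineapple" from counting as a mention of "apple".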

Details

  • Version
    0.1.0
  • Updated
    May 15, 2026
  • Size
    360KiB
  • Languages
    English (United States)
  • Developer
    Solid Code Solutions
    20-22 Wenlock Road London N1 7GU GB
    Website
    Email
    info@solidcodesolutions.co.uk
    Phone
    +44 7889 908061
  • Trader
    This developer has identified itself as a trader per the definition from the European Union and committed to only offer products or services that comply with EU laws.
  • D-U-N-S
    219712830

Privacy

Cloak Check has disclosed the following information regarding the collection and usage of your data. More detailed information can be found in the developer's privacy policy.

Cloak Check handles the following:

Website content

This developer declares that your data is

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes
