Free · Passive · No account needed

Your browser's security expert

ThirdEye scans every website you visit for XSS, CSRF, insecure cookies, vulnerable libraries, and 20+ real vulnerabilities — in real time, right in your browser.

Add to Chrome — Free · also available for Firefox, Edge, Opera and Brave
What we detect
20+ security checks on every page
Passive scanning — ThirdEye reads but never modifies any page. No slowdowns, no privacy risks.
Critical
DOM XSS Sinks
Detects innerHTML, eval(), document.write and 7 other dangerous JS patterns.
Critical
Sensitive Data Exposure
AWS keys, JWT tokens, Stripe keys, GitHub tokens exposed in page source.
Critical
HTTPS / TLS Status
Detects plaintext HTTP connections serving login or payment pages.
Critical
PCI DSS Compliance
Checks payment forms for HTTPS delivery, Subresource Integrity on scripts, and iframe sandboxing, reported as PCI DSS signals rather than a full compliance assessment.
High
CSRF Protection
Checks every POST form for CSRF tokens. Flags GET forms with password fields.
High
Vulnerable JS Libraries
Detects outdated jQuery, Lodash, Bootstrap, Vue, React with CVE IDs and CVSS scores.
High
Cookie Security
Missing HttpOnly, Secure, SameSite flags on session cookies.
High
Mixed Content
HTTP resources (scripts, images) loaded on HTTPS pages — MITM risk.
Medium
Content Security Policy
Validates CSP headers for unsafe-inline, unsafe-eval, wildcard sources.
Medium
Clickjacking Protection
Checks X-Frame-Options and the CSP frame-ancestors directive.
Medium
13 HTTP Security Headers
HSTS, CSP, COOP, COEP, CORP, Referrer-Policy — validated for misconfiguration.
Low
Privacy Tracker Detection
Identifies 15+ trackers: GA4, Facebook Pixel, Hotjar, TikTok, LinkedIn.
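To show how passive header checks of the kind listed above can be implemented, here is an added example written for this page (it is not ThirdEye's own source and makes no claim about how the extension is built). It parses a constructed set of response headers and reports CSP weaknesses (unsafe-inline, unsafe-eval, wildcard script sources), missing or obsolete clickjacking protection, and session cookies lacking HttpOnly, Secure or SameSite. The header values, cookie names and the "session cookie" heuristic are assumptions made for the example; the severity labels follow the cards above.

```javascript
// Added example (not ThirdEye's code): passive checks over response headers of the
// kind described above. All input is constructed inline; nothing is fetched.

function parseCsp(header) {
  // CSP3: directives are ';'-separated, names are case-insensitive, and when a
  // directive is repeated the first occurrence wins.
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Sources that effectively allow scripts from anywhere (or anywhere over a scheme).
const isWildcard = (src) =>
  src === '*' || src === 'https:' || src === 'http:' ||
  src.startsWith('*.') || src.startsWith('https://*.') || src.startsWith('http://*.');

function checkCsp(header) {
  const findings = [];
  if (!header) {
    return [{ severity: 'Medium', check: 'CSP', issue: 'no Content-Security-Policy header' }];
  }
  const csp = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const scriptSrc = (csp.get('script-src') ?? csp.get('default-src') ?? []).map((v) => v.toLowerCase());
  // A nonce or hash source makes 'unsafe-inline' a no-op in CSP3-aware browsers,
  // so it is only a finding when neither is present.
  const hasNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push({ severity: 'Medium', check: 'CSP', issue: "script-src allows 'unsafe-inline'" });
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push({ severity: 'Medium', check: 'CSP', issue: "script-src allows 'unsafe-eval'" });
  }
  const wild = scriptSrc.filter(isWildcard);
  if (wild.length > 0) {
    findings.push({ severity: 'Medium', check: 'CSP', issue: `script-src has wildcard source(s): ${wild.join(' ')}` });
  }
  return findings;
}

function checkClickjacking(headers) {
  // A header-delivered frame-ancestors directive takes precedence over
  // X-Frame-Options; frame-ancestors inside a <meta> CSP is ignored by browsers.
  const csp = headers['content-security-policy'];
  const frameAncestors = csp ? parseCsp(csp).get('frame-ancestors') : undefined;
  if (frameAncestors) {
    const lower = frameAncestors.map((v) => v.toLowerCase());
    return lower.some((v) => v === '*' || v === 'https:' || v === 'http:')
      ? [{ severity: 'Medium', check: 'Clickjacking', issue: 'frame-ancestors allows any origin' }]
      : [];
  }
  const xfo = (headers['x-frame-options'] ?? '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return [];
  if (xfo.startsWith('ALLOW-FROM')) {
    return [{ severity: 'Medium', check: 'Clickjacking',
      issue: 'X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors' }];
  }
  return [{ severity: 'Medium', check: 'Clickjacking', issue: 'neither frame-ancestors nor X-Frame-Options is set' }];
}

function checkCookies(setCookieLines) {
  const findings = [];
  for (const line of setCookieLines) {
    const [nameValue, ...attrs] = line.split(';').map((s) => s.trim());
    const name = nameValue.split('=')[0];
    const attrNames = attrs.map((a) => a.split('=')[0].toLowerCase());
    const sameSite = attrs.find((a) => /^samesite=/i.test(a))?.split('=')[1]?.toLowerCase();
    // Assumed heuristic for "session cookie": no Expires/Max-Age, or a name suggesting auth state.
    const noExpiry = !attrNames.includes('expires') && !attrNames.includes('max-age');
    const authLikeName = /sess|sid|token|auth|jwt/i.test(name);
    if (!(noExpiry || authLikeName)) continue;
    const missing = [];
    if (!attrNames.includes('httponly')) missing.push('HttpOnly');
    if (!attrNames.includes('secure')) {
      missing.push(sameSite === 'none' ? 'Secure (mandatory with SameSite=None)' : 'Secure');
    }
    if (!sameSite) missing.push('SameSite');
    if (missing.length > 0) {
      findings.push({ severity: 'High', check: 'Cookie', issue: `${name} is missing ${missing.join(', ')}` });
    }
  }
  return findings;
}

function scanHeaders(headers) {
  return [
    ...checkCsp(headers['content-security-policy']),
    ...checkClickjacking(headers),
    ...checkCookies(headers['set-cookie'] ?? []),
  ];
}

// Constructed response headers for a hypothetical login page (not a real site).
const sampleHeaders = {
  'content-security-policy':
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.cdn.example",
  'x-frame-options': 'ALLOW-FROM https://partner.example',
  'set-cookie': [
    'sessionid=abc123; Path=/; HttpOnly',
    'theme=dark; Path=/; Max-Age=31536000',
    'auth_token=t0k3n; Path=/; Secure; SameSite=None',
    '__Host-sid=ok; Path=/; Secure; HttpOnly; SameSite=Lax',
  ],
};

for (const f of scanHeaders(sampleHeaders)) console.log(`[${f.severity}] ${f.check}: ${f.issue}`);
```

Running it on the constructed headers yields six findings: three for the CSP (unsafe-inline, unsafe-eval, the `https://*.cdn.example` wildcard), one for the obsolete `ALLOW-FROM`, and two cookie findings (`sessionid` lacks Secure and SameSite; `auth_token` lacks HttpOnly). The `theme` cookie is skipped as non-session and `__Host-sid` is clean. Two caveats built into the checks are worth keeping in mind when reading any scanner's output: `'unsafe-inline'` alongside a nonce or hash is not a weakness in CSP3-aware browsers, and a `frame-ancestors` directive only works when delivered in the HTTP header, not in a `<meta>` tag.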
Install once. Works everywhere.
No configuration, no accounts, no servers.
  1. Install the extension. Add ThirdEye from the Chrome Web Store, Firefox Add-ons, or Edge Add-ons. Free, one click.
  2. Browse normally. ThirdEye scans every page automatically as you navigate. No buttons to push.
  3. See your security grade. The toolbar badge shows A–F instantly. Click it for the full breakdown.
  4. Fix issues fast. The Fix It tab shows exact remediation steps, OWASP references, and CWE IDs.

Pricing
Simple, honest pricing
Free forever for casual use. Pro for developers, security teams, and agencies.
Free
$0
forever, no card needed
  • All 20+ security checks
  • 13 HTTP header checks
  • CSV & JSON export
  • 20 scans per day
  • Unlimited scans
  • Scan history
Install Free →
Agency
$99 / mo
up to 10 seats · billed monthly
  • Everything in Pro
  • 10 license keys
  • White-label PDF reports
  • Priority support & SLA
  • Invoice available
  • Onboarding call
Contact for Agency →
Already purchased?
Activate your Pro key
After buying on Gumroad, you'll receive a key that looks like TE-PRO-XXXX…

🔑 How to activate

You activate your key directly inside the browser extension — not here. Follow these steps:

  1. Open any website in your browser
  2. Click the ThirdEye shield icon in your toolbar
  3. If you've hit the daily limit, you'll see a "Daily limit reached" screen
  4. Scroll down to "Already purchased?"
  5. Paste your TE-PRO-... key and click Activate
  6. The badge shows — you're on Pro!
💬 Key not working? Email rockyd65r@gmail.com with your Gumroad order number. We respond within 24 hours.

Privacy Policy

ThirdEye Security · Last updated: June 2025

ThirdEye ("the extension") performs all security analysis locally inside your browser. We do not collect, transmit, store, or sell any browsing data on external servers.

What data the extension accesses

What data leaves your device

Nothing. All analysis is performed client-side. The only network request the extension makes is loading the IBM Plex Mono font from Google Fonts (standard CSS @import). This is a browser-level font fetch with no extension data attached.

License key storage

If you activate a Pro license key, that key is stored in chrome.storage.local / browser.storage.local on your device only. It is never transmitted to any server. ThirdEye has no backend server — key validation happens entirely inside the extension.

Scan quota

Your daily scan count is stored in chrome.storage.local on your device only. No URLs, page content, or scan results are stored persistently.

Third parties

ThirdEye does not use any analytics SDKs, crash reporting services, advertising networks, or remote configuration services. We have no backend infrastructure.

Children's privacy

ThirdEye does not knowingly collect any information from children under 13.

Changes to this policy

If this policy changes materially, we will update the date above and post a notice in the extension's store listing.

Contact

Questions about privacy: rockyd65r@gmail.com