Checkout Security Shield
The padlock means the connection is encrypted. It says nothing about what the scripts on the page are doing.
The fraud happens on legitimate sites
Formjacking — also called Magecart attacks — injects malicious JavaScript into legitimate retailers' checkout pages. The attack runs silently: you type your card number, the store processes your order normally, and a second script copies your card data to a remote server in the same fraction of a second.
You receive the order confirmation. The fraudulent charges appear on your statement days or weeks later. The FTC reported $15.9 billion in consumer fraud losses in its most recent annual report. The FBI's Internet Crime Complaint Center processes roughly 3,000 cybercrime complaints every day.
A significant share of these involve payment data stolen at checkout from legitimate, HTTPS-secured websites.
Step by step
- Install the extension in Chrome.
- Navigate to any checkout page.
- The extension audits every script loaded on the page against a list of known legitimate payment processor domains.
- It intercepts navigator.sendBeacon and fetch calls during form submission to detect unauthorized data exfiltration attempts.
- Suspicious activity is flagged before you submit your card details.
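The script audit and the sendBeacon/fetch interception from the steps above, as an added example in plain JavaScript; it is not the extension's source code. The names ALLOWED_HOSTS, isTrustedUrl, auditScripts and installGuards are hypothetical, and the allowlist and all URLs are constructed.

```javascript
// Added example: script allowlist audit plus fetch/sendBeacon wrappers (runs in Node).
// ALLOWED_HOSTS and every URL below are constructed; a real list names each processor the shop uses.
const ALLOWED_HOSTS = ['js.stripe.com', 'www.paypal.com'];

// Trusted = HTTPS and either the page's own host or an allowlisted host / its subdomain.
function isTrustedUrl(rawUrl, pageOrigin, allowed = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(rawUrl, pageOrigin); } catch { return false; }
  if (url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  if (host === new URL(pageOrigin).hostname) return true;
  // Exact or dot-delimited suffix match, so "js.stripe.com.cdn-pay.example" is rejected.
  return allowed.some((a) => host === a || host.endsWith('.' + a));
}

// Script audit: return every script URL that is not trusted.
function auditScripts(scriptUrls, pageOrigin) {
  return scriptUrls.filter((src) => !isTrustedUrl(src, pageOrigin));
}

// Interception: wrap fetch and navigator.sendBeacon on a window-like object.
// While state.armed is true (set it when the card form is being submitted),
// requests to untrusted destinations are recorded in state.flagged, then passed on.
function installGuards(win, pageOrigin) {
  const state = { armed: false, flagged: [] };
  const wrap = (owner, name) => {
    const original = owner[name].bind(owner);
    owner[name] = (target, ...rest) => {
      const dest = target && target.url ? target.url : String(target); // Request or string/URL
      if (state.armed && !isTrustedUrl(dest, pageOrigin)) {
        state.flagged.push({ api: name, dest });
      }
      return original(target, ...rest);
    };
  };
  wrap(win, 'fetch');
  wrap(win.navigator, 'sendBeacon');
  return state;
}

// Constructed demo: a fake window, one look-alike script host, one beacon to a third party.
const demoWin = { fetch: async () => ({ ok: true }), navigator: { sendBeacon: () => true } };
const demoState = installGuards(demoWin, 'https://shop.example');
demoState.armed = true;
demoWin.navigator.sendBeacon('https://stats-collect.example/c', 'constructed');
console.log(auditScripts(['/js/cart.js', 'https://js.stripe.com/v3/',
  'https://js.stripe.com.cdn-pay.example/v3.js'], 'https://shop.example'), demoState.flagged);
```

In a Manifest V3 extension these wrappers have to run in the page's main world at document_start; a script that stored a reference to the original fetch before the wrapper was installed is not observed.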
Online shoppers
Anyone who regularly enters card details online and wants a script-level check running before they hit submit.
Developers building payment security tools
The source code includes the script auditor, beacon interceptor, and payment endpoint verification logic.
- Full Chrome extension source code (Manifest V3)
- Script domain auditor against known payment processors
- navigator.sendBeacon interceptor
- fetch() monitoring during form submission
- Vanilla JavaScript, no dependencies
Your card details deserve more than a padlock.
The attack happens before you click submit. The defense has to happen there too.
Get the source code ($19) →
One-time payment · No account required · Instant download