Enterprise-grade Chrome automation for AI agents with compliance-ready logging
Enterprise Features • Compliance Logging • Security Features • Quick Start • Docker Deploy
Built for corporate environments where security, compliance, and auditability are non-negotiable.
| Requirement | Solution |
|---|---|
| Audit Trails | Hash-chained audit logs with tamper detection |
| SIEM Integration | CEF (Splunk, ArcSight, QRadar) + Syslog (RFC 5424) |
| Credential Security | Post-quantum encryption (ML-KEM-768 + ChaCha20-Poly1305) |
| Data Protection | Auto-redaction of PII in screenshots and logs |
| Session Control | Configurable timeouts, auto-expiry, inactivity lockout |
| Access Control | Token-based authentication with brute-force protection |
| Compliance Logging | OWASP-compliant event categories, correlation IDs |
| Standard | Coverage |
|---|---|
| SOC 2 Type II | Audit logging, access controls, encryption at rest |
| GDPR | Data minimization, right to erasure, audit trails |
| PCI DSS | Credential protection, access logging, encryption |
| HIPAA | Audit controls, access management, encryption |
SIEM-ready logging in industry-standard formats. Every tool execution, credential access, and security event is logged.
| Format | Use Case | Example |
|---|---|---|
| CEF | Splunk, ArcSight, QRadar | CEF:0|Pantheon-Security|Chrome-MCP-Secure|2.3.0|... |
| Syslog | Centralized logging (RFC 5424) | <134>1 2025-12-16T10:30:00Z ... |
| JSONL | Elastic, custom pipelines | {"timestamp":"...","category":"audit",...} |
authentication- Login attempts, session creationauthorization- Access control decisionscredential- Vault operations (store, retrieve, delete)audit- Tool executions with timingsecurity- Rate limits, injection attempts, anomaliesdata_access- Sensitive data retrieval
# Enable CEF logging for Splunk
COMPLIANCE_LOG_FORMAT=cef
COMPLIANCE_LOG_DIR=./logs/compliance
# Forward to remote syslog
SYSLOG_HOST=siem.company.com
SYSLOG_PORT=514CEF:0|Pantheon-Security|Chrome-MCP-Secure|2.3.0|audit:tool:navigate|tool:navigate|3|rt=1702732800000 outcome=success msg=Tool navigate executed: success request=https://internal.company.com cn1=1702732800-abc123 cn1Label=correlationId
Security-hardened fork of lxe/chrome-mcp Maintained by Pantheon Security
"We used this MCP for hours building out our security dashboard - the reliability was incredible. The amount of work we produced was huge compared to manual browser interaction." — Pantheon Security team
| Metric | Result |
|---|---|
| Session Duration | 4+ hours continuous use |
| Stability | Zero crashes or disconnects |
| Credential Security | All logins encrypted, auto-wiped |
| Productivity Gain | 10x faster than manual browser work |
This isn't just a security enhancement - it's a reliable workhorse for AI-assisted browser automation. When you need Claude to interact with web apps for extended sessions, this MCP delivers.
| Feature | Description |
|---|---|
| Post-Quantum Encryption | ML-KEM-768 + ChaCha20-Poly1305 hybrid |
| Secure Credential Vault | Encrypted at rest, auto-wiped from memory |
| Memory Scrubbing | Zeros sensitive data after use |
| Audit Logging | Tamper-evident logs with hash chains |
| Profile Isolation | Dedicated Chrome profile for secure sessions |
| Log Sanitization | Credentials masked in all output |
| Rate Limiting | 100 requests per minute per operation |
| Input Validation | CSS selector sanitization, URL validation |
| Module | Description |
|---|---|
| Secrets Scanner | Detects 25+ credential patterns (AWS, GitHub, Slack, OpenAI keys, private keys, JWTs, credit cards, SSNs) |
| Response Validator | Prompt injection detection (15 patterns), suspicious URL blocking, encoded payload detection |
| Session Manager | Credential session lifecycle with 8h max lifetime and 30min inactivity timeout |
| MCP Authentication | Token-based auth with auto-generation, SHA256 hashing, brute-force lockout |
| Certificate Pinning | SPKI-style pinning for Google, GitHub, Microsoft, Anthropic, OpenAI domains |
| Screenshot Redaction | Auto-redacts password fields, credit cards, CVV, SSN, API keys in screenshots |
| Cross-Platform Permissions | Secure file permissions on Linux, macOS, and Windows (icacls) |
Traditional encryption will be broken by quantum computers. This fork uses hybrid encryption:
ML-KEM-768 (Kyber) + ChaCha20-Poly1305
- ML-KEM-768: NIST-standardized post-quantum key encapsulation
- ChaCha20-Poly1305: Modern stream cipher (immune to timing attacks)
Even if one algorithm is broken, the other remains secure.
| Timeline | Threat |
|---|---|
| 2024-2030 | "Harvest now, decrypt later" attacks - adversaries collecting encrypted data today |
| 2030-2035 | Early cryptographically-relevant quantum computers expected |
| 2035+ | Current RSA/ECC encryption potentially broken |
Your browser credentials stored today could be decrypted in 10 years. This fork protects against that future threat now.
Recommended for production environments.
# Clone and start
git clone https://github.com/Pantheon-Security/chrome-mcp-secure.git
cd chrome-mcp-secure
docker-compose up -d# Copy example config
cp env.example .env
# Edit for your environment
vim .env
# Start with custom config
docker-compose up -d# SIEM Integration
COMPLIANCE_LOG_FORMAT=cef # cef, syslog, jsonl, json
SYSLOG_HOST=siem.company.com # Remote syslog server
SYSLOG_PORT=514
# Encryption (REQUIRED for production)
CHROME_MCP_ENCRYPTION_KEY=$(openssl rand -base64 32)
# Session Security
CHROME_MCP_SESSION_MAX_LIFETIME=28800000 # 8 hours
CHROME_MCP_SESSION_INACTIVITY=1800000 # 30 minutesLogs are written to ./logs/compliance/ in your chosen format:
# View compliance logs
tail -f logs/compliance/compliance-2025-12-16.cef
# Forward to Splunk via syslog
docker-compose logs chrome-mcp | nc -u siem.company.com 514See env.example for all configuration options.
Linux / macOS:
git clone https://github.com/Pantheon-Security/chrome-mcp-secure.git
cd chrome-mcp-secure
./setup.shWindows (PowerShell):
git clone https://github.com/Pantheon-Security/chrome-mcp-secure.git
cd chrome-mcp-secure
.\setup.ps1This will:
- Install dependencies and build the project
- Register the MCP server with Claude Code
- Start Chrome with remote debugging
- Create an isolated Chrome profile
npm install && npm run build
claude mcp add chrome-mcp-secure --scope user -- node /path/to/chrome-mcp-secure/dist/index.js
google-chrome --remote-debugging-port=9222 --user-data-dir=~/.chrome-mcp-profile| Platform | Setup Script | Chrome Profile Location |
|---|---|---|
| Linux | ./setup.sh |
~/.chrome-mcp-profile |
| macOS | ./setup.sh |
~/.chrome-mcp-profile |
| Windows | .\setup.ps1 |
%USERPROFILE%\.chrome-mcp-profile |
./setup.sh --start-chrome"Check Chrome connection with health tool"
"Navigate to https://example.com"
"Take a screenshot"
"Store a credential for my GitHub account"
"Navigate to github.com/login"
"Use secure_login with the stored credential"
| Tool | Description |
|---|---|
health |
Check Chrome connection and version |
navigate |
Navigate to URL |
get_tabs |
List all Chrome tabs |
click_element |
Click element by CSS selector |
click |
Click at coordinates |
type |
Type text at cursor |
get_text |
Extract text from element |
get_page_info |
Get URL, title, interactive elements |
get_page_state |
Get scroll position, viewport size |
scroll |
Scroll to coordinates |
screenshot |
Capture page screenshot |
wait_for_element |
Wait for element to appear |
evaluate |
Execute JavaScript |
fill |
Fill form field |
bypass_cert_and_navigate |
Navigate with HTTPS cert bypass |
| Tool | Description |
|---|---|
store_credential |
Store encrypted login credentials |
list_credentials |
List stored credentials (no passwords shown) |
get_credential |
Get credential metadata |
delete_credential |
Remove a stored credential |
update_credential |
Update an existing credential |
secure_login |
Auto-fill login forms using stored credentials |
get_vault_status |
Check vault encryption status |
Store a credential for my Google account:
- Name: "Google Work"
- Type: google
- Email: [email protected]
- Password: mypassword123
- Domain: google.com
1. Navigate to https://accounts.google.com
2. Use secure_login with the credential ID from list_credentials
The secure_login tool will:
- Retrieve and decrypt the credential from the vault
- Auto-fill the username/email field
- Auto-fill the password field
- Click the submit button
- Wipe credentials from memory after use
| Data | Protection |
|---|---|
| Login credentials | Post-quantum encrypted at rest |
| Passwords in memory | Auto-wiped after 5 min TTL |
| Log output | Credentials auto-masked |
| Chrome profile | Isolated from default browser |
| Audit trail | Hash-chained for tamper detection |
# Chrome connection
CHROME_HOST=localhost
CHROME_PORT=9222
CHROME_PROFILE_DIR=~/.chrome-mcp-profile
# Encryption (recommended for production)
CHROME_MCP_ENCRYPTION_KEY=<base64-32-bytes>
CHROME_MCP_USE_POST_QUANTUM=true
# Credential vault
CHROME_MCP_CONFIG_DIR=~/.chrome-mcp
CHROME_MCP_CREDENTIAL_TTL=300000 # 5 minutes
# Logging
LOG_LEVEL=info
AUDIT_LOGGING=trueopenssl rand -base64 32See SECURITY.md for complete configuration reference.
┌─────────────────────────────────────┐
│ ML-KEM-768 Key Pair │
│ (Post-Quantum Key Encapsulation) │
└─────────────────┬───────────────────┘
│
┌─────────────────┴───────────────────┐
│ ChaCha20-Poly1305 │
│ (Symmetric AEAD Encryption) │
└─────────────────┬───────────────────┘
│
┌─────────────────┴───────────────────┐
│ Encrypted Credential Files │
│ ~/.chrome-mcp/credentials/*.pqenc │
└─────────────────────────────────────┘
- SecureCredential class: Auto-wipes credentials after TTL (5 min default)
- Zero-fill buffers: Random overwrite + zero fill prevents memory dumps
- No credential logging: Automatic masking of sensitive field names
| Property | ChaCha20-Poly1305 | AES-GCM |
|---|---|---|
| Timing attacks | Immune (constant-time) | Vulnerable without AES-NI |
| Software speed | Fast everywhere | Slow without hardware |
| Complexity | Simple | Complex (GCM mode) |
| Adoption | Google, Cloudflare TLS | Legacy systems |
# Full setup
./setup.sh
# Check status
./setup.sh --check
# Uninstall from Claude Code
./setup.sh --uninstall
# Start/stop Chrome
./setup.sh --start-chrome
./setup.sh --stop-chrome┌─────────────┐ ┌──────────────────┐ ┌─────────────┐
│ Claude/ │────▶│ MCP Server │────▶│ Chrome │
│ AI Agent │ │ (This Fork) │ │ (CDP) │
└─────────────┘ └──────────────────┘ └─────────────┘
│
┌──────┴──────┐
│ Security │
│ Layers │
└─────────────┘
• PQ Encryption
• Credential Vault
• Memory Wipe
• Audit Logs
• Rate Limits
• Input Validation
chrome-mcp-secure/
├── src/
│ ├── index.ts # MCP server entry point
│ ├── cdp-client.ts # Persistent CDP WebSocket client
│ ├── tools.ts # Browser automation tools
│ │
│ │── # Core Security (v2.1.0)
│ ├── credential-vault.ts # Encrypted credential storage
│ ├── credential-tools.ts # Credential MCP tools
│ ├── crypto.ts # Post-quantum encryption (ML-KEM-768 + ChaCha20)
│ ├── secure-memory.ts # Memory protection utilities
│ ├── security.ts # Input validation, rate limiting
│ ├── logger.ts # Logging with auto-masking
│ ├── errors.ts # Typed error classes
│ │
│ │── # Advanced Security Modules (v2.2.0+)
│ ├── secrets-scanner.ts # Credential leak detection (25+ patterns)
│ ├── response-validator.ts # Prompt injection detection
│ ├── session-manager.ts # Session lifecycle management
│ ├── mcp-auth.ts # Token-based MCP authentication
│ ├── cert-pinning.ts # Certificate pinning for sensitive domains
│ ├── screenshot-redaction.ts # Auto-redact sensitive fields
│ └── file-permissions.ts # Cross-platform secure file permissions
│
├── dist/ # Compiled JavaScript
├── setup.sh # Linux/macOS setup
├── setup.ps1 # Windows setup
├── SECURITY.md # Security documentation
├── CHANGELOG.md # Version history
├── CLAUDE.md # Claude Code integration guide
└── README.md
| Feature | lxe/chrome-mcp | This Fork |
|---|---|---|
| Chrome automation | ✅ | ✅ |
| Persistent WebSocket | ✅ | ✅ |
| Cross-platform | ✅ | ✅ |
| Post-quantum encryption | ❌ | ✅ |
| Secure credential vault | ❌ | ✅ |
| Memory scrubbing | ❌ | ✅ |
| Audit logging | ❌ | ✅ |
| Auto log masking | ❌ | ✅ |
| Profile isolation | ❌ | ✅ |
| Secrets scanner | ❌ | ✅ |
| Prompt injection detection | ❌ | ✅ |
| Session management | ❌ | ✅ |
| MCP authentication | ❌ | ✅ |
| Certificate pinning | ❌ | ✅ |
| Screenshot redaction | ❌ | ✅ |
- All file operations use centralized
file-permissions.ts - Proper Windows ACL support via
icacls - Consistent 0o700/0o600 permissions on Unix
Six new security modules totaling 3,000+ lines of security hardening:
- Secrets Scanner - Detects leaked credentials in page content using patterns from TruffleHog, GitLeaks, and MEDUSA
- Response Validator - Blocks prompt injection attacks in scraped content
- Session Manager - Auto-expires credential sessions after configurable timeouts
- MCP Authentication - Protects the MCP server itself with token-based auth
- Certificate Pinning - Validates TLS certificates for sensitive domains
- Screenshot Redaction - Overlays sensitive fields before screenshots
See CHANGELOG.md for full version history.
curl http://localhost:9222/json
# If no response, start Chrome:
./setup.sh --start-chrome- Check if you changed machines (machine-derived key won't work)
- Set
CHROME_MCP_ENCRYPTION_KEYto the same key used to encrypt - Credentials may need to be re-stored if key is lost
Use get_page_info to see available elements
Use wait_for_element for dynamic content
# Install dependencies
npm install
# Development mode (auto-reload)
npm run dev
# Type checking
npm run typecheck
# Build for production
npm run build
# Run built version
npm startFound a security issue? Do not open a public GitHub issue.
Email: [email protected]
- Original Chrome MCP: lxe - chrome-mcp
- Security Hardening: Pantheon Security
- Security Patterns: Adapted from notebooklm-mcp-secure
- Post-Quantum Crypto: @noble/post-quantum
MIT - Same as original.
Security hardened by Pantheon Security