Best Practices · 8 min read · May 21, 2026

Browser Security Settings: The Complete Hardening Guide for Chrome, Firefox, and Safari

Your browser is your biggest attack surface. This guide walks through every critical security and privacy setting in Chrome, Firefox, and Safari — from disabling dangerous permissions to enabling DNS-over-HTTPS and locking down extensions.

Why Browser Security Settings Matter

Your browser handles your banking, your email, your medical records, and your social media — all in a single application that runs untrusted code from thousands of different websites every day. Default browser settings prioritize convenience over security. Advertising networks can track your every click. Malicious extensions can read every password you type. Compromised websites can silently access your camera and microphone. Taking 20 minutes to lock down your browser settings is one of the highest-leverage security actions you can take.

This guide covers the three most widely used browsers — Chrome, Firefox, and Safari — with specific menu paths for each setting. Follow these in order from most critical to incremental improvements.

Chrome: Critical Security Settings

Chrome has the largest user base and is frequently the most targeted browser. These settings address the highest-risk defaults:

Enable Enhanced Safe Browsing: Go to Settings → Privacy and security → Security → select "Enhanced protection." This checks URLs against Google's real-time database of malicious sites (standard protection uses a cached list that can be hours old). Enhanced protection also scans downloads before you open them. The tradeoff: Google receives the URLs you visit in real-time. For most users, this is an acceptable privacy tradeoff for meaningfully better protection against phishing.

Enable DNS-over-HTTPS: Settings → Privacy and security → Security → Advanced → Use secure DNS. Select "With" and choose a provider (Cloudflare 1.1.1.1 or Google 8.8.8.8). Standard DNS requests are unencrypted — your ISP can see every domain you visit. DNS-over-HTTPS encrypts these lookups, preventing ISP snooping and blocking DNS hijacking attacks used in some phishing campaigns.

Disable dangerous permissions: Settings → Privacy and security → Site settings. Set the following to "Don't allow sites to ask":

  • Location — grant only when specifically needed, per-visit
  • Camera and Microphone — grant only to trusted video conferencing sites
  • Notifications — one of the most abused permissions; disable globally, enable only for apps you choose
  • Pop-ups and redirects — should already be blocked; verify it's set to "Blocked"
  • Ads — if you see this option, it controls intrusive ad formats; set to blocked

Manage extensions aggressively: Go to chrome://extensions and audit everything installed. Remove any extension you don't actively use. Each extension has access to read and modify content on every website you visit — that's a significant trust grant. Check the permissions of remaining extensions by clicking "Details." Extensions that need "Read and change all your data on all websites" should be scrutinized carefully; legitimate extensions usually scope permissions tightly.
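The permission review described above can be scripted. This is an added example, not code from Chrome or from this guide: it reads extension manifest.json text and reports where all-sites access is requested. The sample manifests and function names are constructed for illustration.

```python
import json

# Match patterns that cover every site; Chrome's Details view shows these as
# "Read and change all your data on all websites".
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest: dict) -> list[str]:
    """Return where in a manifest all-sites access is requested."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions"; V3 moves them to
    # "host_permissions". The optional_* keys are requested at runtime.
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_PATTERNS:
                findings.append(f"{key}: {entry}")
    # Content scripts are injected into every page their "matches" cover.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.append(f"content_scripts[{i}].matches: {pattern}")
    return findings

def audit_manifests(manifests: dict[str, str]) -> dict[str, list[str]]:
    """Map extension name -> findings for each manifest.json text given."""
    report = {}
    for name, text in manifests.items():
        try:
            report[name] = broad_host_access(json.loads(text))
        except json.JSONDecodeError:
            report[name] = ["manifest.json is not valid JSON"]
    return report

# Constructed sample manifests (not real extensions).
SAMPLES = {
    "scoped-helper": '{"manifest_version": 3, "name": "Scoped helper", '
                     '"permissions": ["storage"], '
                     '"host_permissions": ["https://example.com/*"]}',
    "page-tweaker": '{"manifest_version": 3, "name": "Page tweaker", '
                    '"permissions": ["storage", "tabs"], "content_scripts": '
                    '[{"matches": ["<all_urls>"], "js": ["c.js"]}]}',
    "legacy-tool": '{"manifest_version": 2, "name": "Legacy tool", '
                   '"permissions": ["cookies", "*://*/*"]}',
}

if __name__ == "__main__":
    for name, findings in audit_manifests(SAMPLES).items():
        print(name, "->", findings or "no all-sites access requested")
```

To run it against a real profile, pass in the text of each manifest.json found under the Extensions folder of the Chrome profile directory.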

Firefox: The Privacy-First Browser Configuration

Firefox has stronger default privacy settings than Chrome and offers more granular control. Here's how to maximize it:

Set Enhanced Tracking Protection to Strict: Settings → Privacy & Security → Enhanced Tracking Protection → select "Strict." This blocks trackers, cross-site cookies, cryptominers, and fingerprinters. Note: Strict mode may occasionally break some site functionality; if a site doesn't work, click the shield icon in the address bar to temporarily disable protection for that site.

Enable HTTPS-Only Mode: Settings → Privacy & Security → HTTPS-Only Mode → "Enable HTTPS-Only Mode in all windows." Firefox will refuse to load any page over plain HTTP and will show a warning instead of silently downgrading. This is one of the most important settings in Firefox — it prevents attackers on your local network from intercepting your traffic.

Disable Firefox telemetry: Settings → Privacy & Security → Firefox Data Collection and Use → uncheck all boxes. Firefox collects crash reports and usage statistics by default. Disabling this reduces your data footprint without affecting functionality.

Configure DNS-over-HTTPS: Settings → General → scroll to Network Settings → click Settings → enable "Enable DNS over HTTPS" → choose a provider. Same benefit as Chrome: encrypted DNS lookups.

about:config hardening: Type about:config in the address bar. These specific settings improve security:

  • privacy.firstparty.isolate → true (isolates cookies per domain, prevents cross-site tracking)
  • security.ssl.require_safe_negotiation → true (rejects connections with weak SSL)
  • dom.battery.enabled → false (prevents battery status API fingerprinting)
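To confirm these values stay in place after updates or profile changes, the profile's prefs.js can be checked. This is an added example, not Mozilla code: it parses user_pref() lines and compares them with the three settings listed above. The sample file content and function names are constructed for illustration.

```python
import json
import re

# Values recommended in the about:config list above.
RECOMMENDED = {
    "privacy.firstparty.isolate": True,
    "security.ssl.require_safe_negotiation": True,
    "dom.battery.enabled": False,
}

# prefs.js and user.js hold one user_pref("name", value); call per line.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text: str) -> dict:
    """Parse user_pref() lines into {name: value}; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except json.JSONDecodeError:
            prefs[name] = raw
    return prefs

def audit_prefs(text: str) -> dict:
    """Return {pref: status}. A pref absent from prefs.js was never changed
    from its default, so it is reported as not set rather than as a failure."""
    prefs = parse_prefs(text)
    result = {}
    for name, wanted in RECOMMENDED.items():
        if name not in prefs:
            result[name] = "not set (browser default applies)"
        elif prefs[name] is wanted:
            result[name] = "ok"
        else:
            result[name] = f"is {prefs[name]!r}, recommended {wanted!r}"
    return result

# Constructed sample prefs.js content.
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("privacy.firstparty.isolate", true);
user_pref("dom.battery.enabled", true);
'''

if __name__ == "__main__":
    print(json.dumps(audit_prefs(SAMPLE), indent=2))
```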

Safari: Hardening Apple's Browser

Safari on macOS and iOS has strong baseline privacy defaults, but several settings are worth explicitly configuring:

Enable Fraudulent Website Warning: Safari Preferences → Security → check "Warn when visiting a fraudulent website." This enables Google Safe Browsing lookups (with privacy protections — Apple proxies the requests to prevent Google from seeing your IP).

Block all cookies (optional, stricter approach): Preferences → Privacy → "Block all cookies." This breaks some legitimate sites but maximizes privacy. A more practical setting: leave "Prevent cross-site tracking" enabled (default) and leave same-site cookies allowed — this blocks most tracking while maintaining site functionality.

Disable location, camera, microphone for all websites: Preferences → Websites → for Location, Camera, Microphone, and Notifications — set "When visiting other websites" to "Deny" or "Ask." This forces per-site prompts rather than silent access.

Check Safari extensions: Preferences → Extensions → review every installed extension. Safari extensions are sandboxed more tightly than Chrome extensions, but still warrant regular audits. Remove anything unused.

Enable Private Relay (iCloud+ subscribers): This is Apple's two-hop proxy system that masks your IP address from websites and DNS providers. Enable it in System Preferences → Apple ID → iCloud → Private Relay. It's not a full VPN replacement but adds a meaningful layer of IP anonymity for everyday browsing.

Universal Settings for All Browsers

Regardless of which browser you use, these practices apply universally:

  • Keep your browser updated: Browser vulnerabilities are discovered and patched constantly. Enable automatic updates. Check your version: Chrome: chrome://settings/help, Firefox: Help → About, Safari: System Preferences → Software Update.
  • Use a password manager instead of browser-saved passwords: Browser password storage is convenient but has weaker security than a dedicated password manager. If someone gains access to your browser profile (via malware, physical access, or a compromised sync account), they get all your passwords. Use our free password generator and store results in a password manager.
  • Audit saved passwords regularly: If you do use browser-saved passwords, check them periodically for breaches. Chrome: passwords.google.com → Check passwords. Firefox: about:logins → Firefox Monitor. Safari: Passwords section in Settings → look for compromised password warnings.
  • Be skeptical of "Allow Notifications" prompts: Notification permission abuse is rampant. Malicious sites use push notifications to deliver spam and phishing links that appear to come from your operating system. When any site you don't explicitly trust asks for notification permission, click Block.

Browser Security Checklist

| Setting | Chrome | Firefox | Safari |
|---|---|---|---|
| HTTPS enforcement | Enhanced Safe Browsing | HTTPS-Only Mode ✅ | Fraudulent site warning |
| DNS-over-HTTPS | Settings → Security | Network Settings | N/A (use system DNS) |
| Tracking protection | Basic (3rd party cookies blocked) | Strict ETP ✅ | Cross-site tracking blocked ✅ |
| Permissions default | Must configure manually | Ask on first use | Ask on first use |
| Extension sandboxing | Moderate | Moderate | Strong ✅ |

Recommended Tools

For storing the passwords you generate, we recommend NordPass (zero-knowledge encryption, free tier available) or 1Password for family or team use.

See our full security tools guide for more recommendations.
