[Guide] macOS browser hardening: chunked privacy and performance walkthroughs for Firefox 149, Safari 26, and Chrome 147, plus companion uBlock Origin filter packs for Reddit and YouTube.
Chunked privacy and performance walkthroughs for three macOS browsers, plus companion uBlock Origin filter packs for Reddit and YouTube. Each browser guide is built from self-contained 2–10 minute "chunks" — do one per sitting, stop any time, every chunk leaves the browser in a working state.
Verified against Chrome 147.0.7727.101 (arm64) on macOS 26.3.1
Best read as: how to make Chrome as private and lean as possible —
useful as a tertiary browser for web development, Chrome-only sites,
and testing.
How to use this guide
Nine chunks, each self-contained (2–10 min). Open Chrome Settings via
cmd+, or chrome://settings.
Honest framing up front: since Manifest V3, Chrome is actively a worse
browser for ad blocking and privacy than Firefox. uBlock Origin Lite
works but is demonstrably weaker than full uBO. The goal of this guide
is to make Chrome "as good as it can be on Chrome" — not to match
Firefox. For heavy browsing, stick to Firefox.
CHUNK 1 — Sync decision [effort: 2 min]
Goal: consciously decide whether to sync to a Google account.
chrome://settings/ > "You and Google" section
Options:
A) Don't sign in at all (strongest privacy)
Best for a tertiary browser where you don't need bookmarks/tabs
synced. Your browsing stays local.
B) Sign in, sync disabled
Get services that require a Google account (e.g., Workspace access)
without sending browsing data to Google's servers.
C) Sign in, sync enabled
Bookmarks, tabs, history, passwords, extensions sync across devices.
Convenient; privacy cost is meaningful.
Recommendation: Option A for a tertiary browser. If you use a dedicated
password manager and rely on a different browser for primary browsing,
there is no real reason to sync Chrome.
If you choose B or C, at minimum:
chrome://settings/ > Sync and Google services
[ ] Allow Chrome sign-in
(If off, signing into Gmail doesn't automatically sign you into Chrome —
a cleaner boundary.)
[ ] Autocomplete searches and URLs
[ ] Help improve Chrome's features and performance
[ ] Make searches and browsing better
Done when: sync state is chosen deliberately, not by default.
Goal: run Chrome's built-in walkthroughs to baseline privacy settings.
chrome://settings/privacy
Privacy Guide — click "Get started"
Chrome walks you through:
- Safe Browsing level
- History sync
- Tracking protection / third-party cookies
- Make searches and browsing better
- Ad topics
Recommended answers:
Safe Browsing: "Standard protection"
(Enhanced sends URLs and page context to Google. Standard uses a
local hash list — much better privacy. Enhanced has slightly
better detection but the privacy cost is too high for the gain.)
History sync: Off (matches Chunk 1)
Tracking protection: "Block third-party cookies"
Make searches/browsing better: Off
Ad topics (Privacy Sandbox): Off (all three toggles)
chrome://settings/safetyCheck
Click "Check now" and address any flagged issues (outdated Chrome,
compromised passwords in the built-in manager, harmful extensions).
Done when: Privacy Guide walkthrough completed with the answers above.
CHUNK 3 — Cookies and tracking [effort: 3 min]
Goal: maximize cookie/tracking restrictions within Chrome's limits.
chrome://settings/cookies
Tracking protection:
(o) "Block third-party cookies"
In Chrome 147 this is the strongest non-breaking setting. "Block
all cookies" exists but breaks logins everywhere.
Send a "Do Not Track" request with your browsing traffic:
[ ] Off — DNT has no legal weight and is a minor fingerprint
vector.
Clear cookies and site data when you close all Chrome windows:
[x] ON
This is the single most useful cookie setting. Trackers and
random-site cookies get wiped when you quit Chrome entirely.
Sites that can always use cookies:
Add sites where you want to stay logged in across sessions:
- github.com
- 1password.com (if you use the web vault)
- any banking sites
- streaming services
- any dev-tool dashboards you use
Sites that always clear cookies when windows are closed:
Leave empty or add high-tracking sites you sometimes visit.
Sites that can never use cookies:
Usually empty.
Done when: third-party cookies blocked, cookies clear on close, your
allow-list for session persistence is populated.
CHUNK 4 — Privacy Sandbox [effort: 2 min]
Goal: turn off Chrome's "replace third-party cookies with something
equally invasive" system.
chrome://settings/adPrivacy
All three toggles — turn OFF:
[ ] Site-suggested ads (Topics API)
[ ] Ads suggested by sites you visit (FLEDGE / Protected Audience)
[ ] Ad measurement
Context: Privacy Sandbox is Google's replacement for third-party cookies.
Google markets it as "privacy-preserving," but it still builds interest
profiles on-device and shares them with ad networks. Turning it off
doesn't break browsing — you just don't participate in the ad-targeting
graph.
Done when: all three Privacy Sandbox toggles are off.
CHUNK 5 — Site permissions [effort: 3 min]
Goal: set reasonable defaults so sites don't nag for permissions.
chrome://settings/content
Permissions — change defaults:
Location: "Don't allow sites to see your location"
(Or "Sites can ask for your location" if you use any map sites.)
Camera: "Don't allow sites to use your camera"
Microphone: "Don't allow sites to use your microphone"
Notifications: "Don't allow sites to send notifications"
(This alone eliminates 80% of notification-permission popups.)
Motion sensors: "Don't allow sites to use motion sensors"
Sound: "Sites can play sound" (changing this breaks media sites)
Pop-ups and redirects: "Don't allow sites to send pop-ups or redirects"
Intrusive ads: "Block ads on sites that show intrusive or misleading
ads" (built-in minimal ad blocking, keep on)
Additional content settings:
[ ] Preload pages
Off = Chrome doesn't pre-fetch pages you might click. Small
privacy/bandwidth win, trivial performance cost.
Done when: camera, mic, notifications, and location default to blocked
or ask.
CHUNK 6 — Autofill (disable in favor of a password manager) [effort: 2 min]
Goal: prevent Chrome from competing with your dedicated password manager.
chrome://settings/autofill
Addresses and more:
[ ] Save and fill addresses
Payment methods:
[ ] Save and fill payment methods
[ ] Allow sites to check if you have payment methods saved
Passwords (Google Password Manager):
chrome://settings/passwords
[ ] Offer to save passwords
[ ] Auto Sign-in
Clean up any saved passwords if you want, or leave them (Chrome won't
save new ones with "Offer to save" off).
Note: even with "Offer to save" off, a third-party password manager
extension (e.g., 1Password, Bitwarden) still autofills, since it
operates on page content, not Chrome's internal API.
Done when: all three categories (addresses, payments, passwords) are
set to not offer saving.
CHUNK 7 — Install uBlock Origin Lite [effort: 5 min]
Goal: the strongest ad-blocker available on Chrome post-Manifest V3.
Install:
Chrome Web Store > search "uBlock Origin Lite"
Publisher MUST be "Raymond Hill (gorhill)" — there are knockoffs
Add to Chrome
Configure:
Click the uBO Lite toolbar icon > gear icon (Dashboard)
Filtering mode (site mode via popup, not dashboard):
- Basic — network filtering only
- Optimal — adds generic cosmetic filtering
- Complete — adds specific cosmetic + scriptlets (requires site
permission)
Recommendation:
Default: Optimal
Reddit / any site with remaining ads: set to Complete via the
uBO Lite popup (you'll get a permission prompt once)
Dashboard > Filter lists — enable:
[x] uBO Lite — Main filters (default)
[x] uBO Lite — Annoyances (most important for UI cruft)
[x] AdGuard — Annoyances
[x] EasyList Cookie Notices
[x] EasyPrivacy
[x] Peter Lowe's Ad and tracking server list
[x] Online Malicious URL Blocklist
[x] uBO Lite — Quick fixes
Important limitations of uBO Lite vs full uBlock Origin:
No custom filter rules
No element picker with full fidelity (basic picker in recent builds)
No dynamic per-request filtering UI
Filter lists update only with extension updates (days behind full uBO)
These are Manifest V3 constraints, not developer choice. If any of these
limitations matter, use Firefox for that browsing.
Done when: uBO Lite installed with Annoyances + Privacy lists enabled,
and set to Optimal or Complete for sites you care about.
CHUNK 8 — Other extensions [effort: varies]
Goal: install only what you'll use. Extensions are a fingerprint and
attack surface.
Recommended additions:
A dedicated password manager (e.g., 1Password, Bitwarden)
Install from the Chrome Web Store and authenticate via the
manager's desktop app or vault sign-in.
Old Reddit Redirect (if you use Reddit)
Auto-redirects reddit.com to old.reddit.com.
SponsorBlock (if you watch YouTube)
Skips sponsored segments. Crowdsourced, works well.
Consider:
ClearURLs
Strips tracking parameters from URLs. Low-footprint, useful.
Refined GitHub (for dev work)
UI improvements for GitHub. Well-maintained.
React Developer Tools / Vue DevTools / etc.
Install only what matches your dev stack.
Do NOT install:
Any "all-in-one privacy" extension (Ghostery, DuckDuckGo Privacy
Essentials) — overlaps with uBO Lite, adds fingerprint surface
Shopping / coupon / cashback extensions — uniformly selling your
browsing data
A second password manager
Tab managers that require broad permissions (OneTab etc.) unless
you genuinely need them
Audit regularly:
chrome://extensions
Remove anything you installed for a one-time task. Inspect
permissions on each — "read and change all your data on all websites"
is the norm but should still be justified per extension.
Done when: extension list is lean and every item justified.
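The permission audit above can be scripted. The following is an added example (not the guide's or Google's own code): it reads each installed extension's manifest.json from the profile's Extensions directory (the macOS Default-profile path below is assumed; adjust it for other profiles) and flags any extension whose permissions, host_permissions or content-script matches amount to "read and change all your data on all websites". The sample manifests are constructed so the script also runs without a Chrome profile.

```python
"""Flag installed Chrome extensions that request access to every website.

Added example, not part of the guide. Reads <id>/<version>/manifest.json
under the profile's Extensions directory (path assumed for the macOS
Default profile) and reports manifests whose grants cover all sites.
"""
import json
from pathlib import Path

# Assumed location of the default profile on macOS; change for other profiles.
PROFILE_DIR = Path.home() / "Library/Application Support/Google/Chrome/Default"

# Match patterns that mean "every site" in a Chrome manifest.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_access(manifest: dict) -> set:
    """Return the manifest entries that grant access to all websites.

    Checks MV2 'permissions', MV3 'host_permissions', and the 'matches'
    of every declared content script.
    """
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    return requested & BROAD_PATTERNS


def audit(manifests: dict) -> dict:
    """{extension name: manifest} -> {name: sorted broad grants}, only for flagged ones."""
    report = {}
    for name, manifest in manifests.items():
        grants = broad_host_access(manifest)
        if grants:
            report[name] = sorted(grants)
    return report


def load_installed(profile_dir: Path = PROFILE_DIR) -> dict:
    """Read every manifest.json under the profile's Extensions directory."""
    found = {}
    for manifest_path in profile_dir.glob("Extensions/*/*/manifest.json"):
        # utf-8-sig tolerates the BOM some packed manifests carry.
        with open(manifest_path, encoding="utf-8-sig") as fh:
            manifest = json.load(fh)
        name = manifest.get("name", "")
        # "__MSG_...__" names are localized; fall back to the extension id directory.
        if not name or name.startswith("__MSG_"):
            name = manifest_path.parts[-3]
        found[name] = manifest
    return found


# Constructed sample manifests standing in for a real profile.
SAMPLE_MANIFESTS = {
    "Sample coupon finder": {"manifest_version": 3, "permissions": ["storage"],
                             "host_permissions": ["<all_urls>"]},
    "Sample GitHub helper": {"manifest_version": 3, "permissions": ["storage"],
                             "host_permissions": ["https://github.com/*"]},
    "Sample reader": {"manifest_version": 2, "permissions": ["tabs", "*://*/*"]},
    "Sample injector": {"manifest_version": 3,
                        "content_scripts": [{"matches": ["https://*/*", "http://*/*"],
                                             "js": ["inject.js"]}]},
}


if __name__ == "__main__":
    manifests = load_installed() if PROFILE_DIR.exists() else SAMPLE_MANIFESTS
    for name, grants in sorted(audit(manifests).items()):
        print(f"{name}: {', '.join(grants)}")
```

Anything the script lists should appear in chrome://extensions with the "on all sites" site-access grant; the script does not decide whether that grant is justified, it only makes the list short enough to review by hand.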
CHUNK 9 — Performance [effort: 2 min]
Goal: make Chrome less of a battery/memory hog.
chrome://settings/performance
Memory Saver:
[x] On
Mode: "Moderate" (balanced) or "Maximum" (aggressive tab unloading)
Chrome unloads tabs you haven't used recently. Tabs reload when you
return to them — slight delay but significant RAM savings.
Add exceptions for tabs you want to keep active (music players,
dashboards, etc.).
Energy Saver:
[x] On
Choose:
(o) "Turn on when my computer is unplugged"
(Only reduces performance on battery — good default.)
( ) "Turn on when my battery is at 20%"
What it does: reduces background activity, throttles animations,
slows some scripts.
Preloading pages (revisit even if you turned it off in Chunk 5):
(o) "No preloading"
Confirms Chrome doesn't pre-fetch.
Done when: Memory Saver and Energy Saver are on.
OPTIONAL — Appearance [effort: 2 min]
chrome://settings/appearance
[x] Show home button
Set to blank page (chrome://newtab or about:blank)
[x] Show bookmarks bar — personal preference
[x] Show full URLs
Default Chrome hides "https://" and "www." — turning this on shows
the real URL, important for security (spotting phishing).
Font size: Medium
Page zoom: 100%
Theme: stock or a minimal theme. Chrome themes rarely have telemetry
concerns but some custom ones do — stick to Google's or well-known
developers'.
Done when: Show full URLs is on.
OPTIONAL — Search engine [effort: 1 min]
chrome://settings/searchEngines
Search engine used in the address bar:
DuckDuckGo, Kagi, or whatever you prefer.
Manage search engines and site search:
Chrome lets you define custom keyword searches — e.g., type "gh"
in the URL bar to search GitHub directly. Worth setting up for
sites you search frequently.
Done when: default engine set.
OPTIONAL — chrome://flags (advanced, use with care)
chrome://flags is experimental. Nothing here is guaranteed stable. Only
flip flags you understand. Changes require Chrome restart.
Worth considering:
#block-insecure-private-network-requests
Enabled — blocks public websites from probing your private network
(e.g., a router admin page). Especially relevant if you run any
LAN-only services.
#enable-quic
Enabled — HTTP/3 support. Default on in recent Chrome but verify.
#strict-origin-isolation
Enabled — stronger site isolation, small perf cost.
Nothing else on chrome://flags is worth touching for a tertiary browser.
If you're deep enough to want more, you're probably better off switching
to Brave (Chromium with privacy defaults) or going back to Firefox.
Done when: any flag you flipped is set; you've restarted Chrome.
REFERENCE — Where things live in Chrome 147
chrome://settings/
You and Google — sync, Google services
Autofill and passwords
Privacy and security — the big one
- Safety Check
- Privacy Guide
- Send "Do Not Track" request
- Clear browsing data
- Third-party cookies / Tracking protection
- Site settings
- Ad privacy (Privacy Sandbox)
Performance — Memory Saver, Energy Saver, Preloading
Appearance
Search engine
Default browser
On startup
Languages
Downloads
Accessibility
System
Reset settings
chrome://extensions — installed extensions, permissions
chrome://flags — experimental features (advanced)
chrome://version — Chrome version info
chrome://settings/help — check for updates
NETWORK-LEVEL DNS AND HTTPS BEHAVIOR
DNS: Chrome respects the system resolver unless you explicitly
change it. If you run a local DNS sinkhole (Pi-hole, AdGuard Home,
Blocky), it will see Chrome's queries.
DNS-over-HTTPS in Chrome:
chrome://settings/security > "Use secure DNS"
Turn OFF if you want a local DNS sinkhole to receive Chrome's
queries. Otherwise Chrome sends DNS to its configured DoH provider
and bypasses the sinkhole.
HTTPS-First Mode (Chrome's equivalent of Firefox HTTPS-Only):
chrome://settings/security > "Always use secure connections"
Turn ON. Chrome upgrades HTTP to HTTPS where possible and warns
before loading HTTP.
Localhost is exempted by default. For internal hostnames without
real TLS, Chrome doesn't offer a persistent exception UI like
Firefox; expect a warning and a "Continue to site" prompt each
time. The prompts stop once your internal services serve real certs
(e.g., via Caddy + Let's Encrypt or an internal CA).
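Nearly every toggle in Chunks 1 to 6, the Appearance section and the DNS/HTTPS section above has a documented Chrome enterprise policy behind it, which makes the whole guide reproducible and auditable. The block below is an added example, not code from the guide's author or from Google: it renders those settings as a policy plist (applied with `defaults import com.google.Chrome <file>` and visible at chrome://policy, both assumed here) and diffs an exported plist against the guide's values. The cookie allow-list domains are a constructed sample.

```python
"""Render this guide's Chrome settings as a managed-policy plist and audit drift.

Added example, not the guide's or Google's code. Policy names and values
follow Chrome's enterprise policy list; the allow-listed cookie domains are
a constructed sample.
"""
import plistlib

# Policy name -> value, grouped by the chunk that sets the same toggle in the UI.
CHROME_POLICIES = {
    # Chunk 1: no browser sign-in, no sync, no URL or metrics telemetry
    "BrowserSignin": 0,                  # 0 = disable sign-in, 1 = enable, 2 = force
    "SyncDisabled": True,
    "SearchSuggestEnabled": False,       # "Autocomplete searches and URLs"
    "MetricsReportingEnabled": False,    # "Help improve Chrome's features and performance"
    "UrlKeyedAnonymizedDataCollectionEnabled": False,  # "Make searches and browsing better"
    # Chunk 2: Standard protection (1); 2 would be Enhanced, 0 none
    "SafeBrowsingProtectionLevel": 1,
    # Chunk 3: third-party cookies blocked, other cookies session-only,
    # plus a persistent-login allow-list in content-settings URL syntax
    "BlockThirdPartyCookies": True,
    "DefaultCookiesSetting": 4,          # 4 = keep cookies for the session only
    "CookiesAllowedForUrls": ["[*.]github.com", "[*.]1password.com"],
    # Chunk 4: the three Privacy Sandbox APIs off, and no consent prompt
    "PrivacySandboxAdTopicsEnabled": False,
    "PrivacySandboxSiteEnabledAdsEnabled": False,
    "PrivacySandboxAdMeasurementEnabled": False,
    "PrivacySandboxPromptEnabled": False,
    # Chunk 5: permission defaults (2 = block) and no page preloading (2 = never);
    # the capture policies are hard blocks, not "ask" defaults
    "DefaultGeolocationSetting": 2,
    "DefaultNotificationsSetting": 2,
    "DefaultSensorsSetting": 2,
    "DefaultPopupsSetting": 2,
    "VideoCaptureAllowed": False,
    "AudioCaptureAllowed": False,
    "NetworkPredictionOptions": 2,
    # Chunk 6: address/payment autofill and the built-in password manager off
    "AutofillAddressEnabled": False,
    "AutofillCreditCardEnabled": False,
    "PasswordManagerEnabled": False,
    # Appearance: show the full URL (scheme and www.) in the address bar
    "ShowFullUrlsInAddressBar": True,
    # Network: system resolver (so a local sinkhole sees queries), HTTPS-First on
    "DnsOverHttpsMode": "off",
    "HttpsOnlyMode": "force_enabled",
}


def render_policy_plist(policies: dict = CHROME_POLICIES) -> bytes:
    """Serialize the policy dict as an XML plist, the format `defaults import` reads."""
    return plistlib.dumps(policies, fmt=plistlib.FMT_XML)


def parse_policy_plist(data: bytes) -> dict:
    """Load a plist, e.g. one produced by `defaults export com.google.Chrome -`."""
    return plistlib.loads(data)


def audit_policies(applied: dict, expected: dict = CHROME_POLICIES) -> dict:
    """Return {policy: (expected, actual)} for every policy missing or different.

    `actual` is None when the policy is not set at all; that matters because an
    unset policy falls back to Chrome's default, not to the value in this guide.
    """
    return {name: (want, applied.get(name))
            for name, want in expected.items() if applied.get(name) != want}


def demo_drift_report() -> dict:
    """Audit a constructed export: Enhanced Safe Browsing re-enabled, DoH mode unset."""
    drifted = dict(CHROME_POLICIES, SafeBrowsingProtectionLevel=2)
    del drifted["DnsOverHttpsMode"]
    return audit_policies(parse_policy_plist(render_policy_plist(drifted)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Write the plist, e.g. to ./com.google.Chrome.plist, for `defaults import`.
        with open(sys.argv[1], "wb") as fh:
            fh.write(render_policy_plist())
    else:
        for name, (want, got) in sorted(demo_drift_report().items()):
            print(f"{name}: expected {want!r}, found {got!r}")
```

Policies set this way are enforced rather than merely pre-selected, so a site that needs camera access or a persistent cookie has to be added to the allow-list entries here rather than toggled in the UI; that is the trade for being able to re-audit the browser in one command.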
ANTI-RECOMMENDATIONS
Don't:
Turn on "Enhanced Safe Browsing" unless you accept that your URLs
and page context are sent to Google for real-time analysis
Install Google Translate extension (it's built into Chrome)
Use Chrome's built-in password manager while running 1Password
Leave "Make searches and browsing better" on — it sends URLs to
Google
Use Chrome for sensitive browsing (banking, personal email,
anonymous Reddit). Use Firefox profiles/containers or a separate
browser for those.
HONEST SUMMARY
Chrome on macOS 26 after this guide:
Better than default Chrome
Worse than Firefox or Brave for privacy/blocking
Appropriate for web development and Chrome-only sites
Not appropriate as a primary daily driver if privacy matters
If you find yourself reaching for Chrome more often than "dev work and
edge cases," consider Brave (Chromium, better privacy defaults, full
uBO via their Shields system) as a replacement.
Verified against Firefox 149.0.2 (aarch64) on macOS
Extensions assumed installed: a dedicated password manager
(e.g., 1Password / Bitwarden), uBlock Origin
(Privacy Badger: see Chunk 1 — recommend uninstalling)
How to use this guide
Ten chunks, each self-contained. Do them in order, one sitting per chunk
(most take 5–10 minutes). After each chunk you'll have a working, improved
browser — nothing is left in a half-configured state. Stop any time.
When a setting path shows "Settings > Privacy & Security > X", open it via
cmd+, or the hamburger menu > Settings.
Goal: remove redundancy so uBlock Origin can do its job cleanly.
Uninstall Privacy Badger. It duplicates what uBO does, adds overhead, and
complicates debugging broken sites. uBO with EasyPrivacy enabled (Chunk 4)
covers the same ground more thoroughly.
Steps:
about:addons (or menu > Add-ons and themes)
Find Privacy Badger > three-dot menu > Remove
Keep: your password manager, uBlock Origin.
Done when: only your password manager and uBlock Origin remain in Extensions.
Strict mode (per Mozilla's current documentation) blocks:
Social media trackers
All cross-site cookies
Tracking content in all windows
Cryptominers
Fingerprinters (known)
Site breakage in Strict mode is rare in 2026. If a specific site breaks,
click the shield icon in the URL bar and toggle protection off for that
site only — it creates a per-site exception.
Done when: the Strict radio button is selected.
CHUNK 3 — Privacy signals and telemetry [effort: 3 min]
Goal: enable the one privacy signal that has legal weight, and turn off
Firefox's data collection.
Still in Settings > Privacy & Security, scroll down:
Website Privacy Preferences:
[x] "Tell websites not to sell or share my data"
(This is the Global Privacy Control signal; it has legal force in
California, Colorado, Connecticut, and a growing list of states.)
[ ] "Send websites a Do Not Track signal" — leave UNCHECKED
(DNT has no legal weight and is a minor fingerprinting vector.)
Firefox Data Collection and Use:
Uncheck everything. None of it benefits you.
Done when: GPC is checked, DNT is unchecked, all telemetry boxes unchecked.
CHUNK 4 — Configure uBlock Origin [effort: 5 min]
Goal: turn uBO from "fine defaults" into a well-configured blocker.
Open uBO dashboard: click uBO icon in toolbar > gear icon (Dashboard).
Filter lists tab — enable these (leave defaults on, add these):
[x] EasyList (default)
[x] EasyPrivacy
[x] uBlock filters – Badware risks (default)
[x] uBlock filters – Privacy
[x] uBlock filters – Annoyances
[x] Cookies
[x] Social
[x] Overlays
[x] AdGuard – Annoyances
[x] Peter Lowe's Ad and tracking server list
[x] Online Malicious URL Blocklist
Don't enable every regional list. More lists = more overhead and more
false positives, not more protection.
Click "Apply changes" (top of page) when done.
Settings tab:
[x] "I am an advanced user" (unlocks per-site dynamic filtering)
[x] "Block remote fonts"
(small fingerprinting win; occasional typography breakage)
[x] "Disable pre-fetching (to prevent any connection for blocked
network requests)"
[x] "Block CSP reports"
Done when: filter lists applied, advanced user mode on, the four
Settings boxes above are checked.
CHUNK 5 — HTTPS-Only Mode [effort: 3 min]
Goal: force HTTPS everywhere, with exceptions for any internal-only
hostnames that don't yet have real TLS.
Settings > Privacy & Security > HTTPS-Only Mode:
(o) "Enable HTTPS-Only Mode in all windows"
About localhost:
Firefox does NOT upgrade loopback addresses (localhost, 127.0.0.1, ::1)
by default. The pref dom.security.https_only_mode.upgrade_local is
false by default — leave it. Nothing to do for localhost.
About internal hostnames without real certs (e.g., *.lan, *.home):
Firefox has no wildcard exception mechanism. Two options:
Option A — Passive (recommended):
First visit to any http://foo.lan gives you a warning page.
Click "Continue to HTTP Site" — the exception saves permanently
for that hostname. After a week of normal usage, every internal
service you touch will be in the list.
Option B — Bulk-add if you have a known list:
Settings > Privacy & Security > HTTPS-Only Mode > Manage Exceptions…
Paste each http://foo.lan URL, click Allow. Save Changes.
Later, once internal services serve real certs (e.g., via Caddy +
Let's Encrypt with DNS-01, or an internal CA), return to Manage
Exceptions and clear the list.
Done when: HTTPS-Only is enabled for all windows. (Exception list can
grow organically.)
CHUNK 6 — DNS: defer to your system resolver [effort: 2 min]
Goal: stop Firefox from bypassing your local resolver via DNS-over-HTTPS.
Settings > Privacy & Security > DNS over HTTPS:
(o) "Off"
Why: Firefox's default DoH sends DNS queries directly to Cloudflare,
routing around any local resolver (Pi-hole, AdGuard Home, Blocky, a
corp split-DNS setup). That defeats network-level blocking and
internal hostname resolution for Firefox traffic. Turning DoH off makes
Firefox use the system resolver instead.
(If you travel and want DoH on untrusted networks, switch to "Default
Protection" temporarily, then back to Off at home.)
Done when: the "Off" radio is selected.
CHUNK 7 — History, cookies, and form data [effort: 5 min]
Goal: keep browsing history (useful), stop retaining form/search typing,
clear cache and logins on quit, selectively preserve cookies.
[x] Remember browsing and download history
[ ] Remember search and form history
(Your password manager handles forms; Firefox's form history
is a leak.)
[x] Clear history when Firefox closes
Click "Settings…" next to "Clear history when Firefox closes":
[x] Browsing & download history
[x] Active Logins
[x] Form & Search History
[x] Cache
[ ] Cookies (managed separately — see below)
[ ] Site Preferences (don't reset per-site camera/mic perms)
[ ] Offline Website Data
Settings > Privacy & Security > Cookies and Site Data:
[x] "Delete cookies and site data when Firefox is closed"
Click "Manage Exceptions…" and add "Allow" entries for sites you
want to stay logged into between sessions. Examples to consider:
- github.com
- reddit.com (and old.reddit.com if you use Old Reddit)
- banking / financial sites
- streaming services (Netflix, YouTube, etc.)
- your password manager's web vault (if applicable)
Settings > Privacy & Security > Logins and Passwords:
[ ] "Ask to save logins and passwords for websites" — UNCHECK
(A dedicated password manager handles this; Firefox's prompt
fights with it.)
Done when: custom history is set with the boxes above, cookies delete
on close with your chosen exceptions, and Firefox's password prompt is
disabled.
CHUNK 8 — Address bar cleanup [effort: 2 min]
Goal: stop sponsored suggestions and keystroke telemetry in the URL bar.
Note: these settings moved. In Firefox 149 they live under Search, not
Privacy & Security.
Settings > Search > Address Bar — Firefox Suggest:
Keep on:
[x] Browsing history
[x] Bookmarks
[x] Open tabs
[x] Shortcuts
Turn off:
[ ] Suggestions from the web
[ ] Sponsored suggestions
[ ] Search engine suggestions (optional — off means fewer keystrokes
sent to the search engine in real time, at the cost of losing
typeahead suggestions)
Settings > Search > Default Search Engine:
Consider switching to DuckDuckGo or Kagi. Google is fine if you prefer
it — just be aware every URL bar query you type goes there.
Done when: sponsored and web suggestions are off in Search settings.
CHUNK 9 — New tab and home page [effort: 2 min]
Goal: remove sponsored content from your home and new tab pages.
Settings > Home > Firefox Home Content:
[ ] Sponsored shortcuts
[ ] Recommended stories
[ ] Sponsored stories
Optional, for a truly blank new tab:
Settings > Home > Homepage and new windows: "Blank page"
Settings > Home > New tabs: "Blank page"
Done when: no sponsored content appears on new tabs.
Goal: isolate cookie jars per browsing context (Reddit ≠ Google ≠ work).
This is the single biggest workflow and privacy upgrade available in
Firefox, and most people never set it up.
Pin the toolbar icon if it isn't visible (right-click toolbar >
Customize Toolbar, drag the icon in).
Create containers:
Click the containers icon > Manage Containers > New Container
A typical starter set:
- Personal (blue)
- Work (orange)
- Google (red) — contain all Google sessions here
- Shopping (green) — Amazon, etc.
- Reddit (purple) — useful if you want Reddit isolated
- Internal (gray) — for any .lan / internal dashboards
How to use:
Long-press the "+" new tab button to pick a container for a new tab
Right-click any link > "Open Link in New Container Tab"
Right-click any tab > "Reopen in Container"
Auto-assign sites so they always open in the right container:
Visit the site (e.g., reddit.com) in the container you want
Caveat: containers are disabled in Private Browsing windows and if you
switch History to "Never remember history" — you're using Custom history
(Chunk 7), so you're fine.
Done when: 5–6 containers exist and your main daily sites are
auto-assigned to one of them.
Skip unless you want to squeeze out extra privacy. Type about:config in
URL bar, accept the warning, search for each pref, double-click to
toggle. All of these are safe but some have minor UX costs (noted).
With care:
media.peerconnection.enabled → false
(Disables WebRTC entirely — prevents IP leaks via STUN but breaks
any browser-based video calling. Only do this if you don't use
Firefox for Zoom/Meet/Jitsi in-browser.)
Power-user (expect minor site breakage):
privacy.resistFingerprinting → true
(Strongest anti-fingerprint measure; clamps timezone, randomizes
canvas/font data. Breaks some sites. Turn off if problems arise.)
Done when: you've flipped the ones you want. Restart Firefox for WebRTC
and resistFingerprinting changes to fully take effect.
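The prefs behind Chunks 2, 3, 5, 6, 7, 8 and 9 and the about:config chunk above can be kept in a user.js and checked against a profile's prefs.js. The block below is an added example, not the guide's or Mozilla's code: it renders the guide's values as user.js lines, parses `user_pref(...)` lines back, and reports every pref that is missing or differs. The pref names are the ones Firefox uses for these toggles; the clear-on-shutdown checkboxes map to a family of prefs that has been renamed across releases, so only the master sanitize switch is included. The profile path and the sample prefs.js text are constructed for the demo.

```python
"""Render this guide's Firefox prefs as user.js and audit a profile's prefs.js.

Added example, not from the guide's author or Mozilla. The sample prefs.js
below is constructed; point the script at a real profile's prefs.js to audit it.
"""
import json
import re
from pathlib import Path

FIREFOX_PREFS = {
    # Chunk 2: Enhanced Tracking Protection set to Strict
    "browser.contentblocking.category": "strict",
    # Chunk 3: Global Privacy Control on, Do Not Track off, telemetry off
    "privacy.globalprivacycontrol.enabled": True,
    "privacy.donottrackheader.enabled": False,
    "datareporting.healthreport.uploadEnabled": False,
    "app.shield.optoutstudies.enabled": False,
    # Chunk 5: HTTPS-Only in all windows; loopback stays un-upgraded
    "dom.security.https_only_mode": True,
    "dom.security.https_only_mode.upgrade_local": False,
    # Chunk 6: DoH off by explicit choice (5), i.e. use the system resolver
    "network.trr.mode": 5,
    # Chunk 7: no form history, sanitize on shutdown, no built-in password prompt
    "browser.formfill.enable": False,
    "privacy.sanitize.sanitizeOnShutdown": True,
    "signon.rememberSignons": False,
    # Chunk 8: no sponsored or web suggestions in the address bar
    "browser.urlbar.suggest.quicksuggest.sponsored": False,
    "browser.urlbar.suggest.quicksuggest.nonsponsored": False,
    # Chunk 9: no sponsored content on the new tab page
    "browser.newtabpage.activity-stream.showSponsoredTopSites": False,
    "browser.newtabpage.activity-stream.showSponsored": False,
    "browser.newtabpage.activity-stream.feeds.section.topstories": False,
    # about:config chunk: WebRTC off, resist fingerprinting on
    "media.peerconnection.enabled": False,
    "privacy.resistFingerprinting": True,
}

# One line of user.js / prefs.js:  user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def render_user_js(prefs: dict = FIREFOX_PREFS) -> str:
    """Emit user.js lines; json.dumps yields Firefox's true/false, bare ints, quoted strings."""
    return "".join(f'user_pref("{name}", {json.dumps(value)});\n'
                   for name, value in prefs.items())


def parse_prefs_js(text: str) -> dict:
    """Parse user_pref lines into a dict; comments and other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs


def audit_prefs(current: dict, expected: dict = FIREFOX_PREFS) -> dict:
    """Return {pref: (expected, actual)}; actual is None when the pref is not in the file."""
    return {name: (want, current.get(name))
            for name, want in expected.items() if current.get(name) != want}


# Constructed sample of a profile that drifted: DoH back to "Default Protection"
# (mode 2) and Firefox's own password prompt re-enabled.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences  (constructed sample, not a real profile)
user_pref("browser.contentblocking.category", "strict");
user_pref("network.trr.mode", 2);
user_pref("privacy.globalprivacycontrol.enabled", true);
user_pref("dom.security.https_only_mode", true);
user_pref("signon.rememberSignons", true);
"""


def demo_audit() -> dict:
    """Audit the constructed prefs.js above against the guide's values."""
    return audit_prefs(parse_prefs_js(SAMPLE_PREFS_JS))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python3 audit.py "~/Library/Application Support/Firefox/Profiles/<id>/prefs.js"
        text = Path(sys.argv[1]).expanduser().read_text(encoding="utf-8")
        report = audit_prefs(parse_prefs_js(text))
    else:
        report = demo_audit()
    for name, (want, got) in sorted(report.items()):
        print(f"{name}: expected {json.dumps(want)}, found {json.dumps(got)}")
    print("\n// user.js with the guide's values:\n" + render_user_js(), end="")
```

A pref that is absent from prefs.js is at its Firefox default, which for several of these (DoH, form history, the password prompt) is not the value this guide wants, so the audit treats "missing" as drift rather than as pass.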
Only install what you'll actually use. Bloat = fingerprint surface.
Strong recommendations:
Old Reddit Redirect
Sends reddit.com links to old.reddit.com automatically.
Pairs well with a Reddit-isolation container.
SponsorBlock
Skips sponsored segments in YouTube videos. Crowdsourced, works.
Consider:
Temporary Containers (pairs with Multi-Account Containers)
Auto-opens every new tab in a throwaway container. Nuclear
anti-tracking. Some workflow friction — evaluate after you're
comfortable with regular containers.
LibRedirect
Redirects YouTube/Twitter/Reddit to privacy-friendly frontends
(Invidious, Nitter, Redlib). Instances can be flaky; enable
selectively.
Tree Style Tab or Sidebery
Vertical tab management. Only worth it if you routinely run 30+
tabs.
Do NOT install:
Ghostery, DuckDuckGo Privacy Essentials, any "all-in-one privacy"
extension. They overlap with uBO and add fingerprint surface
without adding protection.
A second password manager alongside your primary one.
If you serve internal services over HTTP, the long-term fix is real
TLS — typically Cloudflare Tunnels + Caddy + Let's Encrypt, or any
internal CA you trust. Once that's in place:
Caddy (or equivalent) handles ACME with the DNS-01 challenge
against your DNS provider for *.lan.yourdomain.com
Split-horizon DNS on your local resolver: internal clients
resolve lan.yourdomain.com to private IPs; keeps traffic off the
public tunnel for LAN access
The reverse proxy auto-renews certs and serves them to both
internal and tunnel-routed traffic
Return to Chunk 5 (HTTPS-Only Mode exceptions) and clear the
exception list — every internal service now speaks real HTTPS
Nothing to do in Firefox for this; it's a server-side change.
Verified against Safari 26.3.1 (macOS 26.3.1) on Apple Silicon
Useful framing: Safari is strong as a secondary browser on macOS
for battery life, native integration, iOS/iPad handoff, and quick
reading; pair it with Firefox + uBlock Origin for heavier privacy.
How to use this guide
Eight chunks, each self-contained (2–10 min). Open Safari Settings via
cmd+, or Safari menu > Settings. Settings are organized as tabs across
the top of the Settings window.
Safari's strength on macOS is native integration and dramatically better
battery/thermal performance than any Chromium browser. It's never going
to match Firefox + uBlock Origin for blocking, but with a content blocker
and the right toggles it gets close enough for a secondary browser.
CHUNK 1 — General [effort: 3 min]
Goal: set reasonable startup, homepage, and download behavior.
Safari > Settings > General:
Safari opens with: "A new window"
(Not "All windows from last session" — it preserves tracking cookies
and open pages across restarts.)
New windows open with: "Empty Page" or "Start Page"
(Start Page shows Favorites + Privacy Report — useful. Empty Page
if you prefer zero distraction.)
New tabs open with: "Empty Page"
Homepage: about:blank
(Or any page you like. Empty is fastest.)
Remove history items: "After one month" (personal preference; After
one year also fine)
Remove download list items: "Upon successful download" or "When Safari
quits"
File download location: Downloads (default is fine)
Open "safe" files after downloading: [ ] UNCHECK
Auto-opening downloaded files is a long-standing macOS attack vector
(e.g., the historic Safari zip auto-open issues). Always keep off.
Done when: startup, new tabs/windows, and download auto-open are set.
CHUNK 2 — Tabs [effort: 1 min]
Goal: set tab behavior that matches how you actually work.
Safari > Settings > Tabs:
Tab Layout: "Separate" or "Compact"
Separate = traditional tab bar (recommended for a secondary browser
where you'll have few tabs). Compact merges URL bar and tabs — saves
space but can be confusing.
Show color in the tab bar: personal preference (purely cosmetic)
[x] Show website icons in tabs
[x] Open pages in tabs instead of windows: "Automatically"
[x] When a new tab or window opens, make it active
[x] Use Command+1 through Command+9 to switch tabs
Done when: layout chosen and tab-switching shortcuts on.
CHUNK 3 — AutoFill + Passwords [effort: 3 min]
Goal: disable Safari's built-in autofill/password features if you
use a third-party password manager. Running both causes prompt
conflicts and splits credential data across two vaults.
Safari > Settings > AutoFill:
[ ] Using information from my contacts
[ ] User names and passwords
[ ] Credit cards
[ ] Other forms
All four should be UNCHECKED. Your password manager handles everything
here.
Safari > Settings > Passwords:
Install the Safari extension for your password manager if you haven't
(see Chunk 7). You don't need to change Keychain-level settings here;
just avoid saving new passwords to Keychain via Safari. When prompted,
choose "Never for this website."
Tip: if you have historic passwords in Keychain/iCloud Passwords, most
modern password managers (1Password, Bitwarden, etc.) support
importing them directly.
Done when: all four AutoFill boxes are unchecked.
CHUNK 4 — Search [effort: 2 min]
Goal: reduce keystroke telemetry; pick a default engine.
Safari > Settings > Search:
Search engine: DuckDuckGo (recommended) or Kagi if you subscribe
Standard options: Google, Yahoo, Bing, DuckDuckGo, Ecosia
Private browsing search engine: same as above, or a different one
(Safari 26 supports a separate engine for private windows — useful
for keeping, e.g., Google for identified searches and DDG for
private.)
[ ] Include search engine suggestions
Off = no keystrokes sent to the engine in real time; on = typeahead.
Trade privacy for convenience.
[x] Include Safari Suggestions
Apple-side suggestions (Knowledge, Maps, App Store). Relatively
privacy-respectful — Apple doesn't tie queries to your Apple ID
long-term. Leave on unless you want minimal signal.
[x] Enable Quick Website Search
[ ] Preload Top Hit in the background
Off = Safari doesn't pre-fetch pages you might click. Small privacy
win, negligible performance cost.
[x] Show Favorites
Done when: default engine set, search suggestion toggle decided, Preload
Top Hit off.
CHUNK 5 — Privacy [effort: 5 min]
Goal: the core privacy settings. This is the most important chunk.
Safari > Settings > Privacy:
Website tracking:
[x] Prevent cross-site tracking
Core ITP (Intelligent Tracking Prevention). Always on. This is
Safari's equivalent of Firefox's tracker blocking — not as
aggressive as uBO but solid at the network layer.
Advanced tracking and fingerprinting protection:
(o) "in all browsing" ← recommended
( ) "in Private Browsing"
( ) "Off"
Default on macOS 26 is "in Private Browsing." Change to "in all
browsing" — it blocks connections to known fingerprinting and
data-collection domains during normal use, not just private windows.
Hide IP address:
If you have iCloud+:
(o) "From trackers and websites" ← strongest option, routes through
iCloud Private Relay
( ) "From trackers only"
( ) "Off"
If you don't have iCloud+:
(o) "From trackers only"
This uses Apple's standard IP-hiding for known trackers without
Private Relay.
Note: Private Relay routes traffic through two hops (Apple + a partner
CDN), which can slow things down slightly and breaks some IP-based
geofencing. Turn off temporarily if a site misbehaves.
Cookies and website data:
[ ] Block all cookies
Leave UNCHECKED. Blocking all cookies breaks login on almost every
site. ITP already handles the tracking-cookie problem.
Manage Website Data…
(Optional now; cleanup tool for later.)
Web Advertising:
[x] Allow privacy-preserving measurement of ad effectiveness
Apple's on-device measurement API (Private Click Measurement).
Anonymized — no tracking identifiers. Leave on; it's the "this is
what privacy-preserving ads should look like" feature and disabling
it doesn't help you, it just hurts the incentive to build more of
these.
Done when: Prevent cross-site tracking on, advanced protection set to
"in all browsing," Hide IP set per your iCloud+ status.
CHUNK 6 — Security [effort: 1 min]
Goal: enable fraud/malware warnings (on by default, verify).
Safari > Settings > Security:
Fraudulent sites:
[x] Warn when visiting a fraudulent website
Both should be on. These use Apple's fraud-warning database (similar to
Google Safe Browsing but via Apple's servers).
Install: Mac App Store > search "StopTheMadness Pro"
Recommended pairing: AdGuard for Safari + StopTheMadness Pro.
After installing, enable in:
Safari > Settings > Extensions
[x] AdGuard for Safari (and any sub-toggles for filter lists)
[x] StopTheMadness Pro
Safari > Settings > Websites > Content Blockers
Allow: "All Websites" for the installed blockers
Also install your password manager's Safari extension:
Mac App Store > [your manager] for Safari (1Password, Bitwarden, etc.)
Safari > Settings > Extensions > enable it
(Authenticate via the manager's desktop app.)
Optional quality-of-life extensions:
Hush Nag Blocker (free) — blocks cookie banners specifically
Super Agent — same, configurable consent responses
Vinegar — replaces YouTube's HTML5 player with the native one
(better AirPlay, no pre-roll hassle, small fee)
Baking Soda — same approach for Twitter/other sites
Done when: a content blocker is installed and enabled, plus your
password manager's Safari extension.
CHUNK 8 — Profiles [effort: 10 min]
Goal: separate browsing contexts (like Firefox's containers, but
heavier — each profile has its own cookies, history, extensions,
Favorites, Tab Groups).
Safari > Settings > Profiles:
Click "Start Using Profiles" if you've never set them up.
Then "New Profile" for each.
Suggested profile set for a secondary browser:
Personal (default)
Work (keeps work Google/Microsoft sessions isolated)
Testing (throwaway for one-off logins, signup forms, etc.)
Each profile has:
Separate cookies and website data (this is the privacy win)
Separate history
Separate Favorites / Start Page
Separate extensions (you can enable AdGuard in all, or selectively)
Its own icon color and symbol
How to switch profiles:
Click the profile icon in the toolbar (top-right)
Or use the Safari > File menu > New [Profile] Window
How profiles compare to Firefox containers:
Firefox containers: lightweight, same window, per-tab
Safari profiles: heavier, separate windows, per-window
Safari profiles are better for strong separation (Personal vs Work)
Firefox containers are better for fine-grained per-site isolation
For most users (Safari as a secondary browser), 2–3 profiles is
plenty. Don't overdo it.
Done when: at least Personal and one other profile exist.
OPTIONAL — Advanced [effort: 5 min]
Safari > Settings > Advanced:
Accessibility:
[ ] Never use font sizes smaller than [n] — personal preference
Smart Search Field:
[x] Show full website address
Default in Safari is to only show the domain (e.g., "example.com"
instead of "https://example.com/some/long/path"). Turning this on
shows the full URL — important for security (you can verify the
actual path you're on before entering credentials).
Web content:
[x] Enable JavaScript (needed for most of the modern web)
Reading list:
[x] Save articles for offline reading automatically (optional)
Advanced:
Default encoding: Western (ISO Latin 1) — leave default
[x] Show features for web developers
Adds the Develop menu to the menu bar. Useful even for non-devs:
lets you reload without cache (cmd+option+R), toggle user agent,
etc.
[ ] Use Keyboard Navigation to highlight each item on a webpage
(Optional accessibility feature. Useful if you prefer keyboard
browsing — tab through links.)
Toolbars or "browser enhancers" that aren't clearly scoped
(they rarely exist for Safari, but when you find one, pass)
Don't turn on:
"Block all cookies" — breaks logins everywhere
"Warn when visiting a website with a non-HTTPS URL"
(Not present in macOS 26 Safari; if you see it on an older version,
leave it off — too noisy for daily use if you have any internal
hostnames that don't yet serve real TLS.)
NETWORK-LEVEL DNS AND HTTPS BEHAVIOR
A local DNS sinkhole (Pi-hole, AdGuard Home, Blocky) blocks at the
network DNS layer before Safari sees a request. Safari doesn't have
a DoH-bypass setting enabled by default on macOS (it respects system
DNS), so the sinkhole "just works" for Safari.
iCloud Private Relay (Chunk 5 — Hide IP address "From trackers and
websites") DOES route DNS through Apple, bypassing any local
resolver for Safari traffic. Trade-off: stronger IP privacy on
untrusted networks, but the local sinkhole's blocklists won't apply
to Safari queries while Private Relay is active. Pick: "Trackers
only" keeps the sinkhole in the loop; "Trackers and websites" gives
stronger IP privacy but bypasses it.
For internal (.lan / .home) access: Safari has no HTTPS-Only Mode
toggle, so internal services served over HTTP work without warnings
by default. Once they serve real certs (e.g., via Caddy + Let's
Encrypt or an internal CA), Safari gets full HTTPS for free with no
config needed.
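Two of the claims above are checkable from a terminal: Safari uses the system resolver, and a sinkhole answers blocked names with a null address or NXDOMAIN. The script below is an added example, not part of the guide; the sinkhole address 192.168.1.2 and the test name ads.example are placeholders, and the scutil sample is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: verify that a local DNS sinkhole is
# actually answering Safari's lookups. Safari uses the system resolver, so
# two things must hold: the resolver in `scutil --dns` is the sinkhole, and
# a known blocked name comes back sinkholed. Assumes the common sinkhole
# convention of answering 0.0.0.0 / :: or NXDOMAIN (empty `dig +short`).
# 192.168.1.2 and ads.example are placeholders, not real values.

SINKHOLE_IP="${SINKHOLE_IP:-192.168.1.2}"   # placeholder: Pi-hole / AdGuard Home address

# Print the first nameserver[0] entry from `scutil --dns` text on stdin.
first_nameserver() {
  awk '/nameserver\[0\]/ { print $3; exit }'
}

# Classify `dig +short` output on stdin: "sinkholed" for an empty answer
# (NXDOMAIN) or a null address, "resolved" when a real address came back.
classify_answer() {
  answer=$(grep -v '^;' | head -n 1)
  case "$answer" in
    ""|0.0.0.0|::) echo sinkholed ;;
    *)             echo resolved ;;
  esac
}

# Both checks together; succeeds only when the resolver is the sinkhole
# and the test name was blocked, which is the state the guide relies on.
sinkhole_in_loop() {
  ns=$(printf '%s\n' "$1" | first_nameserver)
  verdict=$(printf '%s\n' "$2" | classify_answer)
  [ "$ns" = "$SINKHOLE_IP" ] && [ "$verdict" = "sinkholed" ]
}

# Constructed sample of `scutil --dns` output with the sinkhole as resolver.
SAMPLE_SCUTIL='resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.2
  flags    : Request A records'

# Live run on the Mac itself (needs scutil and dig, so only when asked for).
if [ "${1:-}" = "live" ]; then
  if sinkhole_in_loop "$(scutil --dns)" "$(dig +short ads.example)"; then
    echo "sinkhole is in the loop for Safari"
  else
    echo "lookups are bypassing the sinkhole (check resolver / Private Relay)"
  fi
fi
```

Run it with `live` as the first argument on the Mac; with Private Relay set to "From trackers and websites", expect the bypass message even though the resolver check passes, since Safari's queries no longer go through the system resolver.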