Optimizing your browser’s settings is a critical step in using the Internet securely and privately. Today’s popular browsers include built-in security features, but users often fail to optimize their browser’s security settings on installation. Failing to correctly set up your browser’s security features can put you at a higher risk for malware infections and malicious attacks. This installment of our “Cybersecurity 101” series provides our tips for securing several of today’s most popular browsers, including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer. While it is impossible to guarantee complete protection from cyber threats, following these tips will greatly increase the security of your web browser.

Tips for Secure Browsing with Google Chrome

These settings can be accessed through Chrome’s “Advanced Settings” menu or by navigating to “chrome://settings/.”

  • Enable phishing and malware protection: Make sure that Chrome’s phishing and malware protection feature is enabled under the “Privacy” section. This feature will warn you if a site you’re trying to visit may be phishing or contain malware.
  • Turn off instant search: The Instant search feature should be turned off for optimal security. While it offers some convenience in searching, having this feature enabled means that anything you type in the address bar is instantly sent to Google.
  • Don’t sync: Disconnect your email account from your browser under the “Personal Stuff” tab. Syncing your email account with your Chrome browser means that personal information such as passwords, autofill data, preferences, and more is stored on Google’s servers. If you must use sync, select the “Encrypt all synced data” option and create a unique passphrase for encryption.
  • Configure content settings: Click “Content settings” under the “Privacy” section and do the following:
    • Cookies: Select “Keep local data only until I quit my browser” and “Block third-party cookies and site data.” These options ensure that your cookies will be deleted upon quitting Chrome and that advertisers will not be able to track you using third-party cookies.
    • JavaScript: Select “Do not allow any site to run JavaScript.” It is widely recommended that JavaScript be disabled whenever possible to protect users from its security vulnerabilities.
    • Pop-ups: Select “Do not allow any site to show pop-ups.”
    • Location: Select “Do not allow any site to track my physical location.”
  • Configure passwords and forms settings: Disable Autofill and deselect “Offer to save passwords I enter on the web” under the “Passwords and forms” section. Doing so will prevent Chrome from saving your logins, passwords, and other sensitive information that you enter into forms.

Tips for Secure Browsing with Mozilla Firefox

These settings can be accessed through the “Options” menu.

  • Configure privacy settings: Under the “Privacy” tab, complete the following steps. These measures ensure that Firefox is storing only as much of your information as it needs to function normally.
    • Select “Use custom settings for history.”
    • Deselect “Remember my browsing and download history.”
    • Deselect “Remember search and form history.”
    • Deselect “Accept third-party cookies.”
    • Set cookie storage to “Keep until I close Firefox.”
    • Select “Clear history when Firefox closes.”
  • Configure security settings: Under the “Security” tab, choose the following settings. These steps prevent Firefox from saving your passwords and keep you from visiting potentially harmful sites.
    • Verify that “Warn me when sites try to install add-ons,” “Block reported attack sites,” and “Block reported web forgeries” are all selected.
    • Deselect “Remember passwords for sites.”
  • Disable JavaScript: Deselect “Enable JavaScript” under the “Content” tab. JavaScript is notorious for containing security vulnerabilities, and it is recommended that users only enable it for trusted sites.
  • Enable pop-up blocking: Verify that “Block pop-up windows” is selected under the “Content” tab. This feature should be turned on by default as it protects users from unwarranted advertisements and windows.
  • Don’t sync: Avoid using Firefox Sync. By doing so you prevent Firefox from storing your logins, passwords, and other sensitive information.
  • Turn on automatic updates: Verify that “Automatically install updates” is selected in the “Update” tab under “Advanced.” Doing so will ensure that your browser receives critical security updates. Verify that “Automatically update Search Engines” is selected as well.
  • Use secure protocols: Verify that “Use SSL 3.0” and “Use TLS 1.0” are selected in the “Encryption” tab under “Advanced.”
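
One way to check a profile against the Firefox checklist above is to audit its `prefs.js` file. This is an added example, not part of the original post: the preference names are an assumed mapping from the menu labels to `about:config` keys for Firefox of this era and may differ in other versions, and the sample file is constructed.

```python
import re

# Assumed mapping: preference -> (value the checklist asks for, assumed
# Firefox default). Defaults matter because prefs.js records only values
# the user changed; a missing key means the default is in effect.
CHECKLIST = {
    "places.history.enabled": (False, True),         # browsing/download history
    "browser.formfill.enable": (False, True),        # search and form history
    "network.cookie.cookieBehavior": (1, 0),         # 1 = reject third-party
    "network.cookie.lifetimePolicy": (2, 0),         # 2 = keep until close
    "privacy.sanitize.sanitizeOnShutdown": (True, False),
    "xpinstall.whitelist.required": (True, True),    # warn on add-on install
    "browser.safebrowsing.malware.enabled": (True, True),
    "signon.rememberSignons": (False, True),         # saved passwords
    "javascript.enabled": (False, True),
    "dom.disable_open_during_load": (True, True),    # pop-up blocker
}

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_value(raw):
    """Convert a prefs.js literal to bool, int, or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; other lines are skipped."""
    matches = (PREF_LINE.match(line) for line in text.splitlines())
    return {m.group(1): parse_value(m.group(2)) for m in matches if m}

def audit(text):
    """Return {name: effective value} for settings that deviate from CHECKLIST."""
    prefs = parse_prefs(text)
    findings = {}
    for name, (want, default) in CHECKLIST.items():
        have = prefs.get(name, default)
        # Compare types too, so a boolean true is not accepted for the integer 1.
        if type(have) is not type(want) or have != want:
            findings[name] = have
    return findings

# Constructed sample prefs.js: some items applied, pop-up blocker switched off.
SAMPLE = '''// Mozilla User Preferences
user_pref("javascript.enabled", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("signon.rememberSignons", false);
user_pref("dom.disable_open_during_load", false);
user_pref("browser.startup.homepage", "https://example.org/");
'''

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(f"{name}: currently {value!r}, checklist wants {CHECKLIST[name][0]!r}")
```

Settings left at their defaults never appear in `prefs.js`, which is why the history and cookie-lifetime items are reported for the sample even though the file does not mention them.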

Tips for Secure Browsing with Microsoft Internet Explorer 10

These settings can be accessed through the “Internet Options” menu.

  • Configure security settings: Under the “Security” tab, do the following:
    • Set security zones: IE offers the option to configure different security settings for different “zones,” including the Internet, local intranet, trusted sites, and restricted sites. Set up the zones for Intranet, Trusted Sites, and Restricted sites to your desired security level.
    • Set Internet zone security to “Medium High” or higher. This blocks certain cookie types, enables ActiveX filtering, and implements several other default settings for increased security.
    • Disable JavaScript: Click “Custom Level,” locate the “Active Scripting” setting, and select “Disable.” It is recommended that users disable JavaScript because of the high number of vulnerabilities it contains.
  • Automatically clear history: Select “Delete browsing history on exit” under the “General” tab. Clearing your history at the end of each session helps to limit the amount of information IE saves when you browse.
  • Configure privacy settings: Under the “Privacy” tab, complete the following steps:
    • Privacy setting: Set the Internet zone privacy to “Medium High” or higher. This blocks certain cookie types to prevent sites from tracking or contacting you without your consent.
    • Location: Select “Never allow websites to request your physical location.”
    • Pop-up Blocker: Double check that Pop-up Blocker is enabled.
  • Configure Advanced Security settings: Scroll down to the “Security” section under the “Advanced” tab and do the following:
    • Ensure that all default settings are in place. If you aren’t sure, click “Restore advanced settings” before making any other changes.
    • Select “Do not save encrypted pages to disk.” This will delete files cached from HTTPS pages when the browser is closed.
    • Select “Empty Temporary Internet Files folder when browser is closed.” This prevents IE from storing your personal info (logins, passwords, activity, etc.) beyond your browsing session.
    • Turn off AutoComplete: The AutoComplete feature should be turned off for forms and usernames/passwords. Keeping AutoComplete turned off ensures that your sensitive information isn’t being stored unnecessarily.
  • Tracking protection: IE’s Tracking Protection feature keeps your browsing private from specified third-party websites. This feature can be accessed through IE’s “Safety” menu. In order to use Tracking Protection you will need to provide a Tracking Protection List that names all of the sites you don’t want your information being sent to. You can create a list yourself or download lists online.

Which is the Most Secure Browser?

Nominating one browser as the most secure is difficult. Since each browser is regularly updated with security patches, the rankings for most secure browser could change at any time. As of today, Veracode recommends Google Chrome as the most secure browser.

Nate joined Veracode as a marketing specialist in early 2012. He is one of Veracode’s first co-ops from Northeastern University, where he is majoring in entrepreneurship and new venture management while minoring in music. He has various responsibilities at Veracode, including blogging, SEO, and infographic design.

Comments (20)

Brian | March 24, 2013 8:55 am

I think you have confused java and javascript. They are not the same thing.

sue | March 24, 2013 8:40 pm

Thank you for all the great info. I recently installed Firefox browser; my Chrome will not work so I uninstalled it. I only have IE 8 browser installed. My software of Windows XP does not let me install IE10. The only reason I even tried Google Chrome was because I keep getting messages on IE8 that Google Mail would no longer work etc. etc. I really like IE but oh well. And I really liked Chrome, until it messed up and am no longer able to use it. Have not had Firefox long enough to know. I tried to retrieve my Gmail; it kept saying my cookies were not enabled. That is what led me to your page. I had all my settings set the opposite of what this says, so I changed them all. So thank you so much. I have an Android smartphone now for the last couple yrs, so I'm not on my PC desktop too much, but there are times when I need to print out coupons etc. from my mail. So anyhoo, thanks again. I'm disabled and can't afford for this PC to crash. So far just crashed on me once, only 2 wks after warranty. The guy I took it to increased y space etc. and that was in 06? So I try my best to be very cautious...

NLord | March 25, 2013 10:38 am

@Brian - My recommendations regarded JavaScript, not Java. I advised that users disable JavaScript because so many web attacks rely on JavaScript exploits to run malicious code in users' browsers. Once JavaScript has been disabled for all sites, users can begin enabling for trusted sites on a case-by-case basis. This way makes it possible to use JS-provided features safely while avoiding the risk of having JS enabled on dangerous or illegitimate sites. You bring up a good point though - it is widely recommended that users disable Java whenever possible for many of the same reasons. Brian Krebs has a great post on the topic from earlier in the year: http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/

@Sue - I'm glad you enjoyed the guide. Hopefully Firefox works out for you; feel free to write us back if you have any questions about its settings.

mv | March 27, 2013 9:53 pm

Too many websites 'require' JS, although some will run in a degraded mode without it.

The 'NoScript' extension for Firefox allows fine grained control to selectively enable JS per page, session, site, etc.

Mr.h | April 27, 2013 5:56 am

What about "enhanced protected mode" in Internet Explorer 10?

NLord | April 30, 2013 9:45 am

@Mr. H - Enhanced protected mode is a new feature in IE 10 that is designed to prevent attackers from installing software or altering your system settings in the event of an exploit. Enhanced protected mode accomplishes this by restricting IE's access privileges and capabilities. You can activate this feature by selecting "Enable Enhanced Protection Mode" under the "Advanced" tab of the Internet Options menu.

For more info, check out this post on the Windows Internet Explorer Engineering Team Blog: http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx

J.Ortiz | June 7, 2013 4:44 pm

A test conducted by NSSLabs clearly shows that Internet Explorer 10’s security features offer the best malware protection among the top five web browsing programs. Internet Explorer 10 managed to block 99.96% of socially engineered malware attacks. http://pcmechanicfl.com/computer-security/how-safe-is-your-web-browser/

Lenny | June 13, 2013 3:39 pm

Hi Nate,
I am trying to locate advice concerning the best or optimum settings to use in the Security section of IE 10. That's how I got to your site from Google.

After reading your explanation and the comments, I'm sorry to say I do not have a crystal clear picture of what settings required change from the original IE default settings.

One of the misconceptions net writers seem to be addicted to is using words that are not the exact words that apps or programs use. The reason for this is unimportant now; what is important is that it doesn't help me the reader to understand the precise step that requires a precisely placed finger to hit a key or button or box.

In your case, there is no "JavaScript" mentioned in the Security menu. So when I look for this word and it doesn't exist, what do I do? What I don't do is make assumptions and start pressing keys. I learned that critical rule a few decades ago.

Additionally, the lack of clarity by a writer in one particular area is viewed by me the reader as lack of clarity in all other areas of the communication. Call it loss of credibility if you will.

So, from my standpoint, clarity is associated with credibility and that produces confidence in a writer's advice and recommendations. But as I suggested, I did not hit my goal with your explanation.

Hope this helps.


I thought this might help

tim | June 14, 2013 8:14 am

Does anyone know if Internet Explorer can be configured to have different security settings for each site visited? I have a customer who accesses several web-based applications and some sites need custom settings (including enabling of all ActiveX settings) while other sites require different settings that may conflict with the previous site. I am looking to be able to configure these security settings specific to the site visited.

NLord | June 14, 2013 9:39 am

@Lenny - Thanks for your feedback. I agree with your stance here and used the exact names/labels for each menu setting whenever possible in my post. While the word "JavaScript" is not mentioned in the Security menu, the instructions following the "Disable JavaScript" bullet in my post should provide explicit instructions for what clicks you need to make. If you want to disable JavaScript in IE 10, open the "Internet Options" menu, click on the "Security" tab, click "Custom Level," locate the "Active Scripting" setting under the "Scripting" section, and select "Disable."

NLord | June 14, 2013 9:48 am

@Tim - Look into IE's "Zones" feature under the "Security" tab. Your customer could create custom settings for sites that need extended privileges under the "Trusted Sites" section and custom settings for sites that need limited privileges under the "Restricted Sites" section.

v ingram | June 16, 2013 12:32 pm

I cannot believe that you are suggesting that people disable Java and Javascript. You might as well just tell them to un-install their browser(s). JavaScript and Java are used extensively on millions of sites on the Internet. In developing sites I find JavaScript a useful alternative to Adobe flash for many special effects.

V Ingram

EdG | June 24, 2013 4:42 pm

Disabling Java, JavaScript, and Flash are sane things to do. Many malware attacks exploit their weaknesses to attack your computer. It's a shame that unscrupulous people have ruined Internet browsing.

Chris | October 8, 2013 9:36 am

That's one way to add security, disable all useful features, but it's not a viable way.

Disabling JavaScript renders far too many sites non-functioning or malfunctioning; not recommended unless you want a lesson in frustration.

Also 90% of what's listed here is just about disabling persistent data; that's only a security issue if you share your PC and don't trust the person you share with. Disabling HTTPS caching, stored cookies etc. will mean logging into sites every new session, lost site configs, slower HTTPS browsing etc.

Steve | January 25, 2014 6:14 am

Does disabling Active Scripting prevent a user from accessing online games, such as Hearts or Spades in the Yahoo games pages?

Vijay | April 3, 2014 10:13 am

Can you please help me to find out why chrome restricted settings page to be opened in protected mode?

anu | April 30, 2014 9:09 am

I can't access my email ([email protected] through Firefox, but if I go through Google or Internet Explorer I can. What is the problem? It worked before.

t-cubed | March 1, 2016 5:50 am

I'm sorry but suggesting to disable javascript is just plain and simple stupid. 99% of all sites on this planet rely on javascript and most of them don't even bother to write a noscript.

Also disabling 3-rd party cookies is probably the worst mistake in web since flash. Yes it dithers advertisers from tracking you... for a whole of 5 minutes. Then they will start filling your urls with variables you don't know anything about and when you bookmark those or pass the links along the variables are there and you can still be tracked. Many sites have already implemented session variables that javascript can read and pass along and match to the 3rd party session. Or even safer they accept external session parameters that they pass along to any and all urls, if it is injected it will be passed along everywhere else it will be generated or ignored.

Also based on said session variables your site may not even work when you try to manually take them out as they may actually be the session id.

There are so many ways to circumvent all those "security features" it is insane. And what exactly are you blocking an advertiser from knowing, if he's spending his money correctly? If he's providing you with interesting buying options? The marketer will go to extreme lengths to protect his investment, circumventing ANY such attempt.

It is just like with adblockers: you block ads, you just deny the site you CHOSE to visit revenue; you do that, he is going to find creative ways to circumvent your adblockers or ask for money for any content he provides to you.

What you encourage with this article is more aggressive integration between marketers and sites and hiding the banners, hiding the tracking in links and such...

Have to ask yourself is this the malicious behavior you want to stop? Is this destroying your browsing experience??

Lois | May 3, 2016 2:53 pm

When I set it for don't allow any site to track my location I couldn't use the internet. If it conflicts with wifi what's the point?

Lois | May 3, 2016 2:57 pm

Google and other browsers are configured as they're SUPPOSED to be in my opinion. That's why it says recommended. If I were you guys I'd leave everything as is and get a good AV like Avast!, Kaspersky or Bitdefender. I also hear Blur is good for halting tracking. I'm not about to tamper with the way my browser is set up and cause more conflicts and issues than I need.
