Keeping Your Browser Up to Date
This is an obvious one, and browser developers make it incredibly easy to stay up to date. Updates are automatically downloaded and installed when the browser restarts, so if you keep your update settings at their defaults, you won't have a problem. However, if you like to experiment with alternative forks of Chromium and Firefox, this is where issues can arise. Because these forks are often maintained by just one or a few developers, they frequently lag behind on security patches. For example, the Pale Moon browser is based on Firefox 52, a release that is over nine years old, and lacks critical, modern security features like process sandboxing and site isolation. Similarly, the Thorium browser (which is Chromium-based) is currently on version 138, while the main Chromium build has already reached version 150 in beta.
Extensions
Browser extensions can be extremely useful and powerful. Ad blockers are a great example of extensions that provide real benefits. However, that same level of access can also be abused. Malicious extensions can track users, steal credentials, inject ads, redirect traffic, or collect sensitive browser data.
My approach to browser extensions is simple: be very careful about what gets installed.
One extension I do highly recommend is an ad blocker. For Firefox, I recommend uBlock Origin. For Chrome and Edge, uBlock Origin Lite is a good option due to Manifest V3 limitations. Ad blockers improve the web browsing experience by reducing ads, pop-ups, tracking, and malicious scripts. They can also help protect users from malvertising, where attackers use online ads to deliver scams or malware. Even the FBI has recommended using an ad blocker as part of staying safer online. The Brave browser is also worth considering because it includes built-in ad and tracker blocking, so you can get similar protection without installing a separate ad-blocking extension.
Only install extensions that are well-known, highly reviewed, and verified by the browser’s extension store. In the Chrome Web Store, look for extensions marked as Featured. In Firefox, look for extensions marked as Recommended. Firefox has a much shorter list of recommended extensions, so if you are considering a non-recommended extension, check how many users have installed it, read through the reviews, and do your own research before installing it.
For users who do not trust themselves to make that judgment, or for anyone managing browsers for kids, family members, employees, or non-technical users, I recommend using an extension allowlist/blocklist. This lets you control exactly which extensions are allowed while blocking everything else by default.
Below are official resources for managing extensions in Chrome, Edge, and Firefox using Group Policy or the Windows Registry.
Google Chrome : Windows Registry
https://support.google.com/chrome/a/answer/9131254?hl=en
Google Chrome : Group Policy
Microsoft Edge : Windows Registry and Group Policy
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies
Firefox : Group Policy
https://firefox-admin-docs.mozilla.org/reference/policies/extensionsettings/
Here is a helpful overall reference that covers extension deployment across Chrome, Edge, and Firefox:
https://help.trelica.com/hc/en-us/articles/11065625692317-Browser-extension-deployment-reference
Site Permissions/Notifications/Third Party Cookies
Websites can request access to sensitive browser permissions such as location, camera, microphone, clipboard, pop-ups, automatic downloads, and background activity. These permissions should be restricted by default and only allowed for trusted websites that genuinely need them. Periodically review your browser’s site permissions and remove anything you no longer recognize or use.
At minimum, I recommend blocking approval for location, camera, microphone, notifications, pop-ups and redirects, automatic downloads, and clipboard access, unless it's a site you absolutely trust and need these permissions.
Browser notifications are widely abused by scammers as a vector for malvertising. Attackers frequently use these pop-ups to market overpriced, deceptive software or push fake tech support scams. To mitigate this risk, the safest approach is to disable browser notifications entirely by default, maintaining a strict allowlist only for trusted websites.
Third-party cookies are commonly used to track users across different websites. Most users should block third-party cookies or use the browser’s strongest available cookie protection mode. This improves privacy and can reduce some cross-site tracking risks, although a few older websites may require exceptions.
HTTPS-Only Mode
Man-in-the-middle (MITM) attacks on public Wi-Fi networks remain a primary vector for credential harvesting. While over 95% of the web utilizes secure, encrypted connections, modern browsers will still fall back to unencrypted HTTP if you click a legacy link or type an older URL. This leaves an opening for local network attackers to intercept your traffic or inject malicious resources into your session. To eliminate this fallback risk, you should explicitly force your browser to use encryption everywhere.
Chrome & Edge: Navigate to your Security settings and toggle on "Always use secure connections" (or Automatic HTTPS).
Firefox: Scroll down in your Privacy & Security preferences and select "Enable HTTPS-Only Mode in all windows."
Once enabled, your browser will automatically upgrade every connection to HTTPS. If a website fails to support modern encryption, the browser will drop the connection and show a clear, full-screen warning before exposing your data.
Built-in Tracking Protection
While using a robust ad-blocking extension is crucial, you should also maximize your browser’s native defenses against tracking scripts. By default, major browsers are set to a "Standard" tier of tracking protection. This standard baseline is a compromise designed to favor ad-tech networks; it permits a significant number of cross-site tracking scripts, fingerprinters, and analytical scripts to execute in the background.
You can instantly close this gap by hardening the built-in tracking preferences:
Firefox: Switch your Enhanced Tracking Protection from Standard to Strict. This aggressively blocks known fingerprinters, cross-site trackers, and hidden cryptocurrency miners at the engine level before they can touch your system.
Edge: Navigate to Privacy, Search, and Services and change your Tracking Prevention setting to Strict.
Note: While a Strict profile block can occasionally cause an older website to render incorrectly, the security and performance payoff is well worth the occasional manual site exception.
If you notice that Google Chrome completely lacks a native option to switch tracking protection to "Strict" (unlike Firefox or Edge), it is because it's a fundamental conflict of interest with their revenue model. However, Google does provide a protection called Safe Browsing, that will help secure your browsing experience. It has two protection options.
Standard Protection: This is the default mode. To preserve a layer of privacy, Chrome doesn't send your exact URLs to Google. Instead, it converts the URL into an obfuscated cryptographic hash, passes it through a blind privacy server to hide your IP address, and checks it against a local list of known bad sites. It blocks standard threats well, but it struggles to stop brand-new malicious domains in real time.
Enhanced Protection: This mode gives you much faster, AI-driven proactive security against zero-day threats, malicious extensions, and complex scams. However, the trade-off is your privacy. When Enhanced Protection is turned on, Chrome streams your raw browsing data—including the full URLs you visit, a small snippet of page content, your system information, and download samples—directly to Google's servers to analyze them.
Takeaway: Google Safe Browsing is an effective shield against malware, dangerous downloads, and malvertising. However, it is a security engine, not a privacy tool. While it's likely it will keep you from getting infected, it achieves this by collecting and analyzing your browsing behavior—the exact opposite of what local tracker blocking tries to achieve.
Secure DNS (DNS-over-HTTPS)
Every time you type a web address, your browser asks a DNS resolver to translate that domain name into an IP address. By default, these DNS queries are sent in plain, unencrypted text. This means your local Internet Service Provider (ISP), network administrators, or a rogue device on a public hotspot can easily log every single website you attempt to visit, or execute a DNS hijacking attack to covertly redirect you to a phishing clone.
To protect your browsing history from local network spying, you should enable Secure DNS (also known as DNS-over-HTTPS, or DoH). This setting wraps your domain lookups inside an encrypted tunnel. Within your browser’s security settings, turn on Secure DNS and choose a trusted, custom provider that actively filters out malicious domains at the network boundary:
Cloudflare (Malware Filtering Only): Select Cloudflare or use their security endpoint (https://security.cloudflare-dns.com/dns-query) to automatically drop connections to known malware hosts.
Quad9 (Malware & Phishing Protection): Use Quad9 (https://dns.quad9.net/dns-query)for a highly secure, privacy-first option that blocks malicious links before the browser even attempts to load the page.