Apple Safari Security & Privacy Guide

Apple’s hardware and software protects user privacy more than Google’s. That applies to Apple’s browser, Safari, compared to Google’s Chrome. However, that doesn’t mean that you should simply accept the default iOS settings. There are changes you can make to increase the security and privacy of the Safari browser.

This guide covers the full, desktop version of the Safari browser. The settings and steps are similar for the Safari mobile app.

For some settings, I don’t have a recommendation related to security or privacy, so I don’t describe them in this guide. For those, feel free to keep the default, or choose based on your preferences.

This guide was last updated for Safari 13.0 on a MacBook Pro. The settings and steps may differ based on version of macOS, iOS, and device.

Note: this page contains affiliate links. Please see Affiliate Disclosure.

Safari Settings

From the macOS menu bar, click Safari, then Preferences. The Preferences screen will appear, with several tabs of settings. We’ll go through the settings in the order they appear. You can click the question mark button in the bottom right corner of any screen to learn more about the settings on that screen.

Autofill

I recommend disabling (unchecking) all the options on this tab. I recommend using a password manager such as LastPass instead.

Search

Search engine: You can consider using a search engine that respects user privacy, such as DuckDuckGo. Unfortunately, in my experience, none of the privacy-respecting alternatives provides results as good as Google.

Include search engine suggestions: “Ask the search engine for search suggestions based on search terms you enter. The search engine may record your search terms.” I recommend disabling, to give the search engine less of your data.

Include Safari Suggestions: “Get Safari Suggestions as you type in the Smart Search field. Safari search includes suggestions from the Internet, Music, the App Store, movie showtimes, locations nearby, and more.” I recommend disabling, to give Apple less of your data.

Enable Quick Website Search: “Record information about your searches within a website to expedite later searches on that site.” I recommend disabling, so that less of your search activity is stored.

Preload Top Hit in the background: “Start to load a webpage as soon as it’s determined to be a top search hit based on your bookmarks and browsing history.” I recommend disabling, so that you have more control over what pages are loaded.

Security

Warn when visiting a fraudulent website: I recommend enabling, because the security benefit outweighs the minimal data that’s shared. Apple says, “Before visiting a website, Safari may send information calculated from the website address to Safe Browsing providers to check if the website is fraudulent.”

Privacy

Prevent cross-site tracking: “Some websites use third-party content providers. A third-party content provider can track you across websites to advertise products and services. With this option turned on, tracking data is periodically deleted unless you visit the third-party content provider.” I highly recommend enabling.

Manage Website Data: clicking this shows all the sites that are storing cookies, cache, or local storage. To remove any, select one or several and then click Remove, or click Remove All to delete stored data from all sites.

Allow websites to check if Apple Pay is set up: “When you are on a website that uses Apple Pay, the website can check if you have Apple Pay set up on that device. If you are using a Mac to which a card cannot be added, the website can check if you have Apple Pay set up on an iPhone or Apple Watch.” If you don’t use Apple Pay, you may as well disable this. If you use Apple Pay, you can decide if you like this convenience.

Websites

On the left side, click through Camera, Microphone, and Location. For each, review the sites that are allowed to use these. Change the settings for any that shouldn’t have access.

Extensions

Review the installed extensions. For any that you don’t truly need, click Uninstall.

Using Apple Safari Safely

Safari’s address bar (which it calls the “Smart Search Field”) will display “Not Secure” warn you when the site you’re on isn’t using an encrypted HTTPS connection. Don’t enter sensitive info (financial, medical, personally-identifiable) in pages that show “Not Secure” rather than the padlock icon.

However, not all sites that use HTTPS are legitimate! Malicious sites, such as phishing and scam sites, frequently use HTTPS. So you should still ensure that the site you’re on is legitimate, regardless of whether it uses HTTPS.

Safari 13 added support for FIDO2-compliant USB security keys with the Web Authentication standard, so you can finally use hardware tokens like Yubikey (Amazon aff. link) for two-factor authentication)!

Private Browsing

Like many browsers, Safari has a private browsing mode that limits the amount of data the browser stores about the browsing you do in that mode. From the macOS menu bar, click File, then New Private Window. Safari briefly explains that “Safari will keep your browsing history private for all tabs in this window. After you close this window, Safari won’t remember the pages you visited, your search history, or your AutoFill information.” Learn more about private browsing.

Safari Security & Privacy Extensions

There aren’t as many security and privacy extensions available for Safari as for Firefox and Chrome.

If you use a password manager, such as LastPass (my favorite), install it.

I use DuckDuckGo Privacy Essentials, an extension that blocks third-party trackers and shows a privacy grade for websites. If you notice that it prevents a website from working properly, you can whitelist that site, temporarily or permanently.

Another option is Ghostery Lite, which lets you block trackers in 8 categories. I check all the boxes except Advertising, because I don’t want to hurt sites that rely on ad revenue. You can also individually trust websites, to allow all trackers from a particular site to load.