Apple’s hardware and software protects user privacy more than Google’s. That applies to Apple’s browser, Safari, compared to Google’s Chrome. However, that doesn’t mean that you should simply accept the default Safari settings on your Mac, iPhone, or iPad. There are changes you can make to increase the security and privacy of the Safari browser.
This guide covers the full, desktop version of the Safari browser. The settings and steps are similar to the Safari mobile app.
For some settings, I don’t have a recommendation related to security or privacy, so I don’t describe them in this guide. For those, feel free to keep the default, or choose based on your preferences.
This guide was last updated for Safari 13.0 on a MacBook Pro. The settings and steps may differ based on the version of macOS, iOS, and device.
Note: this page contains affiliate links. Please see Affiliate Disclosure.
Improve Safari Security And Privacy Using Safari Settings
From the macOS menu bar, click Safari, then Preferences. The Preferences screen will appear, with several tabs of settings. We’ll go through the settings in the order they appear. You can click the question mark button in the bottom right corner of any screen to learn more about the settings on that screen.
Autofill
I recommend disabling (unchecking) all the options on this tab. I recommend using a password manager such as LastPass instead.
LastPass helps you remember and manage your secure passwords all in one place. Never forget a password again.
Search
Search engine: You can consider using a search engine that respects user privacy, such as DuckDuckGo. Unfortunately, in my experience, none of the privacy-respecting alternatives provides results as good as Google.
Include search engine suggestions: “Ask the search engine for search suggestions based on search terms you enter. The search engine may record your search terms.” I recommend disabling, to give the search engine less of your data. But, if you’re using DuckDuckGo, you can leave this checked, because DuckDuckGo doesn’t collect user data anyway.
Include Safari Suggestions: “Get Safari Suggestions as you type in the Smart Search field. Safari search includes suggestions from the Internet, Music, the App Store, movie showtimes, locations nearby, and more.” I recommend disabling, to give Apple less of your data.
Enable Quick Website Search: “Record information about your searches within a website to expedite later searches on that site.” I recommend disabling, so that less of your search activity is stored.
Preload Top Hit in the background: “Start to load a webpage as soon as it’s determined to be a top search hit based on your bookmarks and browsing history.” I recommend disabling, so that you have more control over what pages are loaded.
Security
Warn when visiting a fraudulent website: I recommend enabling, because the security benefit outweighs the minimal data that’s shared. Apple says, “Before visiting a website, Safari may send information calculated from the website address to Safe Browsing providers to check if the website is fraudulent.”
Privacy
Prevent cross-site tracking: “Some websites use third-party content providers. A third-party content provider can track you across websites to advertise products and services. With this option turned on, tracking data is periodically deleted unless you visit the third-party content provider.” I highly recommend enabling.
Manage Website Data: clicking this shows all the sites that are storing cookies, cache, or local storage. To remove any, select one or several and then click Remove, or click Remove All to delete stored data from all sites.
Allow websites to check if Apple Pay is set up: “When you are on a website that uses Apple Pay, the website can check if you have Apple Pay set up on that device. If you are using a Mac to which a card cannot be added, the website can check if you have Apple Pay set up on an iPhone or Apple Watch.” If you don’t use Apple Pay, you may as well disable this. If you use Apple Pay, you can decide if you like this convenience.
Websites
On the left side, click through Camera and Microphone. For each, review the sites that are allowed to use these. Change the settings for any that shouldn’t have access.
Click Location. In the bottom right, set When visiting other websites to Deny. Review the list of websites above that, and change them as necessary.
Extensions
Review the installed extensions. For any that you don’t truly need, click Uninstall.
Safari Privacy And Security: Using Apple Safari Safely
Safari’s address bar (which it calls the “Smart Search Field”) will display “Not Secure” warn you when the site you’re on isn’t using an encrypted HTTPS connection. Don’t enter sensitive info (financial, medical, personally-identifiable) in pages that show “Not Secure” rather than the padlock icon.
However, not all sites that use HTTPS are legitimate! Malicious sites, such as phishing and scam sites, frequently use HTTPS. So you should still ensure that the site you’re on is legitimate, regardless of whether it uses HTTPS.
Install extensions only from the Safari Extensions in the App Store, and only install extensions from outside it if you truly trust them. Before installing any extension, check its ratings and reviews, and search online for reviews from reputable tech sites.
Safari 13 added support for FIDO2-compliant USB security keys with the Web Authentication standard, so you can finally use hardware tokens like Yubikey for two-factor authentication!
Private Browsing
Like many browsers, Safari has a private browsing mode that limits the amount of data the browser stores about the browsing you do in that mode. From the macOS menu bar, click File, then New Private Window. Safari briefly explains that “Safari will keep your browsing history private for all tabs in this window. After you close this window, Safari won’t remember the pages you visited, your search history, or your AutoFill information.” Learn more about private browsing.
Safari Security & Privacy Extensions
There aren’t as many security and privacy extensions available for Safari as for Firefox and Chrome.
If you use a password manager, such as LastPass (my favorite), install it.
I use DuckDuckGo Privacy Essentials, an extension that blocks third-party trackers and shows a privacy grade for websites. If you notice that it prevents a website from working properly, you can whitelist that site, temporarily or permanently.
Another option is Ghostery Lite, which lets you block trackers in 8 categories. I check all the boxes except Advertising because I don’t want to hurt sites that rely on ad revenue. You can also individually trust websites, to allow all trackers from a particular site to load.
LastPass helps you remember and manage your secure passwords all in one place. Never forget a password again.
Keeper is a top-rated password manager for protecting you, your family, and your business from password-related data breaches and cybersecurity threats.
1Password remembers all your passwords, so you can easily log in to sites with a single click.
Dashlane fills all your passwords, payments, and personal details wherever you need them, across the web, on any device.
It’s a great day!! Safari 13 (Late Sep 2019) now supports Fido2 and WebAuthn! Now I don’t have to switch to Chrome. Please do a how-to for a YubiKey in Safari.
Thanks for pointing that out, Frank! I just checked the Safari 13 Release Notes and tested with my YubiKey. I updated this guide.
Safari for me is good enough not to consider another browser. I was considering Brave as a option, but decided Safari offered me enough in privacy and security. I do use Brave on my Windows PC and agree Chad none of the alternative more private search engines work well enough for me yet. But I keep trying DDG on occasion to see how they are doing.
JohnIL, I’m glad for the steps Apple has taken to increase Safari’s security and privacy, especially because it’s the default browser for Apple devices, which many people use. For search, I’ve been pretty happy with Startpage, which delivers Google search results in a private way. The results aren’t quite as good as Google.com, and it lacks some features, but it’s the best alternative I’ve found.