Hardening macOS pt.3: Browsers compartmentalisation
Sorry, I am a bit late.
I had to fight some script kiddies and unneeded scrapers. But that’s food for other thoughts, today we’ll play with the Browsers!
Previous posts on this series
- macOS Hardening: a new series
- First hardening of the network layer
Introduction
Apart from the Operating System, the application people use the most is the web browser. If we look at the numbers, Chrome dominates — so chances are it’s the most used program on any given machine, period. I’ve never dug too deep into the exact statistics, but common sense and a quick glance at any analytics dashboard will tell you the same story.
My personal experience points to a different direction: many pentesters find Firefox more convenient when working (if you’re wondering, this has to do with the proxy settings: Firefox lets you configure proxy settings per-profile without touching the system — Chrome doesn’t). I am no exception. But I recognise that Google Chrome is a great piece of spyware browser, indeed.
What does this mean for us? That we need to give special attention to this layer. And in fact, to me browsers constitute a layer by themselves, so they deserve a special hardening treatment.
We already assessed some threats connected to the usage of browsers. We know who the potential enemies are:
- Advertising industry — Google, Meta, and the whole adtech ecosystem. Their business is us. Tracking is no accident - tracking is their product.
- Data brokers — Acxiom, Oracle Data Cloud, LexisNexis. They buy, aggregate, and sell profiles (behavioural profiles too!). You don’t know they exist. They know all about you.
- Browser vendors — Google for Chrome, but also Microsoft when it comes to Edge. Who knows about Safari and Apple?
- Governments, agencies — non Mossad-level (again, none of us is Mr. Snowden). Nevertheless there is a certain level of passive surveillance: ISPs are forced by law to log, and service providers may be obliged to hand over data.
- Your company — If you use the corporate browser, your traffic may be intercepted. MDM, corporate proxies, root certificates.
- Script kiddies and other criminals — phishing, malvertising, watering hole attacks. Browsers are a great entry point!
Now, let’s leave your company aside - after all, it’s just traffic you’d generate on someone else’s machine so you shouldn’t expect any privacy. The rest are not nice enemies to have - think about it.
Data brokers/Adtech
Data brokers/Adtech corporations mainly focus on your behaviour, using «innocent» technologies (javascript, cookies, tracking pixels) to create a model of you and your habits. Don’t underestimate this - your behaviours are part of what you are, because behaviour is, by definition, something you do — it’s not metadata, it’s you. I am appalled that nobody has fought to have behavioural data classified as biometric data. The problem is that people profit from you, quite often exploiting your brain’s vulnerabilities. It’s a soft attack — like being tortured with a cotton ball — nothing painful or worrisome at first, but in the long run it hurts.
Browsers vendors
No browser is your friend. Some may be less hostile than others, but none of them are “good”. The choice is not “which browser is the most secure” but “what gives me more tools to defend myself”.
Let’s have a look at the major vendors.
Google Chrome
- Everything is synced to Google, by default. History, passwords, bookmarks. Even open tabs. The average user does not even know that these defaults can be changed with settings.
- Topics API (FLoC’s successor, which itself replaced third-party cookies). This is somewhat outrageous: Google has killed third-party cookies to replace them with Google’s profiling system directly integrated in the browser. Talk about letting the fox guard the henhouse…
- Every search on the omnibar passes through Google, including metadata. If suggestions are active, every character is a Google query.
- Chrome checks every visited URL with Google (Safe browsing). Useful for security? Sure. But Google sees where I go. Do I like this? Personally, no.
- clientID and channel in HTTP requests sent by Chrome, in default configurations. Meh.
Microsoft Edge
Bwhahahahah - hahahahahhaahha - please stop, it hurts.
Ok, I can do it.
- Well, Edge is a Chromium fork, with layers of Microsoft telemetry on top. It reminds me of “Ashura’s Mazinger”: the worst of two worlds.
- “Shopping assistant”, “Copilot”, “Follow creators”. On by default. Everything calls back home. Your grandma’s dream come true: “you never write, you never call”.
- On Windows, Edge reinstalls itself with every major update, and nags you to become the default browser.
- It’s Microsoft, you can figure out what their priorities are.
Safari
- Apple’s marketing says “privacy by design”. Partially true — Intelligent Tracking Prevention is quite good.
- Telemetry is opaque, at best. You cannot audit what it sends - closed source. You must trust Safari.
- Safari sends queries to Apple for Safe Browsing (through OHTTP — Oblivious HTTP — which should prevent Apple from linking queries to your identity). Better than Google? Likely. Verifiable? Nope — closed source.
- Limited extension functionality — Apple hides behind security when it comes to extensions - and I largely agree. Nevertheless, one cannot install the full uBlock Origin. Strange, innit?
- iCloud syncs tab and history — You on iCloud? Then Apple knows where you go.
Firefox
With a bleeding heart:
- Firefox is not bad at all, but as any Burp Suite user would say: take your telemetry and stick it wher… too much telemetry.
- Mozilla bought Pocket. And now it is there. A cumbersome, useless presence.
- Anno Mundi 2017. Mr. Robot. Broken trust. 7 words to say it all.
- Economic dependence on Google. The “default search engine” deal with Google is Mozilla’s main source of income. The browser spearheading privacy protection funded by the company whose main interest is monetising your privacy.
We shall use Aikido, not Krav Maga. We need browsers — there’s no way around it. We can’t rewrite them, we can’t replace them, and we certainly can’t fight the corporations behind them.
But nobody stops us from misusing their products — twisting them away from their intended purpose, stripping their telemetry, compartmentalising their reach, and turning their own features into our defensive layers.
There are a few more browsers to introduce.
Brave
Chromium based, but with aggressive tracking protection. The trade-off: Chrome’s compatibility with a substantial part of the telemetry stripped out. But I still remember 2020, the crypto referral links injected automatically. Good product, but shattered trust.
Mullvad Browser
The hybrid child of the Tor Project and Mullvad VPN collaboration. A Tor Browser without Tor. Serious anti-fingerprinting approach - all users share the same fingerprint. But try surfing «that website» or «that social» and you’ll see things break. You cannot stay logged in anywhere for long.
LibreWolf
Perhaps the best browser around. Firefox without all that stuff that makes Firefox an unpleasant golem. No telemetry, no Pocket. uBlock Origin installed by default. Unfortunately, it is not notarised, so to use it you first need to install it via Homebrew:
```
3gnever@0xREVENG3 distribution % brew install --cask librewolf
Warning: librewolf has been deprecated because it does not pass the macOS Gatekeeper check! It will be disabled on 2026-09-01.
```
and then strip the quarantine attribute:
```
xattr -cr /Applications/LibreWolf.app
```
After 2026-09-01, we’ll frigging compile it from scratch!

Government and Agencies
This is a delicate topic, and not easy to touch. This blog doesn’t do politics, and therefore doesn’t cover this kind of surveillance either, but in the heart of my hearts I am sympathetic to the Cypherpunk philosophy. I won’t say much - but if you want a hint: strong encryption is your friend.
Script Kiddies, Cybercriminals, and all those people
To cyber-nuke their butts, you first have to cover yours, and browsers are one of the weakest pieces of software in your stack. But even if you don’t wanna cyberwhatever them, you still need to think about a few things. JavaScript, for instance, is an open wound in your security posture. You’d be utterly stupid to visit the dark web with a JS-enabled browser.
You received a lovely business card with a QR code? you saw the QR code in the toilet of that pub in Canary Dwarf (yes, I know it’s Canary Wharf, but…)? Santa Claus brought you a QR Code as a present for X-mas? Well, business cards do great in your fireplace. Santa is a dictator that enslaves elves and therefore should not be trusted. Who in this world would scan a QR code in a toilet? - seriously: you can’t see where it leads, so why would you go?
The point is: you must protect your browser. Use the latest versions, keep an eye on the CVE lists, don’t install extensions you don’t know. The first layer of protection is, unsurprisingly, yourself.
Compartmentalisation
Using a single browser for everything is the perfect recipe for disaster. You have multiple browsers? Well, then use them for multiple purposes.
Before I tell you how to harden them, let me show you my setup. You can take inspiration, but don’t follow it blindly. My setup mirrors my needs, not yours. For instance: I am not into online gaming, but if online gaming were my hobby, I would dedicate a browser exclusively to that.
Read the following paragraph keeping in mind that:
- I do penetration testing, so for me having a plethora of browsers is normal
- Sometimes I need to access… questionable websites. Questionable here is not a synonym of piracy - quite the opposite: sometimes I need to follow tracks. Well, it’s complicated.
- Sometimes I need to visit the dark web. Same reasons, actually.
- I sometimes need to use Safari (captive portals are not great friends of the other guys)
- I am forced to use some social networks. Obtorto collo.
- I have businesses in a few countries - I need to access Government web pages.
Gabriel’s setup
I modelled my needs as follows:
| Browser | Use Case | Reason |
|---|---|---|
| Mullvad | Casual browsing, research, news, downloads | Uniform fingerprint, no persistence. You’re nobody. |
| Firefox (hardened) | Social media | Compartmentalised containers |
| Safari | Banking, government, Apple ecosystem, captive portals | Sandboxed, vanilla, least likely to break on “serious” sites. |
| Brave | Amazon. Nothing else | I like the icon :) Good out-of-the-box privacy, Chrome compatibility. No identity |
| LibreWolf | Pentesting, development, technical work | Serious Firefox. Works fine! |
| Firefox on VM | Dark web, Questionable sites | I restore the VM after every usage to a stable snapshot |
| Chrome on VM | Dark web, Questionable sites | I restore the VM after every usage to a stable snapshot |
Notice the last two rows. For truly risky browsing, a different browser is not enough — you need a disposable environment. The snapshot is the real protection, not the browser.
We will not discuss the OS of my burner machines - suffice it to say that I enjoy Security Through Obscurity implemented with FreeBSD. But sometimes you can find me playing with Linux or other BSD flavours. I am more a BSD guy, though - systemd and I are not good friends.
The last suggestion: don’t copy me - it’s masochistic and futile. But spend some time deciding which browsers you want to use. Draft a table like the one above, write reasons and use cases. Have a map - it’ll become a habit sooner than you’d expect.
Hardening
Now let’s roll up the sleeves, time to get dirty.
Not all of this will apply to your case, and blah blah blah. I hope it’s clear you need to have your own setup.
Hardening Safari
In the macOS ecosystem, Safari is “the good guy”. Looks like the good choir boy, the naive one. Hardening it becomes mandatory.
Safari has some killer features that are implemented quite well:
- each tab is isolated (good sandboxing)
- great integration with Passwords/iCloud Keychain
- Intelligent Tracking Prevention (ITP) active by default.
Other aspects need some tweaking. Open Safari settings (⌘,).
General tab
Here’s the General tab:

Notice the option Open safe files after downloading. This is blasphemy. Uncheck that box!
The remaining options are not security-relevant.
Autofill tab
For your convenience, here’s what the tab looks like:

I give you my (almost mandatory) suggestions, then make your bed and sleep in it:
- Using information from your contacts - the browser does not really need to know who you know to fill in a form. On the other hand, a malicious site could leak your contacts through autofill injection. What to do? I disable it. But if you hate your contacts, you may want to keep it enabled.
- Credit cards. Your browser does not really need to know your credit card number. And you should also start using virtual (one off) credit cards. The day Revolut sponsors me, I’ll be happy to suggest them.
- Other forms. It’s kind of opaque, isn’t it? So… I disable it.
- Passwords - up to you. If you use a password manager (and you should!), disable this option. If you only use the Apple Passwords utility - well, you lose functionality without a real alternative.
Search tab
This is how it looks:

I won’t fight the search engine crusade, but consistency suggests choosing the engine wisely. If possible, I’d use Startpage - it proxies Google, with its quality, without Google.
No matter what, turn off the following options:
- Include search engine suggestions: every key pressed is a query to the search engine
- Include Safari Suggestions - same, but with Apple
- Preload Top Hit in the background - Safari visits the website before you do. It’s unauthorised traffic.
Remaining default options are ok.
Websites tab
Here’s the Websites tab:

Observe how you can fine-tune some “entitlements” for the websites. I strongly suggest checking that all websites you visit have the Location, Microphone, and Camera properties always set to Ask.
Privacy tab
Default options are fine, but check that Prevent cross-site tracking and Hide IP address from trackers are enabled.

Advanced tab
Show full website address is not security, per se, but seeing the full URL helps spot phishing.
Change Use advanced tracking and fingerprinting protection to in all browsing.

I also tend to check the Show features for developers checkbox, which unveils another menu, Feature Flags. We won’t touch Feature Flags here, but it’s good to know it exists — and it may come in handy in the manual.
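The settings walked through in the tabs above live in Safari’s preferences plist, so they can be checked without clicking through the UI. The script below is an added example, not from the original post: it audits a plist against the settings discussed (Open safe files, the Autofill switches, the Search suggestions, Show full website address). The key names and the plist location are assumptions taken from the com.apple.Safari defaults domain as it is commonly documented; confirm them on your Safari version with `defaults read com.apple.Safari` before relying on them. The sample plist at the bottom is constructed for the demo.

```python
# Added example (not the post's own code): audit Safari's preferences plist
# against the settings discussed in the General/Autofill/Search/Advanced tabs.
# Safari keeps its settings in a plist inside its container; reading that file
# directly needs Full Disk Access for your terminal, `defaults read com.apple.Safari`
# is the sanctioned route. Key names and path are assumptions: verify them.
import plistlib
from pathlib import Path

SAFARI_PLIST = (Path.home() / "Library/Containers/com.apple.Safari/Data/Library"
                / "Preferences/com.apple.Safari.plist")  # assumed location

# (key, wanted value, the setting as the post names it). Every wanted value is the
# non-default one, so a key that is absent from the plist means the default still applies.
WANTED = [
    ("AutoOpenSafeDownloads", False, "General: Open safe files after downloading"),
    ("AutoFillFromAddressBook", False, "Autofill: Using information from my contacts"),
    ("AutoFillCreditCardData", False, "Autofill: Credit cards"),
    ("AutoFillMiscellaneousForms", False, "Autofill: Other forms"),
    ("SuppressSearchSuggestions", True, "Search: Include search engine suggestions (must be off)"),
    ("UniversalSearchEnabled", False, "Search: Include Safari Suggestions"),
    ("PreloadTopHit", False, "Search: Preload Top Hit in the background"),
    ("ShowFullURLInSmartSearchField", True, "Advanced: Show full website address"),
]


def audit_safari(prefs: dict) -> list:
    """Return one finding per key whose value is missing or differs from WANTED."""
    findings = []
    for key, wanted, setting in WANTED:
        actual = prefs.get(key)
        # Values may be stored as bool or as 0/1; an absent key is the default, hence wrong.
        if actual is None or bool(actual) != wanted:
            findings.append({"key": key, "wanted": wanted, "actual": actual, "setting": setting})
    return findings


def audit_plist_bytes(data: bytes) -> list:
    """Same audit on raw plist bytes (binary or XML), e.g. a copy of the file."""
    return audit_safari(plistlib.loads(data))


def audit_plist_file(path: Path = SAFARI_PLIST) -> list:
    """Audit the live plist (needs Full Disk Access when read from the container)."""
    with open(path, "rb") as fh:
        return audit_safari(plistlib.load(fh))


# Constructed sample plist, not from a real machine: one setting already right,
# two wrong, the rest still at their defaults (absent).
SAMPLE_PLIST = plistlib.dumps({
    "AutoOpenSafeDownloads": True,
    "UniversalSearchEnabled": True,
    "ShowFullURLInSmartSearchField": True,
})

if __name__ == "__main__":
    for f in audit_plist_bytes(SAMPLE_PLIST):
        state = "not set (default)" if f["actual"] is None else f["actual"]
        print(f'{f["setting"]}: wanted {f["wanted"]}, found {state} ({f["key"]})')
```

Run it as-is to see the report on the constructed sample; point `audit_plist_file()` at a copy of your own plist to check a real machine. Where a key name turns out to differ on your Safari version, `defaults read com.apple.Safari` lists what Safari actually wrote after you flip the switch in the UI.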
Last notes
- if you haven’t set a homepage, when you open a new browser window you see a brief privacy report:

Observe that 38 websites out of 100 contain/contact trackers. This is how pervasive the phenomenon is. (yes, those are my bookmarks. no, I don’t apologise. yes, I am trying to learn German)
- you can also access this report from the Safari menu.
- However, if you run Safari through amiunique.org you have a good posture. It’s also confirmed by coveryourtracks.
- nevertheless, you are unique among more than four million probes.

Hardening Firefox
If Safari was the choir boy, Firefox is the real badass. There is a lot more to tweak, so let’s start with a fresh test:

This already makes me think. This is not really a vanilla Firefox: I did some tweaking before I thought about testing for uniqueness, therefore I expected some more resistance to profiling. I was wrong.
Settings UI
Open a new Firefox window and navigate to about:preferences
General
Set a blank homepage — Firefox defaults are sponsored content. Also, avoid checks for default browsers. They’re boring.
Home
Firefox Home Content: set everything off. Adds no value.
Search
If privacy is your concern, whenever you read «Google» next to anything, disable it. Here’s my setup — emulate it (you can replace StartPage with DuckDuckGo)

Privacy & Security:
- Enhanced Tracking Protection: switch to Strict
- Tell websites not to sell or share my data: switch on
- Passwords: switch everything off
- Payment methods: switch everything off.
- Addresses: switch everything off.
- Permissions: usually Firefox behaves well and asks you for permissions to use resources. Check if you have any permission already set by default.
- Block pop-ups and third-party redirects: must be on
- Warn when web sites try to install extensions: must be on
- Firefox Data Collection and Use: they must be joking, right? Switch everything off.
- Security: switch everything on.
- Send websites a Do Not Track request: some say this option makes you more identifiable. I am not 100% sure, so I keep this thing off.
- Cookies and Site Data: Delete cookies and site data when Firefox is closed - switch it on
- History: Use custom settings for history - set it to clear history when Firefox closes
- HTTPS-Only Mode: Enable in all windows
- DNS over HTTPS: if you did your homework and have your NextDNS account, then select Enable DNS over HTTPS using Max Protection
Sync
If you don’t use Sync, kudos! This tab is really useless for you. If you do, know that Mozilla sees your synced data.
The Slaughterometry - how to get rid of telemetry
This is going to be a very long list, so I’ll keep comments to a minimum. The right arrow (→) stands for set the value to.
Browse to about:config. Accept the risk and continue.

You wouldn’t imagine how many telemetry settings there are, would you? Don’t worry, sharpen your axe. The mayhem begins.
1 - Switch off core telemetry
toolkit.telemetry.enabled → false
toolkit.telemetry.unified → false
toolkit.telemetry.archive.enabled → false
toolkit.telemetry.newProfilePing.enabled → false
toolkit.telemetry.shutdownPingSender.enabled → false
toolkit.telemetry.updatePing.enabled → false
toolkit.telemetry.bhrPing.enabled → false
toolkit.telemetry.firstShutdownPing.enabled → false
2 - Switch off data reporting
datareporting.healthreport.uploadEnabled → false
datareporting.policy.dataSubmissionEnabled → false
3 - Switch off studies and experiments
app.shield.optoutstudies.enabled → false
app.normandy.enabled → false
app.normandy.api_url → "" (empty string: cancel everything)
4 - Switch off pings and beacons
beacon.enabled → false
5 - Switch off Activity stream (new tab telemetry)
browser.newtabpage.activity-stream.feeds.telemetry → false
browser.newtabpage.activity-stream.telemetry → false
6 - Switch off Pocket
extensions.pocket.enabled → false
7 - Switch off Crash reporter
browser.tabs.crashReporting.sendReport → false
browser.crashReports.unsubmittedCheck.autoSubmit2 → false
Now it’s a good time to quit Firefox and restart it. It shouldn’t change much, but just in case…
8 - More telemetry
Navigate to about:config. Delete the first two entries (they are cached identifiers), and set the two URLs to an empty string:
toolkit.telemetry.cachedClientID → delete
toolkit.telemetry.cachedProfileGroupID → delete
toolkit.telemetry.dap.helper.url → "" (empty string: cancel everything)
toolkit.telemetry.dap.leader.url → "" (empty string: cancel everything)
9 - Fingerprinting
privacy.resistFingerprinting → true
A word of caution: the above setting “breaks things”. Timezone, canvas, window size, and other values are normalised to a default. Some websites “break”.
10 - leaking-info API
dom.battery.enabled → false
geo.enabled → false
media.navigator.enabled → false
and the most important one:
media.peerconnection.enabled → false
If set to true, the browser can expose your real IP address through WebRTC, even with a VPN enabled: the classic WebRTC leak. Setting it to false breaks Google Meet, Zoom web, and Teams. If you need them, leave it on and use a dedicated browser.
11 - Referer
network.http.sendRefererHeader → 2
network.http.referer.XOriginPolicy → 1
12 - Prefetching (unwanted connections)
network.prefetch-next → false
network.dns.disablePrefetch → true
network.predictor.enabled → false
network.http.speculative-parallel-limit → 0
13 - Extra hardening
// Disable DRM (if you don't use Spotify/Netflix in your browser)
media.eme.enabled → false
// Clipboard API
dom.event.clipboardevents.enabled → false
// WebGL (fingerprinting vector). WARNING: breaks Google Maps
webgl.disabled → true
// Block mixed content (plain-HTTP resources loaded on HTTPS pages)
security.mixed_content.block_active_content → true
security.mixed_content.block_display_content → true
Now we’re done with the Slaughterometry. Phew.
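Clicking through forty prefs in about:config is error-prone, and a Firefox update or a stray reset can quietly flip some of them back. The script below is an added example, not from the original post: it turns the Slaughterometry list into a user.js (Firefox reads user.js from the profile directory at every start and applies each user_pref() line) and audits an existing prefs.js against the same list, reporting every pref that is missing or set differently. Everything in it is taken from the list above except two choices of mine: the two cached IDs the post says to delete cannot be deleted from user.js, so they are blanked instead, and the sample prefs.js at the bottom is constructed for the demo. The profile location is an assumption; about:profiles shows the real path.

```python
# Added example (not the post's own code): generate a user.js from the about:config
# list above and audit a prefs.js against it.
import re
from pathlib import Path

# Prefs from the Slaughterometry list. The two cached IDs cannot be deleted from a
# user.js, so they are set to "" here (my choice, not the post's).
SET_FALSE = [
    "toolkit.telemetry.enabled", "toolkit.telemetry.unified",
    "toolkit.telemetry.archive.enabled", "toolkit.telemetry.newProfilePing.enabled",
    "toolkit.telemetry.shutdownPingSender.enabled", "toolkit.telemetry.updatePing.enabled",
    "toolkit.telemetry.bhrPing.enabled", "toolkit.telemetry.firstShutdownPing.enabled",
    "datareporting.healthreport.uploadEnabled", "datareporting.policy.dataSubmissionEnabled",
    "app.shield.optoutstudies.enabled", "app.normandy.enabled", "beacon.enabled",
    "browser.newtabpage.activity-stream.feeds.telemetry",
    "browser.newtabpage.activity-stream.telemetry", "extensions.pocket.enabled",
    "browser.tabs.crashReporting.sendReport", "browser.crashReports.unsubmittedCheck.autoSubmit2",
    "dom.battery.enabled", "geo.enabled", "media.navigator.enabled",
    "media.peerconnection.enabled", "network.prefetch-next", "network.predictor.enabled",
    "media.eme.enabled", "dom.event.clipboardevents.enabled",
]
SET_TRUE = [
    "privacy.resistFingerprinting", "network.dns.disablePrefetch", "webgl.disabled",
    "security.mixed_content.block_active_content", "security.mixed_content.block_display_content",
]
SET_EMPTY = [
    "app.normandy.api_url", "toolkit.telemetry.dap.helper.url", "toolkit.telemetry.dap.leader.url",
    "toolkit.telemetry.cachedClientID", "toolkit.telemetry.cachedProfileGroupID",
]
HARDENING = {
    **{n: False for n in SET_FALSE}, **{n: True for n in SET_TRUE}, **{n: "" for n in SET_EMPTY},
    "network.http.sendRefererHeader": 2, "network.http.referer.XOriginPolicy": 1,
    "network.http.speculative-parallel-limit": 0,
}

# One user_pref("name", value); per line, as prefs.js and user.js spell it.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def js_literal(value) -> str:
    """Render a pref value as Firefox writes it (bool is checked before int: bool is an int)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_literal(text: str):
    """Inverse of js_literal for the three value types Firefox prefs use."""
    text = text.strip()
    if text in ("true", "false"):
        return text == "true"
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    raise ValueError(f"unsupported pref literal: {text!r}")


def render_user_js(prefs=HARDENING) -> str:
    """The user.js text to drop into the profile directory while Firefox is closed."""
    lines = ["// user.js generated from the hardening list; Firefox applies it at every start"]
    lines += [f'user_pref("{n}", {js_literal(v)});' for n, v in sorted(prefs.items())]
    return "\n".join(lines) + "\n"


def parse_prefs_js(text: str) -> dict:
    """Collect user_pref() lines from a prefs.js/user.js; comments and other lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            found[m.group(1)] = parse_literal(m.group(2))
    return found


def audit(prefs_js_text: str, expected=HARDENING) -> list:
    """(name, wanted, actual) for every pref that deviates. actual is None when the pref
    is not in the file, i.e. still at Firefox's built-in default. Types are compared too,
    so an integer 0 does not pass as false."""
    current = parse_prefs_js(prefs_js_text)
    out = []
    for name, wanted in sorted(expected.items()):
        actual = current.get(name)
        if type(actual) is not type(wanted) or actual != wanted:
            out.append((name, wanted, actual))
    return out


# Constructed sample of a prefs.js (not a real profile): telemetry still on, Pocket off.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.normandy.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.pocket.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("toolkit.telemetry.cachedClientID", "00000000-0000-0000-0000-000000000000");
user_pref("toolkit.telemetry.enabled", true);
"""

if __name__ == "__main__":
    for name, wanted, actual in audit(SAMPLE_PREFS_JS):
        found = "not set (default)" if actual is None else js_literal(actual)
        print(f"{name}: wanted {js_literal(wanted)}, found {found}")
    # Assumed location; about:profiles shows the real path of your profile.
    print("profiles live under", Path.home() / "Library/Application Support/Firefox/Profiles")
```

Write `render_user_js()` to `user.js` in the profile directory with Firefox closed, then re-run `audit()` on the profile’s `prefs.js` after a restart: anything still reported has been overridden by a policy or an extension and needs a look. The type check in `audit()` matters because about:config will happily hold an integer where a boolean was meant, and such a pref is silently ignored.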
Extensions
When it comes to extensions, you need to keep something in mind: they’re often written by shitty ehm, python, umphf independent developers. Some may not be very good at writing code, therefore you need to consider extensions as an expansion of your attack surface. In other words: keep the number of extensions to the bare minimum.
I suggest you use:
- uBlock Origin
- Multi Account Containers
- Temporary Containers
Good time to restart Firefox and run the fingerprinting tests again.

We’ve done quite a job. Strong protection, but still a unique fingerprint.
Mullvad, Librewolf and Brave
Mullvad, LibreWolf, and Brave come pre-hardened — that’s their point. The work we did on Safari and Firefox is what those browsers do out of the box. They still need the same operational discipline as everything else, but choose your battles.
Quick recap - amiunique
The numbers represent the sample size at the time of testing. In all cases, the browser fingerprint was unique — meaning identifiable among millions.
| Browser | Before hardening | After hardening |
|---|---|---|
| Safari | 4810671 | 4810666 |
| Firefox | 4810701 | 4811104 |
| Brave | 4811462 | 4811462 |
| Mullvad | 4811462 | 4811462 |
| Librewolf | 4811461 | 4811461 |
| non-hardened Google Chrome | 4811469 | n/a |
This is the hardening paradox: the more you tweak, the more you stand out. This is precisely why Mullvad is my daily driver — when everyone looks the same, nobody stands out.
Conclusion
Browsers are the most exposed layer in your stack. We hardened Safari and Firefox, introduced compartmentalisation as a strategy, and discovered an uncomfortable truth: hardening can make you more unique, not less.
The real defence is not a single hardened browser — it’s using the right browser for the right context. Mullvad when you want to be nobody. Firefox when you choose to be someone. Safari when the system demands it.
In the next post, we’ll tackle secrets management — passwords, passkeys, and how to make stolen data useless.
Stay paranoid, but have fun!
References
- amiunique.org
- coveryourtracks.eff.org
- Mullvad Browser
- LibreWolf
- uBlock Origin
- Multi-Account Containers
- Temporary Containers
Wanna interact?
Then come visit me on mastodon