Securing Safari: How to run Apple's Web browser securely

Installation choices

During the Safari for Windows installation process, Apple gives you the option to install the Bonjour networking service and a software update utility that helps with the patching/updating process.

For security reasons, uncheck the Bonjour service installation. There have been serious code execution holes found in this service.

Install the Apple Software Update tool to ensure you receive fixes and security patches automatically.

Pop-up blocking

This screen is taken from Safari on the Mac but it also applies to the Windows version.

On Safari for Windows, choose Edit and ensure that Block Pop-up Windows is checked.

The shortcut for this is Ctl+Shift+K.

This option will prevent sites from opening another window through the use of scripting, or active content.

You should be aware that while pop-up windows are often associated with advertisements, some sites may attempt to display content relevant to your usage of the site in a new window.

Therefore, setting this option may disable the functionality of some sites.

Source: CERT/CC (Computer Emergency Response Team Coordination Center).

Downloading and opening files

On the Mac OS (screenshot), choose Safari > Preferences. On Safari for Windows, choose Edit > Preferences

In the General tab, you can set up many options such as Save downloaded files to: and Open "safe" files after downloading.

CERT/CC recommends that you save downloaded files to a temporary folder that you create for downloading files.

For security reasons, be sure to uncheck the Open "safe" files after downloading option.

Beware the auto-fill feature

Move next to the AutoFill tab to select what types of forms your browser will fill in automatically.

In general, CERT/CC recommends against using AutoFill features because if someone can gain access to your computer, or to the data files, then the AutoFill feature may permit them even easier access to other sites that they would not otherwise have the ability to access.

However, if used with appropriate protective measures, it may be acceptable to enable AutoFill.

On the Mac, use filesystem encryption software such as OS X FileVault to provide additional security for files that reside your home directory.

Plug-ins, JavaScript and cookies

The Security tab includes the most important settings to help reduce the risk of drive-by downloads.

The Web Content section permits you to enable or disable various forms of scripting and active content. CERT/CC recommends disabling the first three options in this section, and only enabling them when you require the functionality of these features.

You should select the Block Pop-up Windows to prevent sites from opening another window through the use of scripting, or active content. However, be aware that while pop-up windows are often associated with advertisements, some sites may attempt to display content relevant to your usage of the site in a new window. Setting this option may therefore disable the functionality of some sites.

Use Safari without plug-ins and Java by disabling the options Enable plug-ins and Enable Java.

It is also safer to disable JavaScript. However, many web sites require JavaScript for proper operation.

You can also disable cookies and view or remove cookies that have been set.

CERT/CC recommends disabling cookies and enabling them only when you visit a site that requires their use. At this point, you should determine if the site is trustworthy (i.e., contains no malicious content and is securely designed) and determine whether you want to allow cookies to access the site’s content. After you are finished visiting the site, we recommend disabling cookies until you need to access a site that requires cookies.

You can limit cookies to the sites that you navigate to by selecting the option Only from sites you navigate to. This will permit sites that you visit to set cookies, but not third-party sites. Finally, we recommend selecting the Ask before sending a non-secure form to a secure website option. This will alert you when data is sent to a secure web site over an insecure channel.

Source: CERT/CC.

Private Browsing

Safari (on Mac and Windows) offers a feature called Private Browsing.

You can turn this on via the Edit drop-down on Windows or from Safari on the Mac.

When Private browsing is turned on, Safari won’t store your Google searches, your cookies, the history of sites you’ve visited, your download history, or information from online forms you’ve filled out.

If you’ve been browsing without private browsing turned on, just use Privacy Reset to empty your cache and clear Safari of your browsing, forms, and search history.