Browser Hardening: Locking Down Chrome and Edge
Think about where attacks actually reach you these days. Not through open ports — through the browser. Phishing pages, malicious ads, poisoned search results, rogue extensions, drive-by downloads: nearly all of it arrives in the one program you run all day with access to your passwords, your sessions, and your webcam permission prompts. Hardening the browser does more for your real-world security than almost anything else you can do in an afternoon, and it costs nothing.
This is a working tour of the settings that matter in Chrome and Edge, why each one matters, and the trade-offs the settings pages don't explain.
Start with the extensions — they ARE the threat model
An extension with "read and change all your data on all websites" permission is exactly as powerful as malware, with a nicer install page. Extensions also get sold: a safe extension you installed years ago can change owners and turn hostile in a routine update. So the audit is not a one-time event.
Open chrome://extensions (or edge://extensions) and apply three tests to each entry:
- Do I remember installing it, and do I still use it? No → remove. Every extension is standing attack surface.
- Does its permission level match its job? A weather extension wanting data on all sites is a mismatch. Click Details and check.
- Can it run on fewer sites? Details → "Allow this extension to read and change all your data on websites you visit" → switch to On click or On specific sites. This one setting converts a standing risk into an on-demand tool, and almost nobody uses it.
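Those three tests can be scripted against the extension manifests on disk, which is useful when you have more than one profile or machine to audit. The auditor below is an added example, not code from the post: it reads each extension's manifest.json, collects every host pattern it declares (both the Manifest V2 and V3 layouts), and flags the ones that amount to "all your data on all websites". The Linux extension directories and the four sample manifests are assumptions constructed for the example; run it against the no-extensions banking profile described later and the expected output is an empty list.

```python
"""Audit installed Chrome/Edge extensions for broad host access (added example)."""
import json
from pathlib import Path

# Host patterns that amount to "read and change all your data on all websites".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Where the browsers keep unpacked store extensions on Linux. Assumption: adjust the
# path for Windows/macOS, or swap "Default" for "Profile 1", "Profile 2", ...
EXTENSION_DIRS = {
    "chrome": Path.home() / ".config/google-chrome/Default/Extensions",
    "edge": Path.home() / ".config/microsoft-edge/Default/Extensions",
}


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern an extension declares.

    Manifest V2 mixes host patterns into "permissions"; Manifest V3 moves them to
    "host_permissions" (and "optional_host_permissions"). Content scripts carry
    their own "matches" list, which is a standing grant on those sites too.
    """
    patterns = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            # API permissions such as "storage" or "tabs" carry no scheme; hosts do.
            if isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry):
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_extension(manifest: dict) -> dict:
    """Classify one manifest: does it get all sites, and which patterns say so?"""
    patterns = host_patterns(manifest)
    broad = sorted(p for p in patterns if p in BROAD_HOST_PATTERNS)
    return {
        "name": manifest.get("name", "?"),  # may be a __MSG_..__ locale key
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "all_sites": bool(broad),
        "broad_patterns": broad,
        "patterns": sorted(patterns),
    }


def scan_extensions_dir(root: Path) -> list:
    """Walk <root>/<extension id>/<version>/manifest.json and audit each one."""
    findings = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        finding = audit_extension(manifest)
        finding["id"] = manifest_path.parent.parent.name
        findings.append(finding)
    return findings


# Constructed sample manifests standing in for a real Extensions directory.
SAMPLE_MANIFESTS = {
    "weather-widget": {"name": "Weather Widget", "version": "3.1", "manifest_version": 3,
                       "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
    "tab-notes": {"name": "Tab Notes", "version": "1.0", "manifest_version": 3,
                  "permissions": ["storage", "tabs"], "host_permissions": []},
    "legacy-helper": {"name": "Legacy Helper", "version": "0.9", "manifest_version": 2,
                      "permissions": ["tabs", "*://*/*"]},
    "site-tool": {"name": "Site Tool", "version": "2.0", "manifest_version": 3,
                  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["c.js"]}]},
}


if __name__ == "__main__":
    for browser, root in EXTENSION_DIRS.items():
        if root.is_dir():
            findings = scan_extensions_dir(root)
        else:  # no real install here: fall back to the constructed samples
            findings = [audit_extension(m) for m in SAMPLE_MANIFESTS.values()]
        print(f"== {browser} ==")
        for f in findings:
            flag = "ALL SITES" if f["all_sites"] else "scoped"
            print(f"{flag:9} {f['name']} {f['version']} (MV{f['manifest_version']}): "
                  f"{', '.join(f['patterns']) or 'no host access'}")
```

Anything reported as ALL SITES is a candidate for the "On click" switch or for removal; a mismatch between the name and the patterns (the weather widget above) is the second test from the list, made visible in one line.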
On ad blocking specifically: Chrome's move to Manifest V3 retired the original uBlock Origin; the maintained successor for Chrome is uBlock Origin Lite, which is what I'd install today. (On Firefox the full uBlock Origin still works — one of the reasons it remains the power-user choice.) An ad blocker is a security tool, not just a comfort feature: malvertising is a top delivery channel for scams and malware, and blocking the ads blocks the delivery.
The protection modes, and what you're trading
Chrome: Enhanced Safe Browsing
chrome://settings/security → Enhanced protection. Standard mode checks sites against a locally cached blocklist that updates periodically; Enhanced mode checks URLs against Google in real time and inspects downloads more aggressively, which catches the phishing sites that exist for only a few hours — most of them, these days. The trade is explicit: you are sending your browsing URLs to Google as you go. My take — if you're signed into Chrome with a Google account anyway, you've largely made that privacy decision already, so take the protection. If you deliberately keep Google at arm's length, stay on Standard and lean harder on the other layers here.
Edge: SmartScreen plus Enhanced Security Mode
SmartScreen (on by default — verify under Settings → Privacy, search and services) does Edge's reputation checking for sites and downloads, and it's good. The setting worth seeking out is Enhanced Security Mode (same page, under Security): it disables the JavaScript just-in-time compiler on unfamiliar sites. The JIT is historically one of the most exploited components in any browser; turning it off on sites you don't visit often removes a whole vulnerability class, at a cost of slightly slower page loads on those sites only. "Balanced" is the sensible setting. It's a genuinely underrated feature — the kind of mitigation that used to require enterprise tooling.
Both: HTTPS-only
Chrome: Security settings → "Always use secure connections." Edge: search settings for "automatic HTTPS." Either way the browser refuses to fall back to unencrypted HTTP without asking you first — which neutralizes a family of downgrade tricks and costs you nothing on the modern web, where plain HTTP is nearly extinct.
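If you manage more than one machine, the three protection settings above have managed-policy equivalents, so they can be enforced rather than clicked. The script below is an added example and not from the post: it holds a hardened baseline for Chrome and for Edge, a checker that reports where an existing policy file is missing a key or weaker than the baseline, and a writer for the Linux managed-policy directory. The Chrome policy names and values are from the Chrome Enterprise policy list; the Edge integer mappings for EnhanceSecurityMode and AutomaticHttpsDefault are an assumption to confirm against the Edge policy reference before deploying; the extension ID and finance domains are placeholders, and the weak sample policy is constructed.

```python
"""Managed-policy baseline for the protection settings above, plus a drift checker (added example)."""
import json
from pathlib import Path

# Linux managed-policy directories. Assumption: on Windows the same keys live under
# HKLM\Software\Policies\Google\Chrome and ...\Microsoft\Edge; macOS uses a managed plist.
CHROME_POLICY_DIR = Path("/etc/opt/chrome/policies/managed")
EDGE_POLICY_DIR = Path("/etc/opt/edge/policies/managed")

# Placeholders: fill in from the store page of the blocker you deploy, and the
# domains of the financial sites you want every extension kept away from.
AD_BLOCKER_EXTENSION_ID = "<extension-id-from-the-store>"
FINANCE_DOMAINS = ["*://*.bank.example", "*://*.broker.example"]

# Chrome: policy names and values from the Chrome Enterprise policy list.
CHROME_BASELINE = {
    "SafeBrowsingProtectionLevel": 2,      # 0 = off, 1 = Standard, 2 = Enhanced
    "HttpsOnlyMode": "force_enabled",      # "Always use secure connections", not user-revertible
    "DefaultNotificationsSetting": 2,      # 1 = allow, 2 = block, 3 = ask
    "DefaultPopupsSetting": 2,
    "DefaultGeolocationSetting": 3,
    "ExtensionInstallBlocklist": ["*"],    # nothing installs unless allowlisted
    "ExtensionInstallAllowlist": [AD_BLOCKER_EXTENSION_ID],
    # Policy form of "On specific sites": no extension may run on these hosts.
    "ExtensionSettings": {"*": {"runtime_blocked_hosts": FINANCE_DOMAINS}},
}

# Edge: SmartScreen plus Enhanced Security Mode. Assumption: the mapping
# 0 = off, 1 = Balanced, 2 = Strict and the AutomaticHttpsDefault values are from
# memory of the Edge policy reference; confirm them there before deploying.
EDGE_BASELINE = {
    "SmartScreenEnabled": True,
    "EnhanceSecurityMode": 1,              # Balanced, as the post recommends
    "AutomaticHttpsDefault": 2,            # 0 = off, 1 = likely-HTTPS sites, 2 = always
    "DefaultNotificationsSetting": 2,
    "DefaultPopupsSetting": 2,
    "DefaultGeolocationSetting": 3,
}

# Keys where a higher value is stricter, so "at least the baseline" passes.
HIGHER_IS_STRICTER = {"SafeBrowsingProtectionLevel", "EnhanceSecurityMode", "AutomaticHttpsDefault"}


def check_policy(current: dict, baseline: dict) -> list:
    """Return one finding per baseline key that is missing or weaker than the baseline."""
    findings = []
    for key, want in baseline.items():
        have = current.get(key)
        if have is None:
            findings.append(f"{key}: not set (baseline {want!r})")
        elif key in HIGHER_IS_STRICTER and have < want:
            findings.append(f"{key}: {have!r} is weaker than baseline {want!r}")
        elif key not in HIGHER_IS_STRICTER and have != want:
            findings.append(f"{key}: {have!r} differs from baseline {want!r}")
    return findings


def write_policy(policy: dict, path: Path) -> Path:
    """Write a baseline as a managed-policy JSON file (needs root on Linux)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2) + "\n", encoding="utf-8")
    return path


# Constructed example of the weak configuration: Standard protection only,
# HTTPS-only left optional, notifications allowed by default.
WEAK_CHROME_POLICY = {
    "SafeBrowsingProtectionLevel": 1,
    "HttpsOnlyMode": "allowed",
    "DefaultNotificationsSetting": 1,
}


if __name__ == "__main__":
    for finding in check_policy(WEAK_CHROME_POLICY, CHROME_BASELINE):
        print("weak:", finding)
    # To deploy on Linux, run as root:
    # write_policy(CHROME_BASELINE, CHROME_POLICY_DIR / "hardening.json")
    # write_policy(EDGE_BASELINE, EDGE_POLICY_DIR / "hardening.json")
```

After writing the file, chrome://policy (or edge://policy) shows each key and whether it was accepted; a key listed with an error there means the name or value type does not match the policy schema for that browser version.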
Site permissions: set the defaults to "ask," then say no
Under Privacy → Site settings (both browsers), the defaults to verify:
- Notifications → blocked or "ask" with a heavy bias to deny. Notification spam is the most common "my browser is infected" complaint, and it isn't an infection — it's a permission someone granted to a sketchy site once. While you're here, review the Allowed list and purge it.
- Camera, microphone, location → ask, and audit the allowed lists. Anything you don't recognize, remove.
- Pop-ups and redirects → blocked (default, but confirm).
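The allowed lists behind those settings are stored in the profile's Preferences file, so the purge can be planned from a script before you click through the UI. The auditor below is an added example, not code from the post: it reads the Preferences JSON, lists every origin holding a standing "allow" grant for notifications, camera, microphone, location and pop-ups, and reports any profile-wide default that is set to "allow" instead of ask or block. The file locations are assumptions for the "Default" profile, the stored setting values follow Chromium's content-setting enum (1 allow, 2 block, 3 ask), and the sample Preferences document is constructed.

```python
"""List per-site permission grants in a Chrome/Edge profile's Preferences file (added example)."""
import json
from pathlib import Path

# Assumption: Preferences locations for the "Default" profile; other profiles
# use "Profile 1", "Profile 2", ... next to it.
PREFERENCES_PATHS = {
    "chrome-linux": Path.home() / ".config/google-chrome/Default/Preferences",
    "edge-linux": Path.home() / ".config/microsoft-edge/Default/Preferences",
    "chrome-windows": Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Preferences",
}

# Stored ContentSetting values (Chromium's enum): 1 allow, 2 block, 3 ask.
ALLOW, BLOCK, ASK = 1, 2, 3

# Content-setting types to audit, with the defaults the post recommends for each.
EXPECTED_DEFAULTS = {
    "notifications": {ASK, BLOCK},
    "media_stream_camera": {ASK},
    "media_stream_mic": {ASK},
    "geolocation": {ASK},
    "popups": {BLOCK},
}


def origin_of(pattern: str) -> str:
    """Exceptions are keyed "primary,secondary", e.g. "https://news.example:443,*"."""
    return pattern.split(",", 1)[0]


def allowed_grants(prefs: dict) -> dict:
    """Map each audited type to the origins that hold a standing ALLOW grant."""
    exceptions = prefs.get("profile", {}).get("content_settings", {}).get("exceptions", {})
    grants = {}
    for kind in EXPECTED_DEFAULTS:
        allowed = [origin_of(p) for p, entry in exceptions.get(kind, {}).items()
                   if entry.get("setting") == ALLOW]
        grants[kind] = sorted(allowed)
    return grants


def risky_defaults(prefs: dict) -> dict:
    """Return audited types whose profile-wide default is not what the post recommends.

    A type absent from default_content_setting_values means the browser's built-in
    default applies (ask, or block for pop-ups), which is fine.
    """
    defaults = prefs.get("profile", {}).get("default_content_setting_values", {})
    return {kind: value for kind, value in defaults.items()
            if kind in EXPECTED_DEFAULTS and value not in EXPECTED_DEFAULTS[kind]}


def load_preferences(path: Path) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample mirroring the real layout (timestamps shortened).
SAMPLE_PREFS = {
    "profile": {
        "default_content_setting_values": {"notifications": ALLOW, "geolocation": ASK},
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://news.example:443,*": {"setting": ALLOW, "last_modified": "0"},
                    "https://calendar.example:443,*": {"setting": BLOCK, "last_modified": "0"},
                },
                "media_stream_camera": {
                    "https://meet.example:443,*": {"setting": ALLOW, "last_modified": "0"},
                },
                "media_stream_mic": {},
            }
        },
    }
}


if __name__ == "__main__":
    prefs = SAMPLE_PREFS
    for name, path in PREFERENCES_PATHS.items():
        if path.is_file():
            prefs = load_preferences(path)
            print("auditing", path)
            break
    for kind, origins in allowed_grants(prefs).items():
        print(f"{kind}: {', '.join(origins) or '(none allowed)'}")
    for kind, value in risky_defaults(prefs).items():
        print(f"default for {kind} is {value}, expected one of {sorted(EXPECTED_DEFAULTS[kind])}")
```

The script only reads the file. Revoke grants through Site settings rather than by editing Preferences, because a running browser rewrites the file and will overwrite hand edits.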
The habit that beats every setting: profile separation
Browsers let you run multiple profiles — completely separate cookie jars, extensions, sessions, histories. Click your avatar → Add profile. The high-value move is a dedicated profile for banking and finance: no extensions installed in it, used for nothing else. Now a malicious extension in your everyday profile can't touch your bank session, and a phishing link you click while browsing can't ride on logged-in financial cookies, because there are none in that profile. It's the cheapest isolation technology you'll ever deploy — and the same trick, inverted, gives you a junk profile for sites you don't trust.
Passwords and sync, briefly
The built-in password manager is fine and better than reuse; a dedicated manager is better still, and either way the killer feature is the same: autofill that refuses to fire on the wrong domain, which quietly defeats most credential phishing. Add passkeys on top wherever sites offer them — I've written a full guide. If you sync your browser, protect the account doing the syncing with strong auth, because whoever controls that account controls every saved password; and consider Chrome's sync passphrase option, which encrypts synced data so even Google can't read it.
The five-minute version
Short on time? Do these and you've captured most of the value: remove every extension you don't actively use, switch the survivors to "on click," install uBlock Origin Lite, turn on Enhanced Safe Browsing (Chrome) or check SmartScreen + Enhanced Security "Balanced" (Edge), enable HTTPS-only, purge the notification allow-list, and create the no-extensions banking profile. The whole pass fits in a coffee break, and you'll feel the malvertising disappear by tomorrow.