Securing your Mac – Safari Security

A web browser is an application we rely on a lot. From simply reading articles and catching up with news, to checking our email and banking online, it is the interface into much of what we do online.

That also means a web browser is exposed to a lot of potential security risks — and shoulders significant responsibility for keeping the stuff you do online separate, private where necessary, and safe. In this post, I’ll look at the Mac’s default browser, Safari, and some of the things you can do to enhance and ensure it is running as securely as possible.

The Big Wide World

I’ve hinted at this already, but let me reiterate — we expect browsers to handle a lot in terms of security. Every web page you visit has to be treated as a potential source of threat, because, unfortunately, some web pages are. Drive-by downloads, cross-site scripting (XSS), cross-site request forgery (CSRF) and browser exploits are all frightening buzzwords, and things that browsers can potentially fall victim to. It’s not limited to a ‘dodgy’ corner of the web, either: legitimate sites are sometimes hijacked by the bad guys and start presenting this kind of threat.

This all sounds scary, but all I’m saying is that we need to bear in mind that whatever you do, and whatever settings you set, there will always be a certain level of risk associated with using the web. It’s like crossing the street — potentially dangerous, but a calculated risk we take in order to get to the other side.

Keeping Up-to-Date

One of the buzzwords I mentioned earlier was ‘browser exploits’. So what does this mean? Well, programmers, unfortunately, make mistakes. These mistakes can introduce vulnerabilities into the applications we use, and these vulnerabilities can mean someone with malicious intent can get your browser to do something it wasn’t designed or expecting to do — which could crash your browser, reveal information that it shouldn’t be able to, or in the worst cases, give the attacker control over your computer.

The good news is that there are good guys working just as hard as the bad guys to find these mistakes and correct them. When they do, these fixes are delivered via software updates.

Just go to the Apple menu and choose Software Update to check for any updates to Safari and the rest of Mac OS X. It’s nice and easy to do, and if you’re logged on as an Administrator, you’ll actually be notified of new updates automatically. (This advice goes for all other software as well — vulnerabilities are found in many types of applications, not just browsers! Applying security updates promptly makes a world of difference.)


One important thing to keep in mind is: No matter which browser you use on the Mac, you need to keep Safari up-to-date. (Why? Because the WebKit engine that is part of Safari is used inside other built-in and third-party OS X apps too, like Mail, iTunes, Dashboard, the Mac App Store… the list goes on!)

Switching Things Off

If you’ve been following my Securing your Mac series from the beginning, you’ll know that one of the key principles of computer security is switching things off when you’re not using them. With this principle in mind, what preferences are set in Safari that ought not to be? Let’s take a look:

Open ‘Safe’ Files after Downloading

Open up Safari’s Preferences window by going to Safari > Preferences. On the General tab, you might notice an option that straight away sets alarm bells ringing.


While on the face of it, allowing movies, pictures and some documents to open automatically might sound innocuous, this is a default setting in Mac OS X that makes me thoroughly uncomfortable. A website might unexpectedly begin downloading a file to your computer (known as a ‘drive-by download’) and, with this setting enabled, it might open automatically. Bear in mind that all applications can have vulnerabilities, PDF viewers included; automatically opening a malicious PDF that arrived as a drive-by download doesn’t sound so harmless!

This default setting even opens disk image files, which might contain an application you really don’t want on your system!

So go ahead and switch this off. I’m firmly of the belief that the extra second or two it takes to double-click a file in the Downloads window to open it manually is well worth the assurance that you are the one in control of which files are opened on your computer.

The Security Tab


OK, with that out of the way, let’s move over to the Security tab. Most people will want to leave ‘Enable plug-ins’ and ‘Enable JavaScript’ switched on. While turning these off absolutely increases your security, disabling JavaScript makes the web a lot less functional and many sites will break without telling you why. Disabling plug-ins might be more palatable, but sites that use Adobe Flash, for example, won’t work properly either.

Disabling Java, however (and note that Java and JavaScript are completely separate things), is something that can reduce your browsing risk and, in most cases, won’t have a huge impact. Very few websites now use Java applets, so you’re unlikely to have problems. Of course, if you do notice a site you need to use complaining at you, you might have to flip the setting back on.

You might also consider disabling ‘Location Services’ unless you know you’re using it. If a legitimate website really needs to ask for your location, then it will probably let you know you need to switch that back on.
There’s a feature of Safari (and other browsers) called AutoFill. The idea is that it can automatically fill form fields for you, and save you typing. Great idea, but a little while ago a vulnerability existed in the feature, and it was used to take people’s personal information. The AutoFill vulnerability has since been fixed (provided you’ve been keeping Safari up-to-date), but if you had AutoFill switched off, you’d never have been at risk in the first place.

You might have good reason to make use of Safari’s AutoFill features, but equally, if like many people you’ve never used it, then why leave it switched on?


Safari Extensions

Finally, a word about Safari Extensions.

Introduced with Safari 5, Extensions allow third-party developers to extend the functionality of the browser, in much the same way as Firefox Add-ons or Google Chrome Extensions. There’s a Twitter for Safari Extension, for example, so you can tweet directly from Safari.

While the Safari Extension system is designed with security in mind, do take a moment to consider the possible ramifications before installing an extension. An Extension might be able to track the sites you visit, for example. What is the Extension vendor getting out of the ‘deal’? Do you trust the vendor?

So, make sure you trust the vendors that make the Extensions you choose to install — and Extensions, like all other software, need to be kept up-to-date, too.

If you don’t use, or don’t want to use, any Extensions, you can switch the whole feature off using the sliding switch at the top right of the window.

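Since every setting covered above ends up in Safari’s preference file, here is a small shell script, added here as an example rather than taken from the original post, that audits them from the command line. It reads the output of `defaults read com.apple.Safari` and flags any setting still at a value the post recommends turning off. The key names are the ones Safari 5-era releases store in com.apple.Safari (AutoOpenSafeDownloads, WebKitJavaEnabled, the AutoFill* keys and ExtensionsEnabled); confirm them on your own machine with `defaults read com.apple.Safari`, because key names change between releases. The sample preference output embedded in the script is constructed for the demonstration, and Location Services is left out because its key name is not one this example can vouch for.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Safari settings
# discussed above from the command line, using the output of
#     defaults read com.apple.Safari
# Key names are assumed to be those of Safari 5-era releases; verify locally.

# key | hardened value | the preference as it appears in Safari's window
SAFARI_POLICY='AutoOpenSafeDownloads|0|Open "safe" files after downloading
WebKitJavaEnabled|0|Enable Java (Security tab)
AutoFillPasswords|0|AutoFill user names and passwords
AutoFillFromAddressBook|0|AutoFill using Address Book info
AutoFillMiscellaneousForms|0|AutoFill other forms
ExtensionsEnabled|0|Safari Extensions'

# Constructed sample of `defaults read com.apple.Safari` output, used when
# the script is run with --demo or on a machine without the defaults tool.
SAMPLE_PREFS='{
    AutoOpenSafeDownloads = 1;
    WebKitJavaEnabled = 0;
    AutoFillPasswords = 1;
    ExtensionsEnabled = 0;
}'

# pref_value PREFS KEY: print KEY's value from defaults-read output such as
#     AutoOpenSafeDownloads = 1;
# Prints nothing when the key is absent (Safari then uses its built-in default).
pref_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = \([^;]*\);.*/\1/p"
}

# audit_safari_prefs: reads defaults-read output on stdin and prints one line
# per policy entry (OK / RISK / UNSET), then a final "risky=N" count.
audit_safari_prefs() {
    prefs=$(cat)
    risky=0
    # The here-document (rather than a pipe) keeps the loop in this shell,
    # so the risky counter survives past the loop.
    while IFS='|' read -r key want desc; do
        have=$(pref_value "$prefs" "$key")
        if [ -z "$have" ]; then
            printf 'UNSET %s (%s); Safari default applies\n' "$key" "$desc"
        elif [ "$have" = "$want" ]; then
            printf 'OK %s=%s (%s)\n' "$key" "$have" "$desc"
        else
            printf 'RISK %s=%s (%s); recommended %s\n' "$key" "$have" "$desc" "$want"
            risky=$((risky + 1))
        fi
    done <<EOF
$SAFARI_POLICY
EOF
    printf 'risky=%d\n' "$risky"
}

# Entry point: audit the live preferences on a Mac, or the constructed
# sample when asked for a demo or when `defaults` is not available.
if [ "$1" = "--demo" ] || ! command -v defaults >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_PREFS" | audit_safari_prefs
else
    defaults read com.apple.Safari | audit_safari_prefs
fi
```

Run it with no arguments on a Mac to check the live preferences, or with `--demo` anywhere to see it work through the constructed sample. An UNSET line means the key has never been changed from Safari’s built-in default; as the post notes, ‘Open “safe” files after downloading’ is on by default, so an UNSET AutoOpenSafeDownloads still means that box needs unchecking.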

Wrapping Up

So there we are — a few simple things you can switch off to significantly increase the security of your Safari browsing experience. Combine that with being savvy about software updates, and you can feel confident in your day-to-day browsing.

Is there a Mac-related security topic you’d like me to cover in a future ‘Securing your Mac’ post? Any suggestions and feedback are most welcome; just leave a comment below.

Until next time!