Toggle on button with a shield indicates selecting safety.

Browsers are slowly replacing operating systems as the central interface for devices. Already, they are the primary application on most computers. Similar to how our smartphones have become our cameras, music players, and flashlights, browsers now function as our mail, chat, and office programs.

[Stay up to date with the latest in online privacy and security. Sign up for the ExpressVPN newsletter.]

Browsers act as transit programs. All our personal data flows through them, which is why it’s essential to use them carefully. In this guide, we take a comprehensive look at how to browse securely, taking into consideration everything from your device and browser to your passwords and accounts.


Part 1: Protect your devices
Part 2: Safeguards for your browser
Part 3: Protect your accounts

Also read: The mobile safety guide


Part 1: Protect your devices

A phone with a shield symbol toggled on.

Securing your online experience starts with your device: the desktop, laptop, tablet, or smartphone you use to browse the web. A compromised device could allow an intruder to access all data stored on it, perform actions on your behalf, and circumvent any security measures on your browser or your accounts. Here are ways to protect it.

Use factory reset for a clean slate

Your device is generally considered secure if you unpacked it from its original packaging or installed the operating system yourself. While there have been cases where laptops were shipped with vulnerabilities and spyware, this is rare. When in doubt, install your own operating system or perform a factory reset. This is especially important for devices that you loaned out or purchased on the second-hand market.

Update your programs

All software has vulnerabilities. The vast majority of the time, they are unintentionally introduced as the program is written and only surface through external scrutiny. Enterprises and freelance researchers constantly search for such vulnerabilities, which can be sold to criminals.

When useful vulnerabilities are discovered, they are often used against high-value targets first. As soon as a vulnerability is reported to the vendor or becomes publicly known, it will be fixed. Then, as there is no longer an incentive to keep the vulnerability a secret, it suddenly becomes attractive to exploit against anybody who hasn’t updated their device.

To protect against this, updates should always be installed as soon as they become available, ideally through an automatic process on your device. Look in the settings of your device to see if there are updates available and if automatic updates are enabled.

Install software with care

Most malware does not come in the form of viruses or trojans but is installed unknowingly by the user, for example, because it comes bundled with other software.

Only download software from reputable sources, ideally only from the software maker’s official website. Verify the signatures if available, and avoid pirated software (off BitTorrent, for example).

Also be careful of phishing messages, such as emails or web pop-ups urging you to install updates. Acquire the updates only through the appropriate repositories (e.g., the App Store, Google Play, or official websites). Malicious software can also come in the form of plugins and extensions. Only install reputable plugins delivered via official channels.

Use passwords and encryption on your device

Always set a password to access your device. A password should also be required for installing software or updating your operating system. This prevents people who have temporary access to your device from installing tracking software or otherwise altering the behavior of the computer.

When your device is turned off, its data may also be vulnerable to manipulation and theft. To protect against this, your device should be fully encrypted (including the operating system itself). This prevents alterations to the code and switching to the operating system to a counterfeit.

Configure private DNS and a firewall (or use a VPN)

One of the easiest ways for a government or advertiser to get a list of sites you visit is to simply ask your DNS provider for it. Every time you open a page, your computer will forward part of the URL to the DNS provider, which will resolve it to an IP address that your computer can use to connect to the site’s server. You can read more about DNS here.

By using a privacy-conscious DNS provider such as LibreDNS, you have the promise that your requests are not logged. Many VPN providers (including ExpressVPN) also run their own DNS services and do not log DNS requests.

You should also have a firewall enabled on your machine or at least work behind one. In the simplest terms, your router at home will serve as a firewall and block eventual incoming connections to your computer. Running a VPN can also act as a firewall.

Don’t share devices

Ideally, avoid sharing devices. But if you have to share, it should be with someone you trust not to spy on you and who is savvy enough to recognize and defend against threats.

Part 2: Safeguards on your browser

A browser window with a shield symbol toggled on.

Select the right browser

Making the right choice for your browser is important. While modern browsers all share key features such as tabs, search, and bookmarks, they differ slightly in their customizability and navigation. There are plenty of browsers to choose from, but few focus on privacy by default. Here are the ones that stand out.

  • Firefox
    Mozilla’s Firefox is the most well-known fully open-source browser. It is financed by the Mozilla Foundation, a not-for-profit dedicated to promoting open-source software. As such, it doesn’t have a business model and does not belong to any of the large advertising companies. Firefox can natively be configured to block trackers and will alert you about fingerprinting (more below) by default. It can be customized with add-ons for a more granular private browsing experience. In Firefox you can use uBlock Origin to block advertisements (and increase your browsing speed) and use EFF’s Privacy Badger to further control which sites you are connecting to and which are allowed to set cookies. Duckduckgo’s Privacy Essentials is a bundle with these and other useful browser extensions.
  • Brave
    Brave is a relatively new browser that markets itself specifically to a privacy-conscious audience. Brave has an interesting business model, in which you can choose to see some advertisements as long as they don’t track you. You can also choose to get a tiny reward (like a frequent-flyer point) for the advertisements you see. Brave has been criticized for its practice of injecting its own ads into other sites, but it has also made significant advancements in rethinking online marketing.
  • Tor
    The Tor Project is not just a browser but a network of hidden services spanning the globe. Based on Firefox, it is by far the most privacy-conscious browser out there. All your data is routed through the free and encrypted Tor network by default, allowing you to access censored sites and escape the prying eyes of your local government or ISP—even without a VPN. The Tor browser is optimized for privacy without the need for extensions. The downside is slow speeds, and some sites may appear buggy. You might see more Captchas than usual when using the Tor browser.

Know your browser settings

Before getting started with any browser, we recommend you take a moment and go through the settings to familiarize yourself with what options are available or enabled.

Keep your browser up to date

Just like your operating system, your browser needs to be continuously updated to plug security holes and mitigate against new threats. Modern browsers can do this automatically in the background, though they may need to be manually restarted once in a while for the changes to take effect.

Firefox goes as far as making itself unusable as soon as an update is ready to be loaded, requiring a restart of the browser. While this may be a nuisance at times, your tabs are saved, and the process takes just a few seconds.

Use HTTPS when available

HTTPS is a technology that allows you to connect to any server privately and securely. It ensures that all data is encrypted in transit and that you connect to the correct server. A secure HTTPS connection is typically indicated by a lock icon in your browser’s address bar. Connections not made over such a channel lack this lock or are marked “Not Secure.”

Ideally, use only HTTPS connections (rather than HTTP). You can also use an extension like EFF’s HTTPS Everywhere to automatically use an HTTPS connection when one is available.

Use the right search engine

Google is the world’s most popular search engine, but it records your searches. Your best alternatives are DuckDuckGo and Startpage, privacy-conscious search engines that do not create user profiles to sell to advertisers. In Firefox, you can make one your default search engine under Preferences > Search.

Disabling Search Suggestions will also prevent your browser from sending all your keystrokes to the search engine before you click send.

Be selective about storing cookies

Cookies are tiny files that sites store on your computer. These files help websites identify you. This helps you stay logged in with your settings saved, for instance.

But cookies can also be intrusive as they make it possible for a site to correlate your separate visits. When used by advertising networks, cookies can track you across websites. The most common trackers are from Facebook and Google, which are found on most sites.

You can configure Firefox to block tracking cookies (see above) or all third-party cookies. Alternatively, you can use the Privacy Badger browser add-on to choose how you connect to third-party domains:

  • Allow no connections at all
  • Allow connections, but not allow cookies
  • Allow connections and cookies

This is especially convenient if you want to maximize your privacy without breaking the sites that you need to function.

Know what incognito mode does (and doesn’t do)

Incognito or private mode is available in many browsers, but its purpose as a privacy feature is overstated. In short, when you use an incognito window, your browsing history is not recorded, and all cookies stored during this session are deleted when you close the window.

Another related and convenient tool is Firefox’s “forget” button. You can add it to your toolbar under Preferences > Customize. This button will delete only the past few minutes from your browsing history, including cookies. However, it’s not limited to a single tab, and it will close all sessions.

Block ads

While your browser and the Privacy Badger can help you escape advertisement trackers online, you can increase your privacy even further by blocking all ads. This has the positive side effect of helping you speed up your browsing and prolong your battery life, as advertisements often need to load large images and videos.

You can use Ublock Origin to block advertisements. It comes with continuously updated block lists and can be further customized.

Know about browser fingerprinting

Browser fingerprinting is a technique sites can use to identify you. It involves recording details about your site visits such as the browser you’re using, your operating system, the languages you prefer, your screen size and resolution, and the fonts you have installed. Putting this information together may help sites track your online activity.

Browser fingerprinting is still in its early days of deployment and research, and there is no definite way to detect it or protect against it. Tor Browser has a long history of fighting browser fingerprinting and Firefox somewhat attempts to limit the amount of data that a site can gather about you, and some browser plugins promise to randomize or standardize the most common form of browser fingerprinting: the canvas.

A canvas fingerprint exploits the fact that many users will have a different screen size and resolution, and that their graphic cards might render the same objects (such as an “8”) slightly differently. By getting a user’s browser to “draw” a standardized image and observing the slight differences in outcome, a site can identify repeat visitors.

Make use of bookmarks

Bookmarks might seem an archaic tool from a time when search engines were inefficient, but they do still provide a valuable service to security and privacy.

By using bookmarks to visit sites you frequent or sites where security is essential (e.g., your bank), you are far less likely to fall for a phishing link or be redirected through a proxy serving malware.

As a bonus, you don’t have to remember the URLs of these sites, and you can bookmark their login page directly, rather than having to navigate to it. It also means you no longer show your intention to visit the site to a search engine.

Be careful with WebRTC

WebRTC is a technology embedded in browsers that lets you access your camera, microphone, or capture your screen and share it with others. This is a great tool that allows you to enjoy peer-to-peer video conferencing, but it can also be used to de-anonymize you.

Make sure that only sites that you trust can access your camera or microphone. Ideally, sites should have to ask you every time they request such access. In Firefox, you can see if any sites are whitelisted under Preferences > Permissions.

It’s also important to be aware that due to the peer-to-peer nature of WebRTC, your conversation partner may be able to see your IP address and make guesses about your identity and location. To mitigate this issue, stay connected to a VPN when using WebRTC. You can see which sites are allowed to access your location, camera, etc., in your settings.

You can block WebRTC from exposing your local IP address using the ExpressVPN browser extension for Chrome, Firefox, or Edge.

Part 3: Protect your accounts

A profile picture with a shield symbol toggled on.

In addition to your privacy, you should also check the safety of your personal data and account ownership.

Protect email and phone access

Most of your accounts are connected to either an email address, a phone number, or both. In case you forget your password, there are often mechanisms that allow the user to reset their credentials using this email or phone number.

This makes it dangerously easy for someone to take over your accounts—all they would need is access to just your phone or email. A technique called SIM swapping, for example, allows an attacker to not only transfer your phone number to them but also lock you out of mobile internet and telephone access altogether, making it hard for you to regain access to your accounts.

To protect yourself against SIM swapping, ask your mobile phone operator what it would take to port your number or clone a SIM card. You might be able to place additional restrictions on your account, such as passwords or a “do not port” policy that is intentionally difficult to override.

Do not use your phone number as two-factor authentication (more below), and ideally don’t provide your phone number to anyone unnecessarily. You can use a secondary, prepaid SIM card for cases where it is absolutely necessary to hand out your phone number, but you need to remember to keep this number active and charged, or it might be given out to somebody else.

Get a password manager

Password reuse—the practice of using the same password on various sites—is highly risky. A site you used a while ago might get hacked or acquired by malicious actors, and then the password becomes known to hackers. They can use your email and password combination to attempt to log in to multiple sites and, if you use the same combination elsewhere, will gain access.

If the attackers are creative or have the resources, knowing just one of your passwords makes it easy to guess the passwords for other platforms, as you are likely to have established patterns or reused parts of the password.

The best way forward is to use a password manager (such as our partner LastPass). Install one as a separate application on your computer or as a plug-in to your browser. A password manager will not only generate a long and unique password, but it will also remember it securely with your credentials and other associated information, such as security questions.

Some password managers will also (to an extent) protect you from phishing (see below). Password managers are a great example of technology that makes life both more convenient and more secure.

Use two-factor authentication

In case an attacker gains knowledge of your password, you can employ a second line of defense called “second factor” or “two-factor authentication (2FA).”

It is common to implement 2FA by having a code sent to your phone. But, as explained above, we do not recommend this. Instead, use an authenticator app or a hardware token (U2F).

An authenticator app can be installed on your phone or as a browser extension. When you set up your accounts with 2FA, you will have to pair it with this application once. It will then generate a new code intermittently, to be used when logging in to your account.

A hardware token typically looks like a USB stick and needs to be inserted into your computer or phone when prompted. Some models can also function over NFC (near-field communication). Unlike the authenticator app, this standard is only available on a few high-value sites like Google, Facebook, Twitter, and Github, but it provides the strongest level of protection.

Beware of phishing

Phishing is a popular technique to “fish” for credentials via email, instant messaging, social media, or hyperlinks. It can be used to trick victims into installing malware.

Typically, a phishing email will disguise itself as a legitimate email from your email provider, bank, or social media platform and ask you to verify your account or confirm a suspicious login. When following the provided link, you will be directed to a login form disguised as the website you expect. When entering your credentials, you unwittingly pass them on to the attackers, who can use the information to pose as you on the real site.

Ideally, never click on links in emails unless you were expecting the email. Using a password manager can also help you in these situations, because it is supposed to verify the domain before filling in your username and password. A hardware 2FA token will also protect you from this threat by verifying that the site you are entering the token is the same site used at setup.