Update 29 Oct 2015: My colleague Mike West packaged up these settings as a Chrome extension. So, now you can just install that rather than noodling through all these settings.
Also, be aware that Chrome's Settings UX has changed a bit since I wrote this.
Chrome has a lot of handy privacy and security options, but it isn't always obvious how to use them. In this post I'll demonstrate my favorites, and try to explain a bit about what they do.
My goal with these configuration changes is to get Chrome to expose less attack surface to potentially malicious web pages, and to be less chatty on the network. I definitely can't and don't guarantee that they will work for you or solve any particular problem you have. But maybe you'll find this to be a fun learning experience. (Also, although I work for Google on the Chrome Security team, I am not blogging in any official capacity, and I don't have an omniscient view of Chrome security.)
Chrome has a feature that allows you to create multiple "profiles", each with its own distinct settings. Because we are going to change settings in a way that makes some web sites work less well (or not at all), we don't want to be locked into that mode. Therefore, we create a new, distinct profile to use as the private/secure mode. That way, you can always switch back to a regular profile easily to get normal web functionality.
First, create a new profile:
After creating the new profile, you get a new window running that profile (note the cat icon in the upper right corner):
In this privacy- and security-sensitive special profile, do not sign in to Chrome. Signing in to Chrome, also known as Chrome Sync, is a convenient feature that syncs all your settings across all your signed-in Chrome profiles on all your devices, and makes it easier to log in to Google services. You might like it in your regular profile, but we want this profile to be more loosely coupled to the cloud.
Go to the Settings page in the new profile's window, and click on "Show advanced settings..." (shown here at the bottom):
Scroll down to the Privacy section of the Settings page, and check or un-check the various options as you see fit. Here's how I set them for this profile:
These options (except for Do Not Track, which only adds a request header) cause Chrome to send extra traffic on the network, such as typed URLs and search text for suggestions, words for spell-checking, and prefetches of pages you have not yet visited. Some of that traffic is encrypted, but all of it is a prime candidate for un-checking, especially if you intend to use Chrome with Tor, where any side channel to a third party undermines the point. For more information, see the Chrome Privacy Whitepaper. (In particular, think carefully before disabling phishing and malware protection, which is a real defense against drive-by downloads; see its section in the privacy whitepaper.)
Click on that Content settings... button here in the Privacy section, as well:
I've changed the Cookies and site data settings, as you can see: "Block third-party cookies and site data" means that when you are reading e.g. http://blog.example.com, an ad included in the page from http://ad-company.com cannot set new cookies or site data, which is what lets the ad network correlate your visits across unrelated sites. "Keep local data only until I quit my browser" means that Chrome will clear the locally-stored data (like cookies and HTML5 LocalStorage) when you quit, so a site's login and tracking state does not persist from one session to the next. (This is similar to, but not exactly the same as, what Chrome's Incognito mode provides: Incognito also keeps that data in memory rather than on disk, and discards it when the last Incognito window closes.)
Scroll down and you will see many more options for Content settings. Iâll highlight some that are particularly important. First, block JavaScript by default:
However, you can optionally re-enable JavaScript in HTTPS pages:
I like to do this so that I can get rich JavaScript functionality in web sites like Twitter and Gmail that go to the trouble of authenticating themselves (and their code) using HTTPS, while sites serving unauthenticated junk over plain HTTP cannot run JavaScript at all. The point is that script delivered over HTTP can be replaced by anyone on the network path, so the HTTPS exception only extends trust to code whose origin has actually been verified. It's interesting how many sites still work without JavaScript. (Sometimes they even work slightly better.)
Next, we disallow external protocol handlers, and we block all plug-ins:
Important note about blocking plug-ins: The "Click to play" option means that plug-ins are disabled by default, but that you can (left-)click on their area on the screen to run them. However, that left-click is clickjackable: the page controls everything drawn around the plug-in area, so it can disguise the placeholder or position it under a control you intended to click, and your click silently activates the plug-in. It's better to select "Block all", which is really "right-click to play"; yes, you can still run plug-ins when you want to. To run a plug-in, right-click on its screen area, which brings up a native (operating system) context menu that the page cannot draw over or intercept, and select Run This Plug-in:
Thus, you can be sure that plug-ins run only when you want them to.
Next, we disable location services and notifications:
Disallow sites from taking over the mouse or capturing data from media sensors:
Turn off un-sandboxed plug-ins (those that run outside Chrome's sandbox, so a bug in them is a bug with full user privileges) and don't allow automatic downloads:
Do not remember passwords or form field entries:
Tell Chrome not to auto-detect what language the page is in, to ask where to place each download, and not to fetch certificate revocation data:
Note that you can still use Google Translate by right-clicking on a page and selecting Translate to English (or whatever your native language is). Un-checking "Offer to translate..." disables the automatic language detection functionality.
We leave certificate revocation checking disabled because the protocol that does it, OCSP, asks the certificate authority's responder whether a particular certificate is still valid, and that query tells the CA (and anyone watching the network) which sites you are visiting, as you visit them. Chrome already disables online revocation checks by default for exactly this reason.
Finally, visit chrome://plugins and affirmatively disable the ones you donât need, for good measure:
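The settings above can also be applied programmatically from an extension, which is roughly what packaging them up means. The following is an added example written for this post, not the post's own code and not Mike West's extension: a background script that sets the content settings and privacy preferences through the chrome.contentSettings and chrome.privacy extension APIs, plus a small model of how the "block JavaScript everywhere, allow it over HTTPS" pair of rules resolves for a given URL. It assumes a manifest granting the contentSettings and privacy permissions; the pattern matcher and the precedence rule (more specific pattern wins, later rule wins a tie) are a simplified model of Chrome's, not Chrome's own code, and the API parameter is passed in so the logic can be exercised outside the browser.

```javascript
// Added example (not from the post or from Mike West's extension).
// Background script for a hypothetical "private profile" extension.
// Assumes manifest permissions: "contentSettings" and "privacy".

// Content-setting rules in the order the post applies them: the <all_urls>
// default first, then the narrower HTTPS-only JavaScript exception.
const CONTENT_RULES = [
  { type: 'cookies',            pattern: '<all_urls>',  setting: 'session_only' },
  { type: 'javascript',         pattern: '<all_urls>',  setting: 'block' },
  { type: 'javascript',         pattern: 'https://*/*', setting: 'allow' },
  { type: 'plugins',            pattern: '<all_urls>',  setting: 'block' },
  { type: 'location',           pattern: '<all_urls>',  setting: 'block' },
  { type: 'notifications',      pattern: '<all_urls>',  setting: 'block' },
  { type: 'mouselock',          pattern: '<all_urls>',  setting: 'block' },
  { type: 'microphone',         pattern: '<all_urls>',  setting: 'block' },
  { type: 'camera',             pattern: '<all_urls>',  setting: 'block' },
  { type: 'unsandboxedPlugins', pattern: '<all_urls>',  setting: 'block' },
  { type: 'automaticDownloads', pattern: '<all_urls>',  setting: 'block' },
];

// chrome.privacy preferences for the Privacy section and the password /
// autofill boxes. Safe Browsing is deliberately left untouched, as the
// post advises thinking carefully before turning it off.
const PRIVACY_PREFS = [
  ['network',  'networkPredictionEnabled',   false],
  ['services', 'alternateErrorPagesEnabled', false],
  ['services', 'searchSuggestEnabled',       false],
  ['services', 'spellingServiceEnabled',     false],
  ['services', 'translationServiceEnabled',  false],
  ['services', 'autofillEnabled',            false],
  ['services', 'passwordSavingEnabled',      false],
  ['websites', 'thirdPartyCookiesAllowed',   false],
];

// Apply everything through the extension APIs. `api` is the `chrome`
// namespace, passed in so a recording stub can drive this outside the
// browser. Returns a human-readable list of what was set.
function applyPrivateProfile(api) {
  const applied = [];
  for (const { type, pattern, setting } of CONTENT_RULES) {
    api.contentSettings[type].set({ primaryPattern: pattern, setting });
    applied.push(`contentSettings.${type} ${pattern} -> ${setting}`);
  }
  for (const [group, pref, value] of PRIVACY_PREFS) {
    api.privacy[group][pref].set({ value });
    applied.push(`privacy.${group}.${pref} -> ${value}`);
  }
  return applied;
}

// Simplified content-settings pattern matcher (an assumption, not Chrome's
// matcher): supports "<all_urls>" and "scheme://host/path", where scheme
// may be "*", host may be "*" or "*.domain" (which also matches the bare
// domain), and path may be "*". Ports and other wildcard placements that
// Chrome accepts are not handled here.
function patternMatches(pattern, url) {
  if (pattern === '<all_urls>') return true;
  const m = /^([a-z*]+):\/\/([^/]+)\/(.*)$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host, path] = m;
  const u = new URL(url);
  const schemeOk = scheme === '*' || scheme + ':' === u.protocol;
  const hostOk = host === '*' || host === u.hostname ||
    (host.startsWith('*.') &&
      (u.hostname === host.slice(2) || u.hostname.endsWith(host.slice(1))));
  const pathOk = path === '*' || '/' + path === u.pathname;
  return schemeOk && hostOk && pathOk;
}

// Resolve what a page actually gets: among matching rules, the more
// specific pattern wins, and a rule set later wins a tie. Specificity is
// just "not <all_urls>", which is all the rules above need.
function effectiveSetting(type, url, rules = CONTENT_RULES) {
  let best = null;
  for (const rule of rules) {
    if (rule.type !== type || !patternMatches(rule.pattern, url)) continue;
    const score = rule.pattern === '<all_urls>' ? 0 : 1;
    if (!best || score >= best.score) best = { score, setting: rule.setting };
  }
  return best ? best.setting : 'default';
}

// In the browser, apply the profile when the extension is installed.
// Outside the browser (no `chrome` global) this is simply skipped.
if (typeof chrome !== 'undefined' && chrome.contentSettings && chrome.runtime) {
  chrome.runtime.onInstalled.addListener(() => applyPrivateProfile(chrome));
}
```

The ordering of the two javascript rules is the part worth noticing: the `<all_urls>` block is the default, and the `https://*/*` allow is a narrower exception layered on top, so `effectiveSetting('javascript', 'https://twitter.com/home')` resolves to allow while the same call for an `http://` URL resolves to block. Cookies resolve to session_only everywhere, matching the "Keep local data only until I quit my browser" box.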
Have fun!