Safari's Dangerous Defaults


While Safari is generally considered a secure option for browsing the web, there are some default settings that users should be aware of; especially those which may compromise your privacy and security.

Here are five default Safari settings that may be compromising your privacy.

  1. Search engine suggestions send web addresses to Google
  2. Safari’s Start page may leak information
  3. ‘Ad Effectiveness’ doesn’t help you
  4. Auto-Fill can leak your personal information
  5. ‘Pre-load top hit’ loads pages you may not visit

Search engine suggestions send web addresses to Google

In Safari, the “Search engine suggestions” feature is designed to provide autocomplete suggestions when you start typing a web URL into the Safari address bar.

However, the incomplete web address text is sent to Google’s servers to generate these suggestions, so any manually typed addresses, and much of your browsing behaviour, are transmitted to Google. Additionally, any misspelt URL you enter into the Safari address bar automatically triggers a redirect to a Google search page, allowing further profiling of your web browsing behaviour.

The data sent to Google includes your IP address, browser type and version, language preferences, and the query text itself. Google uses this data to generate search suggestions, create user profiles and improve its search engine results.

It is important to note that this feature is turned on by default in Safari, and most users may not realize that much of their browsing data is being sent to Google. To prevent this, turn off the “Search engine suggestions” feature in Safari’s settings or use an alternate search engine that does not track user data.

Safari’s Start page may leak information

Safari’s Start page, which automatically displays when you open a new window or tab, can leak information about your behaviour.

This is due to Safari retrieving and displaying both a default and frequently visited set of websites to show on the Start page. While this feature is designed to provide convenience, it also potentially allows websites to track your browsing history and interests.

According to research conducted by Douglas J. Leith from Trinity College, Safari’s default Start page prefetches pages from multiple third parties including Facebook and Twitter, sites that are not well known for being privacy friendly, potentially allowing them to load pages containing user identifiers into your browser cache.

The Start page in Safari may also make a connection to Apple or third-party servers each time it is opened, which may allow Apple and others to collect data on browser usage and behaviour, potentially violating your privacy.

To mitigate this issue, Safari provides a setting to disable the display of Frequently Visited websites on the Start page. However, this feature remains enabled by default, meaning you may be unknowingly exposing your browsing behaviour to third-party sites.

A simple solution for Apple to implement would be for Safari to cache the set of thumbnails and frequently accessed information when those pages are actually visited, instead of retrieving this information unexpectedly in the background when opening a new tab. This would stop the additional web requests and reduce the potential leakage of your information.

‘Ad Effectiveness’ doesn’t help you

By default, Safari is set up to enable ad networks to measure the effectiveness of their ads while attempting to maintain user privacy.

The “Allow privacy preserving measurement of ad effectiveness” setting works by using differential privacy, a technique that adds random noise to data, to obfuscate individual user information while still providing useful aggregate data to ad networks.

With this enabled, Safari will send information about your ad clicks and conversions to the ad network, but with added random noise. The noise ensures that the data sent to the ad network cannot be used to identify any individual user, but it still provides useful information about the performance of the ad.
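As an added illustration of the noise-adding idea described above (this is example code written for this article, not Safari’s implementation, and Apple’s exact scheme is not described here), the snippet below implements randomized response, the textbook differential-privacy mechanism for a single yes/no value such as “did this click convert?”. Each user reports their true bit only with probability `p` and the flipped bit otherwise, so no single report reveals the truth, yet the aggregate conversion rate can still be recovered without bias. The function and parameter names are ours, and the simulated population is constructed.

```python
"""Randomized response: noise on each individual report, accuracy in aggregate.

Example code, not Safari's own logic. Parameter names (p, true_rate, users) are
ours; the simulated population in simulate() is constructed for illustration.
"""
import math
import random


def randomize_bit(true_bit: int, p: float, rng: random.Random) -> int:
    """Report the true bit with probability p, otherwise report the flipped bit."""
    if true_bit not in (0, 1):
        raise ValueError("true_bit must be 0 or 1")
    if not 0.5 < p < 1.0:
        raise ValueError("p must lie strictly between 0.5 and 1")
    return true_bit if rng.random() < p else 1 - true_bit


def epsilon(p: float) -> float:
    """Privacy loss of randomized response.

    Any single report is at most e**epsilon times more likely under one true
    value than under the other, so an observer cannot confidently infer it.
    Higher p means more accuracy for the ad network and less privacy for the user.
    """
    return math.log(p / (1 - p))


def estimate_rate(reported_ones: int, total: int, p: float) -> float:
    """Debias the noisy aggregate.

    If r is the true conversion rate, the expected observed fraction of ones is
    p*r + (1-p)*(1-r). Solving for r gives the estimator below, clamped to [0, 1]
    because sampling noise can push the raw estimate outside that range.
    """
    if total <= 0:
        raise ValueError("total must be positive")
    observed = reported_ones / total
    r = (observed - (1 - p)) / (2 * p - 1)
    return min(1.0, max(0.0, r))


def simulate(true_rate: float, users: int, p: float, seed: int = 0) -> tuple[int, float]:
    """Constructed population: draw each user's real bit, randomize it, and return
    (count of reported ones, debiased estimate of the true rate)."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(users):
        real = 1 if rng.random() < true_rate else 0
        ones += randomize_bit(real, p, rng)
    return ones, estimate_rate(ones, users, p)


if __name__ == "__main__":
    p = 0.75
    ones, est = simulate(true_rate=0.2, users=20000, p=p)
    print(f"epsilon = {epsilon(p):.3f} (ln 3 for p = 0.75)")
    print(f"reported ones: {ones} of 20000, debiased estimate: {est:.3f} (true rate 0.2)")
```

The trade-off the page describes is visible in `epsilon`: with `p = 0.75` each report is at most three times more likely under one true value than the other, while the aggregate estimate over tens of thousands of users lands close to the true rate. Lowering `p` towards 0.5 protects individuals more and makes the aggregate noisier.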

The existing default behaviour benefits advertisers more than users, and we believe this feature should be disabled by default.

Apple should also prompt users on the first run of Safari if they wish for this feature to be enabled (as they do for App Tracking Transparency on iOS). In the meantime, you can manually disable this feature in Safari settings.

Auto-Fill can leak your personal information

Auto-fill is a convenient feature that allows Safari (and other browsers) to automatically fill in form fields with previously entered information, such as your name, address, and phone number.

However, this same feature could potentially be used by malicious websites to extract personal information without your consent.

When you visit a website that includes a form, Safari may offer to automatically fill in the form with data from your contacts, which could include sensitive information. In some cases, the website may use hidden form fields to trick the browser into automatically filling in additional data, which could include even more sensitive information.

To mitigate this risk, Safari has a number of safeguards in place. For example, Safari will only fill in form fields if the user clicks on the field or presses the tab key to move to the field. Additionally, Safari will not fill in fields that are hidden from the user or have unusual names. Finally, Safari will ask the user for permission before filling in credit card information or passwords.
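The hidden-field trick described above can be checked for from the defender’s side. The following is an added example (not Safari’s code, and not a description of how Safari decides what to fill): a small auditor that parses a form and flags fields that carry personal-data semantics (autocomplete tokens such as `tel`, `street-address`, `cc-number`, or telltale field names) but are not visible to the user, whether because of their own inline style or because an ancestor element is hidden. The visibility heuristics, the list of sensitive tokens, and the sample form are all constructed for illustration; a real site scanner would also need to evaluate external stylesheets.

```python
"""Flag form fields a browser might autofill although the user cannot see them.

Example code written for this article, not Safari's own logic. The heuristics,
token lists and SAMPLE_FORM below are constructed for illustration.
"""
from html.parser import HTMLParser
import re

# autocomplete tokens that denote personal data (subset of the HTML spec's list)
SENSITIVE_TOKENS = {
    "name", "given-name", "family-name", "email", "tel", "street-address",
    "address-line1", "address-line2", "postal-code", "country", "bday",
    "cc-number", "cc-exp", "cc-csc", "organization",
}
# fragments in name/id attributes that usually mean the same thing
NAME_HINTS = ("email", "phone", "tel", "address", "postal", "zip", "card", "ccnum", "cvv")

# inline CSS that hides an element or pushes it off-screen
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?(?![\d.])"
    r"|(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*0(?:px)?(?![\d.])",
    re.IGNORECASE,
)
VOID_TAGS = {"input", "br", "img", "hr", "meta", "link", "area", "base", "col",
             "embed", "source", "track", "wbr"}


def is_hidden(attrs: dict) -> bool:
    """Heuristic: element is not visible to the user (hidden attribute or inline CSS)."""
    if "hidden" in attrs:
        return True
    return bool(HIDDEN_CSS.search(attrs.get("style", "")))


def is_sensitive(attrs: dict) -> bool:
    """Field asks for personal data, judged by autocomplete tokens or its name/id."""
    tokens = attrs.get("autocomplete", "").lower().split()
    if any(t in SENSITIVE_TOKENS for t in tokens):
        return True
    ident = (attrs.get("name", "") + " " + attrs.get("id", "")).lower()
    return any(hint in ident for hint in NAME_HINTS)


class FormAuditor(HTMLParser):
    """Collect form controls together with whether they or an ancestor are hidden."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # >0 while inside a hidden container
        self.stack = []         # one bool per open element: does it hide its children?
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v if v is not None else "") for k, v in attrs}
        if tag in ("input", "select", "textarea"):
            self.fields.append({"tag": tag, "attrs": a,
                                "hidden": self.hidden_depth > 0 or is_hidden(a)})
        if tag in VOID_TAGS:    # void elements have no closing tag
            return
        hides = is_hidden(a)
        self.stack.append(hides)
        if hides:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1


def audit_form(html: str) -> list:
    """Return a label for every field that is both hidden and asks for personal data."""
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for f in parser.fields:
        # type=hidden inputs are never autofilled by browsers, so they are not of interest
        if f["attrs"].get("type", "").lower() == "hidden":
            continue
        if f["hidden"] and is_sensitive(f["attrs"]):
            a = f["attrs"]
            findings.append(a.get("autocomplete") or a.get("name") or a.get("id") or f["tag"])
    return findings


# Constructed sample: visibly asks for name and e-mail, but also carries an
# off-screen phone field and a display:none block with address and card fields.
SAMPLE_FORM = """
<form action="/subscribe" method="post">
  <input type="text" name="name" autocomplete="name">
  <input type="email" name="email" autocomplete="email">
  <input type="text" name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <div style="display: none">
    <input type="text" name="addr" autocomplete="street-address">
    <input type="text" name="card" autocomplete="cc-number">
  </div>
  <input type="hidden" name="csrf" value="constructed-token">
  <button type="submit">Subscribe</button>
</form>
"""

if __name__ == "__main__":
    for hit in audit_form(SAMPLE_FORM):
        print("hidden autofill target:", hit)
```

Run against the constructed form, the auditor reports the `tel`, `street-address` and `cc-number` fields and says nothing about the two visible fields or the `type="hidden"` CSRF token, which browsers never autofill. The same logic maps onto the safeguard the page mentions: a browser that refuses to fill fields the user cannot see is applying a visibility check of this kind before releasing any data.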

While these mitigations reduce the risk of auto-fill being used to breach a user’s privacy, there is still the potential for this feature to be exploited.

You should be cautious when accepting auto-fill suggestions and consider disabling the feature if you are concerned about your privacy.

‘Pre-load top hit’ loads pages you may not visit

“Preload Top Hit in the background” is a Safari setting that, when enabled (as it is by default), preloads the website predicted to be your next destination using a hidden request in the background.

This feature is designed to speed up your browsing experience by loading the next page before you’ve actually tapped on it.

However, this can cause privacy issues because it effectively sends a request to the predicted website before you even choose to visit it. This can reveal your browsing behaviour and potential interests to the website, even if you ultimately choose not to visit that site. Additionally, if the site in question is malicious or contains tracking code, the preload could allow it to collect information about your browsing behaviour without your knowledge or consent.

Although the setting provides a perceived speed increase in page loading, if you’re concerned about your privacy you may want to disable it in Safari.

Conclusion

In the digital age, privacy is a fundamental right and companies like Apple have a responsibility to protect your data.

Although Safari has made strides in safeguarding your privacy, more can be done. Apple could increase privacy by raising awareness of the default settings’ downsides and enhancing privacy controls in future updates.
