# How to Make Browsing Safer: A Practical Checklist

*Published:* 2026-01-11
*Author:* Stephan Baugh

Browser security advice from 2022 mostly told you to use a VPN and install an ad-blocker, which is a fine first instinct and a wildly incomplete answer. The threats that affect normal browsing now are session-token theft, AI-generated phishing pages, and malicious browser extensions, and a VPN does nothing about any of them. The U.S. Cybersecurity and Infrastructure Security Agency publishes a free Secure Our World checklist that aligns with these recommendations.

Below is the current checklist we run on a fresh device before we sign in to anything important. It works on Chrome, Edge, Firefox, and Brave on Android, and the same advice maps to desktop.

### TL;DR

**The pick:** The single best move is to turn on passkeys for your Google, Apple, and bank accounts and stop typing passwords.

**Runner-up:** Install uBlock Origin Lite (Chrome MV3) or uBlock Origin (Firefox) and remove every other extension you do not actively use.

**Skip if:** Skip the “privacy browsers” that ship with built-in crypto wallets or rewards programs; the surface area is larger, not smaller.



Why the 2022 advice is incomplete
---------------------------------

VPNs hide your IP from a website. They do not stop a phishing page from harvesting your password, they do not stop a malicious extension from reading every site you visit, and they do not prevent token theft on a public Wi-Fi network where your traffic is already protected by TLS anyway. A VPN is one tool, not the strategy.

The 2026 threat model for a normal user is: AI-built phishing pages that look indistinguishable from real ones, browser extensions that quietly turn malicious after an ownership change, and session cookies stolen from leaked databases. Three different tools fix three different problems.

Use passkeys, not passwords
---------------------------

Every major identity provider now supports passkeys. They are tied to your device’s secure enclave, they cannot be phished, and they remove the password from the attacker’s reach entirely. Turn them on for Google, Apple, your primary email, your bank, and Amazon as the first move.

Keep a hardware security key as a backup if you travel without your phone. YubiKey 5C NFC is the standard pick and works with [Android phones](https://bestforandroid.com/ "best for android") as a USB-C device.

Slim the extension list
-----------------------

Every browser extension can read every page you load. The single most common compromise in 2025 was a popular screenshot extension that changed hands and pushed a malicious update. Remove every extension you do not use weekly. For the ones you keep, check the developer name, the last update date, and the reviews from the past month.

If you only keep one, make it uBlock Origin Lite on Chrome or uBlock Origin on Firefox. Both block ads, trackers, and a wide list of known malicious domains.
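To support the audit step on desktop, here is an added example (not part of the original article): a Python script that walks the `Extensions` folder of a Chromium-family profile and flags every extension whose manifest requests access to all sites. The sample extension IDs, names, and the `build_sample_profile` helper are constructed for illustration; Firefox stores extensions in a different layout and is not covered.

```python
import json, sys, tempfile
from datetime import date
from pathlib import Path
# Match patterns that grant an extension access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_hosts(manifest):
    """Return the all-sites patterns a parsed manifest.json requests."""
    found = set()
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        found.update(p for p in manifest.get(key, []) if isinstance(p, str) and p in BROAD)
    for script in manifest.get("content_scripts", []):
        found.update(m for m in script.get("matches", []) if m in BROAD)
    return sorted(found)

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json files."""
    rows = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it
        rows.append({
            "id": path.parts[-3],
            "name": manifest.get("name", "?"),  # may be a __MSG_...__ locale key
            # File mtime approximates when this version was installed.
            "installed": date.fromtimestamp(path.stat().st_mtime).isoformat(),
            "broad_hosts": broad_hosts(manifest),
        })
    return rows

def build_sample_profile(root):
    """Write two constructed manifests (made-up IDs) so the script runs offline."""
    samples = {
        "aaaaexampleidone": {"name": "Sample Blocker", "version": "1.2", "manifest_version": 3, "permissions": ["declarativeNetRequest"]},
        "bbbbexampleidtwo": {"name": "Sample Screenshot", "version": "4.0", "manifest_version": 2, "permissions": ["tabs", "<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / ext_id / f"{manifest['version']}_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile(tempfile.mkdtemp())
    for row in audit_profile(target):
        print("ALL SITES" if row["broad_hosts"] else "limited  ", row["id"], row["name"], row["installed"])
```

Pass the path to the `Extensions` folder inside a desktop Chrome, Edge, or Brave profile as the first argument; with no argument it scans the constructed sample profile.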

Lock down DNS and updates
-------------------------

Use a filtering DNS like NextDNS or Cloudflare 1.1.1.1 for Families. Set it system-wide on Android via Private DNS in Settings, so the protection applies to every browser and every app.

Set your phone to auto-install OS updates and turn on Play Protect. Most browser exploits land on devices that are two patch cycles behind, not on the latest build.

### Which protection should you set up first?

- **Highest impact for ten minutes of work:** Turn on passkeys for your primary Google account.
- **Highest impact for general browsing:** Install uBlock Origin Lite and audit your extension list.
- **Highest impact for the household:** Set Private DNS to a filtering resolver.
- **Highest impact if you travel:** Add a hardware security key as a backup factor.
 


**Important:** If a site asks you to install a browser extension to view content, leave the site. That request pattern is the most common 2026 vector for extension-based credential theft, and no legitimate news, video, or shopping site needs an extension to render a page.

FAQ
---

### Do I still need a VPN?

A VPN helps on untrusted Wi-Fi and for geographic content access. It is not a security cure-all, and a free VPN that monetises by selling traffic data is worse than none at all.



 

 

### Is incognito mode actually private?

Incognito stops your browser from storing the history locally. It does not hide you from websites, your network, or your employer. Treat it as a privacy-from-housemates feature, not a privacy-from-attackers one.



 

 

### Should I use Tor for normal browsing?

Probably not. Tor is slow, breaks many sites, and is overkill for the threats most readers face. The checklist above covers the realistic risks.



 

 



The verdict
-----------

Safer browsing looks like this: passkeys on the accounts that matter, two extensions instead of fifteen, a filtering DNS, and an OS that updates itself. A VPN is a useful supplement, not the centrepiece. Do the four things above this weekend and your personal threat model improves more than any subscription bundle will.

#### How we put this guide together

The picks and steps in this guide reflect what works on current Android builds. Our editors test [apps](https://bestforandroid.com/best/apps-android/ "Best Apps Category") on Pixel 8a and Galaxy S24 hardware running Android 15 and Android 16, cross-check against vendor documentation, and update each guide when behavior changes.


