Hardening Chromium
Flags
You can modify Chromium flags by visiting chrome://flags (or edge://flags for Microsoft Edge).
#cookies-without-same-site-must-be-secure
When web servers omit the SameSite attribute on an HTTP Set-Cookie header, Chromium will force that cookie to be sent only over TLS. NOTE: when web servers do specify SameSite, TLS is likewise enforced for that cookie.
Forces all cookies through secure connections
#same-site-by-default-cookies
When the SameSite attribute is omitted, Chromium will default the cookie to SameSite=Lax, which improves security and makes it harder for the cookie to be used to track you across sites.
Makes cookies more secure by default
#schemeful-same-site
This applies a stricter policy for deciding whether a request is cross-site for the purposes of an HTTP cookie: both the scheme and the domain are used. For example, http://example.com is considered cross-site to https://example.com, so http://example.com is prevented from obtaining the SameSite=Lax cookies of https://example.com.
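The three SameSite flags above are easier to reason about with a small model. The following is an added example, not code from the page or from Chromium: it parses a Set-Cookie value, applies the "omitted SameSite defaults to Lax" and "SameSite=None requires Secure" rules (the case Chromium's "cookies without SameSite" flag targets is a cookie explicitly marked SameSite=None, i.e. without same-site restrictions), and compares two URLs with and without schemeful same-site. The site() helper assumes the registrable domain is the last two host labels, a simplification of the Public Suffix List that Chromium really uses.

```javascript
// Parse a Set-Cookie header value into name, value and lower-cased attributes.
// Valueless attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const [k, v = true] = a.split("=");
    cookie.attrs[k.toLowerCase()] = v;
  }
  return cookie;
}

// Model of #same-site-by-default-cookies and
// #cookies-without-same-site-must-be-secure.
// Returns the effective SameSite mode, or null if Chromium would reject the cookie.
function effectiveSameSite(header) {
  const c = parseSetCookie(header);
  const raw = c.attrs.samesite;
  const mode = typeof raw === "string" ? raw.toLowerCase() : undefined;
  const secure = c.attrs.secure === true;
  if (mode === "none") return secure ? "None" : null; // None without Secure: rejected
  if (mode === "strict") return "Strict";
  if (mode === "lax") return "Lax";
  return "Lax"; // omitted or unrecognised value: treated as unspecified, defaulted to Lax
}

// Registrable domain of a URL. Assumption: last two host labels
// (real browsers consult the Public Suffix List).
function registrableDomain(urlString) {
  return new URL(urlString).hostname.split(".").slice(-2).join(".");
}

// Schemeless same-site (pre-flag behaviour): domain only.
function isSchemelessSameSite(a, b) {
  return registrableDomain(a) === registrableDomain(b);
}

// #schemeful-same-site: scheme AND registrable domain must match.
function isSchemefulSameSite(a, b) {
  const site = (u) => `${new URL(u).protocol}//${registrableDomain(u)}`;
  return site(a) === site(b);
}
```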
#legacy-tls-enforced
Enable this flag to disable insecure versions of TLS.
#omnibox-default-typed-navigations-to-https
When you type a bare domain name like google.com into the address bar, you make a request to the HTTP version of the website instead of HTTPS. Enable this flag to force typed URLs in the address bar to use TLS.
#mixed-forms-disable-autofill
Enable this flag so Chromium automatically disables autofill for forms which submit over insecure connections.
#mixed-forms-interstitial
Enable this flag so that you are warned if a form submits over a non-secure connection.
#treat-unsafe-downloads-as-active-content
Treat “dangerous files” (e.g. .exe, .dmg, .jar) as “active mixed content” when they are downloaded over insecure connections, so that Chromium blocks the download.