Hardening Chromium

Flags

You can modify Chromium flags by visiting edge://flags (Microsoft Edge) or chrome://flags (Chromium and Google Chrome).

#cookies-without-same-site-must-be-secure

When a web server omits the SameSite attribute on a Set-Cookie header, Chromium will only send that cookie over TLS. NOTE: when the server does specify SameSite, TLS is still enforced for that cookie.

Forces all cookies through secure connections

#same-site-by-default-cookies

When SameSite is omitted, Chromium defaults the cookie to SameSite=Lax, which improves security and makes it harder for the cookie to be used to track you across sites.

Makes cookies more secure by default

#schemeful-same-site

This applies a stricter definition of "cross-site" for HTTP cookies: both the scheme and the domain are compared, e.g. http://example.com is considered cross-site to https://example.com. It prevents http://example.com from obtaining SameSite=Lax cookies.
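As an added illustration (not Chromium source), the following model shows how the three cookie flags above interact: a missing SameSite attribute becomes Lax, a SameSite=None cookie is only stored when it is also Secure (which is what the must-be-secure flag enforces in Chromium), and schemeful same-site compares the scheme as well as the domain. The registrable domain is approximated as the last two host labels, an assumption Chromium does not make (it uses the Public Suffix List).

```javascript
// Added illustration (not Chromium source): a simplified model of the three
// SameSite flags above. The registrable domain is approximated as the last two
// host labels (assumption; Chromium uses the Public Suffix List).

function site(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return { scheme: u.protocol.replace(':', ''), domain: labels.slice(-2).join('.') };
}

// #schemeful-same-site: same registrable domain AND same scheme.
// With schemeful=false only the domain is compared (the older behaviour).
function sameSite(urlA, urlB, schemeful = true) {
  const a = site(urlA), b = site(urlB);
  return a.domain === b.domain && (!schemeful || a.scheme === b.scheme);
}

// Parse one Set-Cookie header; returns the stored cookie or null if rejected.
function acceptCookie(setCookie) {
  const parts = setCookie.split(';').map(p => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1),
                   secure: false, sameSite: null };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    if (k.toLowerCase() === 'samesite') cookie.sameSite = (v || '').toLowerCase();
  }
  // #same-site-by-default-cookies: a missing SameSite attribute becomes Lax.
  if (cookie.sameSite === null) cookie.sameSite = 'lax';
  // #cookies-without-same-site-must-be-secure: SameSite=None needs Secure.
  if (cookie.sameSite === 'none' && !cookie.secure) return null;
  return cookie;
}

// Is the cookie attached to a request for `target` initiated from `initiator`?
function cookieSent(cookie, target, initiator, method = 'GET', topLevelNav = false) {
  if (cookie.secure && !target.startsWith('https:')) return false;
  if (sameSite(target, initiator)) return true;       // same-site: always sent
  if (cookie.sameSite === 'none') return true;        // cross-site allowed
  if (cookie.sameSite === 'lax') return topLevelNav && method === 'GET';
  return false;                                        // strict: never cross-site
}
```

With a Lax-defaulted cookie, a request to http://example.com initiated from https://example.com is treated as cross-site and the cookie is withheld, which is the behaviour the schemeful flag description above refers to.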

#legacy-tls-enforced

Enable this flag to disable insecure versions of TLS.

#omnibox-default-typed-navigations-to-https

When you type a bare domain name such as google.com into the address bar, the request is made to the HTTP version of the site rather than HTTPS. Enable this flag so that URLs typed into the address bar default to TLS.

#mixed-forms-disable-autofill

Enable this flag so Chromium automatically disables autofill for forms that submit over insecure connections.

#mixed-forms-interstitial

Enable this so you are warned when a form submits over an insecure connection.

#treat-unsafe-downloads-as-active-content

Treats “dangerous files” (e.g. .exe, .dmg, .jar) as “active mixed content” when they are downloaded over an insecure connection, so Chromium blocks the download.