Browse more safely with Microsoft Edge

This article describes how Microsoft Edge provides enhanced security on the web.

Overview

Microsoft Edge is adding enhanced security protections to provide an extra layer of protection when browsing the web and visiting unfamiliar sites. The web platform is designed to give you a rich browsing experience using powerful technologies like JavaScript. On the other hand, that power can translate to more exposure when you visit a malicious site. With enhanced security mode, Microsoft Edge helps reduce the risk of an attack by automatically applying more conservative security settings on unfamiliar sites and adapts over time as you continue to browse.

Defense in depth

Enhanced security mode in Microsoft Edge mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling additional operating system protections for the browser. These protections include Hardware-enforced Stack Protection and Arbitrary Code Guard (ACG).

When combined, these changes help provide 'defense in depth' because they make it more difficult than ever before for a malicious site to use an unpatched vulnerability to write to executable memory and attack an end user. You can learn more about the experimentation results from the Microsoft Edge Security team's blog post and Introducing Enhanced Security for Microsoft Edge.

You may also be interested to learn more about the first line security protections in Microsoft Edge. Notably, you may want to learn more about how Microsoft Edge SmartScreen protects users from phishing scams and malware downloads.

What's new in Microsoft Edge security settings

With Enhance your security on the web, Microsoft Edge gives you an extra layer of protection when browsing the web.

Use the following steps to configure added security.

1. In Microsoft Edge, go to Settings and more > Settings > Privacy, search, and services.
2. Under Security, verify that Enhance your security on the web is enabled.
3. Select the option that's best for your browsing.

The following toggle settings are available:

• Toggle Off (Default): Feature is turned off
• Toggle On – Balanced (Recommended): Microsoft Edge will apply added security protections when users visit unfamiliar sites but bypass those protections for commonly visited sites. This combination provides a practical level of protection against attackers while preserving the user experience for a user's usual tasks on the web.
• Toggle On – Strict: Microsoft Edge will apply added security protections for all the sites a user visits. Users may report some challenges accomplishing their usual tasks.

The following screenshot shows the "Enhance your security on the web" configuration page, with Balanced security mode enabled and set to provide Balanced security.

How "Balanced" mode works

Balanced mode is an adaptive mode that builds on user's behavior on a particular device, and Microsoft's understanding of risk across the web to give sites that users are most likely to use and trust full access to the web platform, while limiting what new and unfamiliar sites can do when visited.

How "Strict" mode works

As the name suggests, Strict Mode applies these security protections to all sites by default. However, you can still manually add sites to the exception site list and enterprise admin configuration will still apply, if present. Strict mode isn't appropriate for most end users because it may require some level of configuration for the user to complete their normal tasks.

Enhanced security sites

In Balanced and Strict mode, you can also create exceptions for certain familiar websites that you trust or wish to enforce these modes on. Use the following steps to add a site to your list.

1. In Microsoft Edge, select Settings and more > Settings > Privacy, search, and services.
2. Verify that Enhance your security on the web is turned on.
3. Under Enhance your security on the web, select Manage enhanced security for sites.
4. Select Add a site, type in the full URL, and then select Add.

The next screenshot shows the settings page for security exceptions.

Enterprise controls

Enterprise Admins can configure this security feature using Group Policy settings, including creating "Allow" and "Deny" lists to explicitly enhance security for their users when visiting certain sites, or disable the mode for others. For a complete list of policies, see the Microsoft Edge browser policy documentation.

User experience with enhanced security mode

An easy way to check if Enhanced Security Mode is enabled on your site is to open the Site Trust flyout. Select the lock icon to open the next flyout.

Select Enhanced security is active for this site to open the next flyout that shows the security settings for the current site. It gives you the option to turn security on or off using the Use enhanced security for this site toggle. If you turn the toggle off, Microsoft Edge adds this site to the exception site list.

Site with enhanced security turned off

When enhanced security is turned off for a site, the following message is displayed.

When you select Enhanced security is not active for this site, the next screen opens and there's the option to toggle enhanced security on.

Send us feedback

We want to get your feedback on our next iteration to improve "enhanced security mode". If something doesn't work the way you expect, or if you have feedback to share on these changes, we want to hear from you. You can reach out to Microsoft Support to report issues or feedback. You can also leave feedback in our TechCommunity forum.

See also

• Video: Secure browsing on Microsoft Edge
• Super Duper Secure Mode
• Microsoft Edge Enterprise landing page