How to Prevent AI Agents from Reading Browser Cookies and History

SafeClaw by Authensor blocks AI agents from accessing browser data — cookies, history, saved passwords, bookmarks, and session storage — by denying file reads to browser profile directories through deny-by-default action gating. These paths are blocked automatically unless you explicitly allow them. Install with npx @authensor/safeclaw and your browser data is protected from the first agent action.

Why Browser Data Is Sensitive

Browser profile directories contain some of the most valuable data on your system:

• Cookies — Session tokens for every logged-in website (Gmail, GitHub, AWS Console, banking)
• History — A complete record of every page you have visited
• Saved passwords — Stored credentials (often encrypted, but decryptable with user access)
• Bookmarks — Reveal projects, clients, and tools you use
• Local storage / IndexedDB — Application state for web apps

Step 1: Install SafeClaw

npx @authensor/safeclaw

Works with Claude, OpenAI, and all agent frameworks. Zero dependencies, MIT licensed.

Step 2: Block Chrome Profile Access

# safeclaw.policy.yaml
rules:
  # macOS Chrome
  - action: file.read
    path: "~/Library/Application Support/Google/Chrome/**"
    effect: deny
    reason: "Block access to Chrome profile data"

# Linux Chrome
  - action: file.read
    path: "~/.config/google-chrome/**"
    effect: deny
    reason: "Block access to Chrome profile data on Linux"

# Windows Chrome (WSL path)
  - action: file.read
    path: "/mnt/c/Users//AppData/Local/Google/Chrome/*"
    effect: deny
    reason: "Block Chrome profile access from WSL"

Step 3: Block Firefox Profile Access

rules:
  # macOS Firefox
  - action: file.read
    path: "~/Library/Application Support/Firefox/Profiles/**"
    effect: deny
    reason: "Block access to Firefox profile data"

# Linux Firefox
  - action: file.read
    path: "~/.mozilla/firefox/**"
    effect: deny
    reason: "Block Firefox profile data on Linux"

Step 4: Block Safari and Other Browsers

rules:
  # Safari
  - action: file.read
    path: "~/Library/Safari/**"
    effect: deny
    reason: "Block Safari profile data"

- action: file.read
    path: "~/Library/Cookies/**"
    effect: deny
    reason: "Block macOS cookie storage"

# Edge
  - action: file.read
    path: "~/Library/Application Support/Microsoft Edge/**"
    effect: deny
    reason: "Block Edge profile data"

- action: file.read
    path: "~/.config/microsoft-edge/**"
    effect: deny
    reason: "Block Edge on Linux"

# Brave
  - action: file.read
    path: "~/Library/Application Support/BraveSoftware/**"
    effect: deny
    reason: "Block Brave profile data"

# Arc
  - action: file.read
    path: "~/Library/Application Support/Arc/**"
    effect: deny
    reason: "Block Arc browser data"

Step 5: Block Database Query Tools

Browser data is stored in SQLite databases. An agent might try to query them directly:

rules:
  - action: shell.execute
    command_pattern: "sqlite3 Cookies"
    effect: deny
    reason: "Block querying cookie databases"

- action: shell.execute
    command_pattern: "sqlite3 History"
    effect: deny
    reason: "Block querying history databases"

- action: shell.execute
    command_pattern: "sqlite3 Login Data"
    effect: deny
    reason: "Block querying saved password databases"

- action: shell.execute
    command_pattern: "sqlite3 Web Data"
    effect: deny
    reason: "Block querying autofill databases"

Step 6: Block Copy Attempts

An agent might try to copy browser databases to a different location and then read them:

rules:
  - action: shell.execute
    command_pattern: "cp Chrome *"
    effect: deny
    reason: "Block copying Chrome profile files"

- action: shell.execute
    command_pattern: "cp Firefox *"
    effect: deny
    reason: "Block copying Firefox profile files"

- action: shell.execute
    command_pattern: "cp Safari *"
    effect: deny
    reason: "Block copying Safari profile files"

Step 7: Test and Audit

npx @authensor/safeclaw --simulate

Check the hash-chained audit trail:

npx @authensor/safeclaw audit --filter "reason:browser"

Every attempt to access browser data is recorded in the tamper-proof log.

SafeClaw is open-source with 446 tests and works with both Claude and OpenAI providers.

Related Pages

• How to Prevent AI Agents from Accessing macOS Keychain or Windows Credential Manager
• How to Prevent AI Agents from Reading Dotfiles (.bashrc, .zshrc, .gitconfig)
• Threat: Credential File Read
• How to Stop AI Agents from Leaking Keys