I predominantly use Apple products, and when transitioning to a new device within the Apple ecosystem — such as a fresh MacBook — I find myself in the familiar routine of reinstalling all the essential software and tools I rely on every day.
This article is my own go-to checklist when setting up a new laptop. It can also serve as inspiration for anyone looking to build a privacy-conscious developer environment, with the tools I consider essential.
macOS Privacy & Security Settings
Start by updating macOS to the latest version, then walk through the following:
- Change Privacy & Security Advanced settings on Mac.
- Turn on FileVault to encrypt your disk.
- Configure a firmware password.
- Enable Secure Keyboard Entry in the Terminal.
For a thorough deep-dive, review the drduh/macOS-Security-and-Privacy-Guide repository.
Application Firewall & Monitoring
A host-based firewall lets you see and approve every outbound connection your applications make. Two solid options:
- LuLu — free and open-source, from Objective-See.
- Little Snitch — paid, with more granular rules and a richer interface.
In addition, install BlockBlock to monitor for processes attempting to install themselves persistently — useful for catching malware that wants to survive a reboot.
Xcode Command Line Tools
xcode-select --install
Homebrew
Install Homebrew, then opt out of analytics:
brew analytics off
Command-Line Tools
cURL — install the Homebrew version (newer than the system one):
brew install curl
Make the brewed version take precedence over the system one by adding it to your PATH (see the Shell section below). Optionally, force Homebrew itself to use this version:
export HOMEBREW_FORCE_BREWED_CURL=1
For HTTP/3 support, see HTTP3 (and QUIC); quiche is the recommended backend.
git, Python, Node.js:
brew install git python@3.13 node
Python cleanup script: clean_python_env.sh. When developing in Python, use virtual environments.
Cloudflare Wrangler CLI
Wrangler is the CLI for building on Cloudflare Workers. It must be installed via npm — the Homebrew formula named wrangler is an unrelated Erlang tool and has been disabled.
npm install -g wrangler
Developer Apps
Install via Homebrew casks:
brew install --cask visual-studio-code
brew install --cask github # GitHub Desktop
brew install gh # GitHub CLI
brew install --cask ghostty # Modern, GPU-accelerated terminal
brew install --cask claude-code # Anthropic's terminal coding agent
brew install --cask codex # OpenAI's terminal coding agent
Networking & Security Apps
brew install --cask wireshark-app
brew install --cask silentknight
Wireshark is the standard network protocol analyser. SilentKnight automatically checks the state of macOS firmware and security systems on each launch.
Shell
Open ~/.zshrc and set up the PATH so Homebrew binaries — including the brewed curl — take precedence over the system equivalents:
export PATH="/opt/homebrew/bin:/opt/homebrew/opt/curl/bin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:$PATH"
Then reload:
source ~/.zshrc
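To confirm the steps so far actually took effect (FileVault, Secure Keyboard Entry, Homebrew analytics, brewed curl first in PATH), here is an audit script added as an example; it is not part of the original checklist. The function names are hypothetical, the matched `brew analytics state` wording is an assumption, and the curl path is the Apple silicon prefix from the PATH line above.

```shell
#!/bin/sh
# Each check_* takes raw command output as "$1" so it can be tested with constructed strings.

check_filevault() {        # input: output of `fdesetup status`
  case "$1" in
    "FileVault is On."*) echo "PASS FileVault is on" ;;
    *) echo "FAIL FileVault is not on"; return 1 ;;
  esac
}

check_secure_keyboard() {  # input: `defaults read com.apple.Terminal SecureKeyboardEntry`
  if [ "$1" = "1" ]; then echo "PASS Secure Keyboard Entry is on"
  else echo "FAIL Secure Keyboard Entry is off or unset"; return 1; fi
}

check_brew_analytics() {   # assumption: `brew analytics state` says "... analytics are disabled"
  case "$1" in
    *[Aa]"nalytics are disabled"*) echo "PASS Homebrew analytics are off" ;;
    *) echo "FAIL Homebrew analytics are not off"; return 1 ;;
  esac
}

# Resolve a command against an explicit PATH string; the first executable file wins.
resolve_in_path() {        # usage: resolve_in_path <cmd> <path-string>
  _old_ifs=$IFS; IFS=:
  for _dir in $2; do
    [ -n "$_dir" ] || _dir=.
    if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
      IFS=$_old_ifs; echo "$_dir/$1"; return 0
    fi
  done
  IFS=$_old_ifs; return 1
}

check_curl() {             # input: resolved path; expected value comes from the page's PATH line
  if [ "$1" = "/opt/homebrew/opt/curl/bin/curl" ]; then echo "PASS brewed curl wins"
  else echo "FAIL curl resolves to ${1:-nothing}"; return 1; fi
}

audit() {                  # run every check, report all failures, exit status 1 if any failed
  rc=0
  check_filevault "$(fdesetup status 2>/dev/null)" || rc=1
  check_secure_keyboard "$(defaults read com.apple.Terminal SecureKeyboardEntry 2>/dev/null)" || rc=1
  check_brew_analytics "$(brew analytics state 2>/dev/null)" || rc=1
  check_curl "$(resolve_in_path curl "$PATH")" || rc=1
  return "$rc"
}

if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

Save it to a file and run it with `sh` rather than pasting it into zsh, which does not word-split `$2` the way `resolve_in_path` relies on.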
Keeping Everything Updated
A single command to refresh Homebrew, all packages, and npm:
brew update && brew upgrade && brew autoremove && brew cleanup && brew doctor && npm install -g npm@latest && npm update -g
Browser: Brave
Install Brave via Homebrew:
brew install --cask brave-browser
Brave Shields blocks ads and trackers by default. If you prefer Firefox or another privacy-respecting browser, install uBlock Origin (or uBlock Origin Lite) as an add-on.
Switch your default search engine to DuckDuckGo, Startpage, or Ecosia.
Encrypted DNS
Follow the guide on connecting to 1.1.1.1 with DoH. Alternatively, configure DoH directly in your browser, or use a managed secure public WiFi profile.
Email, Calendar, Drive, VPN, Password Manager
Sign up for the Proton suite for end-to-end-encrypted Mail, Calendar, Drive, VPN, and Pass. Use my invitation link if you’d like.
Alternatives worth considering:
- Cloudflare Zero Trust (free tier) — WARP VPN client, Gateway filtering, and Email Routing.
- NextDNS (free tier) — encrypted DNS with custom blocklists.
Useful Tools & Bookmarks
A curated list of browser-based tools I keep bookmarked for security research, web debugging, and OSINT work.
General Toolkit
- CyberChef — the Swiss army knife for encoding, encryption, and data analysis.
- CanaryTokens — generate honeytokens that alert when triggered.
- Wayback Machine (save URL) — view or archive any page in time.
- Have I Been Pwned — check if your email or passwords have leaked.
- Privacy.com — generate virtual cards for online purchases.
Website Tech Stack
URL & Site Scanning
- urlscan.io
- Cloudflare Radar URL Scanner
- VirusTotal
- URLhaus
- Web Check
- Security Headers
- Redirect Detective
DNS
IP Intelligence
Image Forensics
- FotoForensics
- TinEye — reverse image search
- Content Credentials
- Jimpl — EXIF metadata viewer
AI Content Detection
Malware Analysis
Threat Intelligence
Data Breaches
- BreachDirectory
- OCCRP Aleph — public records and leaks
Web Performance
More
Enable Hot Corners to instantly lock the screen — handy when stepping away briefly.
Further reading:
- A Journey into Digital Privacy & CyberSec — companion article.
- DavidJKTofan/CyberSec-resources — more commands and examples.
- ataumo/macos_hardening — manual policy checks, see the policy list.
Disclaimer
Educational purposes only.
This blog post is independent and not affiliated with, endorsed by, or necessarily reflective of the opinions of any entities mentioned.