Unlocking MetaMask — A Smart User’s Security Handbook

Unlocking properly

MetaMask requires a local password to unlock the extension or app. Choose a strong, unique password and enable OS-level encryption (device PIN or biometric). Lock MetaMask after short idle times to minimize exposure when you step away from your device.

What signing requests mean

Signing a message or transaction authorizes a specific on-chain action. Read the request details carefully: which contract, which amount, and whether it’s an approval for unlimited spending. Avoid blanket approvals like “approve infinite” unless you fully trust the contract.
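
To make "which contract, which amount, and whether it's an approval for unlimited spending" concrete, the sketch below decodes the hex `data` field of a transaction request and reports whether it is an ERC-20 `approve(address,uint256)` call, who the spender is, and whether the amount is the maximum uint256 value. It is an added example, not MetaMask's own code; the function name `decodeApproval` and the sample spender address are constructed for illustration.

```javascript
// Added example: inspect a transaction's calldata before signing.
// Assumption: `data` is the hex string from the transaction request.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

function decodeApproval(data) {
  if (typeof data !== "string") throw new TypeError("data must be a hex string");
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length % 2 !== 0) {
    throw new Error("data is not valid hex");
  }
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return { isApproval: false };
  // selector (4 bytes) + two 32-byte ABI words = 136 hex chars; trailing bytes are ignored
  if (hex.length < 136) throw new Error("truncated approve() calldata");
  const spenderWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // An address sits in the low 20 bytes of its word; the upper 12 bytes must be zero
  if (!/^0{24}/.test(spenderWord)) throw new Error("spender word has non-zero padding");
  const amount = BigInt("0x" + amountWord);
  return {
    isApproval: true,
    spender: "0x" + spenderWord.slice(24), // the address being allowed to spend
    amount,                                // raw token units, before decimals
    unlimited: amount === MAX_UINT256,     // the "approve infinite" case
    revokes: amount === 0n,                // approve(spender, 0) clears the allowance
  };
}

// Constructed sample inputs (the spender is a placeholder, not a real contract)
const SPENDER = "00000000000000000000000000000000000000ab";
const pad = (h) => h.padStart(64, "0");
const unlimitedCall = "0x" + APPROVE_SELECTOR + pad(SPENDER) + "f".repeat(64);
const boundedCall = "0x" + APPROVE_SELECTOR + pad(SPENDER) + pad((1000n).toString(16));

for (const [label, call] of [["unlimited", unlimitedCall], ["bounded", boundedCall]]) {
  const r = decodeApproval(call);
  console.log(label, r.spender, r.amount.toString(), r.unlimited ? "UNLIMITED" : "bounded");
}
```

The `amount` is in the token's smallest unit, so compare it against the token's decimals before judging whether a bounded approval is actually small.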

Approval hygiene

Use tools to review and revoke ERC-20 approvals for contracts you no longer use. Limiting allowances reduces the damage a compromised dApp can do with your tokens.