Mozilla Firefox is arguably the best browser available that combines strong privacy protection features, good security, active development, and regular updates. The newest version of Firefox is fast, light-weight, and packed full of great settings to protect your privacy.
It is for this reason that I consider Firefox to be the best all-around browser for privacy and security. It remains a solid alternative to some of the other options, such as Google Chrome, Microsoft Edge, and Safari.
Another great aspect of Firefox is that it is highly customizable, which is the point of this guide. Below we will go over how you can customize Firefox to give you the security and privacy you desire, while still working well for day-to-day browsing.
But before we jump in, let’s cover some important details.
Important considerations
There are many factors to consider when configuring Firefox to meet your needs, including your threat model and browsing preferences. In other words, there is no “one-size-fits-all” configuration that will work for everyone. This guide is a basic overview covering some of the different configurations options.
Before you start configuring Firefox and installing a bunch of add-ons, it’s important to consider browser fingerprinting.
Browser fingerprinting
The issue of browser fingerprinting (or device fingerprinting) is a big topic that covers all the different ways you can be tracked and identified by your system and various settings. All of the different add-ons you install and preference modifications you make to Firefox are inputs that can potentially be used to identify and track you.
Herein lies the catch-22: the more browser add-ons you install and settings you modify, the more unique you will be, and thereby the easier to track and identify. I discuss this problem in depth – and also provide a solution – in the browser fingerprinting guide.
And that leads us to the second point that…
More is not always better
When it comes to browser add-ons and modifications, you don’t want to be like that kid who puts every topping imaginable on his ice cream. More is not better with ice cream toppings or with Firefox browser add-ons.
Aside from the issue of browser fingerprinting, having too many add-ons may also slow down performance. Many of the popular Firefox add-ons also fulfill the same functions and are redundant when used together.
Therefore it is best to strike a balanced approach. Install and modify only what you think will be useful and necessary for your specific situation, and nothing more.
Proceed with caution
Modifying some of these settings may interfere with your browsing and break some websites (the website won’t load properly). Therefore taking an incremental approach may be the best way to proceed. You can continue to install add-ons and adjust your settings as you see what works with the websites you regularly visit.
This allows you to modify the settings, create exceptions, or add sites to a whitelist.
Firefox privacy settings
Before you get going with Firefox you may want to adjust the following settings for better privacy.
Note: if you are a Mac OS user, you will see the word “Preferences” in your menu rather than “Options” as it is listed below.
Disable telemetry
With the latest version of Firefox, it is configured to share “technical and interaction data” with Mozilla. This includes the ability to “install and run studies” on your computer. You can learn more about these studies and data collection practices if you want, but I’d recommend disabling these settings.
To disable go to Open Menu (three bars at the top right corner of the browser) > Options > Privacy & Security > Firefox Data Collection and Use and then uncheck the boxes as you see below:
You can also disable data sharing with Firefox for Android by going to Menu > Settings > Privacy > Data Choices and then uncheck all three categories for Telemetry, Crash Reporter, and Mozilla Location Service.
Note: You can also disable this in the About:Config settings with toolkit.telemetry.enabled set to false.
Change default search engine
Firefox now uses Google as the default search engine. Since Google is recording your search queries to hit you with targeted ads, it’s a good idea to use an alternative to Google in the interest of privacy.
To do this, go to Menu > Search > Default Search Engine. Unfortunately, Firefox does not provide you with too many alternatives directly in the settings area. However, you can view more options by going down to One-Click Search Engines and then click Find more search engines to see the other alternatives.
Startpage seems to be a pretty good option that gives you good results and still respects your privacy (additional setup instructions here).
Firefox also has a guide on modifying your search engine settings.
Enable tracking protection
With the newer versions of Firefox, you can now enable tracking protection to always be active, rather than only in private browsing mode. To do this, go to Menu > Options > Privacy and Security > Tracking Protection and then click Always.
You can also enable tracking protection in Firefox for Android by going to Menu > Settings > Privacy > Tracking Protection and then click the box to enable.
This may also improve browser performance.
Do Not Track (request)
Firefox also has an option to request that websites “do not track” you online. This is simply an HTTP header field that you can easily enable. However, the key word here is request, because this is not actually blocking anything. We have also learned that many websites simply ignore these requests.
On a positive note, there are some websites respecting do not track requests (including Restore Privacy, which uses Matomo instead of Google Analytics). To enable Do Not Track simply go to Menu > Options > Privacy & Security > Tracking Protection and then under ‘Send websites a “Do Not Track” signal…’ select Always.
You can enable this in Firefox Android by going to Menu > Settings > Privacy > Do not track.
Now we will move onto the about:config settings.
Firefox About:Config settings
Aside from the general Menu settings we used above, you can also make a number of different modifications using about:config.
Note: If you made all of the changes above, you may have noticed that some of these settings are already updated in about:config. We will cover the about:config settings separately, since some people prefer to modify settings in this area rather than through the general Menu.
To access these configuration settings, simply enter about:config into the URL bar and hit enter. You will then be prompted with a warning screen stating “This might void your warranty”. Just click “I accept the risk” to continue.
After proceeding, you will see a large list of preferences, which each include a status, type, and value.
These preferences will be listed in alphabetical order and easily searchable from the search bar near the top.
Modifying preferences – You can modify any of these Firefox preferences by simply double clicking the preference name. If the preference is a “boolean” type, then double clicking will change the value to true or false. If the preference is an “integer” or “string” type, double clicking will open a box to change the value.
media.peerconnection.enabled (WebRTC)
WebRTC stands for “Web Real-Time Communication” and it allows for voice, video chat, and P2P sharing through your browser. Unfortunately, this capability can also expose your real IP address through browser STUN requests, even if you are using a VPN service.
To disable WebRTC in Firefox simply enter media.peerconnection.enabled into the search bar and then double click the value to change it to false.
Note – Aside from Firefox, the WebRTC vulnerability also affects the Chrome and Opera browsers. Check out the WebRTC leaks guide for steps to block or disable WebRTC in all browsers.
privacy.resistFingerprinting
Changing this preference to true will help to make Firefox more resistant to browser fingerprinting.
Note: There are many factors that go into browser fingerprinting and the ability of an adversary to identify you. Another option is to use the Tor browser, discussed further here.
privacy.firstparty.isolate
Changing this to true will isolate cookies to the first-party domain, which prevents tracking across multiple domains. First-party isolation does much more than isolate cookies; it affects: cookies, cache, HTTP authentication, DOM storage, Flash cookies, SSL and TLS session resumption, Shared Workers, blob URIs, SPDY and HTTP/2, automated cross-origin redirects, window.name, auto form fill, HSTS and HPKP supercookies, broadcast channels, OCSP, favicons, MediaSource URIs and MediaStream, and speculative and prefetched connections.
This preference was added in late 2017 as part of the Tor Uplift Project.
geo.enabled
Setting this to false will disable geolocation tracking, which may be requested by a site you are visiting. As explained by Mozilla, this preference is enabled by default and utilizes Google Location Services to pinpoint your location. In order to do that, Firefox sends Google:
- your computer’s IP address
- information about “nearby wireless access points”
- a random client identifier, which is assigned by Google
Before this data is sent to Google, you would first receive a permission request from the site you are visiting. Therefore you do have control over this, even if geolocation remains enabled.
media.navigator.enabled
Setting this preference to false will block websites from being able to track the microphone and camera status of your device.
network.cookie.cookieBehavior
This is an integer type preference that you should set to a value of 1. This preference controls which cookies Firefox accepts and takes the following values:
- 0 = Accept all cookies by default
- 1 = Only accept from the originating site (block third-party cookies)
- 2 = Block all cookies by default
You can get more information on this preference from the Mozilla knowledge base.
network.cookie.lifetimePolicy
This is another integer type preference that you should set to a value of 2. This preference determines when cookies are deleted. Here are the different options:
- 0 = Accept cookies normally
- 1 = Prompt for each cookie
- 2 = Accept for current session only
- 3 = Accept for N days
With a value of 2, websites you visit should work without any problems, and all cookies will be automatically deleted at the end of the session. You can get more information on this preference from the Mozilla knowledge base.
network.dns.disablePrefetch
Setting this preference to true will stop Firefox from “prefetching” DNS requests. While resolving domain names in advance may slightly improve page load speeds, it also opens you up to privacy and security threats, as described in this paper.
You can get more information on this preference here.
network.prefetch-next
Similar to prefetching DNS requests above, setting this preference to false will prevent pages from being prefetched by Firefox. Mozilla has deployed this feature to speed up web pages that you might visit. However, it will use up resources and poses a risk to privacy. This is another example of performance at the price of privacy.
You can get more information on network.prefetch-next here.
webgl.disabled
WebGL is a potential security risk, which is why it is best disabled by setting webgl.disabled to true. Another issue with WebGL is that it can be used to fingerprint your device.
You can get more information on the WebGL issue here and here.
A note on “safe browsing” preferences
There are many recommendations to disable the Safe Browsing feature in Firefox due to privacy concerns and potential Google tracking. However, these concerns are based on an older version of the Safe Browsing feature, which would utilize “real-time lookup” of website URLs. This method has not been in use since 2011 – explained further here.
If a URL is needed, Firefox takes the following precautions to protect user privacy, as explained by François Marier, a security engineer for Mozilla:
- Query string parameters are stripped from URLs we check as part of the download protection feature.
- Cookies set by the Safe Browsing servers to protect the service from abuse are stored in a separate cookie jar so that they are not mixed with regular browsing/session cookies.
- When requesting complete hashes for a 32-bit prefix, Firefox throws in a number of extra “noise” entries to obfuscate the original URL further.
Therefore I would conclude that disabling Safe Browsing would give you no tangible privacy benefits, while also being a security risk. That being said, if you still want to disable this feature, here’s how:
- browser.safebrowsing.phishing.enabled = false
- browser.safebrowsing.malware.enabled = false
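As an added example (not code from the article), the following script checks a Firefox user.js or prefs.js against the about:config values recommended in this section, including the advice to leave Safe Browsing enabled; the sample file it parses is constructed for the demonstration.

```javascript
// Recommended about:config values from this section of the article.
// The two browser.safebrowsing.* entries reflect the article's advice to
// leave Safe Browsing turned on.
const RECOMMENDED_PREFS = {
  "toolkit.telemetry.enabled": false,
  "media.peerconnection.enabled": false,
  "privacy.resistFingerprinting": true,
  "privacy.firstparty.isolate": true,
  "geo.enabled": false,
  "media.navigator.enabled": false,
  "network.cookie.cookieBehavior": 1,
  "network.cookie.lifetimePolicy": 2,
  "network.dns.disablePrefetch": true,
  "network.prefetch-next": false,
  "webgl.disabled": true,
  "browser.safebrowsing.phishing.enabled": true,
  "browser.safebrowsing.malware.enabled": true,
};

// Constructed sample user.js with deliberate gaps, used only for this demonstration.
const SAMPLE_USER_JS = `
/* hardening prefs for this profile
   user_pref("privacy.firstparty.isolate", true);  <- inside a comment, not active */
user_pref("toolkit.telemetry.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("privacy.resistFingerprinting", true);
user_pref("geo.enabled", false);
user_pref("media.navigator.enabled", false);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.dns.disablePrefetch", true);
// user_pref("network.prefetch-next", false);
user_pref("webgl.disabled", true);
user_pref("browser.safebrowsing.phishing.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
`;

// Matches an active user_pref("name", value); line with a boolean, integer or
// quoted string value. Lines commented out with // do not match because the
// line must begin (after whitespace) with user_pref.
const USER_PREF_LINE =
  /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;

// Parse active user_pref lines into a name -> value map; block comments are
// stripped first so prefs inside /* ... */ are not counted as active.
function parseUserJs(text) {
  const prefs = {};
  const withoutBlockComments = text.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const line of withoutBlockComments.split(/\r?\n/)) {
    const m = USER_PREF_LINE.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    if (raw === "true" || raw === "false") prefs[name] = raw === "true";
    else if (raw.startsWith('"')) prefs[name] = JSON.parse(raw);
    else prefs[name] = parseInt(raw, 10);
  }
  return prefs;
}

// Compare parsed prefs with the recommendations; one finding per deviation.
function checkPrefs(prefs, recommended = RECOMMENDED_PREFS) {
  const findings = [];
  for (const [name, want] of Object.entries(recommended)) {
    if (!(name in prefs)) {
      findings.push({ name, status: "missing", want });
    } else if (prefs[name] !== want) {
      findings.push({ name, status: "mismatch", want, got: prefs[name] });
    }
  }
  return findings;
}

function checkUserJs(text) {
  return checkPrefs(parseUserJs(text));
}

// Run against the constructed sample and print a short report.
for (const f of checkUserJs(SAMPLE_USER_JS)) {
  const detail = f.status === "missing" ? `not set (want ${f.want})` : `is ${f.got}, want ${f.want}`;
  console.log(`${f.status.padEnd(8)} ${f.name}: ${detail}`);
}
```

To check a real profile, read the user.js or prefs.js file from the profile directory and pass its contents to checkUserJs.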
Firefox privacy and security add-ons
There are some great Firefox browser add-ons that will give you more privacy and security.
Note: When looking for Firefox add-ons, be sure to consider what you need in relation to the preferences you modified above. Some add-ons will be redundant and not necessary depending on your Firefox preferences and the other add-ons you are using.
In combination with the preference changes above, my top three recommendations for privacy add-ons would be:
- uBlock Origin
- HTTPS Everywhere
- Decentraleyes
All three of these add-ons complement the preferences listed above, are easy to use, and will probably not break websites you visit.
Another great add-on is Cookie AutoDelete. However, if you have already modified your cookie preferences in about:config as described above, then this add-on is not necessary.
uBlock Origin
uBlock Origin is an efficient, light-weight blocker that filters both ads and tracking. It has risen to popularity as a powerful alternative to Adblock Plus, which allows “acceptable ads” that many users disdain. One added benefit of uBlock Origin is that it can significantly improve performance and page load speed.
Another great feature with uBlock Origin is the ability to whitelist certain websites. Given that many sites will block access if they detect an ad-blocker, the ability to whitelist will come in handy. uBlock Origin is free and entirely open source.
HTTPS Everywhere
HTTPS Everywhere is a good Firefox add-on that basically forces an HTTPS connection with the websites you visit – provided HTTPS is available for the site. This gives you more security and privacy, due to encryption.
Fortunately, more and more websites are implementing HTTPS, so this is becoming less of an issue. Nonetheless, HTTPS Everywhere is still a good add-on to use with Firefox.
You can get more information on HTTPS from Electronic Frontier Foundation, which is behind the creation of this add-on.
Decentraleyes
Decentraleyes is an interesting Firefox add-on that protects you against tracking via content delivery networks that are operated by third parties. While CDNs do help improve website load time and performance, they are usually offered for free by third parties that use the CDN to track your browsing. These third parties include Google, Microsoft, Facebook, Cloudflare, Yandex, Baidu, MaxCDN, and others.
Decentraleyes solves this problem by hosting CDN resources locally. As described on their self-hosted GitLab repository, Decentraleyes “intercepts traffic, finds supported resources locally, and injects them into the environment” thereby preventing CDNs from tracking users.
Cookie AutoDelete
This browser add-on may not be necessary with Firefox if you have made the changes above to preferences, which will automatically erase cookies that are no longer needed for the website you are viewing.
However, if you’d rather use an add-on instead of making these about:config changes, then Cookie AutoDelete is the way to go. It erases cookies that are no longer needed, thereby protecting you from tracking.
Privacy Badger
Privacy Badger is another add-on from the Electronic Frontier Foundation that blocks spying ads and trackers. One drawback with Privacy Badger is that it only blocks third-party sites. Because it considers Google Analytics a first-party site, it will not be blocked. Another drawback is that it does not actually use a filter list. Instead, it basically learns as you use it.
On a positive note, Privacy Badger is very easy to use and will go a long way to giving you more privacy with general browsing. It can be used in combination with uBlock Origin, although there will be some overlap in terms of functionality.
uMatrix
uMatrix is an advanced add-on that gives you control over requests that may be tracking you on the websites you visit. It is made by the same people behind uBlock Origin. One advantage with uMatrix is that it is very customizable.
One drawback with uMatrix is that it can be difficult and time-consuming to get it configured for regular, day-to-day browsing. However, if you want a very powerful blocker, and you don’t mind having to tinker with this plugin, then give uMatrix a shot.
NoScript
NoScript is a script-blocker that allows you to determine exactly which scripts run on specific websites. While it does give you control, NoScript can be a real pain to get configured properly. It breaks many websites, which requires you to tweak and configure the options. If you are already using uBlock Origin, or uMatrix, then you probably don’t need to be using NoScript.
This is definitely not an add-on for the casual user or those who don’t have the patience to devote some time into configuration.
Additional resources
Below are some additional resources for configuring Firefox to give you more privacy and security:
- user.js Firefox hardening – As explained on their GitHub page, this is a “configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the overview wiki page.” Their Wiki page is also full of great information.
- Privacy Settings – This is a Firefox add-on to give you easy access and control of the built-in privacy settings in your browser.
- Firefox Profilemaker – FFprofile helps you to create your own Firefox profile with the default privacy and security settings to fit your needs.
Firefox privacy conclusion
Firefox remains the best all-around, mainstream browser on the market for privacy.
While many of the configurations and add-ons we discussed in this article will go a long way to giving you more privacy, there is one issue that remains: concealing your IP address and location. To do this a good VPN is necessary. The Tor network also achieves this end, but it comes with the drawbacks of slow speeds and other risks (see the Tor guide for details).
Also keep in mind that a secure, privacy-focused browser is just one of many tools to keep you safe online. Check out the privacy tools page for additional tips and recommendations to restore your privacy.
Hi. Does anybody know how I can force Firefox to respect the proxy settings? This might just be an Android issue but I’m connecting to a socks5 proxy through a vpn and the connection list shows lots of connections bypassing the proxy (Not the vpn tho). They’re all labeled as ipv6 but aren’t actually in ipv6 format. Anything using ipv4 uses the proxy correctly. When I use orfox browser (set to use the same vpn proxy, not tor) everything works perfectly with only proxy connections allowed. So I’m thinking maybe it could be fixed with some preference changes in about:config? Or maybe it’s just an android issue?? Any help appreciated. Thanks
I don’t understand why would you recommend Decentraleyes?
By using this addon basically, you are giving full permission to access all your data:
“The extension can read the content of any web page you visit as well as data you enter into those web pages, such as usernames and passwords.”
You can get more info here:
https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions
Makes no sense.
This could basically apply to most extensions, but it’s blocking CDN scripts, which are even more troubling. The code is also entirely open source: https://git.synz.io/Synzvato/decentraleyes
See also the FAQ here.
Hey Sven… our comments overlapped time wise; but you said it way better and more succinctly than me!
Well George, you also hit the nail on the head: it’s all about trust.
I hear you Zero!
I think you have brought up a real fundamental point which is: Who/what do you trust? What app or add-on do you, and can you, actually trust?
My 1st computer was an iMac with a cathode tube! (Also called a CRT monitor.) Goes to show you how long I’ve been on the Internet.
In my very-non-Geek experience, anything you add to your browser has to access and be allowed to “screw with” – for lack of a better description – your ‘junk’!!! How else could a 3rd party app possibly be of value? I’ve tried out A LOT of add-ons and all of them have to gain access to your stuff. Otherwise, how can they work???
That said, and not to get too wordy, I run with suggestions and recommendations based on Sven’s site and all the brilliant Geeks that know way, way more that me.
So, Zero……….. who or what do you trust?
Cheer, George from Canada
It really and truly, in my books, boils down to who do you trust!
Setting privacy.firstparty.isolate to true breaks Single Sign-On (SSO) for Atlassian JIRA, just a heads up.
On Firefox Quantum v 65.0.2 setting privacy.resistfingerprinting to true causes Amazon Prime Video to report that Firefox needs to be updated to play videos even though the version is the most recent. Really not clear why this would be but I have tried it on two separate PC’s.
Cheers
https://bugzilla.mozilla.org/show_bug.cgi?id=1527747
Hi Sven, In case my question got buried in the 80 comments/replies on this topic, I would like to ask it on its own:
“I have a question regarding the mods you list should be done to the regular FF vs the ‘hardened’ version that you say the Tor network uses. What is the difference in layman’s terms? What have the folks at Tor done to FF that is so different than what you have recommended?”
Hi George, well there are a lot of small changes to make Tor locked down from a privacy and security perspective, while also reducing the browser fingerprint and configuring it to use the Tor network. There are also two add-ons that the Tor browser uses by default: HTTPS Everywhere and NoScript. You can read about more of the changes on the Tor website. See also the last big release with Tor Browser 8.0.
Thanks for your response!
Insightful!
In regard to the browser Firefox and the potential privacy tweaks, I guess you may mention all of those suggestions made by PrivacyTools.io
https://www.privacytools.io/#about_config
Also, there is an additional hardening suggestions by PIA in their blog:
https://www.privateinternetaccess.com/blog/2018/09/firefox-hardening-guide/#section3
I think about the following and it would be good if anybody could explain better some of the security adjustments suggested by PIA. In particular, they proposed to disable:
– the 3DES cipher (aiming to prevent 3DES to be supported – should it mean that Firefox would use a better cipher instead?)
– TLS versions 1.0 and 1.1 (aiming to force Firefox to only use TLS 1.2 and TLS 1.3 – what would happen with sites not supporting the former two versions?)
– Zero Round Trip Time Resumption – 0-RTT (aiming to enhance security and privacy).
I implemented them and later on I decided to run the test you suggested for VPN testing:
https://ipx.ac/run
In the TLS Test section, I usually have all sub-categories listed as Good (green light). This time, after the implementation, the following two sub-categories changed:
*Rating → Improvable
*Session Ticket Support → Improvable
Is it possible for anybody to explain the changes please?
In addition, PIA suggests to disable all disk caching. I did it and I did not notice any difference so far. However, I am curious what is the impact on loading pages, potential 1st party cookies storing, etc. CookieAutoDelete deletes the cookies by default but following the given explanation for disabling all disk caching, should I assume that running a good software for recovering deleted files would be able easily to recover my deleted cookies? Maybe CookieAutoDelete deletes the cookies securely (with at least 3 overwriting), right?
Sven,
Can you help me find in about:config the line and the line code where you force the browser to only load https pages. I had it set up but when I upgraded I lost it.
Thanks,
MH
I’d recommend HTTPS Everywhere for this.
Mozilla is in the news again for another privacy scandal, requiring more “tweaks” to fix: https://venturebeat.com/2018/12/31/mozilla-ad-on-firefoxs-new-tab-page-was-just-another-experiment/
Anyone else getting sick of the BS from Mozilla? I’m done!
Checking out Librefox:
https://github.com/intika/Librefox
Hi Sven, thanks for the article. Is there any evidence that Cloudflare tracks users of website that use it?
I haven’t looked at Cloudflare too much, and I’m not sure about “evidence” of tracking, but it’s a large US company and it’s not the best option for privacy – see this article.
Dear Sven,
Thank you very much for your guide. One question: taking into account your concept of browser compartmentalization, I would like to know what preparend in such way FireFox would be good for? Sites requiring cookies and password, browsing the Internet, or using Facebook and watching YouTube videos? Or something else? I would be grateful for your answer.
Have blocked WebRTC in about:config and also have Ublock Origin blocking WebRTC, and yet amazon is showing ZIP Code and City Name when visiting their page, with no account log-in and even with JS turned off! Also have google blocked in firewall (but google gets in anyway)!
HOW are they finding our location/Zip and how do we stop it?
There are different possibilities, and it also depends on your operating system. If you are using Android, there’s not much you can do about this issue, even when disabling location services.
Thank You very much, Mr. Sven Taylor…
Not so paranoid or stupid at all, those recommendations from your and others’ investigations…
Sincerely and hope of God’s Bless,
Paul Versloot
The Netherlands
Thank you Paul.
Hey Sven-meister!
Maybe a dumb question: Do the settings you recommend have to be ‘reinstalled’ – for lack of better wording – every time FF releases an update? Or, once the settings are modified via about:config, do they hold?
Hi George, the settings should remain after updates.
Should? (Hmmmm…..) Guess I’ll have to “Geek-up” and see for myself!
Appreciate your feedback though! Cheers!
Hi I am really bad with computers and most of what y’all are saying I don’t really understand. I’m just trying to get the best privacy, I did all the suggestions you said Sven, also installed the ublock origin, https, decentraleyes, cookieautodelete and privacy settings. However something breaks my webpages when I try to log in on websites, when it’s supposed to redirect me securely.
Being as bad on computers as I am, I’d really appreciate some help to fix this.
Thanks!
Hi Ben, for a simple privacy-friendly browser that works well without any customization, I’d recommend the Brave browser. Check out the secure browser guide for details. Regarding Firefox and broken websites, there could be many reasons for that. You could try disabling your add-ons and/or adjusting the settings back to see what works. But Brave is a good “out of the box” browser without any customization necessary.
Unfortunately, Sven, I can not agree with you. I think your article can give people a false sense of security, although this is not so.
Panopticlick.eff.org shows that even with the maximum security settings and enabled resistFingerprinting = true, the latest version of Firefox 62 does not protect me from a “Font Fingerprinting” and “Screen Size Fingerprinting”. For example, I see the Firefox protection of a screen size has errors in the implementation, due to which it does not correctly handle the increased scale of the screen (125%), as a result of Panopticlick.eff.org, with the default window size shows:
Screen Size and Color Depth — 1000x798x24 — 13 bit — 1 of 10000
I encourage you to warn people about Firefox problems.
Panopticlick is a test page and must allow javascript for the test to work. That said, your color-depth of 13 Bits really stands out – isn’t that an error?
The EFF test page acts like the sites you trust and you login with no blocks from 3rd party webextensions as NoScript or Ublock, so clearly it gets info from available APIs.
You are right about Firefox having holes used to fingerprint users, but the code of browsers started in an internet ecosystem where tracking and forced ads weren’t really a thing. Also Panopticlick has a flaw on its own: it gives you results on the pool of browsers used on that page (not the whole browsers on the internet).
I still use that test, but on different browsers and I try to get a lower identification threshold.
would like to pimp some of my stuff here, some of which is referred to by the ghacks crew (hi pants!) in their wiki…
Firefox/Mozilla-Based Browser Tech | 12Bytes.org
[http://12bytes.org/tech/firefox]
Hi 12bytes
Excellent pimping. For readers’ info, 12bytes and the ghacks user.js have worked together for years. I recommend his posts, good tutorials on setting up uMatrix, uBlock Origin etc, and of course he uses our js as a starting point 
PS: Sven: loving your articles. Keep up the good fight.
This! Really opened my eyes. Must read.
THX
Dear Mr. Taylor,
Please, using my email, let me know the best configuration for NoScript. Also, I would like to know your opinion about Epic Privacy Browser. With Bitdefender Tune Up facility, I get plenty of privacy issues after having used FF 62. With Epic, a few.
Thanks,
Great article with greatly help, thank you. I prefer to choose Smart HTTPs at present : HTTPS Everywhere is ineffective on some pages…
It goes both ways. Smart HTTPS doesn’t cope with cross-domain requests from insecure sites (or at least it didn’t, you’ll have to find out yourself if that has changed) – see https://github.com/ghacksuserjs/ghacks-user.js/issues/12#issuecomment-315898166 for more info
HTTPS-Everywhere is far more effective (and would cover the majority of top sites) in this regard because they can craft sets of “rules”, where Smart HTTPS doesn’t (or at least didn’t)
I haven’t looked at Smart HTTP for a year or so, but there is nothing “smart” about it. Hammering every single HTTP request as HTTPS is ridiculous – on top of that, it stores persistent local data on sites that can’t handle HTTPS – which breaks local disk avoidance. There’s an option to turn that off I think, and if you do, then you’re back to performance issues with hammering at every HTTP request. If this is not a problem with your threat model, then OK. But it still can’t handle complex rule sets like HTTPS-E, which is superior IMO.
Hi Sven, I followed the instructions for Firefox, but I also had already the extensions Terms of Service, DuckDuckGo and StartPage, I don’t know if they are necessary.
Thanks for this interesting article. I changed the settings as you recommended and added add-ons. Now each time I open firefox, it’s opening in a window that is not full size. Before, it always opened full size as I like it. I have Windows 7 and Firefox 61.0.1. Can you help?
privacy.resistFingerprinting (RFP) deliberately stops FF from opening maximized – because browser inner window resolution leaks have a VERY VERY high entropy (think of all the permutations of width x height, in pixels). RFP will open your browser, and new windows, in 200s (width) x 100s (height). This will change soon, they are moving to 128’s x 100s (don’t ask). And they warn you (or will when bugzillas are done) when entering full screen or going maximized.
I have a very large screen but Firefox opens in 1000×1000 size always. What does it take to force RFP to open Firefox in 200s x 100s ?
@chupa. You can use the following prefs. They are hidden, so you will need to right click > New > Integer in about:config and add them. Examples below
/* 4502: set new window sizes to round to hundreds (FF55+) [SETUP]
 * [NOTE] Width will round down to multiples of 200s and height to 100s, to fit your screen.
 * The override values are a starting point to round from if you want some control
 * [1] https://bugzilla.mozilla.org/1330882
 * [2] https://hardware.metrics.mozilla.com/ ***/
// user_pref("privacy.window.maxInnerWidth", 1600); // (hidden pref)
// user_pref("privacy.window.maxInnerHeight", 900); // (hidden pref)
Hello Sven
I just find it interesting that you call this website “Restore Privacy” and also advertise uBlock Origin, quoting in the article that “It has risen to popularity as a powerful alternative to Adblock Plus, which allows “acceptable ads” that many users disdain.”
And yet, on this page, and other pages on this website, Adblock Plus shows a LOT of whitelisted ads appearing, that ABP have been paid to show, either by your own website or the companies that appear on the various web pages.
I’m surprised, as promoting privacy, that you allow this.
Can you explain please?
Hi Ronnie, I have no idea what you mean by Adblock showing you “whitelisted ads” on RP. There are no ads on this website. I have never used Adblock Plus, so I can’t explain what it’s showing you.
Hi again Sven,
this list might include a few more options for about:config.
Enter “about:config” in the Firefox address bar and press enter.
Press the button “I’ll be careful, I promise!”
Follow the instructions below…
Getting started:
privacy.firstparty.isolate = true
A result of the Tor Uplift effort, this preference isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains. (Don’t do this if you are using the Firefox Addon “Cookie AutoDelete” with Firefox v58 or below.)
privacy.resistFingerprinting = true
A result of the Tor Uplift effort, this preference makes Firefox more resistant to browser fingerprinting.
privacy.trackingprotection.enabled = true
This is Mozilla’s new built-in tracking protection. It uses the Disconnect.me filter list, which is redundant if you are already using uBlock Origin 3rd-party filters, so you should set it to false if you are using the add-on functionalities.
browser.cache.offline.enable = false
Disables offline cache.
browser.safebrowsing.malware.enabled = false
Disable Google Safe Browsing malware checks. Security risk, but privacy improvement.
browser.safebrowsing.phishing.enabled = false
Disable Google Safe Browsing and phishing protection. Security risk, but privacy improvement.
browser.send_pings = false
The attribute would be useful for letting websites track visitors’ clicks.
browser.sessionstore.max_tabs_undo = 0
Even with Firefox set to not remember history, your closed tabs are stored temporarily at Menu -> History -> Recently Closed Tabs.
browser.urlbar.speculativeConnect.enabled = false
Disable preloading of autocomplete URLs. Firefox preloads URLs that autocomplete when a user types into the address bar, which is a concern if URLs are suggested that the user does not want to connect to. Source
dom.battery.enabled = false
Website owners can track the battery status of your device. Source
dom.event.clipboardevents.enabled = false
Prevents websites from getting notifications when you copy, paste, or cut something from a web page, which would also let them know which part of the page had been selected.
geo.enabled = false
Disables geolocation.
media.navigator.enabled = false
Websites can track the microphone and camera status of your device.
network.cookie.cookieBehavior = 1
Disable cookies
0 = Accept all cookies by default
1 = Only accept from the originating site (block third party cookies)
2 = Block all cookies by default
network.cookie.lifetimePolicy = 2
Cookies are deleted at the end of the session.
0 = Accept cookies normally
1 = Prompt for each cookie
2 = Accept for current session only
3 = Accept for N days
network.http.referer.trimmingPolicy = 2
Send only the scheme, host, and port in the Referer header
0 = Send the full URL in the Referer header
1 = Send the URL without its query string in the Referer header
2 = Send only the scheme, host, and port in the Referer header
network.http.referer.XOriginPolicy = 2
Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.) Source
0 = Send Referer in all cases
1 = Send Referer to same eTLD sites
2 = Send Referer only when the full hostnames match
network.http.referer.XOriginTrimmingPolicy = 2
When sending Referer across origins, only send scheme, host, and port in the Referer header of cross-origin requests. Source
0 = Send full url in Referer
1 = Send url without query string in Referer
2 = Only send scheme, host, and port in Referer
webgl.disabled = true
WebGL is a potential security risk. Source
browser.sessionstore.privacy_level = 2
This preference controls when to store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data. more information
0 = Store extra session data for any site. (Default starting with Firefox 4.)
1 = Store extra session data for unencrypted (non-HTTPS) sites only. (Default before Firefox 4.)
2 = Never store extra session data.
network.IDN_show_punycode = true
Not rendering IDNs as their punycode equivalent leaves you open to phishing attacks that can be very difficult to notice. Source
Related Information
ffprofile.com – Helps you to create a Firefox profile with the defaults you like.
mozillazine.org – Security and privacy-related preferences.
user.js Firefox hardening stuff – This is a user.js configuration file for Mozilla Firefox that’s supposed to harden Firefox’s settings and make it more secure.
Privacy Settings – A Firefox addon to alter built-in privacy settings easily with a toolbar panel.
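An added example, not from the article or the commenter above: a small Python script that parses Firefox’s prefs.js/user.js line format (`user_pref("name", value);`, with later lines overriding earlier ones, the way Firefox applies them) and audits a profile against the recommended values in the list above. The sample profile is constructed, the recommended-value table is my reading of that list, and the Safe Browsing prefs are left out because the article keeps them enabled.

```python
import re
from typing import Dict, Optional, Tuple, Union

PrefValue = Union[bool, int, str]

# One line of Firefox's prefs.js / user.js format:
#   user_pref("name", value);  (pref("name", value); also), optional // comment
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*(?://.*)?$'
)

# Recommended values from the about:config list in the comment above; Safe
# Browsing prefs are left out because the article's author keeps them enabled.
RECOMMENDED: Dict[str, PrefValue] = {
    "privacy.firstparty.isolate": True,
    "privacy.resistFingerprinting": True,
    "network.cookie.cookieBehavior": 1,          # block third-party cookies
    "network.cookie.lifetimePolicy": 2,          # session-only cookies
    "network.http.referer.XOriginPolicy": 2,     # Referer only when hosts match
    "network.http.referer.XOriginTrimmingPolicy": 2,  # scheme/host/port only
    "browser.sessionstore.privacy_level": 2,     # never store form/POST data
    "network.IDN_show_punycode": True,           # show homograph domains as punycode
}

def parse_pref_value(raw: str) -> PrefValue:
    """Convert the JS literal (true/false, integer, "string") to a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return int(raw)

def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user.js/prefs.js text; as in Firefox, a later line for the same pref wins."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blanks, // comments (commented-out prefs too) and /* */ block comments.
        if not stripped or stripped.startswith(("//", "/*", "*")):
            continue
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = parse_pref_value(match.group(2))
    return prefs

def audit(prefs: Dict[str, PrefValue],
          recommended: Dict[str, PrefValue] = RECOMMENDED
          ) -> Dict[str, Tuple[Optional[PrefValue], PrefValue]]:
    """Return {pref: (found_or_None, recommended)} for each deviation.
    An absent pref is reported as None: Firefox then uses its built-in default."""
    return {name: (prefs.get(name), want)
            for name, want in recommended.items()
            if prefs.get(name) != want}

# Constructed sample profile (not a real user.js): a comment block, a
# commented-out hidden pref, a string pref, one weak value and one override.
SAMPLE_USER_JS = """\
/* 4502: window size rounding (block comment, ignored by the parser)
 * [NOTE] width rounds to 200s, height to 100s ***/
// user_pref("privacy.window.maxInnerWidth", 1600); // commented out: not applied
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.resistFingerprinting", true);
user_pref("network.cookie.cookieBehavior", 0);               // weak: accepts 3rd-party cookies
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.referer.XOriginTrimmingPolicy", 1);  // still sends the path cross-origin
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("network.IDN_show_punycode", true);
user_pref("browser.startup.homepage", "about:blank");        // string-valued pref
user_pref("network.cookie.cookieBehavior", 1);               // later line overrides the 0 above
"""

if __name__ == "__main__":
    print(audit(parse_prefs(SAMPLE_USER_JS)))
```

Run against a real profile by reading its user.js (or prefs.js) into `parse_prefs`; a pref reported as `None` has simply never been set and is running on Firefox's default.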
Hi Sven, keep up the good work opening users’ eyes to privacy and security issues!
Here are just a few related interesting ‘items’ I have picked up on my path there.
AlgoVPN
https://github.com/trailofbits/algo/blob/master/README.md
Most VPN Services are Terrible
https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa
Onion Share for tor:
https://onionshare.org/
https://github.com/micahflee/onionshare/wiki
Onion Chat for Tor:
https://chatrapi7fkbzczr.onion
Tor-based messaging service called Briar:
https://darkwebnews.com/anonymity-tools/tor/briar-officially-released/
Bitmessage is also a decentralized P2P communication service where the government can’t pry its fingers into your messages. Unlike Briar, Bitmessage is available for download on Windows, OS X, and Linux.
https://bitmessage.org/wiki/Main_Page
https://bitmessage.org/bitmessage.pdf
https://pay.reddit.com/r/bitmessage/
https://bitmessage.org/forum/
Use Temporary Email Addresses
10minutemail.com
Check Your Data Breach Status
haveibeenpwned.com
Mail-in-a-Box
Take back control of your email with this easy-to-deploy mail server in a box
Mail-in-a-Box lets you become your own mail service provider in a few easy steps. It’s sort of like making your own gmail, but one you control from top to bottom.
Technically, Mail-in-a-Box turns a fresh cloud computer into a working mail server. But you don’t need to be a technology expert to set it up.
https://mailinabox.email/
Good tips, thanks.
Hi. How about Hotspot Shield? Avira VPN? Both being assumed paid versions.
I am not computer savvy so I would like you to guide me about Algo. Is it the best you have come across? I use Windows 7 Home Edition (paid).
Thanks,
Thanks for the great article!
I have a question, I am running the latest version of Firefox and I like to use the container tabs extension. I also have the privacy.firstparty.isolate setting enabled. Does this do the same thing as the container tabs extension? Could I remove container tabs and still have the same protection?
Hi Kayla, check out this thread on GitHub for a detailed discussion explaining FPI vs containers:
“FPI (First Party Isolation) already isolates all data by 1st party, the same as if every unique domain had its own temporary container”
“While it is correct that FPI essentially gets its own container, it should be noted that the container is not temporary. FPI data will remain on disk and is accessible from the First Party until cleared. Since Firefox currently lacks the APIs to clear all data on per-domain basis, it is not possible to make FPI temporary without clearing all browser data.”
Sven, after following your setup on my Mac, I got the thought, “does bookmarking sites affect privacy?” I hope this isn’t a dumb question (novice).
Hi Jack, it depends on the browser. Since you’re using Mac OS, Safari will store all bookmarks under your profile and even sync your browsing history across connected devices. With Firefox, I do not think your bookmarks are accessible remotely, hence not affecting privacy.
Thanks Sven! I will check it out…
You should add the addon “chameleon”; it helps you resist fingerprinting by using a random profile for the user agent. Interesting addon.
Hi Sven Taylor,
about WebGL, you have forgotten:
about:config
webgl.enable-webgl2 -> must be false
I believe when you have webgl.disabled = true then you do not need to do anything else as WebGL is completely disabled.
First, I really appreciate the research and education that you provide.
I’m using iOS. Firefox is limited in what you can add. Any suggestions?
What is your take on “Brave Browser” for iOS?
Unfortunately Perfect Privacy is no longer an option. Track Stop doesn’t let me update my quicken and blocks my “Chess with Friends”. The VPN blocks my MLB TV
Hey Jack, check out Firefox Focus, which is a private browser for iOS.
Hi – I’m using the latest Firefox version on win7 and followed the about:config recommendations. Would any of them break flash? I can’t use a streaming site that depends on Flash. I do not get the “Activate Adobe Flash” prompts any longer. I have Flash 30.0 addon installed with ‘Ask to Activate’ set.
Hi Kenny, these articles may help:
https://www.ghacks.net/2014/12/21/how-to-disable-flash-player-protected-mode-in-firefox/
https://support.mozilla.org/en-US/kb/set-adobe-flash-click-play-firefox
What do you think about AdNauseam as an adblocker? It’s based on uBlock Origin, but clicks on everything in the background to disrupt tracking profiles.
Hi PB, I like the concept of AdNauseam, but I’ve heard that it can really slow down performance.
Thank you for the informative tips.
What is the consensus about Google Analytics opt-out browser add-on?
uBlock Origin will block Google Analytics by default.
Not picking… but that’s not the case. It will only block Google analytics domains if one of the blocking lists it can use actually contains those domains. (Meaning: disable all 3rd party lists and you just have a DIY content blocker which doesn’t block anything by default.)
I see your point, but when installing uBlock Origin, the default privacy list filters (which include Google analytics domains) should be enabled – i.e. the EasyPrivacy filter list.
Nice article. But, check the phrase “goog” under “about:config”
You may see that Google is tracking the heck out of users under the hood for a donation annually to the Firefox foundation of many millions of buckaroos???
What are the proper settings, aside from wiping out all the relevant keys? We need a summit on how Firefox may be getting paid off to allow Google to track you under the hood.
Well, many of these google about:config settings pertain to the “safe browsing” issue discussed above – but there are others as well.
You are definitely correct about the financial ties between Firefox and Google. It does raise concerns.
What about disabling referrals? Depending on how many links are clicked, they could leave a nice trail of bread crumbs. Some say they may break a couple of sites, but so does disabling cookies and java. Settings below.
network.http.sendRefererHeader
The following values are accepted:
0 – Disable referrer.
1 – Send the Referer header when clicking on a link, and set document.referrer for the following page.
2 – Send the Referer header when clicking on a link or loading an image (default).
Seems like a lot of work to get the same thing Brave achieves. Never been a fan of a bunch of addons either. Opinions?
Hi Ron, one drawback with Brave is that it remains vulnerable to the WebRTC issue, being a Chromium-based browser. Unlike with Firefox, you can’t disable WebRTC completely, but instead block it – but that may or may not work in all situations.
Sven, I know that’s it’s covered above but could you please make it clear if you can – is it safe to use Safe Browsing or is our privacy being violated? Is anything going to Google and if so what? Is our system details and IP addresses going to them or not?
Should we use Safe Browsing or disable it?
Maybe Ms McIntyre above, an advocate on privacy matters, can inform us too whether or not to enable or disable Safe Browsing in Firefox?
Many thanks.
Hi John, I just clarified the issue a bit more in the article. Basically these concerns about the Safe Browsing feature are based on an older version, which would send URLs to Google (see here). But this version was discontinued in 2011. With the current version, raw URLs are NOT sent to Google and also Firefox implements a number of privacy protections. Therefore I would not recommend disabling it because there is no real benefit to privacy and it would also be a security risk.
Great advice! In trying to sort out what’s best re browsers, I’ve downloaded pretty much any and all for a Mac. (Even tried Opera Neon… made my eyes water and pop at the same time… deleted after 5 min. Too much ‘bling’ for my taste.) Settled in on FF Quantum.
Question I have: What’s your take on FF’s Multi-Account Containers? The principle seems banner. Does it do as advertised, or is it smoke’n’mirrors? Any feedback from you and/or your community would be welcomed!
Hi George, the containers feature is definitely a good option to isolate cookies from different websites. That being said, there is probably not much need for containers if you are already using First Party Isolation, as described above.
Have implemented the suggested privacy settings to the letter. But I’m wondering: Is redundancy a functionally neutral thing = potential duplicate functions but no down-side, or a liability? Hope the question makes sense. Cheers!
Well, more browser add-ons and modifications (redundancy) may affect browser fingerprinting, and perhaps performance, but you can test and modify your setup until it works best.
Hi Sven,
Great article, especially for the configuration in About:Config.
I have some considerations about using Firefox and would like to know your opinions. Firefox faced backlash for auto-installing the ‘Mr. Robot’ add-on in Dec 2017, sources:
Engadget: https://www.engadget.com/2017/12/16/firefox-mr-robot-extension/
The Verge: https://www.theverge.com/2017/12/16/16784628/mozilla-mr-robot-arg-plugin-firefox-looking-glass
After that, I’ve turned to Vivaldi which is based on Chromium instead of just using Chrome. What do you think about that?
Hi Mr. Robot – yes, this issue was one of the studies, which I referenced in the guide. I believe that disabling WebRTC is still not possible with Chromium browsers. You can block WebRTC with certain add-ons, but this may not work in all cases. Disabling is the best option, hence my recommendation for Firefox. Other than that issue, I have not tested or used Vivaldi.
Thanks for your reply. I had been using Firefox since its early age, Firefox 2.X. The auto-installing issue really made me frustrated about Firefox and Mozilla. At the moment I’ll stay on Vivaldi.
Telemetry and user studies are two separate things — look at your own screenshot on this page!
Indeed! Comment updated
Hello Sven, great post.
Regarding the add-ons you recommend for Firefox, I would either replace Decentraleyes with Privacy Badger, or remove Decentraleyes, leaving uBlock with HTTPS Everywhere.
The reason for that is that if you enable Advanced user in uBlock, you can block 3rd party scripts and cookies, and Decentraleyes basically does nothing.
You can easily check it by enabling those settings and then go to Decentraleyes test utility page, which will be always telling you that the add-on is not working as intended.
PS: the funny thing is that I’m using Firefox 59, but it’s detected everywhere as Firefox 52 =)
Hi Josh, thanks for the feedback.
Excellent guide Sven. You’re a saint & a scholar for the hard work you do.
A comment on uBlock Origin:
Something that might interest people… If you disable “cosmetic filtering” & “remote fonts”, pages will load faster. On some pages you can block “large media elements”, but some pages won’t work properly; it’s good for use on 3/4G networks.
It is without a doubt the best add-on for Firefox.
Ones that might interest people:
-Duckduckgo Privacy Essentials:
It picks up some tracking that uBlock misses & gives Privacy grades to sites.
-Popup blocker for FireFox: Poper Blocker
Excellent pop-up blocker, the best by a country mile.
-Canvas Defender:
I can’t say for sure how good it is or isn’t, but it prompts when a site is trying to read browser fingerprint, maybe it’s useless, maybe it isn’t, I can’t find any solid information out there.
Sidenote: I’ve tried the Tor Setup from the previous article to prevent browser fingerprinting & it drove me mad lol
Hi Richard, thanks for the feedback. I’ll check out some of these other options.
The link to the “user.js Firefox hardening” from gHacks is incorrect. It links to “pyllyukko’s” user.js file (which has not changed much in the last few years). The ghacks user.js is located at https://github.com/ghacksuserjs/ghacks-user.js (PS: it is not created by the guys from ghacks, it just has that name because that’s where it was first published and we kept the name), should you wish to list them both.
The ghacks user.js is right up to date and we document and react to every single change for each Firefox release. It includes a far more comprehensive listing of privacy-security-fingerprinting-etc prefs, and tries to explain some of them in an easier to understand fashion. It also includes a deprecated section, and other features/sections (such as what to not change in order to not screw with privacy.resistFingerprinting). Everything is in nice logical sections and numbered. Lots of technical links etc. And you can even flip some sections on/off with a single character change (eg the deprecated ESR52.x prefs).
Your two sections on Safe Browsing are incorrect or misleading. From the user.js itself:
This sub-section has been redesigned to differentiate between “real-time”/”user initiated” data being sent to Google from all other settings such as using local blocklists/whitelists and updating those lists. There are NO privacy issues here. *IF* required, a full url is never sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real PART-hashes. Google also swear it is anonymized and only used to flag malicious sites/activity. Firefox also takes measures such as stripping out identifying parameters and storing safe browsing cookies in a separate jar. (#Turn on browser.safebrowsing.debug to monitor this activity) #Required reading [#] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
That required reading article is from François Marier, a Mozilla security engineer, who actually works in this exact area. He is also a valued contributor to both user.js projects
Disabling geo is not strictly necessary, as the default for geo requests is to ask (and the default value is behind a pref as well). Geo permissions are site permissions and can be controlled by site exceptions, which allows a user more flexibility. Note: geo is currently blocked by privacy.resistFingerprinting, but that will be removed.
“If you are using the add-on “Cookie AutoDelete” then this is not necessary” – FPI (first party isolation) does far more than isolate persistent storage, it also covers OCSP, shared workers, SSL sessions, media cache, HSTS and HPKP, HTTP Alt Services, HTTP2, DNS cache, blob:URIs, data: urls, and about: urls (and more to come such as visited sites and windows.name)
If you wish to follow RFP and FPI changes then look at these two “sticky” issues:
– https://github.com/ghacksuserjs/ghacks-user.js/issues/7
– https://github.com/ghacksuserjs/ghacks-user.js/issues/8 (although FPI is pretty much done)
There’s also some handy “stuff” in the Wiki section, such as user scripts, rules/filters for uBO and uMatrix. You can even block ETAGs (all the time permanently, this *may* raise your fingerprint, but the key to most fingerprinting is to block all JS by default, and besides, almost every browser is in a very small subset anyway).
I have other comments I’d like to make (such as couple of those extensions), but this is getting lengthy. Might drop back later
Thanks for the articles
Hi ghacks user.js, thanks for the great feedback and also your work with Firefox!
I have now fixed the link and modified the description. I will also dig deeper into the Google “safe browsing” issue later this weekend and update the guide as necessary. If you have any more feedback feel free to contact me directly via the contact page, or just comment on the post.
Update: After looking into the safe browsing topic more, I must concur with your assessment that it is not a privacy issue. I’ve updated the guide accordingly.
Hello Sven, as Liz said above – brilliant guide and one (and the website!) worth sharing around. However, regarding Ublock Origin – great extension, agreed, but after testing it many times it doesn’t seem to be catching as many things as the old Adblock Plus (2.9.1 – the new version, 3.*, is equally as bad as Ublock Origin).
Some things, especially from the EasyPrivacy list, were getting through and only for the likes of Ghostery could have ended up tracking. Also, Adblock Plus 2.9.1 was blocking say 15 items, but Ublock Origin was only blocking 6 items with the same filters (and sometimes all the filters selected) installed.
When Ublock Origin was installed, with the same (or all) filter lists selected as Adblock Plus 2.9.1, the blocking lists in Ghostery and Privacy Badger increased dramatically, like more items were not being picked up.
I’m not saying that Ublock Origin is a bad extension, definitely not (like I said, the new Adblock Plus 3.* is just as bad), but it may be worth installing Adblock Plus 2.9.1 and de-selecting “Allow Acceptable Ads” for more effectiveness.
Hi Tom, thanks for the feedback. I did not know you can disable the “allow acceptable ads” option.
Great guide, Sven! I’ll be sharing this. Thanks, too, for recommending Startpage.com for search privacy.
Hi Liz, thanks – Startpage is a great resource.