Chris Xiao

Aspiring Software Engineer

Chris Xiao

Aspiring Software Engineer

Yet Another Firefox Hardening Guide

My guide to improving security and privacy in Firefox without sacrificing convenience.

Last updated on Nov 25, 2021

Privacy Software
title

Table of Contents

Why not Google Chrome?

Statistics clearly show that Google Chrome is the most popular browser, and it’s extremely fast and secure. However, Google collects a large amount of data and wants to know everything about you, which is why they’re dominating online advertising.

Chrome is also not completely open source. Even though Chrome is based on the Chromium open-source project, Google Chrome comes with proprietary components, such as the Chrome Cleanup Tool on Windows and the built-in updater.

Why hardening Firefox?

Even though Firefox is much better for your privacy than Google Chrome, it’s not great out-of-the-box. By default, Firefox collects data via telemetry and crash reporting, and many privacy-enhancing features aren’t enabled. By hardening Firefox, telemetry and crash reporting can be disabled, and online tracking can be mostly prevented. This way, there is much less chance for most websites to track you.

Before you start

  • This guide is written for the latest version of Firefox. It has been tested on Firefox version 78 and later.
  • Update Firefox to the lastet stable version before you start. If you’re using Firefox ESR, update Firefox to the latest ESR release.
  • If you see an option that doesn’t exist in your version of Firefox, just ignore it.

Change Firefox Preferences

To open the Firefox Preferences menu, open menu (top-right of browser window) and click “Preferences.” Alternatively, enter about:preferences into the address bar and hit enter.

Remove Pocket from your home page

Under Home > Firefox Home Content, UNCHECK Recommended by Pocket

Change your default search engine

I recommend DuckDuckGo as an alternative to Google, as it respects your privacy and doesn’t track you.

If you’d like to use DuckDuckGo as your primary search engine, simply go to Search > Default search engine and change it to DuckDuckGo.

Enable Tracking Protection

Under Privacy & Security > Enhanced Tracking Protection, select Custom. CHECK all options and select All third-party cookies under Cookies. This may cause a small number of websites to break, but it’s worth it for security and privacy.

If you encounter a website that doesn’t function without third-party cookies (such as Microsoft Teams and Pearson MyLab), you may temporarily disable Firefox’s Tracking Protection for that website. To do this, click on the Shield icon on the left of the address bar, and toggle off Enhanced Tracking Protection for this site.

Disable Password Saving

On the same page, under Logins and Passwords, UNCHECK Ask to save logins and passwords for websites. It’s usually not a good idea to save passwords in your browser. You should use a password manager instead. For most people, I recommend Bitwarden.

Decline location access

On the same page, in Location Settings…, CHECK Block new requests asking to access your location. This denies geolocation permission prompts by default, but the geolocation capability is retained.

Disallow notifications

On the same page, in Notification Settings…, CHECK Block new requests asking to allow notifications. This denies notification permission prompts by default, but the web notification capability is retained.

Disallow autoplay

On the same page, in Autoplay Settings…, set “Default for all websites” to Block Audio and Video for. This prevents audio/video from automatically playing.

Disable telemetry and error reporting

On the same page, UNCHECK EVERYTHING under Firefox Data Collection and Use.

Enable HTTPS-Only Mode

On the same page, under HTTPS-Only Mode, select Enable HTTPS-Only Mode in all windows.

HTTPS provides encrypted communication between your browser and websites, and you should always use HTTPS when available. With HTTPS-Only Mode enabled, Firefox will upgrade all connections to HTTPS, and you’ll see a warning when a website doesn’t support HTTPS.

Dive into advanced settings

To access these advanced settings, enter about:config into the address bar and hit enter. When you see a warning screen, click I accept the risk to continue.

All configuration items are in alphabetical order, and easily searchable using the search bar on the top of the page. In this section, configuration items are highlighted, and their values are in bold.

Double-click on a configuration item to modify it. If the item is a boolean, double-clicking it will change it from true to false, or vice versa. If the item is an integer or a string, double-clicking it will open a pop-up box to edit the value.

Note: Many options below should have no impact on Firefox’s usability and are recommended for everyone. However, some will break certain functionalities that users depend on.

Each option below is marked with a Level (L1/L2/L3), where L1 items are recommended for everyone, L2 items may cause minor inconveniences, L3 items are intended for advanced users. If you tweak L2/L3 items, I recommend installing the Privacy Settings extension, which allow you to temporarily change certain settings that prevent websites from functioning properly.

Disable telemetry [L1]

Making these changes disables Firefox telemetry:

  • Change browser.newtabpage.activity-stream.feeds.telemetry to false
  • Change browser.ping-centre.telemetry to false
  • Change browser.tabs.crashReporting.sendReport to false
  • Change devtools.onboarding.telemetry.logged to false
  • Change toolkit.telemetry.enabled to false
  • Delete the URL for toolkit.telemetry.server, and leave it empty
  • Change toolkit.telemetry.unified to false

Disable Pocket [L1]

If you don’t use Pocket, or you don’t want Firefox’s Pocket integration, make the following changes:

  • Change browser.newtabpage.activity-stream.feeds.discoverystreamfeed to false
  • Change browser.newtabpage.activity-stream.feeds.section.topstories to false
  • Change browser.newtabpage.activity-stream.section.highlights.includePocket to false
  • Change browser.newtabpage.activity-stream.showSponsored to false
  • Change extensions.pocket.enabled to false

Disable prefetching [L1]

Even though prefetching may speed things up a bit, it may connect to servers without user intervention (which can be a privacy issue) and its performance benefits are minimal. Making these changes will disable prefetching:

  • Change network.dns.disablePrefetch to true
  • Change network.prefetch-next to false

Disable JavaScript in PDF [L1]

Firefox 88 introduced the ability to execute JavaScript in PDF documents. While there are legitimate uses for JavaScript in PDF (such as form validation), such uses are not very common. In addition, it could be used for malicious purposes, so it’s generally a good idea to disable this feature.

To disable JavaScript support in PDF documents, change pdfjs.enableScripting to false.

Harden SSL preferences [L1]

Making these changes will disable insecure SSL ciphers and force safe negotiation:

  • Change security.ssl3.rsa_des_ede3_sha to false
  • Change security.ssl.require_safe_negotiation to true

Note:
If you can’t find security.ssl3.rsa_des_ede3_sha, please ignore it. This option do not exist in the latest versions of Firefox, as support for these insecure ciphers has been removed.
A small number of sites (ones with legacy and potentially less secure SSL/TLS configurations) might no longer work after changing this option. If you find this to be an issue, leave security.ssl.require_safe_negotiation as default (false) and set security.ssl.treat_unsafe_negotiation_as_broken to true.

Disable Firefox account features [L1]

If you don’t want to sync your browser data with a Firefox account, you can simply use Firefox without signing in.

For those who want to completely disable this feature, change identity.fxaccounts.enabled to false.

Disable geolocation support [L2]

This prevents websites from accessing your location information. Change geo.enabled to false.

If you do not want to disable geolocation capabilities altogether, you may skip this step.

Disable notification support [L2]

Web notifications are often not useful and many find it annoying. To disable it completely, change dom.webnotifications.enabled to false.

If you do not want to disable notifications capabilities altogether, you may skip this step.

Disable WebRTC [L2]

WebRTC can potentially expose your real IP address, changing the following disables it:

  • Change media.peerconnection.enabled to false
  • Change media.navigator.enabled to false

Note: This will break any site that uses real-time audio/video communication, which includes almost all real-time chat and conferencing apps.

Disable WebGL [L2]

WebGL is used for some graphical web apps and online games, but it’s also a security risk and can potentially be used for fingerprinting. Disable it by changing webgl.disabled to true.

Note: This will break any site that uses WebGL for graphics, which includes most modern online games and complex graphical sites.

Resist browser fingerprinting [L3]

This feature can decrease advertisers’ and online trackers’ ability to identify you. Change privacy.resistFingerprinting to true.

Note: Based on my experience, enabling this can lead to noticeable performance and stability impacts. Please proceed with caution.

Disable referrer headers [L3]

Referrers tell websites how you came to their sites, which can be used to track you. To prevent referrer headers from being sent, change network.http.sendRefererHeader to 0.

Note: Many websites, especially ones with forms and logins, depend on referrers for security and spam protection. If you don’t send the referrer header, these sites will break.

Websites often store a small amount of information, called “cookies,” to store information (such as remembering login status and preferences) and track you.

Isolating cookies cookies and other stored information to the first party domain prevents cross-site tracking. To enable this feature, change privacy.firstparty.isolate to true.

Note: Firefox 86 introduced Total Cookie Protection, which stores each website’s cookies in their own “cookie jar.” This may conflict with privacy.firstparty.isolate.

If you don’t want websites to store any cookies at all, change network.cookie.lifetimePolicy to 2. Firefox will automatically delete cookies at the end of browsing sessions.

Note: Doing this will sign you out of many websites when you close Firefox, and websites will not be able to store any data on your device.

Install some add-ons

Must-haves

These add-ons require minimal configuration and can dramatically improve the security and privacy in Firefox. I recommend everyone install these extensions.

uBlock Origin

The most powerful open-source ad blocker, period. It can block ads, trackers, malwares, annoyances, and more. It also significantly improves page load speed.

If you want to customize it, please refer to the official wiki.

Decentraleyes

Decentraleyes prevents you against tracking though “free” CDN providers by serving common static files (such as the ones from Google Hosted Libraries) from your local device.

After you install it, you can just forget about it.

A password manager

If you already have a password manager, just install the add-on for it.

If you don’t use a password manager, you really should consider using one. I recommend Bitwarden, which is 100% open source and very easy to use.

These add-ons are recommended for most users, but they require some configuration and maintenance.

This extension automatically deletes cookies and site data from closed tabs, which prevents most websites from tracking you with cookies. If you set Firefox to delete all cookies and site data on exit, you might not need this.

After installing, open its settings page from its toolbar icon. Once you’re in there, check the box for Enable Automatic Cleaning and Enable Cleanup on Domain Change. Then, go to List of Expressions, and whitelist all websites that you wish to keep cookies for, including websites you want to stay logged in to and save preferences. In most cases, whitelisting the websites’ domain (without www) will do, but some websites have cookies associated with multiple domains, including:

  • Microsoft: whitelist login.live.com for personal accounts; whitelist login.microsoftonline.com for work/school accounts
  • Google: whitelist google.com and accounts.google.com
  • ProtonMail: whitelist *.protonmail.com and check “Keep LocalStorage”
  • Tutanota: whitelist mail.tutanota.com and check “Keep LocalStorage”

Privacy Settings

Privacy Settings creates a toolbar panel to alter Firefox’s built-in privacy settings. Sometimes, you may have to disable some privacy protection for websites to function properly. When you finish using those websites, re-enable the privacy settings you just disabled for maximum privacy protection.

After installing, don’t change any settings with it yet. Here are a few cases you might want to change your privacy settings:

  • Enable network.peerConnectionEnabled to use real-time audio/video communication (Zoom, WebEx, Discord, etc.).
  • Many web forms will not work when the browser isn’t sending referrers. Enable websites.referrersEnabled temporarily to send referrers.

Changelog

  • (11/10/2019) Added more settings and updated options for Firefox 70.
  • (1/1/2020) Startpage is no longer recommended.
  • (1/1/2020) Changed media.autoplay.default to block autoplay for audio and video.
  • (5/16/2020) Clarify instructions under Before you start
  • (5/16/2020) Fixed broken link under uBlock Origin
  • (5/16/2020) Added whitelisting instruction for Microsoft work/school accounts
  • (12/23/2020) Refine wording throughout the article, and add information about third-party cookies.
  • (12/23/2020) Added whitelisting instruction for ProtonMail and Tutanota
  • (12/23/2020) Removed recommendation for HTTPS Everywhere, as Firefox 83 and later has HTTPS-Only Mode.
  • (3/29/2021) Added info on permission settings.
  • (3/29/2021) Added level ratings and clarifications for several about:config options.
  • (5/5/2021) Added guide to disable JavaScript support in PDF (for Firefox 88 and later).
  • (10/19/2021) Added clarifications about SSL settings in about:config.
  • (11/25/2021) Added additional about:config flags that disable connection to Pocket.

CC BY-SA 4.0

This article is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.