Chris Xiao

Aspiring Software Engineer

Yet Another Firefox Hardening Guide

My guide to improving security and privacy in Firefox without sacrificing convenience.

privacy security software 
Last updated on May 16, 2020

Why not Google Chrome?

Many statistics show that Google Chrome is the most popular browser, and it’s extremely fast and secure. However, Google wants to collect data and know everything about you, which is why they’re dominating online advertising. Chrome is also not completely open source: although it is based on the open-source Chromium project, Google Chrome ships with many proprietary components.

Why harden Firefox?

By default, Firefox collects data via telemetry and crash reporting and doesn’t protect your privacy very well. By hardening Firefox, you can disable telemetry and crash reporting and block most tracking on websites, giving those websites little chance to track you.


Before you start

  • This guide is written for Firefox version 65 or newer.
  • Update Firefox to the latest stable version before you start. If you're using Firefox ESR, update Firefox to the latest minor release.
  • If you see an option that doesn't exist in your version of Firefox, just ignore it.

Let's start in the Options menu

Remove Pocket from your home page

Under Home > Firefox Home Content, UNCHECK Recommended by Pocket

Change your default search engine

I recommend DuckDuckGo as an alternative to Google, as it respects your privacy and doesn't track you.

If you'd like to use DuckDuckGo as your primary search engine, simply go to Search > Default search engine and change it to DuckDuckGo.

Enable Tracking Protection

Under Privacy & Security > Content Blocking, select Custom. CHECK all options and select All third-party cookies under Cookies. This may cause a very small number of websites to break, but it's worth it for security and privacy.

On the same page, under Login & Security, UNCHECK Ask to save logins and passwords for websites. It's usually not a good idea to save passwords in your browser. Use a password manager instead (I recommend Bitwarden).

Disable telemetry and error reporting

On the same page, UNCHECK EVERYTHING under Firefox Data Collection and Use.


Dive into advanced settings

To access these advanced settings, enter about:config into the URL bar and hit enter. When you see a warning screen, just click I accept the risk to continue.

All configuration items are in alphabetical order, and easily searchable using the search bar on the top of the page. In this section, configuration items are highlighted, and their values are in bold.

Double-click on a configuration item to modify it. If the item is a boolean, double-clicking it will change it from true to false, or vice versa. If the item is an integer or a string, double-clicking it will open a pop-up box to edit the value.

Disable telemetry

Making these changes disables Firefox telemetry:

  • Change browser.newtabpage.activity-stream.feeds.telemetry to false
  • Change browser.ping-centre.telemetry to false
  • Change browser.tabs.crashReporting.sendReport to false
  • Change devtools.onboarding.telemetry.logged to false
  • Change toolkit.telemetry.enabled to false
  • Delete the URL for toolkit.telemetry.server, and leave it empty
  • Change toolkit.telemetry.unified to false

Disable Pocket

If you don't use Pocket, or you don't want Firefox's Pocket integration, make the following changes:

  • Change browser.newtabpage.activity-stream.section.highlights.includePocket to false
  • Change extensions.pocket.enabled to false

Block autoplay

To stop audio and video from playing automatically, make the following changes:

  • Change media.autoplay.allow-muted to false
  • Change media.autoplay.default to 5

Disable WebRTC

WebRTC can potentially expose your real IP address. Making the following changes disables it:

  • Change media.peerconnection.enabled to false
  • Change media.navigator.enabled to false

Disable geolocation support

This prevents websites from accessing your location information. Change geo.enabled to false.

Disable notification support

Web notifications are rarely useful and many find them annoying. To disable them completely, change dom.webnotifications.enabled to false.

Disable WebGL

WebGL is used for some online games, but it's also a security risk and can potentially be used for fingerprinting. Disable it by changing webgl.disabled to true.

Disable prefetching

Even though prefetching may speed things up a bit, it may connect to servers without user intervention (which can be a privacy issue) and its performance benefits are minimal. Making these changes will disable prefetching:

  • Change network.dns.disablePrefetch to true
  • Change network.prefetch-next to false

Resist browser fingerprinting

This feature can decrease advertisers' and online trackers' ability to identify you. Change privacy.resistFingerprinting to true.

Disable referrer headers

Referrers tell websites how you came to their sites, which can be used to track you. To prevent referrer headers from being sent, change network.http.sendRefererHeader to 0.

Harden SSL preferences

Making these changes will disable insecure SSL ciphers and force safe negotiation:

  • Change security.ssl3.rsa_des_ede3_sha to false
  • Change security.ssl.require_safe_negotiation to true

Disable Firefox account features

For your privacy, you shouldn't sync your browser data with a Firefox account. You can simply use Firefox without signing in, but if you want to completely disable this feature, change identity.fxaccounts.enabled to false.

Websites often store small pieces of information, called cookies, to remember things such as login status and preferences, and to track you.

Isolating cookies and other stored information to the first-party domain prevents cross-site tracking. To enable this feature, change privacy.firstparty.isolate to true.

If you don't want websites to keep cookies beyond the current session, change network.cookie.lifetimePolicy to 2. Firefox will automatically delete cookies at the end of each browsing session.
WARNING: Doing this will sign you out of many websites when you close Firefox.
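
To check which of the changes above a profile actually carries, the sketch below (an added example, not part of the original guide) parses the text of a profile's prefs.js, where Firefox records preferences changed from their defaults, and compares it with the values listed in this section. The function names and the sample input are constructed for illustration; the Pocket, Firefox account and cookie-lifetime entries are the ones the guide presents as optional.

```python
import json
import re

# Target values from this guide's about:config section, grouped by value.
HARDENED = dict.fromkeys("""
browser.newtabpage.activity-stream.feeds.telemetry browser.ping-centre.telemetry
browser.tabs.crashReporting.sendReport devtools.onboarding.telemetry.logged
browser.newtabpage.activity-stream.section.highlights.includePocket geo.enabled
toolkit.telemetry.enabled toolkit.telemetry.unified extensions.pocket.enabled
media.autoplay.allow-muted media.peerconnection.enabled media.navigator.enabled
dom.webnotifications.enabled network.prefetch-next security.ssl3.rsa_des_ede3_sha
identity.fxaccounts.enabled""".split(), False)
HARDENED.update(dict.fromkeys("""
webgl.disabled network.dns.disablePrefetch privacy.resistFingerprinting
security.ssl.require_safe_negotiation privacy.firstparty.isolate""".split(), True))
HARDENED.update({"toolkit.telemetry.server": "", "media.autoplay.default": 5,
                 "network.http.sendRefererHeader": 0, "network.cookie.lifetimePolicy": 2})

# One pref per line: user_pref("name", value); comment lines do not match.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$', re.M)

def parse_prefs(text):
    """Return {name: value} for each user_pref(...) line of prefs.js or user.js text."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep the raw text when the value is not JSON-like
    return prefs

def audit(text):
    """Map each hardened pref to 'ok', 'differs' or 'unset' (build default applies)."""
    actual, report = parse_prefs(text), {}
    for name, want in HARDENED.items():
        got = actual.get(name)
        same = type(got) is type(want) and got == want  # strict: false must not pass as 0
        report[name] = "unset" if name not in actual else "ok" if same else "differs"
    return report

# Constructed sample input, not taken from a real profile.
SAMPLE = """user_pref("geo.enabled", false);
user_pref("media.autoplay.default", 0);
user_pref("toolkit.telemetry.server", "");
user_pref("network.http.sendRefererHeader", false);"""

if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE).items()):
        print(f"{state:8}{name}")
```

A result of unset means the preference has no line in prefs.js, so the default of the installed Firefox version applies.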


Install some add-ons

Must-haves

These add-ons require minimal configuration and can dramatically improve the security and privacy in Firefox. I recommend everyone install these extensions.

uBlock Origin

The most powerful open-source adblocker, period. It can block ads, trackers, malware, annoyances, and more. It also significantly improves page load speed.

If you want to customize it, please refer to the official wiki.

HTTPS Everywhere

HTTPS Everywhere redirects insecure connections to their secure versions. It's created by the Electronic Frontier Foundation (EFF), a major player that fights for digital rights and privacy.

Once you install it, you can just forget about it.

Decentraleyes

Decentraleyes protects you against tracking through "free" CDN providers by serving common static files (such as the ones from Google Hosted Libraries) from your local device.

After you install it, you can just forget about it.

Privacy Settings

Privacy Settings creates a toolbar panel to alter Firefox's built-in privacy settings. Sometimes, you may have to disable some privacy protection for websites to function properly. When you finish using those websites, re-enable the privacy settings you just disabled for maximum privacy protection.

After installing, don't change any settings with it yet. Here are a few cases where you might want to change your privacy settings:

  • Disable websites.resistFingerprinting to quickly pass Google ReCaptcha.
  • Enable network.peerConnectionEnabled to use voice chat on Discord.

A password manager

If you already have a password manager, just install the add-on for your password manager.

If you still don't use a password manager, you really should consider using one. I recommend Bitwarden. It's very easy to use and it's 100% open source.

These add-ons are recommended for most users, but they require some configuration and maintenance.

This extension automatically deletes cookies from closed tabs, which prevents most websites from tracking you with cookies.

After installing, open its settings page from its toolbar icon. Once you're in there, check the box for Enable Automatic Cleaning and Enable Cleanup on Domain Change. Then, go to List of Expressions, and whitelist all websites that you wish to keep cookies for, including websites you want to stay logged in to and save preferences. In most cases, whitelisting the websites' domain (without www) will do, but some websites have cookies associated with multiple domains, including:

  • Microsoft: whitelist login.live.com for personal accounts; whitelist login.microsoftonline.com for work/school accounts
  • Google: whitelist google.com and accounts.google.com

Changelog

  • (11/10/2019) Added more settings and updated options for Firefox 70.
  • (1/1/2020) Startpage is no longer recommended.
  • (1/1/2020) Changed media.autoplay.default to block autoplay for audio and video.
  • (5/16/2020) Clarified instructions under Before you start
  • (5/16/2020) Fixed broken link under uBlock Origin
  • (5/16/2020) Added whitelisting instruction for Microsoft work/school accounts

CC BY-SA 4.0

This article is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.