The Open Web has become a predatory environment. In the past anyone could passively use a web browser and remain relatively safe by simply avoiding morally questionable websites, but not any more.
Today millions of legitimate websites are unintentionally serving up "malveritzing" and other malware. Beyond that, well-funded automated Big Data cyber-snoopers are aggressively tracking your activities by recording the web pages you see, what you search for, and even what links you hover your mouse over. You could simply ignore all of this, but that would be clouded thinking.
There's something you can do about it. With Firefox and this Configuration Guide you can have a quicker, safer, more private web-browsing experience. You'll greatly decrease surreptitious tracking of your web-surfing activities and help your computer remain malware-free.
If Firefox is already installed, you can refresh your Firefox profile and achieve the same result. (Highly recommended.)
Levels of Protection
This guide explains Essential, Intermediate, and Advanced configuration changes you can make to Firefox.
- Essential Changes
- The Essential changes are baseline settings that "just work" without extra interaction, except maybe occasional whitelisting of sites with two clicks to permit ads for a site. These are as close to set-and-forget as possible. Whenever I install Firefox I make at least the Essential changes.
- Intermediate Changes
- The Intermediate-level changes require a small amount of interaction, for example you may need to enable and disable Flash using a toolbar button or you may, on rare occasion, need to whitelist a (broken) site so it will display properly.
- Advanced Changes
- The Advanced changes are extra-effective but require active participation to develop whitelists. They're suitable for more advanced users because they have a steeper learning curve. You can use a two-browser strategy to ease the learning process.
The Firefox project seems to be losing its way.
Firefox now includes features like targeted advertising in new tabs (which we'll turn off), mandatory add-ons (Firefox Hello video-chat and Pocket read-it-later apps), connection to sites without clicking links (we'll turn off "speculative preconnection" and DNS prefetching), a new Google-Chrome-Compatible "Web Extensions API" for add-ons, and more. Some would say Firfox feature-creep has introduced some creepy features.
For Firefox users especially, the information in this guide is more important than ever.
In mid-2015 I switched to Pale Moon as my main browser.
Pale Moon is a community-driven fork of Firefox, meaning it's an independent browser based on Firefox source code. Pale Moon's original focus was on fast performance. More recently it has become a safer alternative, not just faster. (Reference)
Some undesirable Firefox features are notably absent from Pale Moon and some other desirable features notably present. Default settings seem better. It's a lean-and-mean browser that works well.
For "the best of both worlds" I keep Pale Moon aggressively locked down and use Firefox, configured less restrictively, as a second browser. This has turned out to be an effective strategy. (Note 0)
If you're up to trying this, start by configuring Firefox with the Essential changes and Pale Moon with the Intermediate changes (or Intermediate and Advanced respectively). Use Pale Moon until you encounter a site or a web app that won't work properly, then check it with Firefox. This will help you make necessary adjustments and at the very least you'll have a dependable fallback option.
Options / Preferences
There are two different names for the same thing. In Windows they're Options. In Linux and Mac OS, they're Preferences.
Menu → Options (Windows) Menu → Preferences (Linux, Mac OS X)
Tools → Options (Windows) Edit → Preferences (Linux, Mac OS X)
There are eight sections.
Set home page to about:logo or about:blank
Always check if Firefox is the default... Save files to Downloads. (Note 1) (Windows only) Check Show tab previews...
Set the default search engine Uncheck "Provide search suggestions" (Note 2)
Add search engines after the browser has been hardened.
Tabs (Pale Moon)
Match Firefox's behavior.
Check "Insert related tabs next to the current tab"
No changes, except possibly one optional change to avoid tiny fonts:
Advanced - Minimum font size: <one size smaller than monospace font's size>
Set "mailto" to "Always ask", or to your mail program if you prefer.
Tracking Tell sites I do not want to be tracked History Use customs settings for history Keep cookies until I close Firefox Clear history when Firefox closes
Uncheck Remember passwords for sites. (Note 3)
Leave sync turned off if privacy and security are important to you.
Data Choices Uncheck Health Report and Crash Reporter
There are some essential Firefox extensions that will protect your privacy and security. This first set of extensions were chosen because they're effective and easy to use. They don't require much, if any, attention.
Manage your add-ons using the Add-ons Manager "tab".
Menu → Add-ons (or Tools → Add-ons)
You can also browse to about:addons or use a keyboard shortcut.
Use the tab's search feature to find extensions.
Search for: ublock
uBlock Origin is a privacy add-on that efficiently blocks ads, web trackers and malware.
If you haven't used an add-on like uBlock Origin or NoScript before, you are in for an eye-opening experience when you see how many tracking elements are slipped into the web pages you've been visiting.
The default settings for uBlock Origins work well. You can add additional site-lists if you wish to do more extensive blocking.
After you install the add-on a new button will appear in your Navigation Toolbar. You can use it to "whitelist" sites if you need to. From the add-on's page:
Many website operators earn money and support their sites by advertising. This configuration blocks ads because of computer security risk and invasive personal-privacy concerns. A few sites will be broken if ads are blocked. Consider enabling ads on sites you wish to support.
Search for: self
The Self-Destructing Cookies add-on wipes out cookies and (importantly) Local Storage Objects, sometimes called "super cookies", that you don't need any more. From the add-on's page:
In the Add-ons Manager (
about:addons) under Extensions, click the extensions' Preferences button. Make two (or three) changes.
Change #1: On rare occasions this add-on destroys cookies a little too quickly. For this reason you may wish to extend the grace period from 10 seconds to something like 60 seconds.
Change #2: Scroll down to near the bottom and set "Clear cache when idle" to something like 30 minutes. There multiple reasons for clearing cache every once in a while.
Change #3: Once you become familiar with the notifications, you can uncheck Notifications to turn them off.
These changes will help the extension "just work" without concern about whitelisting.
Disable Hello, Pocket & Reader+
Search for hello (Update: If it doesn't appear in the search results, install it from the extension's page.)
Firefox includes some "forced addons" that many consider bloat. These are: Firefox Hello, Pocket, Reader+. This extension disables all three, plus WebRTC (Real-Time Chat).
From extension's description:
This one requires you to visit the add-on's page.
"Browser fingerprinting" is a technique used to identify you (well, your browser anyway) without setting any cookies. Learn more about it at the Panopticlick test page and |BrowserLeaks.com. If you're startled and perturbed by what you discover there you're beginning to get the idea.
One fingerprinting technique is called "canvas fingerprinting". There's an add-on for that; it's called CanvasBlocker.
Pale Moon doesn't need this one. Instead, you can set canvas.poisondata to true using the Config Editor (i.e. about:config page).
Unlike the previous set-and-forget extensions, these require a small amount of awareness and participaton. Consider these next extensions optional, but recommended.
Search for: https
HTTPS-Everywhere automatically enables HTTPS encryption on sites that are known to support it. As a result, some connections that would normally use plain-text HTTP become encrypted over HTTPS instead. This one is in the Intermediate category because on rare occasion you may need to whitelist a site that won't load properly.
For the Pale Moon browser there's Encrypted Web.
After restarting, you'll be asked whether you want to join the SSL Observatory. Joining is probably safe.
QuickJava / FlashDisable
It's wise to keep plugins disabled except when they're necessary. These extensions add a Address Toolbar button you can use to quickly enable and disable Flash, Java, and Silverlight plugins. (Note 4)
Search for flashdisable
This one controls for Flash only. Use it if Java and Silverlight are not installed. Set these two options in preferences. (Experiment with the third one.)
Reload current tab on Flash activation Disable Flash on Firefox startup
Search for quickjava
This one controls Flash, Java, and Silverlight. Set these options in preferences.
"Include In Favorites"
On Intial Load
Java: Off Flash: Off Silverlight: Off
User Agent Overrider
Most Windows users probably don't need this one. If you use Linux or Pale Moon you might want it because under those circumstances your User-Agent string could be unintentionally distinctive. User Agent Overrider allows you to substitute a generic string so you can "blend in with the crowd". (Note 5)
Editing a User-agent string
Search for: overrider
This extension's Preferences will bring you to some lines of text that need editing. Change the "<your-OS>/Firefox NN.0" line to the current release in all three places in the line of text. Occasionally you'll need to increment the version number when a new version is released. (Note 6)
Pale Moon users need to install an older version of this extension from the extension's Version History page.
Your User-Agent string is:
Some generic Firefox strings are:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Mozilla/5.0 (X11; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
See also: UserAgents.txt (for pasting into Preferences)
Change Referer Button
Search for: referer
Change Referer Button Allows you to suppress your HTTP-Referer (Note 7) on the fly, either for all requests or just for image-file requests.
These two highly-effective extensions require some effort and attention. At first they seem similar, but they do different jobs. From the RequestPolicy FAQ:
RequestPolicy is a tool that gives you a default deny policy for cross-site requests. RequestPolicy allows you to whitelist cross-site requests you trust.
If you're unfamiliar with these, I recommend installing one at a time. After you're accustomed to using one, install the other. There are online tutorials available.
Search for: NoScript
NoScript is particularly effective at enhancing privacy and blocking malware. It can break some sites (usually only temporarily).
Search for: requestp
This extension let you control how your browser makes requests to third-party websites. You deny by default and accumulate whitelist rules, providing an effective defense against "cross-site request forgery" (CSRF)
Ghostery, Disconnect uMatrix, and Privacy Badger other add-ons that provide simiar protective measures to the ones provided in this guide. Disconnect.me has a search portal, Disconnect Search.
Sometimes a program that's installed on your computer will add a Firefox "plugin". Plugins are a type of add-on that are different from extensions.
Plugin auto-activation settings
- Software add-ons that are written specifically for Firefox and "extend" the browser.
- Third-party software that "plugs into" the browser when it's installed on the computer.
Extensions install inside Firefox, plugins install onto the operating system and are connected into Firefox.
Some common plugins are: Adobe Flash and Shockwave, Oracle Java, Apple QuickTime, Cisco OpenH264 Codec, Microsoft Silverlight, Google Update, and Dropbox Update.
You can't uninstall plugins from within Firefox. Instead, you can set them to "Never activate" or "Ask to activate". "Ask to activate" is little help from a privacy perspective. (Experiment at the Panopticlick test page to see for yourself.)
Plugins -- Java and Flash in particular -- frequently introduce security vulnerabilities. If you must run these, be sure to keep them up to date so you'll have the latest security patches. You can use Mozilla.org's Check Your Plugins page to check if your plugins are up-to-date.
Asking to allow a plugin
A sensible policy is: Don't let third-party software plug itself into your browser unless there's a good reason. Don't install Java, QuickTime, or any other software that creates a plugin unless it's necessary.
Go to Menu → Add-ons and click the plugins tab to configure the plugins your computer has installed.
Remembering setting for a site (whitelisting)
It's hard to give general advice here because so may computers and computer-operators are different. If it's your own computer you should disable anything with "Java" in the name unless you know a specific reason for leaving Java enabled in your browser, which is rare these days. If some site doesn't work, switch it to "always ask" and whitelist that site.
Use your best judgment. The more plugins you set to disable or "Always ask" without interfering with browsing content, the better.
Browse to about:plugins to see information about installed plugins.
Configuration Preferences (about:config)
Type about:config in the URL bar and click past the "scary" warning to see advanced, semi-hidden configuration options. There are tons of entries. Fortunately you can winnow them down by searching.
Many of these aren't present in Pale Moon.
Geolocation - Disable geolocation ("Location-Aware Browsing" - reference):
Search for: geo. (<-- geo<dot>) Set geo.enabled to false Delete the contents of geo.wifi.uri
Silent Pre-Connections - Disable silent requests when you hover over links or type into the location bar. (reference).
Search for: specu Set network.http.speculative.parallel.limit to 0
DNS Prefetching - Disable proactive domain name resolution that can cause errors.
Search for: disablep Set network.dns.disablePrefetch to true
Feedback-collection - Disable the Heartbeat feedback-collection system.
Search for: selfs Delete the contents of browser.selfsupport.url.
Health Reporter and Telemetry - There are good reasons enterprises turn off settings like these.
Search for submissione Set datareporting.policy.dataSubmissionEnabled to false Search for report.u Set datareporting.healthreport.uploadEnabled to false Search for service.e Set datareporting.healthreport.service.enabled to false Search for reporter.e Set dom.ipc.plugins.flash.subprocess.crashreporter.enabled to false Search for imgu Delete the contents of devtools.gcli.imgurUploadURL Delete the contents of devtools.gcli.imgurClientID Search for clienti Delete the contents of toolkit.telemetry.cachedClientID
Clipboard - Avoid letting sites read or modify Clipboard contents.
Search for: clipboarde Set dom.events.clipboardevents.enabled to false
Fingerprinting - Disable some items that are used for fingeprinting.
Search for batt Set dom.battery.enabled to false Search for senso Set device.sensors.enabled false
Face Detection - A browser doesn't need face detection.(!)
Search for face_ Set camera.control.face_detection.enabled to false
New-Tab Targeted Ads - Disable Targeted Advertising(!) in new tabs.
Search for: newt Set browser.newtab.preload to false Delete the contents of browser.newtabpage.directory.ping Delete the contents of browser.newtabpage.directory.source Set browser.newtabpage.enabled to false Set browser.newtabpage.enhanced to false
Web Notifications - Disable push notifications from websites (new)
Search for: webnot Set dom.webnotifications.enable to false Set dom.webnotifications.serviceworker to false
Block Autorefresh - "Warn me when websites try to redirect or reload"
Search for: blocka Set accessibility.blockautorefresh to true
PDF Viewer - You wouldn't always want to, but you can disable the internal PDF Viewer. (Note 8)
Search for pdfjs.disabled Set pdfjs.disabled to true
Canvas Fingerprinting (Pale Moon) - Enable Pale Moon's anti-canvas-fingerprinting feature.
Search for canvas.p Set canvas.poisondata to true
HTTP-Referer Trimming (sic)
Consider this setting Advanced because on rare occasion it may break a site, and it would take an alert and aware user to notice why.
By default Firefox sends the full URI in the HTTP-Referer header (Note 7), revealing e.g your search terms and/or the server path to the page where you clicked the link. You can configure it to send less revealing information.
Search for referer.t Set http.referer.trimmingPolicy to 1 0-> full URI (default) 1-> scheme, host, port and path (GET params trimmed) 2-> scheme, host and port. (path and GET params trimmed)
Setting it to 2 breaks some sites (banks, sites with downloadable files) because they verify certain incoming requests are from a specific host and path. Setting it to 1 seems to be a safe compromise that sends the host and path, but not extra information such as search terms.
New-Tab Thumbnails are created even if they won't be used. This feature has been exploited in the past. You can disable thumbnail creation by following the instructions at Mozilla.org.
To summarize, you need to add these two boolean values, then you can set them.
Set browser.pagethumbnails.capturing_disabled to true Set pageThumbs.enabled to false
This is only a partial solution. Metadata about visited sites is still saved, even if the thumbnails aren't. If you've followed this guide, it's deleted when you close Firefox.
Your web-search history is a prime target for snoopers. Add SSL Search items to yor search engines list, then remove the plain-HTTP duplicates.
You can add other search engines at Mozilla.org's Search Add-ons page.
Location Bar Buttons
Customize your Location Bar.
Menu → Customize (or View → Toolbars → Customize) Drag Subscribe onto the buttons area Exit Customize
Show the Bookmarks Toolbar.
Menu → Customize (or View → Toolbars → Customize) Show/Hide Toolbars - Bookmarks Toolbar Exit Customize
Yet More Add-ons
For best results, Firefox extensions should be used sparingly. With that said, here are some useful low-impact extensions.
Search for: context
This extension significantly enhances searching from within web pages.
"Expands the context menu's 'Search for' item into a list of installed search engines, allowing you to choose a specific search engine every time."
Search for: zoom
Some people will need this extension that provides site-zooming features.
Experiment with settings for best results. Two settings are worth special notice.
Zoom text, but not images
General -> Default Zoom Type -> Text-Only (T)
Zooming images degrades image quality and reduces space on the page available for text.
This add-on allows you to generate a PDF or JPEG image from webpage, including the whole page, not just the visible area. Unlike other similar add-ons, it doesn't use a cloud service and even works offline.
Pale Moon Commander
For Pale Moon only, the Pale Moon Commander extension provides a user-friendly interface to some advanced preferences.
Yet Another Config Option
Strictly optional for convenience only. Don't autohide Navigation and Tab toolbars in fullscreen mode
Search for: fullscreen Set browser.fullscreen.autohide to false
Refreshing a Firefox Profile
You can safely "start over" (restore Firefox to its default state) without losing your bookmarks. This used to be called "reset"; now it's called "refresh".
Prepare by making a list of your installed extensions and themes because refreshing removes them. Only reinstall the ones you actually use.
Menu -> Help (question mark) -> Troubleshooting Information -> Refresh Firefox
Help -> Troubleshooting Information -> Refresh Firefox
This is advisable to do every once in a while, especially if you've been experimenting with add-ons.
Pale Moon users can refresh preferences, including preferences of add-ons, using the Pale Moon Commander extension.
Menu -> Preferences -> Advanced options Other - Reset Reset All Preferences
New-Profile method (The Old Way)
Switching to the newly-created profile
Another way to "start over" is by creating a brand new profile. This method still works. You can leave the original profile intact or delete it once the new one is working properly.
Backup bookmarks Clear private data Exit the browser Start the Profile Manager (*) Open a terminal run firefox -P Create a new profile Create Profile -> Next -> Finish Double-click on your new profile Restore bookmarks
You can recover important data from the other profile.
(*) In Windows, start the Profile Manger with something like
Start -> Accessories -> Command Prompt - or - Start, then search for Command Prompt, then enter this at the prompt: "c:\Program Files (x86)\Mozilla Firefox\firefox.exe" /P
I discovered some reasons why a two-browser strategy is effective when I did in-depth research for this guide. Each browser has its own fingerprint, for one thing. Plugins are another. Arguably all plugins should be disabled in the browser you use for online shopping and banking.
ProTip: To quickly find your recently downloaded files, set your Downloads directory to Details View (List View in some file managers) and click the column header to sort your downloads by date, with the newest at the top.
Sometimes search suggestions are helpful. On those occasions, use a bookmark to go to the search engine's page, where suggestions are provided.
Flash and Java reveal a startling amount of information about your computer and their use is on the decline. They have long histories of security flaws. Flash and Silverlight also circumvent your intentions when you delete browser cookies by setting "supercookies". If you need these plugins installed, disable them whenever possible and enable them only when you're browsing one of the few remaining sites that still require them (Flash Earth, Netflix, ...).
There are other edge cases where overriding the User-Agent string is useful, for example web development purposes or downloading files for a different operating system when a website offers no other way choose that file. Using user-agent spoofing for nefarious purposes is not recommended.
Use Menu → Help → About Firefox to determine what Firefox version is currently installed. Alternatively, disable User Agent Overrider (if installed) and match the version in your User-Agent string.
By default your browser reveals certain iformation to servers you may not want to reveal. Specifically, it reports the referring page when you visit a link or load an image or a script. From the W3C: This optional header field allows the client to specify, for the server's benefit, the address ( URI ) of the document (or element within the document) from which the URI in the request was obtained.
Here are some links to resources where you can learn why these changes are important and also why you shouldn't assume anonymity when browsing.
Browsing only legitimate sites is no longer a viable strategy for avoiding malware.
- Nearly all websites have serious security vulnerabilities
- A new Acunetix report on 5,500 companies comprising 15,000 website and network scans, performed on over 1.9 million files, finds nearly half of the web applications scanned contained a high security vulnerability such as XSS or SQL Injection, while almost 4 in 5 web applications were affected by a ‘medium security’ vulnerability.
Your computer is probably far more identifiable than you think.
- Browser fingerprints, and why they are so hard to erase | Network World
- Even when deleting cookies, the browser fingerprint allows organizations to re-identify and re-cookie your system, essentially rejecting your efforts to remain private.
Browsers provide a lot of "fingerprinting sources".
- Valve/fingerprintjs2 · GitHub
- List of fingerprinting sources
Mozilla.org collects your browsing history and data about how you navigate the New Tab page.
- Ads based on your browsing history quietly hit Firefox's New Tab page | PCWorld
- It’s official: Firefox is serving you targeted ads on the browser’s New Tab page now.
Consider disabling location services in social apps and other browsers.
- No Geolocation
- The question is therefore how to effectively disable this feature.
Edge and Internet Explorer, being part of the system expose extra vulnerabilities.
- Windows Flaw Reveals Microsoft Account Passwords, VPN Credentials
- When a user accesses the link via Internet Explorer, Edge, or Outlook, because of the way Windows handles authentication for network shares, their computer will automatically send their login credentials to authenticate on the crook's domain, even via the Internet.