My Firefox Settings: Difference between revisions
Appearance
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
<blockquote>'''Note:''' This article is imported from an old note-taking app and may be outdated.</blockquote> | |||
== | == Core Modifications & Bloatware Removal == | ||
Some guides, such as the [https://spyware.neocities.org/guides/firefox Spyware Watchdog Mitigation Guide], recommend deleting default plugins bundled within the Firefox directory that may introduce privacy concerns or act as bloatware. | |||
Navigate to your Firefox features directory and remove unnecessary add-ons: | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
cd /usr/lib/firefox/browser/features | cd /usr/lib/firefox/browser/features | ||
| Line 8: | Line 11: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
'''List of bundled plugins commonly removed:''' | |||
* <code>firefox@getpocket.com.xpi</code> — Pocket | |||
* <code>followonsearch@mozilla.com.xpi</code> — Follow-On Search | |||
* <code>activity-stream@mozilla.org.xpi</code> — Activity Stream | |||
* <code>screenshots@mozilla.org.xpi</code> — Screenshots | |||
* <code>onboarding@mozilla.org.xpi</code> — Onboarding | |||
* <code>formautofill@mozilla.org.xpi</code> — Autofill | |||
* <code>webcompat@mozilla.org.xpi</code> — Web Compatibility Reporter | |||
=== | == Configuration Tweaks (about:config) == | ||
=== | === Privacy, Security & Networking === | ||
; <code>network.trr.mode</code> : Set to <code>3</code> to force DNS over HTTPS (DoH) every time you make a DNS request, even if your DNS server doesn't respond. (Alternatively, change the "DNS protection" preference in Settings). | |||
; <code>security.tls.version.min</code> : Set to <code>3</code> to enforce strict TLS standards. | |||
; <code>network.http.referrer.spoofSource</code> : Set to <code>true</code>. | |||
; <code>browser.display.use_document_fonts</code> : Set to <code>0</code> to mitigate font fingerprinting. | |||
; <code>browser.urlbar.maxRichResults</code> : Set to <code>0</code> (or desired low number) to limit URL bar suggestions. | |||
; <code>accessibility.blockautorefresh</code> : Set to <code>true</code> to disable forced redirections. Combining this with disabled CSS and JS yields raw, unmangled result links. [https://pedantic.software/fxc/blog/why_there_is_no_css_on_my_website.html (via Pedantic Software)] | |||
; <code>browser.sessionstore.interval</code> : Set to a very high value to reduce disk writes and SessionStore tracking. | |||
=== | === Media & Autoplay Limitations === | ||
To disable autoplay and drastically reduce background video caching, apply the following: | |||
* <code>media.autoplay.enabled</code> = <code>false</code> | |||
* <code>media.cache_readahead_limit</code> = <code>0</code> | |||
* <code>media.cache_resume_threshold</code> = <code>10</code> | |||
* <code>media.autoplay.blocking_policy</code> = <code>1</code> | |||
* <code>media.autoplay.allow-muted</code> = <code>false</code> | |||
=== | === Experimental Social Settings === | ||
''Note: These disable legacy social integrations. May not be necessary on modern versions.'' | |||
* <code>social.whitelist</code> = (leave empty) | |||
* <code>social.toast-notifications.enabled</code> = <code>false</code> | |||
* <code>social.shareDirectory</code> = (leave empty) | |||
* <code>social.remote-install.enabled</code> = <code>false</code> | |||
* <code>social.directories</code> = (leave empty) | |||
* <code>social.share.activationPanelEnabled</code> = <code>false</code> | |||
=== | === Additional Hardening Actions === | ||
* '''Disable Firefox SessionStore''': Search for <code>browser.sessionstore</code> in <code>about:config</code> and disable relevant telemetry/saving mechanisms. | |||
* '''Disable CSS Visited Links''': Mitigates history-sniffing vulnerabilities. [https://www.reddit.com/r/privacy/comments/15fddo0/retrieving_your_browsing_history_through_a/juf5br1/ Read the Reddit discussion here.] | |||
== | == User.js Templates & Generators == | ||
Instead of manually configuring <code>about:config</code>, you can use pre-configured <code>user.js</code> files. | |||
'''Generators:''' | |||
* [https://ffprofile.com ffprofile.com] — Interactive <code>user.js</code> generator. | |||
** ''Note on User-Agent Spoofing:'' While you can spoof your user-agent to a more common one (e.g., Chrome), doing so on Firefox can actually make your browser fingerprint [https://deviceinfo.me more unique] ([https://www.billdietrich.me/ComputerPrivacy.html alternative tools list]). Because Firefox's engine behaves differently than Chromium, mismatched engine/user-agent data is easily detectable. For common agents, see [https://techblog.willshouse.com/2012/01/03/most-common-user-agents/ Willhouse] or [https://www.whatismybrowser.com/guides/the-latest-user-agent/chrome WhatIsMyBrowser]. | |||
'''Popular Pre-configured Templates:''' | |||
# [https://github.com/arkenfox/user.js/raw/master/user.js Arkenfox] (Highly recommended, well-known) | |||
# [https://raw.githubusercontent.com/pyllyukko/user.js/master/user.js Pyllyukko] (Security focused) | |||
# [https://git.nixnet.services/Narsil/desktop_user.js/raw/branch/master/user.js Narsil's user.js] (Privacy focused) | |||
# [https://codeberg.org/polarhive/vulpes Vulpes] | # [https://codeberg.org/polarhive/vulpes Vulpes] | ||
# [https://git.nixnet.services/Narsil/palemoon_user.js Narsil's user.js for Pale Moon] ( | # [https://git.nixnet.services/Narsil/palemoon_user.js Narsil's user.js for Pale Moon] (Privacy focused) | ||
# [https://git.sr.ht/~krathalan/firefox-complement krathalan config] | # [https://git.sr.ht/~krathalan/firefox-complement krathalan config] | ||
# [https://github.com/simeononsecurity/FireFox-Privacy-Script simeononsec FireFox Script] | # [https://github.com/simeononsecurity/FireFox-Privacy-Script simeononsec FireFox Script] | ||
# [https://vermaden.wordpress.com/2024/03/18/sensible-firefox-setup/ vermaden | # [https://vermaden.wordpress.com/2024/03/18/sensible-firefox-setup/ vermaden's Sensible Setup] | ||
==== | == Extensions & Add-ons == | ||
* | * '''ximatrix''': A Firefox extension similar to uMatrix capable of blocking inline scripts and advanced requests. [https://github.com/xi/xiMatrix Source code available here]. | ||
* | ** ''Alternative:'' [https://gitler.moe/Wrongthink/paraMatrix paraMatrix] (a fork of ximatrix). | ||
* | * '''Chrome Extensions on Firefox''': Firefox has introduced capabilities for importing Chrome extensions. [https://news.slashdot.org/story/23/08/24/2233242/firefox-users-may-import-chrome-extensions-now Read the Slashdot coverage]. | ||
* '''Extension Restrictions''': Mozilla occasionally restricts add-ons on specific domains. To disable these restrictions and allow uBlock Origin to operate aggressively everywhere, read [https://12bytes.org/tech/mozilla-wants-more-control-over-your-add-ons/ 12bytes' analysis] and their [https://12bytes.org/ublock-origin-suggested-settings/ uBlock suggested settings]. | |||
* | |||
== Browser UI & Maintenance Tweaks == | |||
* '''Verify Database Integrity''': Navigate to <code>about:support</code> -> Scroll down to '''Places Database''' -> Click '''Verify Integrity'''. | |||
* '''Turn Off Firefox Sidebar''': [https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxPdfViewerSidebarOff Guide to disabling the PDF viewer sidebar]. | |||
* '''Disable Firefox Translator''': [https://xnacly.me/posts/2023/disable-firefox-translation/ Guide to disabling built-in local translation]. | |||
* '''Block Pop-Ups''': [https://support.mozilla.org/bm/questions/1369602 Mozilla Support thread on native pop-up blocking]. | |||
* '''GeckoView Config''': You can access deeper settings via [chrome://geckoview/content/config.xhtml chrome://geckoview/content/config.xhtml]. | |||
== Comprehensive Hardening Guides & Reading == | |||
* [https://github.com/awesome-windows11/firefox Awesome Firefox] | |||
* [https://github.com/JArmandoG/Firefox-Hardening JArmandoG's Firefox Hardening Guide] | |||
* [https://github.com/drduh/macOS-Security-and-Privacy-Guide#browser drduh's macOS Browser Privacy Guide] | |||
* [https://sunknudsen.com/privacy-guides sunknudsen's Privacy Guides] | |||
* [https://wrongthink.link/posts/hardened-web-browser/ Wrongthink: Hardened Web Browser] | |||
* [https://unixsheikh.com/articles/choose-your-browser-carefully.html#tweaking-firefox Unixsheikh: Tweaking Firefox] | |||
* [https://spyware.neocities.org/guides/firefox Spyware Watchdog: Firefox Mitigation] | |||
* [https://fingerprint.com/blog/browser-anti-fingerprinting-techniques/ Fingerprint.com: Browser Anti-Fingerprinting Techniques] | |||
* [https://gist.github.com/atcuno/3425484ac5cce5298932 atcuno's Privacy Guide] (Outdated but helpful concepts) | |||
* [https://github.com/CISOfy/privacy-guide/blob/master/browser-security.md CISOfy Browser Security Guide] | |||
* [http://kb.mozillazine.org/Category:Firefox MozillaZine Firefox Wiki] | |||
[[Category:Hardening]] | [[Category:Hardening]] | ||
Revision as of 20:48, 17 May 2026
Note: This article is imported from an old note-taking app and may be outdated.
Core Modifications & Bloatware Removal
Some guides, such as the Spyware Watchdog Mitigation Guide, recommend deleting default plugins bundled within the Firefox directory that may introduce privacy concerns or act as bloatware.
Navigate to your Firefox features directory and remove unnecessary add-ons:
cd /usr/lib/firefox/browser/features
doas rm *.xpi
List of bundled plugins commonly removed:
firefox@getpocket.com.xpi— Pocketfollowonsearch@mozilla.com.xpi— Follow-On Searchactivity-stream@mozilla.org.xpi— Activity Streamscreenshots@mozilla.org.xpi— Screenshotsonboarding@mozilla.org.xpi— Onboardingformautofill@mozilla.org.xpi— Autofillwebcompat@mozilla.org.xpi— Web Compatibility Reporter
Configuration Tweaks (about:config)
Privacy, Security & Networking
network.trr.mode- Set to
3to force DNS over HTTPS (DoH) every time you make a DNS request, even if your DNS server doesn't respond. (Alternatively, change the "DNS protection" preference in Settings). security.tls.version.min- Set to
3to enforce strict TLS standards. network.http.referrer.spoofSource- Set to
true. browser.display.use_document_fonts- Set to
0to mitigate font fingerprinting. browser.urlbar.maxRichResults- Set to
0(or desired low number) to limit URL bar suggestions. accessibility.blockautorefresh- Set to
trueto disable forced redirections. Combining this with disabled CSS and JS yields raw, unmangled result links. (via Pedantic Software) browser.sessionstore.interval- Set to a very high value to reduce disk writes and SessionStore tracking.
Media & Autoplay Limitations
To disable autoplay and drastically reduce background video caching, apply the following:
media.autoplay.enabled=falsemedia.cache_readahead_limit=0media.cache_resume_threshold=10media.autoplay.blocking_policy=1media.autoplay.allow-muted=false
Experimental Social Settings
Note: These disable legacy social integrations. May not be necessary on modern versions.
social.whitelist= (leave empty)social.toast-notifications.enabled=falsesocial.shareDirectory= (leave empty)social.remote-install.enabled=falsesocial.directories= (leave empty)social.share.activationPanelEnabled=false
Additional Hardening Actions
- Disable Firefox SessionStore: Search for
browser.sessionstoreinabout:configand disable relevant telemetry/saving mechanisms. - Disable CSS Visited Links: Mitigates history-sniffing vulnerabilities. Read the Reddit discussion here.
User.js Templates & Generators
Instead of manually configuring about:config, you can use pre-configured user.js files.
Generators:
- ffprofile.com — Interactive
user.jsgenerator.- Note on User-Agent Spoofing: While you can spoof your user-agent to a more common one (e.g., Chrome), doing so on Firefox can actually make your browser fingerprint more unique (alternative tools list). Because Firefox's engine behaves differently than Chromium, mismatched engine/user-agent data is easily detectable. For common agents, see Willhouse or WhatIsMyBrowser.
Popular Pre-configured Templates:
- Arkenfox (Highly recommended, well-known)
- Pyllyukko (Security focused)
- Narsil's user.js (Privacy focused)
- Vulpes
- Narsil's user.js for Pale Moon (Privacy focused)
- krathalan config
- simeononsec FireFox Script
- vermaden's Sensible Setup
Extensions & Add-ons
- ximatrix: A Firefox extension similar to uMatrix capable of blocking inline scripts and advanced requests. Source code available here.
- Alternative: paraMatrix (a fork of ximatrix).
- Chrome Extensions on Firefox: Firefox has introduced capabilities for importing Chrome extensions. Read the Slashdot coverage.
- Extension Restrictions: Mozilla occasionally restricts add-ons on specific domains. To disable these restrictions and allow uBlock Origin to operate aggressively everywhere, read 12bytes' analysis and their uBlock suggested settings.
Browser UI & Maintenance Tweaks
- Verify Database Integrity: Navigate to
about:support-> Scroll down to Places Database -> Click Verify Integrity. - Turn Off Firefox Sidebar: Guide to disabling the PDF viewer sidebar.
- Disable Firefox Translator: Guide to disabling built-in local translation.
- Block Pop-Ups: Mozilla Support thread on native pop-up blocking.
- GeckoView Config: You can access deeper settings via [chrome://geckoview/content/config.xhtml chrome://geckoview/content/config.xhtml].
Comprehensive Hardening Guides & Reading
- Awesome Firefox
- JArmandoG's Firefox Hardening Guide
- drduh's macOS Browser Privacy Guide
- sunknudsen's Privacy Guides
- Wrongthink: Hardened Web Browser
- Unixsheikh: Tweaking Firefox
- Spyware Watchdog: Firefox Mitigation
- Fingerprint.com: Browser Anti-Fingerprinting Techniques
- atcuno's Privacy Guide (Outdated but helpful concepts)
- CISOfy Browser Security Guide
- MozillaZine Firefox Wiki