@0XDE57 /config.md
Last active Sep 19, 2018

Firefox about:config privacy settings

ABOUT

about:config settings to harden the Firefox browser: privacy and performance enhancements.
To change these settings, type 'about:config' in the URL bar, search for the setting you want to change and modify its value. Some settings may stop certain websites from working or rendering normally, and some may make Firefox unstable.

I am not liable for any damages/loss of data.

Not all of these changes are necessary; which ones make sense depends on your usage and hardware. Research a setting if you don't understand what it does. These settings are best combined with the standard privacy extensions (HTTPS Everywhere, NoScript/Request Policy, uBlock Origin, user-agent spoofing, Privacy Badger etc.) and with all plugins set to "Ask To Activate".

Note: some keys may not be listed in about:config and must be added manually, or they may no longer be relevant as Firefox changes (several renamed or removed keys are pointed out in the comments below).

Note: you can check the connections Firefox currently has open via about:networking, which is the quickest way to verify that a setting below actually stopped a connection.

CONTROL & MISC

dom.event.contextmenu.enabled = false
	Don't allow websites to block right-click or otherwise hijack the context menu.
	Caveat: web apps that draw their own context menus (document editors etc.) lose them.

dom.event.clipboardevents.enabled = false
	Don't allow websites to block copy and paste.
	Disables the copy, cut and paste events, so a page is not notified when you use them
	and cannot learn which part of the page you selected or copied.
	Caveat: rich-text editors and web apps with their own clipboard handling will break.

network.IDN_show_punycode = true
	Show internationalized domain names in the URL bar as punycode (their ASCII encoding)
	instead of the decoded Unicode. This exposes character 'spoofing' eg:
	xn--80ak6aa92e.com -> аррӏе.com (every letter is Cyrillic, but it renders like "apple")
	[IDN homograph attacks](https://www.xudongz.com/blog/2017/idn-phishing/)

PRIVACY SETTINGS

plugins.enumerable_names = blank
	Leave blank so sites cannot enumerate installed plugins through navigator.plugins (a fingerprinting vector).
	Firefox already hides plugins not on this list by default, so the key may be absent and must be added.

network.http.sendRefererHeader = 0
	The Referer header tells a website which page you came from. Disabling it breaks some sites,
	especially logins (commenters below report Twitter, the AWS console and AliExpress).
	0 = Never send the Referer header.
	1 = Send only when following a clicked link (not for embedded images, scripts etc.).
	2 = (default) Send for links and embedded resources.
        
network.http.sendSecureXSiteReferrer = false
	Don't send the Referer header when going from one HTTPS site to a different HTTPS site.
	This key no longer exists in current Firefox versions (a commenter reports it missing in 59).
		
network.http.referer.spoofSource = true
	Send the destination URL as the referrer instead of the real source (only matters if referrers are sent at all).
		
privacy.trackingprotection.enabled = true
	Mozilla's built-in tracking protection, which blocks requests to known trackers (the Disconnect list).
		
geo.enabled = false
geo.wifi.uri = blank
browser.search.geoip.url = blank
	Disables the Geolocation API, the network location provider that uploads nearby Wi-Fi data to
	look up your position (geo.wifi.uri), and the GeoIP lookup Firefox uses to pick region-specific
	search defaults (browser.search.geoip.url).


browser.safebrowsing.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.provider.google4.dataSharing.enabled = false
browser.safebrowsing.provider.google4.updateURL = blank
browser.safebrowsing.provider.google4.reportURL = blank
browser.safebrowsing.provider.google4.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google4.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google4.lists = blank
browser.safebrowsing.provider.google4.gethashURL = blank
browser.safebrowsing.provider.google4.dataSharingURL = blank
browser.safebrowsing.provider.google4.advisoryURL = blank
browser.safebrowsing.provider.google4.advisoryName = blank
browser.safebrowsing.provider.google.updateURL = blank
browser.safebrowsing.provider.google.reportURL = blank
browser.safebrowsing.provider.google.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google.pver = blank
browser.safebrowsing.provider.google.lists = blank
browser.safebrowsing.provider.google.gethashURL = blank
browser.safebrowsing.provider.google.advisoryURL = blank
browser.safebrowsing.downloads.remote.url = blank
	Disable Google Safe Browsing: the malware, phishing and download protection.
	Stops downloading the Safe Browsing lists from Google and stops the lookups that send hash
	prefixes of visited URLs (and, for download protection, file metadata) to Google.
	A privacy improvement at a real security cost: Firefox no longer warns about known malware or
	phishing pages or malicious downloads, so consider a compensating control (one commenter below
	mentions using a third-party tool for phishing).
	"google" is the provider for the legacy v2 Safe Browsing protocol, "google4" the provider for the v4 API.
	Note: this list may be incomplete as Firefox updates; search about:config for browser.safebrowsing.provider.google*
	Setting the browser.safebrowsing.*.enabled keys to false should make blanking the URLs redundant, but it is cheap insurance.
	If you see anything pointing to Google, it is probably best to blank it.


browser.selfsupport.url = blank
browser.aboutHomeSnippets.updateUrl = blank
browser.startup.homepage_override.mstone = ignore
browser.startup.homepage_override.buildID = blank
startup.homepage_welcome_url = blank
startup.homepage_welcome_url.additional = blank
startup.homepage_override_url = blank
	These URLs are fetched when Firefox starts or the home page is shown (self-support/Heartbeat prompts,
	about:home snippets, first-run and post-upgrade welcome pages), so Firefox can call home every time.
	Blanking them stops those connections; "ignore" for mstone suppresses the "what's new" page after updates.
	https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
	http://kb.mozillazine.org/Connections_established_on_startup_-_Firefox


toolkit.telemetry.cachedClientID = blank
	Clears the cached per-profile telemetry client identifier. On its own this does not turn telemetry off.

browser.send_pings = false
	Disables hyperlink auditing (<a ping="...">), which lets a site be notified when you click a link.

browser.send_pings.require_same_host = true
	Only send pings if the sending and receiving hosts match (same website). Irrelevant once send_pings is false.
        
dom.battery.enabled = false
	Disables the Battery Status API, which lets a website read how much charge your laptop or phone has (a fingerprinting vector).

network.cookie.alwaysAcceptSessionCookies = false
	Don't silently accept session cookies when Firefox is set to prompt for cookies (lifetimePolicy = 1 below).
		
network.cookie.cookieBehavior = 2
	Restrict cookies. 2 disables cookies entirely and breaks logins; 1 (block third-party cookies)
	is the usual compromise and breaks very little.
	0 = All cookies are allowed. (Default)
	1 = Only cookies from the originating server are allowed. (block third-party cookies)
	2 = No cookies are allowed.
	3 = Third-party cookies are allowed only if that site has already stored cookies from a previous visit.

network.cookie.lifetimePolicy = 2
	Delete cookies at the end of the session.
	0 = The cookie's lifetime is supplied by the server. (Default)
	1 = The user is prompted for the cookie's lifetime.
	2 = The cookie expires at the end of the session (when the browser closes).
	3 = The cookie lasts for the number of days specified by network.cookie.lifetime.days.

network.dnsCacheEntries = 100
	Number of DNS entries Firefox caches. A lower number means more lookups but less stored data.

network.dnsCacheExpiration = 60
	Time in seconds that DNS entries stay cached.
    
places.history.enabled = false
        Disables recording of visited websites.
    
browser.formfill.enable = false
        Disables saving of form data.
    
browser.cache.disk.enable = false
	Disables caching on the hard drive.

browser.cache.disk_cache_ssl = false
	Disables disk caching of content fetched over HTTPS.

browser.cache.memory.enable = false
	Disables caching in memory. (Expect noticeably slower page loads.)

browser.cache.offline.enable = false
	Disables the HTML5 offline (application) cache.
    
network.dns.disableIPv6 = true
	Disables IPv6 DNS lookups. If your OS or ISP does not support IPv6 there is no reason to leave this
	false; if you do use IPv6, leave it false so IPv6-only hosts keep working.

network.predictor.enabled = false
network.dns.disablePrefetch = true
network.prefetch-next = false
	Disable the network predictor (which pre-resolves and pre-connects to hosts based on past browsing),
	DNS prefetching of link targets, and link prefetching. Link prefetching is when a webpage hints
	(<link rel="prefetch">) that certain pages are likely to be visited next, so the browser downloads
	them in advance; the result is requests to hosts you never chose to visit.

network.http.speculative-parallel-limit = 0
	Disable speculative connections: Firefox otherwise opens a TCP/TLS connection when you hover over
	a link or the URL bar predicts a site, before you actually navigate.
	
media.peerconnection.enabled = false
network.websocket.enabled = false
	media.peerconnection.enabled disables WebRTC. WebRTC peer connections gather ICE candidates that
	include your local and public IP addresses, which a page can read; this is how a proxy or VPN
	user's real IP leaks.
	WebSockets open an interactive two-way session between the browser and a server; disabling them
	breaks many modern web apps (chat, live updates), so only do it if you have a specific concern.
   
loop.enabled = false
	Disable the closed-source, third-party "Hello" (Loop) video-call integration.
	Note: only affects older versions of Firefox, as "Hello" has been discontinued in favor of plain WebRTC: https://support.mozilla.org/en-US/kb/hello-status
	
extensions.pocket.enabled = false
extensions.pocket.site = blank
extensions.pocket.oAuthConsumerKey = blank
extensions.pocket.api = blank
	Disable the built-in Pocket integration (a third-party, closed-source service).
	Note: this was browser.pocket.enabled in older versions of Firefox.

PERFORMANCE

layout.frame_rate.precise = true
	Uses precise frame timing for animations. May mitigate choppy scrolling.
	
webgl.force-enabled = true
layers.acceleration.force-enabled = true
layers.offmainthreadcomposition.enabled = true
layers.offmainthreadcomposition.async-animations = true
layers.async-video.enabled = true
html5.offmainthread = true
	Force-enable hardware acceleration and off-main-thread compositing (OMTC).
	Your browser is probably already using these features where the hardware allows it; the
	force-enabled keys bypass Firefox's graphics driver blocklist, which may introduce instability on some hardware.
	Note: a commenter below reports that layers.offmainthreadcomposition.enabled and layers.async-video.enabled
	no longer exist and that the remaining keys already default to true.

MEMORY REDUCTION

browser.cache.memory.capacity = xx
	Limit the memory cache size. (xx = value in KB, so 65536 is 64 MB; -1 = automatic)

browser.sessionhistory.max_entries = xx
	Limit the maximum number of pages in session history (how many URLs you can traverse with the Forward and Back buttons).

browser.sessionstore.max_tabs_undo = xx
	Limit how many closed tabs you can reopen.

browser.tabs.animate = false
browser.download.animateNotifications = false
	Disable some animations.
	Note: browser.tabs.animate is deprecated; a commenter below reports toolkit.cosmeticAnimations.enabled = false works on current stable.

config.trim_on_minimize = true
	Reduce memory usage when minimized. (Windows only)

image.mem.max_decoded_image_kb = xx
	How much decoded (uncompressed) image data Firefox keeps in memory, in KB.
	Higher value = faster redraws at the expense of increased memory usage.

javascript.options.mem.max = xx
	Limit the amount of memory JavaScript may consume.
	-1 = Automatic

javascript.options.mem.high_water_mark = xx
	Tell the garbage collector to start running when JavaScript is using xx MB of memory.
	Garbage collection releases memory back to the system.

FLASH FONT ENUMERATION

This one is not for Firefox but for Flash, if you have it installed. Font enumeration lets a site read which fonts you have installed, which can be used to fingerprint users.

Default location:

Windows:
	C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
	C:\Windows\system32\Macromed\Flash\mms.cfg
Linux:
	/etc/adobe/mms.cfg
OSX:
	~/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System/mms.cfg
	(this is the Pepper Flash bundled with Chrome; the NPAPI plugin Firefox loads reads /Library/Application Support/Macromedia/mms.cfg)

Add this line to the mms.cfg file:

DisableDeviceFontEnumeration = 1

Better yet, simply uninstall Flash; it is a large attack surface in its own right.


___
**I do my best to keep this list up to date. Additions and corrections are greatly appreciated.**
COMMENTS

dotsoxv commented Dec 20, 2017

gr8

iamhanti commented Apr 12, 2018

This is great work, thanks!

I haven't tried all of the settings, but I'll comment on those I did and feel need a comment.
I'm using FF59.0.2 (at the moment this is the latest stable version). All of my statements are for this version.

In the privacy settings section:
plugins.enumerable_names - as I see, this is the default now, I couldn't enumerate installed plugins, and this key doesn't exist by default
network.http.sendSecureXSiteReferrer - doesn't exist
geo.wifi.logging.enabled - doesn't exist

Now, for the Google Safe Browsing part... there are a ton of changes here.
First I would suggest a browser.safebrowsing.phishing.enabled = false setting added to the others. But only if you haven't left it out on purpose.
Second, almost all of the settings' names were changed to browser.safebrowsing.provider.google*. The dot is intentionally missing from the end, because there are google and google4 settings as well. If you know something about this, why there are 4 sets, I would be happy to hear.
And third, I would blank out every "browser.safebrowsing.provider.google*" key which has "google" in it. Just to be sure.

Next.
browser.selfsupport.url - doesn't exist, but it's not a switch so maybe without a URL it doesn't work. On the other hand, I was monitoring FF network activity with a clean profile (no extensions, no tabs open, no nothing) and it tries to connect to Amazon AWS servers, but I couldn't find out why. So maybe this is the key.
browser.send_pings = false is the default setting
browser.pocket.enabled is extensions.pocket.enabled now, but works the same
loop.enabled - doesn't exist (maybe not any more?)

The last one isn't really a comment, but kind of a question.
I've tried network.cookie.lifetimePolicy = 1 (prompt for each cookie) but it doesn't seem to do anything apart from disabling writing of new cookies, but accepting the already stored ones. (Yes, I know you advise a different setting.)
Do you know how that "prompt" should look?

And one more note: I found some setting names don't exist (any more?); could you comment beside them whether you meant to create them or the nonexistence serves the purpose of the modification.

Okay, this is all, thanks for your work collecting this and sharing it with us.


Atavic commented May 19, 2018

Regarding phishing: I'd also put it as false, but I must add that, due to its nature, this issue is very important as anyone can be tricked by a page with the same layout of the original one. So, I'll put that entry as false, but I'll eventually use a 3rd party tool for this issue.


0XDE57 (Owner) commented Jun 4, 2018

@iamhanti and @Atavic
Added browser.safebrowsing.phishing.enabled = false, thanks.

@iamhanti
This list was started a while ago and firefox is ever changing, so looks like some things have been removed and some things have been renamed (eg: browser.pocket.enabled -> extensions.pocket.enabled). Good catch!
Looks like loop ("Hello") has been discontinued in favor of webrtc: https://support.mozilla.org/en-US/kb/hello-status

I am not seeing a connection to amazon on my machine but could it be the new/home page? I added some new settings regarding that:
https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
http://kb.mozillazine.org/Connections_established_on_startup_-_Firefox
If that doesn't resolve it, perhaps it's worth digging deeper. Maybe one of firefox's services relies on an aws instance?

Regarding the cookie prompt, I am not sure what the prompt should be as I haven't really played with it as I use a self destructing cookie add-on. I simply copied from http://kb.mozillazine.org/Network.cookie.lifetimePolicy

I believe there are some settings that aren't listed but adding them manually brings it into effect. Now as far as what settings have been removed and what settings are simply not listed by default, I am not sure. Would have to crawl through the firefox source and changelog to find out, so out of laziness I simply add them manually just in case.

Thanks guys.


TheOneBehindYou commented Jun 4, 2018

Hi, thanks for this list, very useful. May I suggest adding these:
privacy.resistFingerprinting = true
privacy.firstparty.isolate = true
Privacy features used by Tor, added to Firefox by the Mozilla team.


nemyxa commented Jul 19, 2018

Hi, I wrote a Node.js script for auto-generating a user.js file.

Drop generated user.js here:

~/.mozilla/firefox/XXXXXXXX.your_profile_name/user.js - Linux
~/Library/Application Support/Firefox/Profiles/XXXXXXXX.your_profile_name - OS X
%APPDATA%\Mozilla\Firefox\Profiles\XXXXXXXX.your_profile_name\user.js - Windows

Hope this would be more convenient


egberts commented Sep 7, 2018

And what about security.tls.enable_0rtt_data?

jrmuizel commented Sep 7, 2018

html5.offmainthread defaults to true
layers.offmainthreadcomposition.enabled doesn't exist
layers.offmainthreadcomposition.async-animations defaults to true
layers.async-video.enabled doesn't exist


aaron-em commented Sep 7, 2018

@0XDE57 network.cookie.cookieBehavior and network.cookie.lifetimePolicy don't have values provided. I'd fork to fix them, only I'm not going to do that, because I made a garbage robot that looks at this gist (but not forks) and makes a user.js file out of it.


jdrch commented Sep 9, 2018

Thanks for this. The ones I enabled are:

dom.event.contextmenu.enabled = false
	Don't allow websites to prevent use of right-click, 
	or otherwise messing with the context menu.

dom.event.clipboardevents.enabled = false
	Don't allow websites to prevent copy and paste.
	Disable notifications of copy, paste, or cut functions. 
        Stop webpage knowing which part of the page had been selected.

network.IDN_show_punycode = true
	Show punycode. Help protect from character 'spoofing' eg:
	xn--80ak6aa92e.com -> аррӏе.com
	[IDN homograph attacks](https://www.xudongz.com/blog/2017/idn-phishing/)


cedricbonhomme commented Sep 10, 2018

I am using this configuration file without problems (sessions...):
https://github.com/cedricbonhomme/dotfiles/blob/master/mozilla/user.js


sirfz commented Sep 10, 2018

I believe disabling referrer header breaks twitter. I'm getting "If you’re not redirected soon, please use this link."

Couldn't login to AWS console either.


Jalakas commented Sep 11, 2018

"network.http.sendRefererHeader" values 0 and 1 break Aliexpress login.


richter-p commented Sep 13, 2018

browser.tabs.animate is deprecated, using toolkit.cosmeticAnimations.enabled = false works for me on current stable.


TheOneBehindYou commented Sep 14, 2018

@sirfz @Jalakas tweaking the Referer values could break some sites, especially when you're trying to log in to an account.


TheOneBehindYou commented Sep 14, 2018

I'm not sure if it is a privacy enforcement, but as long as I don't need the screenshot functionality built into Firefox:
extensions.screenshots.disabled = true
