
@0XDE57
Last active October 20, 2024 13:07
Firefox about:config privacy settings

ABOUT

about:config settings to harden the Firefox browser. Privacy and performance enhancements.
To change these settings, type 'about:config' in the URL bar, then search for the setting you would like to change and modify its value. Some settings may stop certain websites from functioning and rendering normally. Some settings may also make Firefox unstable. I am not liable for any damages/loss of data.

Not all of these changes are necessary; which ones make sense depends on your usage and hardware. Do some research on a setting if you don't understand what it does. These settings are best combined with your standard privacy extensions (NoScript/Request Policy, uBlock Origin, agent spoofing, Privacy Badger, etc.; HTTPS Everywhere is no longer required: enable HTTPS-Only Mode instead), and all plugins set to "Ask To Activate". https://github.com/arkenfox/user.js/wiki/4.1-Extensions

Some of these settings can actually make you more unique in some ways. There is a trade-off. Evaluate your browser's fingerprint:

You can check the current connections your browser is making via about:networking
You can check current memory usage via about:memory

More information about most prefs, their values and effects can be found in the MozillaZine knowledge base here:
http://kb.mozillazine.org/Category:Security_and_privacy-related_preferences
http://kb.mozillazine.org/Category:Preferences

Also see: https://github.com/pyllyukko/user.js

CONTROL & MISC

dom.event.contextmenu.enabled = false
	Don't allow websites to prevent use of right-click,
	or otherwise mess with the context menu.

dom.event.clipboardevents.enabled = false
	Don't allow websites to prevent copy and paste.
	Disables notifications of copy, paste, or cut events.
	Stops the webpage from knowing which part of the page has been selected.

network.IDN_show_punycode = true
	Show punycode. Helps protect from character 'spoofing', eg:
	xn--80ak6aa92e.com -> аррӏе.com
	[IDN homograph attacks](https://www.xudongz.com/blog/2017/idn-phishing/)
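Added example (Python, not part of the gist) of what is behind this setting: it decodes the gist's xn--80ak6aa92e.com, shows that the label is single-script Cyrillic (so a mixed-script check alone does not catch it) and screens it with a small constructed table of Latin look-alikes. display_hostname is a simplified stand-in for Firefox's display policy, not Firefox's code, and CONFUSABLES is a constructed subset, not Unicode's confusables.txt.

```python
"""Why network.IDN_show_punycode = true matters: decode and screen IDN labels.

Added example, not part of the gist.  CONFUSABLES is a small constructed subset
of Unicode's confusables, and display_hostname is a simplified stand-in for
Firefox's own IDN display policy.
"""
import codecs
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones:
# a e o p c x y i j s l(palochka) h d q
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u051b": "q",
}


def decode_label(label):
    """Turn an A-label (xn--...) into its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def scripts_in(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace each confusable letter with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def is_suspicious(label):
    """True for labels that mix scripts or that are non-ASCII yet look fully ASCII."""
    unicode_label = decode_label(label)
    if unicode_label.isascii():
        return False                      # plain ASCII label, nothing to hide
    if len(scripts_in(unicode_label)) > 1:
        return True                       # e.g. Latin letters mixed with Cyrillic
    return skeleton(unicode_label).isascii()  # whole-script confusable (the gist's case)


def display_hostname(host, show_punycode=False):
    """Hostname as the URL bar would show it: always punycode when the pref is on,
    otherwise Unicode unless the label is suspicious."""
    shown = []
    for label in host.split("."):
        if show_punycode or is_suspicious(label):
            shown.append(label)           # keep the xn-- form visible to the user
        else:
            shown.append(decode_label(label))
    return ".".join(shown)


if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "xn--mnchen-3ya.de"):
        print(host, "->", display_hostname(host), "| pref on:", display_hostname(host, True))
```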

PRIVACY SETTINGS

plugins.enumerable_names = blank
	Disables sites reading which plugins are installed.

network.http.sendRefererHeader = 0
	The Referer header tells a website where you came from. Disabling it may break some sites.
	0 = Disable referrer headers.
	1 = Send only on clicked links.
	2 = (default) Send for links and images.

network.http.sendSecureXSiteReferrer = false
	Disables referrer headers between HTTPS websites.

network.http.referer.spoofSource = true
	Sends a fake referrer (if you choose to send referrers).

privacy.trackingprotection.enabled = true
	Mozilla's built-in tracking protection.

geo.enabled = false
geo.wifi.uri = blank
browser.search.geoip.url = blank
	Disables geolocation and Firefox logging geolocation requests.


browser.safebrowsing.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.provider.google4.updateURL = blank
browser.safebrowsing.provider.google4.reportURL = blank
browser.safebrowsing.provider.google4.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google4.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google4.lists = blank
browser.safebrowsing.provider.google4.gethashURL = blank
browser.safebrowsing.provider.google4.dataSharingURL = blank
browser.safebrowsing.provider.google4.dataSharing.enabled = false
browser.safebrowsing.provider.google4.advisoryURL = blank
browser.safebrowsing.provider.google4.advisoryName = blank
browser.safebrowsing.provider.google.updateURL = blank
browser.safebrowsing.provider.google.reportURL = blank
browser.safebrowsing.provider.google.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google.pver = blank
browser.safebrowsing.provider.google.lists = blank
browser.safebrowsing.provider.google.gethashURL = blank
browser.safebrowsing.provider.google.advisoryURL = blank
browser.safebrowsing.downloads.remote.url = blank
	Disables Google Safe Browsing malware and phishing protection.
	Stops sending links to Google and downloading lists from Google.
	Security risk, but a privacy improvement.
	Note: this list may be incomplete as Firefox updates; be sure to search for browser.safebrowsing.provider.google*
	Also, simply setting safebrowsing.*.enabled to false should make setting the URLs to blank redundant, but better to be safe.
	If you see anything pointing at Google, it is probably best to nuke it.


browser.selfsupport.url = blank
browser.aboutHomeSnippets.updateUrl = blank
browser.startup.homepage_override.mstone = ignore
browser.startup.homepage_override.buildID = blank
startup.homepage_welcome_url = blank
startup.homepage_welcome_url.additional = blank
startup.homepage_override_url = blank
	These can call home every time Firefox is started or the home page is visited.
	https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
	http://kb.mozillazine.org/Connections_established_on_startup_-_Firefox


toolkit.telemetry.cachedClientID = blank

browser.send_pings = false
	Prevents websites from tracking clicks (hyperlink auditing pings).

browser.send_pings.require_same_host = true
	Only send pings if the sending and receiving host match (same website).

dom.battery.enabled = false
	Disables websites reading how much battery your mobile device or laptop has.

network.cookie.alwaysAcceptSessionCookies = false
	Disables acceptance of session cookies.

network.cookie.cookieBehavior
	Disable cookies. Values:
	0 = All cookies are allowed. (Default)
	1 = Only cookies from the originating server are allowed. (blocks third-party cookies)
	2 = No cookies are allowed.
	3 = Third-party cookies are allowed only if that site has already stored cookies from a previous visit.

network.cookie.lifetimePolicy
	Cookies are deleted at the end of the session (value 2). Values:
	0 = The cookie's lifetime is supplied by the server. (Default)
	1 = The user is prompted for the cookie's lifetime.
	2 = The cookie expires at the end of the session (when the browser closes).
	3 = The cookie lasts for the number of days specified by network.cookie.lifetime.days.

network.dnsCacheEntries = 100
	Number of cached DNS entries. Lower number = more requests but less data stored.

network.dnsCacheExpiration = 60
	Time DNS entries are cached, in seconds.

places.history.enabled = false
	Disables recording of visited websites.

browser.formfill.enable = false
	Disables saving of form data.

browser.cache.disk.enable = false
	Disables caching on the hard drive.

browser.cache.disk_cache_ssl = false
	Disables caching for SSL connections.

browser.cache.memory.enable = false
	Disables caching in memory.

browser.cache.offline.enable = false
	Disables the offline cache.

network.dns.disableIPv6 = true
	If your OS or ISP does not support IPv6, there is no reason to have this preference set to false.

network.predictor.enabled = false
network.dns.disablePrefetch = true
network.prefetch-next = false
	Link prefetching is when a webpage hints to the browser that certain pages are likely to be visited,
	so the browser downloads them immediately so they can be displayed at once when the user requests them.

network.http.speculative-parallel-limit = 0
	Disables speculative connections to links on hover.
	
media.peerconnection.enabled = false
network.websocket.enabled = false
	WebRTC (media.peerconnection) and WebSockets may both leak your real IP address when using a proxy/VPN.
	WebSockets is a technology that makes it possible to open an interactive communication
	session between the user's browser and a server.

loop.enabled = false
	Disables the 3rd-party closed-source Hello integration.
	Note: only affects older versions of Firefox, as "Hello" has been discontinued in favor of WebRTC: https://support.mozilla.org/en-US/kb/hello-status

extensions.pocket.enabled = false
extensions.pocket.site = blank
extensions.pocket.oAuthConsumerKey = blank
extensions.pocket.api = blank
	Disables the 3rd-party closed-source Pocket integration.
	Note: this is browser.pocket.enabled for older versions of Firefox.

PERFORMANCE

layout.frame_rate.precise = true
	Increases animation speed. May mitigate choppy scrolling.
	
webgl.force-enabled = true
layers.acceleration.force-enabled = true
layers.offmainthreadcomposition.enabled = true
layers.offmainthreadcomposition.async-animations = true
layers.async-video.enabled = true
html5.offmainthread = true
	Enable Hardware Acceleration and Off Main Thread Compositing (OMTC).
	It's likely your browser is already set to use these features.
	May introduce instability on some hardware.

MEMORY REDUCTION

browser.cache.memory.capacity = xx
	Limit memory cache size. (xx = value in MB)
	
browser.sessionhistory.max_entries = xx
	Limit maximum pages in session history. (how many URLs you can traverse using the Forward or Back button)
	
browser.sessionstore.max_tabs_undo = xx
	Limit max closed tabs you can reopen.
	
browser.tabs.animate = false
browser.download.animateNotifications = false
	Disable some animations.
	
config.trim_on_minimize = true
	Reduce memory usage when minimized. (Windows only)
	
image.mem.max_decoded_image_kb = xx
	How much info Firefox stores of uncompressed images.
	Higher value = improve speed at the expense of increased memory usage.
	
javascript.options.mem.max = xx
	Limit the amount of memory JavaScript may consume.
	-1 = Automatic

javascript.options.mem.high_water_mark = xx
	Tells the garbage collector to start running when JavaScript is using xx MB of memory.
	Garbage collection releases memory back to the system.

Flash Font Enumeration

This one is not for firefox, but for Flash if you have it installed. Font Enumeration allows a site to read which fonts you have installed which can be used to identify users.

Default Location:

Windows: 
	C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
	C:\Windows\system32\Macromed\Flash\mms.cfg
Linux:
	/etc/adobe/mms.cfg
OSX:
	~/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System/mms.cfg

Add this line to the mms.cfg file:

DisableDeviceFontEnumeration = 1

Better yet, simply uninstall Flash. Flash is deprecated. If you really need it, consider running it in a VM.


Alternative browsers

https://www.privacyguides.org/en/desktop-browsers/

Comparison: https://privacytests.org/

Users may want to consider LibreWolf as a better alternative to stock Firefox. LibreWolf comes with no telemetry and much better defaults out of the box:

https://librewolf.net/

Mullvad is another interesting Firefox fork to consider.

Users who prefer Chrome: consider Brave or ungoogled-chromium

https://github.com/ungoogled-software/ungoogled-chromium



** I do my best to keep this list up to date. Additions and corrections are greatly appreciated. Some keys may not be listed and must be added manually, or they are no longer relevant as Firefox changes. **
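A way to apply and audit the list above without clicking through about:config, as an added example (Python, not part of the gist): Firefox reads a user.js file from the profile directory at startup, one user_pref("name", value); line per setting. DESIRED is a small subset of the gist's settings ("blank" in the gist means an empty string), SAMPLE_PREFS_JS is constructed, and the conflict check catches the kind of duplicated key with two different values that a long pref list invites.

```python
"""Generate and audit a Firefox user.js (added example, not part of the gist).

Firefox applies a user.js from the profile directory at every start, one
user_pref("name", value); line per setting, value being true/false, an integer
or a double-quoted string.  DESIRED is a subset of the gist's settings ("blank"
in the gist means an empty string); SAMPLE_PREFS_JS is a constructed prefs.js.
"""
import json
import re

DESIRED = {
    "network.IDN_show_punycode": True,
    "network.http.sendRefererHeader": 0,
    "privacy.trackingprotection.enabled": True,
    "geo.enabled": False,
    "geo.wifi.uri": "",
    "browser.safebrowsing.provider.google4.dataSharing.enabled": False,
    "browser.send_pings": False,
    "network.cookie.cookieBehavior": 1,
    "extensions.pocket.enabled": False,
}

# Matches user_pref("name", value); the value runs up to the closing ");".
_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')


def js_value(value):
    """Render a Python value as the literal Firefox expects in user.js."""
    if isinstance(value, bool):          # test bool first: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return json.dumps(value)         # JSON string escaping is valid JavaScript
    raise TypeError(f"unsupported pref type: {type(value).__name__}")


def build_user_js(prefs):
    """Emit a user.js body, one user_pref() call per setting, sorted by name."""
    return "".join('user_pref("%s", %s);\n' % (name, js_value(value))
                   for name, value in sorted(prefs.items()))


def parse_user_js(text):
    """Parse user.js/prefs.js text into a dict (later lines win) plus a list of
    names set more than once with different values, i.e. conflicting duplicates."""
    prefs, conflicts = {}, []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                     # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = json.loads(raw)      # double-quoted string
        if name in prefs and prefs[name] != value:
            conflicts.append(name)
        prefs[name] = value
    return prefs, conflicts


def audit(current_text, desired=DESIRED):
    """Map each desired pref that is missing or different to (current, desired)."""
    current, _ = parse_user_js(current_text)
    return {name: (current.get(name), want)
            for name, want in desired.items() if current.get(name) != want}


# Constructed sample of a stock profile's prefs.js, not taken from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("network.IDN_show_punycode", false);
user_pref("network.cookie.cookieBehavior", 5);
user_pref("geo.wifi.uri", "https://example.invalid/geolocation");
"""
```

Run audit() over your profile's prefs.js to see which of the listed prefs still differ, and parse_user_js() over a hand-assembled user.js to catch conflicting duplicates before Firefox silently takes the last one.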
@jdrch

jdrch commented Sep 9, 2018

Thanks for this. The ones I enabled are:

dom.event.contextmenu.enabled = false
	Don't allow websites to prevent use of right-click, 
	or otherwise messing with the context menu.

dom.event.clipboardevents.enabled = false
	Don't allow websites to prevent copy and paste.
	Disable notifications of copy, paste, or cut functions. 
        Stop webpage knowing which part of the page had been selected.

network.IDN_show_punycode = true
	Show punycode. Help protect from character 'spoofing' eg:
	xn--80ak6aa92e.com -> аррӏе.com
	[IDN homograph attacks](https://www.xudongz.com/blog/2017/idn-phishing/)

@cedricbonhomme

I am using this configuration file without problems (sessions...):
https://github.com/cedricbonhomme/dotfiles/blob/master/mozilla/user.js

@sirfz

sirfz commented Sep 10, 2018

I believe disabling referrer header breaks twitter. I'm getting "If you’re not redirected soon, please use this link."

Couldn't login to AWS console either.

@Jalakas

Jalakas commented Sep 11, 2018

"network.http.sendRefererHeader" values 0 and 1 break Aliexpress login.

@richter-p

browser.tabs.animate is deprecated, using toolkit.cosmeticAnimations.enabled = false works for me on current stable.

@TheOneBehindYou

@sirfz @Jalakas tweaking the Referer values could break some sites, especially when you're trying to connect to an account.

@TheOneBehindYou

I'm not sure if it is a privacy enforcement, but as long as I don't need the screenshot functionality built in by Mozilla:
extensions.screenshots.disabled = true

@enyone

enyone commented Sep 21, 2018

dom.event.clipboardevents.enabled = false
This will break a lot of web functionality.

Examples:

  • will break google drive apps paste
  • will break facebook comment box paste

@hucste

hucste commented Sep 22, 2018

Hi,

unless I am mistaken, this one is marked two times:
''browser.safebrowsing.provider.google4.dataSharing.enabled''

the second is the good one! ;)

@m0n4

m0n4 commented Sep 22, 2018

Privacy :

set to empty :
toolkit.telemetry.server 
set to false:
browser.newtabpage.activity-stream.feeds.telemetry
browser.newtabpage.activity-stream.telemetry
browser.ping-centre.telemetry
toolkit.telemetry.archive.enabled
toolkit.telemetry.bhrPing.enabled
toolkit.telemetry.enabled
toolkit.telemetry.firstShutdownPing.enabled
toolkit.telemetry.hybridContent.enabled
toolkit.telemetry.newProfilePing.enabled
toolkit.telemetry.reportingpolicy.firstRun
toolkit.telemetry.shutdownPingSender.enabled
toolkit.telemetry.unified
toolkit.telemetry.updatePing.enabled
experiments.activeExperiment
experiments.enabled
experiments.supported
network.allow-expériences

@talonx

talonx commented Sep 27, 2018

To turn off Firefox's new "partnership" with Cloudflare so that all DNS lookups are resolved via Cloudflare's DNS:
network.trr.mode=5

@TheOneBehindYou

TheOneBehindYou commented Sep 29, 2018

@m0n4

> experiments.enabled
> experiments.supported

I don't have these values in about:config

network.allow-expériences is misspelled ---> network.allow-experiments

I conclude that you are a French speaker; friendly greetings from Auvergne.

@TheOneBehindYou

@talonx

> To turn off Firefox's new "partnership" with Cloudflare so that all DNS lookups are resolved via Cloudflare's DNS:
> network.trr.mode=5

Or choose to keep it on and set the URL of a more ethical DNS resolver with network.trr.uri
https://wiki.mozilla.org/Trusted_Recursive_Resolver

@144288

144288 commented Oct 2, 2018

Thank you for this.

Which option controls the browser zoom level per site?

@nostromov

nostromov commented Oct 3, 2018

There's a ycombinator thread referencing this gist and one of the comments mentions how changing something like browser.safebrowsing.phishing.enabled can compromise the browser and security, not sure whether it's been covered here...

It's my belief that if we're to turn off the built-in mechanisms and lists, it can be replaced by something like uBlock Origin (with most, or all filters enabled).

Furthermore, it's argued how switching off (things like) browser.cache.offline.enabled isn't worth the hassle of losing (various, login) functionality, as a trade-off for security; however, there are plenty more SUCH about:config settings to consider.

Would you rather be inconvenienced that your filled-out form data may be lost, if something goes wrong with POST when submitting, or would you choose to ignore that this system and data can be used maliciously, depending on what site you're visiting, you know.

(For example, I make it a practice to first write in a notepad, prior to copy-pasting to the browser form, when needing to send some data. Simple. :))

Anyway, hopefully I'm not boring anyone: if I were to write (something like) this on ycomb - I'd get downvoted 5000 times, because it's not PC and pleasing to all SJWs and their grandmothers; sometimes it seems like all of the peasants have got an Internet connection, these days. ;$

Oh! And, for example, the gHacks user.js (hosted on GitHub) is very well documented (!), too; I'm, pretty much, using their file as baseline config - after much editing - Notepad++ on Windows has a nice compare plugin, to fix every new release. Check out their (closed) Issue, on how to inject about:config data to non-rooted Android devices via script: Ideas for Android (how to inject the config files) #318


"Using remote debugging to inject user.js preferences to Android Firefox", arkenfox/user.js#318 (comment)

++ To switch off and remove any-and-all 3rd-party server and data connections, to anything other than the site being visited... Including cookies and everything. It can often be an inconvenience, a bunch of things do not work - even logging in to comment and using the Google account to "authorize" -comment- pages, but IMO it's worth it. Hope it helps! :)

++ In the end, if you REALLY need to access something - as if your life depended on it - we can always -just- use a secondary browser, hehe.

@211217613

Hi, I wrote a Node.js script for auto-generating the user.js file

Drop generated user.js here:

~/.mozilla/firefox/XXXXXXXX.your_profile_name/user.js - Linux
~/Library/Application Support/Firefox/Profiles/XXXXXXXX.your_profile_name - OS X
%APPDATA%\Mozilla\Firefox\Profiles\XXXXXXXX.your_profile_name\user.js - Windows

Hope this is more convenient

Are all these settings set in the js file? Asking because I want to automate this stuff.

@chandukalyan

How can we change the below settings of Firefox through an Ansible playbook?
browser.cache.disk.enable: false
browser.cache.memory.enable: false

I want to disable the Firefox cache through an Ansible playbook

@0XDE57
Author

0XDE57 commented Nov 19, 2019

> There's a ycombinator thread referencing this gist and one of the comments mentions how changing something like browser.safebrowsing.phishing.enabled can compromise the browser and security, not sure whether it's been covered here...
>
> It's my belief that if we're to turn off the built-in mechanisms and lists, it can be replaced by something like uBlock Origin (with most, or all filters enabled).
>
> Furthermore, it's argued how switching off (things like) browser.cache.offline.enabled isn't worth the hassle of losing (various, login) functionality, as a trade-off for security; however, there are plenty more SUCH about:config settings to consider.
>
> Would you rather be inconvenienced that your filled-out form data may be lost, if something goes wrong with POST when submitting, or would you choose to ignore that this system and data can be used maliciously, depending on what site you're visiting, you know.
>
> (For example, I make it a practice to first write in a notepad, prior to copy-pasting to the browser form, when needing to send some data. Simple. :))
>
> Anyway, hopefully I'm not boring anyone: if I were to write (something like) this on ycomb - I'd get downvoted 5000 times, because it's not PC and pleasing to all SJWs and their grandmothers; sometimes it seems like all of the peasants have got an Internet connection, these days. ;$
>
> Oh! And, for example, the gHacks user.js (hosted on GitHub) is very well documented (!), too; I'm, pretty much, using their file as baseline config - after much editing - Notepad++ on Windows has a nice compare plugin, to fix every new release. Check out their (closed) Issue, on how to inject about:config data to non-rooted Android devices via script: Ideas for Android (how to inject the config files) #318


> "Using remote debugging to inject user.js preferences to Android Firefox", ghacksuserjs/ghacks-user.js#318 (comment)
>
> ++ To switch off and remove any-and-all 3rd-party server and data connections, to anything other than the site being visited... Including cookies and everything. It can often be an inconvenience, a bunch of things do not work - even logging in to comment and using the Google account to "authorize" -comment- pages, but IMO it's worth it. Hope it helps! :)
>
> ++ In the end, if you REALLY need to access something - as if your life depended on it - we can always -just- use a secondary browser, hehe.

Awesome. And yeah, I find myself running a second browser often.
Thanks!

@CAoTx

CAoTx commented Mar 8, 2020

network.http.referer.spoofSource = true

Breaks iCloud.com

network.http.sendRefererHeader other than 2

Breaks iCloud.com

privacy.resistFingerprinting = true

Breaks iCloud.com

@0XDE57
Author

0XDE57 commented Apr 4, 2020

> network.http.referer.spoofSource = true
>
> Breaks iCloud.com
>
> network.http.sendRefererHeader other than 2
>
> Breaks iCloud.com
>
> privacy.resistFingerprinting = true
>
> Breaks iCloud.com

thanks for the info. that is a perfect example of how some sites break.

remember with clouds: there is no cloud, just someone else's computer.
if privacy is a concern, ensure what you are uploading is encrypted.

@Aniruddha120

So, you wanted to say that all of the safe search options of Google are not related to security/privacy? Would you mind clearing my confusion?

@pompass

pompass commented Oct 20, 2020

Hi there,

I have reconfigured about:config to match the above on Firefox 78.0.2 and am having an issue logging on to craigslist (https://accounts.craigslist.org/login), getting the error below after entering email, password and clicking Log in. Any recommendations would be appreciated.

Error:

There is nothing here
No web page for this address
404 Error

@0XDE57
Author

0XDE57 commented Feb 13, 2021

Found another one lately in my Pi-hole logs: lots of traffic to http://detectportal.firefox.com
Interestingly, it seems to download a file that simply states 'success'.

Looks like it detects captive portals on public wifi networks to be able to redirect you to their logon screen. Based on that I assume this will break that feature if trying to log on at, say, a coffee shop or airport. But for my home desktop, not necessary.

network.captive-portal-service.enabled = false

https://www.ghacks.net/2020/02/19/why-is-firefox-establishing-connections-to-detectportal-firefox-com-on-start/

@Aniruddha120

Hello, would you mind looking at this link about excess memory usage of Firefox? Thanks in advance!

https://windowsreport.com/firefox-too-much-memory-windows-10/

@0XDE57
Author

0XDE57 commented Feb 13, 2021

@Aniruddha120

> So, you wanted to say that all of the safe search options of Google are not related to security/privacy? Would you mind clearing my confusion?

Generally, the safe search stuff does client-side checks against known bad domains. See:
https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work

Occasionally you run into a blocked site and you still want to view it for reason XYZ (eg: malware research, perhaps safely in a VM, or disable JavaScript and read what you need and don't download or run anything). For me it's more about control. I know what I'm doing; the browser just needs to do what I tell it. If you are asking what it does or any of that sounds scary, just leave it on.

@0XDE57
Author

0XDE57 commented Feb 13, 2021

@Aniruddha120

> Hello, would you mind looking at this link about excess memory usage of Firefox? Thanks in advance!
>
> https://windowsreport.com/firefox-too-much-memory-windows-10/

What about it would you like me to look at? At first glance it looks like there might be a couple more settings there I could add, later...
Added a note about about:memory.

Thanks.

@Aniruddha120

Actually, it is not related to privacy (at first I must say that). But, as my browser gets slow and makes my system slow also, I thought to check some settings related to it. So, I found this, where they claim it will save some memory. But my confusion is, if I follow those settings, will it affect my privacy or not?

@Firepup6500

> privacy.resistFingerprinting = true
>
> Breaks iCloud.com

This also breaks replit.com's console.

@sn0wmem0ry

media.peerconnection.enabled = false
Causes Google Meet to get stuck at 'Getting ready...'

@0XDE57
Author

0XDE57 commented Jan 19, 2024

> media.peerconnection.enabled = false Causes Google Meet to get stuck at 'Getting ready...'

Then Google meet probably relies on WebRTC. You only need to worry about this if using a VPN, not to use web services that rely on WebRTC: https://nordvpn.com/blog/webrtc/

WebRTC (Web Real-Time Communication) is an open-source tool that allows web browsers to form real-time peer-to-peer connections with the websites they visit.

WebRTC does this by establishing special real time communication channels from the browser. They communicate with the website you’re visiting and exchange information (including your local and public IP addresses).

WebRTC leaks happen when communication channels bypass your encrypted tunnel created by using a VPN. In this case websites and online services you visit can see your IP address.

See mozilla docs for more info:
https://wiki.mozilla.org/Media/WebRTC/Privacy
