@Blaumaus
Last active August 29, 2019 13:23
Firefox about:config privacy and performance configuration snippets.

ABOUT

about:config settings to harden the Firefox browser. Privacy and performance enhancements.
You can use these settings in the Tor Browser too.
To change these settings, type 'about:config' in the URL bar, then search for the setting you want to change and modify its value. Some settings may stop certain websites from functioning or rendering normally. Some settings may also make Firefox unstable.

I am not liable for any damages/loss of data.

Not all of these changes are necessary; which ones make sense depends on your usage and hardware. Do some research on a setting if you don't understand what it does. These settings are best combined with your standard privacy extensions (HTTPS Everywhere, NoScript/Request Policy, uBlock Origin, agent spoofing, Privacy Badger etc.), and all plugins set to "Ask To Activate".

Some of these settings can actually make you more unique in some ways, so there is a trade-off. Evaluate your browser's fingerprint:

https://panopticlick.eff.org/
https://browserleaks.com/
https://amiunique.org/
https://whoer.net/

You can check the current connections your browser is making via about:networking
You can check your browser's telemetry data via about:telemetry
You can check your browser's performance stats via about:performance
You can check all about: pages via about:about

More information about most prefs, their values and effects can be found in mozilla docs here: http://kb.mozillazine.org/Category:Security_and_privacy-related_preferences
http://kb.mozillazine.org/Category:Preferences

CONTROL & MISC

dom.event.contextmenu.enabled = false
	Don't allow websites to prevent use of right-click,
	or otherwise mess with the context menu.
	Can break gameplay in some online games.

dom.event.clipboardevents.enabled = false
	Don't allow websites to prevent copy and paste.
	Disables notifications of copy, paste, or cut events.
	Stops the webpage from knowing which part of the page has been selected.

network.IDN_show_punycode = true
	Shows punycode. Helps protect against character 'spoofing', e.g.:
	xn--80ak6aa92e.com -> аррӏе.com
	Read more about IDN homograph attacks here -> https://www.xudongz.com/blog/2017/idn-phishing/
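A small check, added here as an example (not part of the gist), that shows why this pref matters: the lookalike label above is single-script Cyrillic, so a mixed-script rule never fires, and only rendering the punycode form (or a confusables lookup) exposes it. The confusables table is a constructed subset, not Unicode's full confusables.txt.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones;
# the authoritative list is Unicode's confusables.txt.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u04cf": "l",  # U+04CF palochka is the 'l' in the example above
}

def decode_idn(host):
    """Unicode display form of a hostname: xn-- (ACE) labels are punycode-decoded."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts_in(label):
    """Scripts used by a label's letters, from the first word of each character name."""
    return sorted({unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()})

def latin_lookalike(label):
    """Swap known Cyrillic confusables for the Latin letters they resemble; None if unmapped."""
    out = []
    for c in label:
        if c.isascii():
            out.append(c)
        elif c in CYRILLIC_LOOKALIKES:
            out.append(CYRILLIC_LOOKALIKES[c])
        else:
            return None
    return "".join(out)

def assess(host):
    """(unicode form, scripts per label, Latin lookalike or None)."""
    uni = decode_idn(host)
    labels = uni.split(".")
    look = [latin_lookalike(l) for l in labels]
    lookalike = ".".join(look) if all(l is not None for l in look) else None
    return uni, [scripts_in(l) for l in labels], lookalike

def is_homograph_candidate(host):
    """True when the host reads as a Latin name it is not: what the punycode pref makes visible."""
    uni, _, lookalike = assess(host)
    return lookalike is not None and lookalike != uni

if __name__ == "__main__":
    for h in ("xn--80ak6aa92e.com", "apple.com"):
        print(h, assess(h), is_homograph_candidate(h))
```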

PRIVACY SETTINGS

privacy.firstparty.isolate = true
  	This preference isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.

network.http.sendRefererHeader = 0
	Controls whether Firefox tells a website where you came from. Disabling may break some sites like AliExpress.
	0 = Disable referrer headers.
	1 = Send only on clicked links.
	2 = (default) Send for links and images.
		
network.http.referer.spoofSource = true
	Send a fake referrer (if you choose to send referrers). Recommended.
		
privacy.trackingprotection.enabled = true
	Mozilla's built-in tracking protection.
        
privacy.resistFingerprinting = true
  	This preference makes Firefox more resistant to browser fingerprinting.
  
privacy.trackingprotection.fingerprinting.enabled = true
privacy.trackingprotection.cryptomining.enabled = true
	[FF67+] Blocks cryptomining and fingerprinting scripts.
    
geo.enabled = false
geo.wifi.uri = blank
browser.search.geoip.url = blank
	Disables geolocation and Firefox logging geolocation requests.


browser.safebrowsing.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.safebrowsing.malware.enabled = false	
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.provider.google4.dataSharing.enabled = false
browser.safebrowsing.provider.google4.updateURL = blank
browser.safebrowsing.provider.google4.reportURL = blank
browser.safebrowsing.provider.google4.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google4.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google4.lists = blank
browser.safebrowsing.provider.google4.gethashURL = blank
browser.safebrowsing.provider.google4.dataSharingURL = blank
browser.safebrowsing.provider.google4.advisoryURL = blank
browser.safebrowsing.provider.google4.advisoryName = blank
browser.safebrowsing.provider.google.updateURL = blank
browser.safebrowsing.provider.google.reportURL = blank
browser.safebrowsing.provider.google.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google.pver = blank
browser.safebrowsing.provider.google.lists = blank
browser.safebrowsing.provider.google.gethashURL = blank
browser.safebrowsing.provider.google.advisoryURL = blank
browser.safebrowsing.downloads.remote.url = blank
	Disable Google Safe Browsing and its malware and phishing protection.
	Stops sending links to, and downloading lists from, Google.
	Security risk, but privacy improvement.
	Note: this list may be incomplete as Firefox updates; be sure to search for browser.safebrowsing.provider.google*
	Also, simply setting safebrowsing.*.enabled to false should make setting the URLs to blank redundant, but better to be safe.
	If you see anything pointing at Google, it is probably best to nuke it.


browser.startup.homepage_override.mstone = ignore
browser.startup.homepage_override.buildID = blank
startup.homepage_welcome_url = blank
startup.homepage_welcome_url.additional = blank
startup.homepage_override_url = blank
	Can call home every time Firefox is started or the home page is visited.
	https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
	http://kb.mozillazine.org/Connections_established_on_startup_-_Firefox
	In theory, this can break the browser's ability to auto-update.

toolkit.telemetry.cachedClientID = blank

browser.send_pings = false
	Prevents websites from tracking clicks (hyperlink auditing pings).
        
dom.battery.enabled = false
	Disables websites reading how much battery your mobile device or laptop has.

network.cookie.alwaysAcceptSessionCookies = false
  	Disables acceptance of session cookies.
		
network.cookie.cookieBehavior = 1
	Restricts cookies (value 1 blocks third-party cookies).
	0 = All cookies are allowed. (Default)
	1 = Only cookies from the originating server are allowed (blocks third-party cookies). Recommended.
	2 = No cookies are allowed.
	3 = Third-party cookies are allowed only if that site has already stored cookies from a previous visit.
			
network.cookie.lifetimePolicy = 2
	Cookies are deleted at the end of the session.
  	0 = The cookie's lifetime is supplied by the server. (Default) 
  	1 = The user is prompted for the cookie's lifetime. 
  	2 = The cookie expires at the end of the session (when the browser closes). Recommended.
  	3 = The cookie lasts for the number of days specified by network.cookie.lifetime.days.   

network.http.referer.trimmingPolicy = 2
  	0 = Send the full URL in the Referer header
  	1 = Send the URL without its query string in the Referer header
  	2 = Send only the scheme, host, and port in the Referer header (Recommended)

network.http.referer.XOriginPolicy = 2
  	Only send Referer header when the full hostnames match. 
  	(Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.)
  	0 = Send Referer in all cases
  	1 = Send Referer to same eTLD sites
  	2 = Send Referer only when the full hostnames match

network.http.referer.XOriginTrimmingPolicy = 2
  	When sending Referer across origins, only send scheme, host, and port in the Referer header of cross-origin requests.
  	0 = Send full url in Referer
  	1 = Send url without query string in Referer
  	2 = Only send scheme, host, and port in Referer
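To make the interaction of the three Referer prefs concrete, here is a small model, written as an added example (not the gist's or Firefox's own code), of the Referer value that results for a request under given pref values. It assumes that in the cross-origin case the stricter of trimmingPolicy and XOriginTrimmingPolicy wins, and approximates eTLD+1 as the last two host labels (Firefox consults the Public Suffix List); the URLs are constructed.

```python
from urllib.parse import urlsplit

def trim_referer(url, level):
    """0 = full URL, 1 = drop the query string, 2 = scheme, host and port only."""
    p = urlsplit(url)
    if level == 0:
        return url
    if level == 1:
        return f"{p.scheme}://{p.netloc}{p.path or '/'}"
    return f"{p.scheme}://{p.netloc}/"

def base_domain(host):
    """Approximation of eTLD+1 as the last two labels (assumption; Firefox uses the PSL)."""
    return ".".join(host.split(".")[-2:])

def referer_for(source, dest, send_referer=2, trimming=0, xorigin=0,
                xorigin_trimming=0, user_click=True):
    """Referer sent for a request from source to dest, or None when no header is sent."""
    if send_referer == 0 or (send_referer == 1 and not user_click):
        return None
    s, d = urlsplit(source), urlsplit(dest)
    if (s.scheme, s.netloc) == (d.scheme, d.netloc):
        return trim_referer(source, trimming)       # same origin: only trimmingPolicy applies
    if xorigin == 2 and s.hostname != d.hostname:
        return None                                  # cross-origin: full hostnames must match
    if xorigin == 1 and base_domain(s.hostname) != base_domain(d.hostname):
        return None                                  # cross-origin: same eTLD+1 required
    return trim_referer(source, max(trimming, xorigin_trimming))  # assumption: stricter wins

# Constructed source URL carrying a tracking parameter and a session token.
SOURCE = "https://shop.example.com/cart?item=42&session=abc"

if __name__ == "__main__":
    hardened = dict(trimming=2, xorigin=2, xorigin_trimming=2)  # the values recommended above
    for dest in ("https://shop.example.com/checkout",
                 "https://cdn.example.com/a.js",
                 "https://tracker.example.net/px"):
        print(dest, "->", referer_for(SOURCE, dest), "| hardened:",
              referer_for(SOURCE, dest, **hardened))
```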
  
browser.sessionstore.privacy_level = 2
  	This preference controls when to store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data.
  	0 = Store extra session data for any site. (Default starting with Firefox 4.)
  	1 = Store extra session data for unencrypted (non-HTTPS) sites only. (Default before Firefox 4.)
  	2 = Never store extra session data.

network.dnsCacheEntries = 100
	Number of cached DNS entries. Lower number = more requests but less data stored.
    
network.dnsCacheExpiration = 60
  	Time DNS entries are cached in seconds.
    
places.history.enabled = false
  	Disables recording of visited websites.
    
browser.formfill.enable = false
  	Disables saving of form data.
   
browser.cache.disk.enable = false
	Disables caching on the hard drive.
    
browser.cache.disk_cache_ssl = false
	Disables caching for SSL connections.
    
browser.cache.memory.enable = false
  	Disables caching in memory.
   
browser.cache.offline.enable = false
  	Disables offline cache.

network.predictor.enabled = false
network.dns.disablePrefetch = true   
network.prefetch-next = false
	Link prefetching is when a webpage hints to the browser that certain pages are likely to be visited,
	so the browser downloads them in advance to display them immediately when the user requests them.

network.http.speculative-parallel-limit = 0
	Disables speculative connections to links on hover.
	
media.peerconnection.enabled = false
media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.identity.timeout = 1
network.websocket.enabled = false (Not recommended)
  	WebSockets is a technology that makes it possible to open an interactive communication 
  	session between the user's browser and a server. (May leak IP when using proxy/VPN)

extensions.pocket.enabled = false
extensions.pocket.site = blank
extensions.pocket.oAuthConsumerKey = blank
extensions.pocket.api = blank
	Disable the third-party, closed-source Pocket integration.
	Note: this is browser.pocket.enabled in older versions of Firefox.
  
webgl.disabled = true
  	WebGL is a potential security risk. https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern
  
extensions.blocklist.url = https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/
  	Limit the amount of identifiable information sent when requesting the Mozilla harmful extension blocklist.
  	Optionally, the blocklist can be disabled entirely by setting extensions.blocklist.enabled to false for increased privacy, but decreased security.
  
browser.urlbar.speculativeConnect.enabled = false
  	Disable preloading of autocomplete URLs.
  
media.eme.enabled = false
  	Disables playback of DRM-controlled HTML5 content, which, if enabled, automatically downloads the Widevine Content Decryption Module provided by Google Inc.
  	Details here -> https://support.mozilla.org/kb/enable-drm#w_opt-out-of-cdm-playback-uninstall-cdms-and-stop-all-cdm-downloads
  
media.gmp-widevinecdm.enabled = false
  	Disables the Widevine Content Decryption Module provided by Google Inc., used for the playback of DRM-controlled HTML5 content.
  
media.navigator.enabled = false
	Prevents websites from querying the microphone and camera status of your device.
	May break functionality of some sites like the Skype web edition.
  
network.trr.mode = 2
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.trr.bootstrapAddress = 1.1.1.1
network.security.esni.enabled = true
	Enable DoH (DNS over HTTPS) and ESNI (encrypted SNI).
	Check whether everything works correctly here -> https://www.cloudflare.com/ssl/encrypted-sni/
	Verify that your DNS entries are encrypted here -> https://www.dnsleaktest.com/

PERFORMANCE

layout.frame_rate.precise = true
	Increases animation speed. May mitigate choppy scrolling.
	
webgl.force-enabled = true
layers.acceleration.force-enabled = true
layers.offmainthreadcomposition.enabled = true
layers.offmainthreadcomposition.async-animations = true
layers.async-video.enabled = true
html5.offmainthread = true
	Enable Hardware Acceleration and Off Main Thread Compositing (OMTC).
	It's likely your browser is already set to use these features.
	May introduce instability on some hardware.

MEMORY REDUCTION

browser.cache.memory.capacity = xx
	Limit memory cache size. (xx = value in MB)
	
browser.sessionhistory.max_entries = xx
	Limit maximum pages in session history. (how many URLs you can traverse using the Forward or Back button)
	
browser.sessionstore.max_tabs_undo = xx
	Limit max closed tabs you can reopen.
	
toolkit.cosmeticAnimations.enabled = false
browser.download.animateNotifications = false
	Disable some animations.
	
config.trim_on_minimize = true
	Reduce memory usage when minimized. (Windows only)
	
image.mem.max_decoded_image_kb = xx
	How much decoded (uncompressed) image data Firefox keeps in memory.
	Higher value = better speed at the expense of increased memory usage.
	
javascript.options.mem.max = xx
	Limit the amount of memory JavaScript may consume.
	-1 = Automatic

javascript.options.mem.high_water_mark = xx
	Tell the garbage collector to start running when JavaScript is using xx MB of memory.
	Garbage collection releases memory back to the system.
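Applying and re-checking this many prefs by hand is error-prone, so here is an added example (not part of the gist) that parses entries in the list's own "name = value" form, renders them as user.js lines, and audits a profile's prefs.js against them. Both input texts are constructed excerpts; values written as xx are treated as placeholders and skipped.

```python
import json
import re
PREF_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=+\s*(\S+)")           # list form: name = value
USER_PREF = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')   # prefs.js / user.js form

def coerce(token):
    """Token -> the type Firefox stores: bool, int or string ('blank' means empty string)."""
    if token in ("true", "false"):
        return token == "true"
    if token == "blank":
        return ""
    return int(token) if re.fullmatch(r"-?\d+", token) else token

def parse_baseline(text):
    """Read 'name = value' entries; indented notes are ignored and xx placeholders skipped."""
    hits = (PREF_LINE.match(line) for line in text.splitlines())
    return {m.group(1): coerce(m.group(2)) for m in hits if m and m.group(2) != "xx"}

def parse_user_prefs(text):
    """Read user_pref("name", value); lines; quoted strings are parsed with json.loads."""
    prefs = {}
    for m in filter(None, map(USER_PREF.match, text.splitlines())):
        raw = m.group(2)
        prefs[m.group(1)] = json.loads(raw) if raw.startswith('"') else coerce(raw)
    return prefs

def to_user_js(baseline):
    """Render a baseline as user.js lines; json.dumps gives true/false, numbers and quoted strings."""
    return "\n".join(f'user_pref("{k}", {json.dumps(v)});' for k, v in sorted(baseline.items()))

def audit(baseline, current):
    """{name: (expected, actual)} for baseline prefs that are missing or differ in value or type."""
    return {k: (v, current.get(k)) for k, v in baseline.items()
            if type(current.get(k)) is not type(v) or current.get(k) != v}

# Constructed excerpts: the list's own format (note line, trailing remark, placeholder) and a prefs.js.
BASELINE_TEXT = """privacy.firstparty.isolate = true
\tIsolates identifiers to the first-party domain.
network.http.sendRefererHeader = 0
network.cookie.cookieBehavior = 1
geo.wifi.uri = blank
network.websocket.enabled = false (Not recommended)
browser.cache.memory.capacity = xx
"""
PREFS_JS = """user_pref("privacy.firstparty.isolate", true);
user_pref("network.http.sendRefererHeader", 2);
user_pref("geo.wifi.uri", "");
"""

if __name__ == "__main__":
    print(to_user_js(parse_baseline(BASELINE_TEXT)))
    print(audit(parse_baseline(BASELINE_TEXT), parse_user_prefs(PREFS_JS)))
```

Drop the rendered lines into a user.js in the profile directory to apply the baseline; the audit dict lists every pref that is still unset or set to a different value.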

Flash Font Enumeration

This one is not for Firefox but for Flash, if you have it installed. Font enumeration allows a site to read which fonts you have installed, which can be used to identify users.

Default Location:

Windows: 
	C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
	C:\Windows\system32\Macromed\Flash\mms.cfg
Linux:
	/etc/adobe/mms.cfg
OSX:
	~/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System/mms.cfg

Add this line to the mms.cfg file:

DisableDeviceFontEnumeration = 1

Better yet, simply uninstall flash. Flash is garbage...


___
I do my best to keep this list up to date.
Additions and corrections are greatly appreciated.
Some keys may not be listed and must be added manually, or they are no longer relevant as Firefox changes.