Configuring Firefox for security and privacy (as of Oct. 2017)

Configuring/Hardening Firefox for Security and Privacy

Source for some of these: https://websetnet.com/a-comprehensive-list-of-firefox-privacy-and-security-settings/

  1. about:config
  • dom.event.clipboardevents.enabled => false
  • clipboard.plainTextOnly => true
  • referer.spoofSource => true
  • media.peerconnection
    • enabled => false
    • identity => false
    • video => false
    • use_document_iceservers => false
  • eme (DRM)
    • disable media.eme, browser.eme
    • disable chromium-api
  • media.navigator.enabled => false (RTC)
  • screensharing
    • allowed_domains => ""
    • enabled => false
  • camera.control.face_detection.enabled => false
  • dom.event.contextmenu.enabled => false
  • dom.disable_window_* features
    • all true (disable them)
  • dom.gamepad.enabled => false
  • dom.battery.enabled => false
  • dom.enable_user_timing => false
  • dom.enable_resource_timing => false
  • disable dom.vr, dom.vibrator
  • beacon.enabled => false (notifies a website when you navigate away)
  • disable newtabpage (*)
  • reader
    • parse on load => false
  • send_pings.require_same_host => true
  • browser.urlbar.trimURLs => false
  • ssl/tls
    • tls.version.min => 2
    • disable all sha1 (search for "sha")
    • disable false start
    • disable all rc4, md5 (if any)
    • sha1 enforcement level => 1 (Mozilla)
    • treat unsafe negotiation as broken
    • require safe negotiation
    • security.cert_pinning.enforcement_level => 2
  • geo
  • browser.search.geoip.url => ""
  • javascript.options.strict => true
  • slowStartup (*)
    • maxSamples => 0
    • notificationDisabled => true
  • network.allow-experiments => false
  • extensions.pocket
    • enabled => false
    • api, site => ""
  2. Addons
  • uBlock Origin
  • HTTPS Everywhere
  • Privacy Badger
  3. Settings
  • open with blank page
  • DuckDuckGo search
  • Always Ask to open media

Note that settings denoted * are my preference and don't necessarily relate to security or privacy.

Exagone313 commented Oct 30, 2017

You could also add the add-ons: uMatrix (can replace Privacy Badger, for advanced users and much more effective), Multi-Account Containers (to separate website connections), Cookie AutoDelete (it supports rules according to containers). I also use NoScript (without JavaScript blocking) to disable WebGL, and for its protection features against XSS and ClearClick, but it's a bit buggy in 56 and not yet fully available as a web extension. If you use Google you have Google search link fix, but it's minor. Also Canvas Defender, but it prevents some websites from loading (like GMail) and will be partially obsolete in 58+.

If you use uMatrix, you can start with such rules:

https-strict: * true
matrix-off: about-scheme true
matrix-off: behind-the-scene true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: opera-scheme true
* * * block
* 1st-party cookie allow
* 1st-party css allow
* 1st-party image allow

(You can remove the cookie line if you don't use Cookie AutoDelete.)

For the settings I have this in /usr/lib/firefox/browser/defaults/preferences/vendor.js (mostly coming from IceCat):

pref("general.useragent.compatMode.firefox",true);
pref("browser.EULA.override", true);
pref("app.update.url", "http://127.255.255.255/");
pref("browser.safebrowsing.enabled", false);
pref("browser.safebrowsing.malware.enabled", false);
pref("browser.safebrowsing.phishing.enabled", false);
pref("social.enabled", false);
pref("social.remote-install.enabled", false);
pref("datareporting.healthreport.uploadEnabled", false);
pref("datareporting.healthreport.about.reportUrl", "127.255.255.255");
pref("datareporting.healthreport.documentServerURI", "127.255.255.255");
pref("healthreport.uploadEnabled", false);
pref("social.toast-notifications.enabled", false);
pref("datareporting.policy.dataSubmissionEnabled", false);
pref("datareporting.healthreport.service.enabled", false);
pref("browser.slowStartup.notificationDisabled", true);
pref("network.prefetch-next", false);
pref("network.dns.disablePrefetch", true);
pref("toolkit.telemetry.enabled", false);
pref("toolkit.telemetry.unified", false);
pref("plugins.enumerable_names", "");
pref("plugin.state.flash", 0);
pref("browser.search.update", false);
pref("dom.battery.enabled", false);
pref("device.sensors.enabled", false);
pref("camera.control.face_detection.enabled", false);
pref("camera.control.autofocus_moving_callback.enabled", false);
pref("network.http.speculative-parallel-limit", 0);
pref("app.update.enabled", false);
pref("app.update.auto", false);
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", false);
pref("media.peerconnection.enabled", false);
pref("media.peerconnection.ice.default_address_only", true);
pref("gecko.handlerService.schemes.mailto.0.name", "");
pref("gecko.handlerService.schemes.mailto.1.name", "");
pref("handlerService.schemes.mailto.1.uriTemplate", "");
pref("gecko.handlerService.schemes.mailto.0.uriTemplate", "");
pref("browser.contentHandlers.types.0.title", "");
pref("browser.contentHandlers.types.0.uri", "");
pref("browser.contentHandlers.types.1.title", "");
pref("browser.contentHandlers.types.1.uri", "");
pref("gecko.handlerService.schemes.webcal.0.name", "");
pref("gecko.handlerService.schemes.webcal.0.uriTemplate", "");
pref("gecko.handlerService.schemes.irc.0.name", "");
pref("gecko.handlerService.schemes.irc.0.uriTemplate", "");
pref("font.default.x-western", "sans-serif");
pref("extensions.webservice.discoverURL", "http://127.255.255.255");
pref("extensions.getAddons.search.url", "http://127.255.255.255");
pref("pfs.datasource.url", "http://127.255.255.255/");
pref("pfs.filehint.url", "http://127.255.255.255/");
pref("geo.enabled", false);
pref("geo.wifi.uri", "");
pref("media.gmp-manager.url", "http://127.255.255.255/");
pref("media.gmp-manager.url.override", "data:text/plain,");
pref("media.gmp-provider.enabled", false);
pref("media.gmp-gmpopenh264.enabled", false);
pref("media.gmp-eme-adobe.enabled", false);
pref("browser.selfsupport.url", "");
pref("browser.apps.URL", "");
pref("loop.enabled",false);
pref("browser.newtabpage.directory.source", "");
pref("browser.newtabpage.directory.ping", "");
pref("browser.newtabpage.introShown", true);
pref("browser.aboutHomeSnippets.updateUrl", "data:text/html");
pref("browser.casting.enabled", false);
pref("social.directories", "");
pref("browser.pocket.enabled", false);
pref("extensions.pocket.enabled", false);
pref("network.IDN_show_punycode", true);

And if you want to build Firefox, you can add this to your .mozconfig (not sure if all exports do something, it's copied from multiple places like IceCat):

ac_add_options --disable-eme

export MOZ_SERVICES_METRICS=0
export MOZ_TELEMETRY_REPORTING=0
export MOZ_PAY=0
export MOZ_SERVICES_HEALTHREPORTER=0
export MOZ_SERVICES_FXACCOUNTS=0
export MOZ_SERVICES_METRICS=0
export MOZ_DATA_REPORTING=0
export MOZ_DEVICES=0
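As an added audit helper (not code from the gist or from any commenter): a small parser for the pref()/user_pref() line format used by the vendor.js above and by a user.js, checked against a handful of the values the gist lists. The BASELINE dict and the SAMPLE file are constructed for this example; extend BASELINE with the rest of the list to audit a real profile.

```python
import re

# Hypothetical baseline: a few of the prefs this page lists, with the values it gives.
BASELINE = {
    "media.peerconnection.enabled": False,
    "media.eme.enabled": False,
    "beacon.enabled": False,
    "security.tls.version.min": 2,
    "security.cert_pinning.enforcement_level": 2,
    "network.IDN_show_punycode": True,
}

# Accepts both user.js "user_pref(...)" and vendor.js "pref(...)" lines.
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

def parse_value(raw: str):
    """Decode the JS literal on the right-hand side of a pref() call."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(f"unrecognised pref value: {raw!r}")

def parse_prefs(text: str) -> dict:
    """Last assignment wins, as when Firefox reads the file; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs: dict, baseline: dict = BASELINE):
    """Return (missing, wrong): baseline prefs absent from the file, and prefs whose
    value differs. Types are compared too, so an integer 1 does not pass as true."""
    missing = sorted(k for k in baseline if k not in prefs)
    wrong = {k: (prefs[k], v) for k, v in baseline.items()
             if k in prefs and (prefs[k] != v or type(prefs[k]) is not type(v))}
    return missing, wrong

# Constructed sample file: one pref at the weak value, one set too low, two absent.
SAMPLE = '''// comment and blank lines are skipped
user_pref("media.peerconnection.enabled", false);
pref("media.eme.enabled", true);
user_pref("security.tls.version.min", 1);
user_pref("network.IDN_show_punycode", true);
user_pref("geo.wifi.uri", "");
'''
```

Running `audit(parse_prefs(open(path).read()))` on a profile's prefs.js or user.js lists the prefs still at their defaults and those set to a value other than the baseline.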

taoeffect commented Oct 31, 2017

network.IDN_show_punycode => true is an important one to protect from phishing.

myfreeweb commented Nov 1, 2017

@taoeffect not that important, all modern browsers automatically show punycode when they detect mixed alphabets

https://wiki.mozilla.org/IDN_Display_Algorithm
https://en.wikipedia.org/wiki/IDN_homograph_attack#Defending_against_the_attack
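As an added illustration of the exchange above (not code from the gist or its commenters): a simplified mixed-script heuristic of the kind the linked IDN display algorithm builds on, next to the always-punycode behaviour that network.IDN_show_punycode => true forces. The sample hostnames are constructed, and the check is a teaching simplification, not a port of Mozilla's algorithm; it also shows the case the thread only hints at, a label written entirely in one script, which a mixed-script rule never flags.

```python
import unicodedata

# Crude script classification: the first word of a letter's Unicode name
# (LATIN, CYRILLIC, GREEK, ...). Non-letters such as digits and hyphens are
# script-neutral. This is a simplification of Mozilla's IDN display algorithm,
# not a port of it; it is enough to show which labels a mixed-script rule catches.
def scripts_in(label: str) -> set:
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def is_mixed_script(label: str) -> bool:
    return len(scripts_in(label)) > 1

def to_punycode(hostname: str) -> str:
    """ASCII-compatible (xn--) form; this is what network.IDN_show_punycode forces."""
    return hostname.encode("idna").decode("ascii")

def display_form(hostname: str, show_punycode: bool = False) -> str:
    """What the address bar would show under the two policies discussed above.

    show_punycode=False: Unicode unless some label mixes scripts (the heuristic).
    show_punycode=True:  always punycode, i.e. network.IDN_show_punycode => true.
    A label written entirely in one script is never flagged by the heuristic,
    whatever its letters happen to look like."""
    if show_punycode or any(is_mixed_script(label) for label in hostname.split(".")):
        return to_punycode(hostname)
    return hostname

# Constructed inputs: a mixed-script label (Cyrillic а followed by Latin pple) and
# a single-script Cyrillic word ("пример", Russian for "example").
MIXED = "\u0430pple.com"
SINGLE_SCRIPT = "\u043f\u0440\u0438\u043c\u0435\u0440.com"

if __name__ == "__main__":
    for host in ("example.com", MIXED, SINGLE_SCRIPT):
        print(f"{host!r:32} heuristic={display_form(host)!r:24} forced={display_form(host, True)!r}")
```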

Thorin-Oakenpants commented Nov 24, 2017

FYI: Your source listed above ( https://websetnet.com/a-comprehensive-list-of-firefox-privacy-and-security-settings/ ) is a very old early copy of this original source ( https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/ ) which was updated numerous times (we got up to version 11; looks like the one linked is version 1 or something) before moving to github right here -> https://github.com/ghacksuserjs/ghacks-user.js. I only bring this up because the linked source contains deprecated prefs and some factual errors etc. Like I said, it got reworked and tweaked lots (about 7 times in the first week as ghacks readers contributed and collectively fixed things).
