Firefox Hardening Guide for Privacy

Change Firefox Preferences

To open the Firefox Preferences menu, open the menu (top-right of the browser window) and click “Preferences.” Alternatively, enter about:preferences into the address bar and hit enter.

Remove Pocket from your home page

Under Home > Firefox Home Content, UNCHECK Recommended by Pocket

Change your default search engine

DuckDuckGo is an alternative to Google that respects your privacy and doesn’t track you.

If you’d like to use DuckDuckGo as your primary search engine, simply go to Search > Default search engine and change it to DuckDuckGo.

Enable Tracking Protection

Under Privacy & Security > Enhanced Tracking Protection, select Custom. CHECK all options and select All third-party cookies under Cookies. This may cause a small number of websites to break, but it’s worth it for security and privacy.

If you encounter a website that doesn’t function without third-party cookies (such as Microsoft Teams and Pearson MyLab), you may temporarily disable Firefox’s Tracking Protection for that website. To do this, click on the Shield icon on the left of the address bar, and toggle off Enhanced Tracking Protection for this site.

Disable Password Saving

On the same page, under Logins and Passwords, UNCHECK Ask to save logins and passwords for websites. It’s usually not a good idea to save passwords in your browser. You should use a password manager instead. For most people, use Bitwarden.

Decline location access

On the same page, in Location Settings…, CHECK Block new requests asking to access your location. This denies geolocation permission prompts by default, but the geolocation capability is retained.

Disallow notifications

On the same page, in Notification Settings…, CHECK Block new requests asking to allow notifications. This denies notification permission prompts by default, but the web notification capability is retained.

Disallow autoplay

On the same page, in Autoplay Settings…, set “Default for all websites” to Block Audio and Video. This prevents audio/video from automatically playing.

Disable telemetry and error reporting

On the same page, UNCHECK EVERYTHING under Firefox Data Collection and Use.

Enable HTTPS-Only Mode

On the same page, under HTTPS-Only Mode, select Enable HTTPS-Only Mode in all windows.

HTTPS provides encrypted communication between your browser and websites, and you should always use HTTPS when available. With HTTPS-Only Mode enabled, Firefox will upgrade all connections to HTTPS, and you’ll see a warning when a website doesn’t support HTTPS.

Dive into advanced settings

To access these advanced settings, enter about:config into the address bar and hit enter. When you see a warning screen, click I accept the risk to continue.

All configuration items are in alphabetical order, and easily searchable using the search bar on the top of the page. In this section, configuration items are highlighted, and their values are in bold.

Double-click on a configuration item to modify it. If the item is a boolean, double-clicking it will change it from true to false, or vice versa. If the item is an integer or a string, double-clicking it will open a pop-up box to edit the value.

Disable telemetry

Making these changes disables Firefox telemetry:

  • Change browser.newtabpage.activity-stream.feeds.telemetry to false
  • Change to false
  • Change browser.tabs.crashReporting.sendReport to false
  • Change devtools.onboarding.telemetry.logged to false
  • Change toolkit.telemetry.enabled to false
  • Delete the URL for toolkit.telemetry.server, and leave it empty
  • Change toolkit.telemetry.unified to false

Disable Pocket

If you don’t use Pocket, or you don’t want Firefox’s Pocket integration, make the following changes:

  • Change browser.newtabpage.activity-stream.feeds.discoverystreamfeed to false
  • Change browser.newtabpage.activity-stream.feeds.section.topstories to false
  • Change browser.newtabpage.activity-stream.section.highlights.includePocket to false
  • Change browser.newtabpage.activity-stream.showSponsored to false
  • Change extensions.pocket.enabled to false

Disable prefetching

Even though prefetching may speed things up a bit, it may connect to servers without user intervention (which can be a privacy issue) and its performance benefits are minimal. Making these changes will disable prefetching:

  • Change network.dns.disablePrefetch to true
  • Change network.prefetch-next to false

Disable JavaScript in PDF

Firefox 88 introduced the ability to execute JavaScript in PDF documents. While there are legitimate uses for JavaScript in PDF (such as form validation), such uses are not very common. In addition, it could be used for malicious purposes, so it’s generally a good idea to disable this feature.

To disable JavaScript support in PDF documents, change pdfjs.enableScripting to false.

Harden SSL preferences

Making these changes will disable insecure SSL ciphers and force safe negotiation:

  • Change security.ssl3.rsa_des_ede3_sha to false
  • Change security.ssl.require_safe_negotiation to true

If you can’t find security.ssl3.rsa_des_ede3_sha, please ignore it. This option does not exist in the latest versions of Firefox, as support for these insecure ciphers has been removed.

A small number of sites (ones with legacy and potentially less secure SSL/TLS configurations) might no longer work after changing this option. If you find this to be an issue, leave security.ssl.require_safe_negotiation as default (false) and set security.ssl.treat_unsafe_negotiation_as_broken to true.

Disable Firefox account features

If you don’t want to sync your browser data with a Firefox account, you can simply use Firefox without signing in.

For those who want to completely disable this feature, change identity.fxaccounts.enabled to false.

Disable geolocation support

This prevents websites from accessing your location information. Change geo.enabled to false.

If you do not want to disable geolocation capabilities altogether, you may skip this step.

Disable notification support

Web notifications are often not useful and many find them annoying. To disable them completely, change dom.webnotifications.enabled to false.

If you do not want to disable notifications capabilities altogether, you may skip this step.

Disable WebRTC

WebRTC can potentially expose your real IP address. Making these changes disables it:

  • Change media.peerconnection.enabled to false
  • Change media.navigator.enabled to false

Note: This will break any site that uses real-time audio/video communication, which includes almost all real-time chat and conferencing apps.

Disable WebGL

WebGL is used for some graphical web apps and online games, but it’s also a security risk and can potentially be used for fingerprinting. Disable it by changing webgl.disabled to true.

Note: This will break any site that uses WebGL for graphics, which includes most modern online games and complex graphical sites.

Strip URLs

  • Change privacy.query_stripping.enabled to true
  • Change privacy.query_stripping.enabled.pbmode to true

Resist browser fingerprinting

This feature can decrease advertisers’ and online trackers’ ability to identify you. Change privacy.resistFingerprinting to true.

Note: Based on my experience, enabling this can lead to noticeable performance and stability impacts. Please proceed with caution.

Disable referrer headers

Referrers tell websites how you came to their sites, which can be used to track you. To prevent referrer headers from being sent, change network.http.sendRefererHeader to 0.

Note: Many websites, especially ones with forms and logins, depend on referrers for security and spam protection. If you don’t send the referrer header, these sites will break.

Websites often store small pieces of data, called “cookies,” to remember information (such as login status and preferences) and to track you.

Isolating cookies and other stored information to the first-party domain prevents cross-site tracking. To enable this feature, change privacy.firstparty.isolate to true.

Note: Firefox 86 introduced Total Cookie Protection, which stores each website’s cookies in their own “cookie jar.” This may conflict with privacy.firstparty.isolate.

If you don’t want websites to store any cookies at all, change network.cookie.lifetimePolicy to 2. Firefox will automatically delete cookies at the end of browsing sessions.

Note: Doing this will sign you out of many websites when you close Firefox, and websites will not be able to store any data on your device.

Install some add-ons


These add-ons require minimal configuration and can dramatically improve the security and privacy in Firefox. I recommend everyone install these extensions.

uBlock Origin

The most powerful open-source ad blocker, period. It can block ads, trackers, malware, annoyances, and more. It also significantly improves page load speed.

If you want to customize it,


Decentraleyes protects you against tracking through “free” CDN providers by serving common static files (such as the ones from Google Hosted Libraries) from your local device.

After you install it, you can just forget about it.

A password manager

If you already have a password manager, just install the add-on for it.

If you don’t use a password manager, you really should consider using one. I recommend Bitwarden, which is 100% open source and very easy to use.

These add-ons are recommended for most users, but they require some configuration and maintenance.

This extension automatically deletes cookies and site data from closed tabs, which prevents most websites from tracking you with cookies. If you set Firefox to delete all cookies and site data on exit, you might not need this.

After installing, open its settings page from its toolbar icon. Once you’re in there, check the box for Enable Automatic Cleaning and Enable Cleanup on Domain Change. Then, go to List of Expressions, and whitelist all websites that you wish to keep cookies for, including websites you want to stay logged in to and save preferences. In most cases, whitelisting the websites’ domain (without www) will do, but some websites have cookies associated with multiple domains, including:

  • Microsoft: whitelist for personal accounts; whitelist for work/school accounts
  • Google: whitelist and
  • ProtonMail: whitelist * and check “Keep LocalStorage”
  • Tutanota: whitelist and check “Keep LocalStorage”

Privacy Settings

Privacy Settings creates a toolbar panel to alter Firefox’s built-in privacy settings. Sometimes, you may have to disable some privacy protection for websites to function properly. When you finish using those websites, re-enable the privacy settings you just disabled for maximum privacy protection.

After installing, don’t change any settings with it yet. Here are a few cases where you might want to change your privacy settings:

  • Enable network.peerConnectionEnabled to use real-time audio/video communication (Zoom, WebEx, Discord, etc.).
  • Many web forms will not work when the browser isn’t sending referrers. Enable websites.referrersEnabled temporarily to send referrers.

Backup Firefox profile

Before changing the configuration, you should make a backup of the default profile, or create a new profile to be used with the new settings.

To back up your profile, first close Firefox if it is open, and then copy the default profile folder to another location. For example, on Linux the profile folder is:

where “xxxxxxxx” is the ID of your profile.

See: Back up and restore information in Firefox profiles

Create, remove or switch Firefox profiles

Firefox Preferences

Search Preferences

  • Go to Search:
    • Default Search Engine: select DuckDuckGo
    • Search Shortcuts: select DuckDuckGo, remove Google, Bing, eBay, Amazon, Wikipedia search engines


The parameters are divided into “Sections” and are indicated with the format option = value for the sake of clarity. You can use the file user.js to set all the parameters automatically at Firefox startup.

In the address bar, type about:config and set the parameters as follows:

StartUp Settings

  • Disable about:config warning: browser.aboutConfig.showWarning = false
  • Set startup home page:
    • 0 = blank
    • 1 = home
    • 2 = last visited page
    • 3 = resume previous session = 1

    browser.startup.homepage = "about:home"

  • Disable Activity Stream on new windows and tab pages:

    browser.newtabpage.enabled = false

    browser.newtab.preload = false

    browser.newtabpage.activity-stream.feeds.telemetry = false

    browser.newtabpage.activity-stream.telemetry = false

    browser.newtabpage.activity-stream.feeds.snippets = false

    browser.newtabpage.activity-stream.feeds.section.topstories = false

    browser.newtabpage.activity-stream.section.highlights.includePocket = false

    browser.newtabpage.activity-stream.showSponsored = false

    browser.newtabpage.activity-stream.feeds.discoverystreamfeed = false

    browser.newtabpage.activity-stream.showSponsoredTopSites = false

    browser.newtabpage.activity-stream.default.sites = ""


  • Use Mozilla geolocation service instead of Google if permission is = ""
  • Disable using the OS’s geolocation = false [Windows]

    geo.provider.use_corelocation = false [macOS]

    geo.provider.use_gpsd = false [Linux]

  • Disable region = ""

    browser.region.update.enabled = false

Language / Locale

  • Set language for displaying web pages:

    intl.accept_languages = "en-US, en"

    javascript.use_us_english_locale = true [Hidden pref]

Auto-updates / Recommendations

  • Disable auto-installing Firefox updates:

    app.update.background.scheduling.enabled = false [Windows]

    = false [Non-Windows]

  • Disable add-on recommendations (uses Google Analytics):

    extensions.getAddons.showPane = false [Hidden pref]

    extensions.htmlaboutaddons.recommendations.enabled = false


  • Disable telemetry:

    datareporting.policy.dataSubmissionEnabled = false

    datareporting.healthreport.uploadEnabled = false

    toolkit.telemetry.enabled = false [Default: false]

    toolkit.telemetry.unified = false

    toolkit.telemetry.server = "data:,"

    toolkit.telemetry.archive.enabled = false

    toolkit.telemetry.newProfilePing.enabled = false

    toolkit.telemetry.shutdownPingSender.enabled = false

    toolkit.telemetry.updatePing.enabled = false

    toolkit.telemetry.bhrPing.enabled = false

    toolkit.telemetry.firstShutdownPing.enabled = false

    toolkit.telemetry.coverage.opt-out = true [Hidden pref]

    toolkit.coverage.opt-out = true [Hidden pref]

    toolkit.coverage.endpoint.base = ""

    = false

    beacon.enabled = false


  • Disable studies: app.shield.optoutstudies.enabled = false
  • Disable Normandy/Shield:

    app.normandy.enabled = false

    app.normandy.api_url = ""

Crash Reports

  • Disable crash reports:

    breakpad.reportURL = ""

    browser.tabs.crashReporting.sendReport = false

Captive Portal Detection / Network Checks

  • Disable captive portal detection:

    captivedetect.canonicalURL = ""

    network.captive-portal-service.enabled = false

  • Disable network connection checks: network.connectivity-service.enabled = false

Safe Browsing

  • Disable safe browsing service:

    browser.safebrowsing.malware.enabled = false

    browser.safebrowsing.phishing.enabled = false

  • Disable list of blocked URIs: browser.safebrowsing.blockedURIs.enabled = false
  • Disable fetch of updates:

    browser.safebrowsing.provider.google4.gethashURL = ""

    browser.safebrowsing.provider.google4.updateURL = ""

    = ""

    = ""

  • Disable checks for downloads:

    browser.safebrowsing.downloads.enabled = false

    browser.safebrowsing.downloads.remote.enabled = false

    browser.safebrowsing.downloads.remote.url = ""

  • Disable checks for unwanted software:

    browser.safebrowsing.downloads.remote.block_potentially_unwanted = false

    browser.safebrowsing.downloads.remote.block_uncommon = false

  • Disable bypassing the safe browsing block with a click for the current session: browser.safebrowsing.allowOverride = false

Network: DNS, Proxy, IPv6

  • Disable link prefetching: network.prefetch-next = false
  • Disable DNS prefetching: network.dns.disablePrefetch = true
  • Disable predictor: network.predictor.enabled = false
  • Disable link-mouseover opening connection to linked server: network.http.speculative-parallel-limit = 0
  • Disable mousedown speculative connections on bookmarks and history: browser.places.speculativeConnect.enabled = false
  • Disable IPv6: network.dns.disableIPv6 = true
  • Disable GIO protocols as potential proxy bypass vectors: network.gio.supported-protocols = "" [Hidden pref]
  • Remove special permissions for certain Mozilla domains: permissions.manager.defaultsUrl = ""
  • Use Punycode in Internationalized Domain Names to eliminate possible spoofing: network.IDN_show_punycode = true

Search Bar: Suggestions, Autofill

  • Disable search = false

    browser.urlbar.suggest.searches = false

  • Disable location bar domain guessing: browser.fixup.alternate.enabled = false
  • Display all parts of the URL in the bar: browser.urlbar.trimURLs = false
  • Disable location bar making speculative connections: browser.urlbar.speculativeConnect.enabled = false
  • Disable form autofill:

    browser.formfill.enable = false

    extensions.formautofill.addresses.enabled = false

    extensions.formautofill.available = "off"

    extensions.formautofill.creditCards.available = false

    extensions.formautofill.creditCards.enabled = false

    extensions.formautofill.heuristics.enabled = false

  • Disable location bar contextual suggestions:

    browser.urlbar.quicksuggest.scenario = "history"

    browser.urlbar.quicksuggest.enabled = false

    browser.urlbar.suggest.quicksuggest.nonsponsored = false

    browser.urlbar.suggest.quicksuggest.sponsored = false


  • Disable saving passwords: signon.rememberSignons = false
  • Disable autofill of logins and passwords: signon.autofillForms = false
  • Disable formless login capture for Password Manager: signon.formlessCapture.enabled = false
  • Harden against potential credential phishing:
    • 0 = don’t allow sub-resources to open HTTP authentication credentials dialogs
    • 1 = don’t allow cross-origin sub-resources to open HTTP authentication credentials dialogs
    • 2 = allow sub-resources to open HTTP authentication credentials dialogs (default)

    network.auth.subresource-http-auth-allow = 1

Disk Cache / Memory

  • Disable disk cache: browser.cache.disk.enable = false
  • Disable storing extra session data:
    • 0 = everywhere
    • 1 = unencrypted sites
    • 2 = nowhere

    browser.sessionstore.privacy_level = 2

  • Disable resuming session from crash: browser.sessionstore.resume_from_crash = false
  • Disable page thumbnail collection: browser.pagethumbnails.capturing_disabled = true [Hidden pref]


  • Enable HTTPS-Only mode in all = true
  • Disable sending HTTP request for checking HTTPS support by the = false
  • Display advanced information on Insecure Connection warning pages: browser.xul.error_pages.expert_bad_cert = true
  • Disable TLS 1.3 0-RTT (round-trip time): security.tls.enable_0rtt_data = false
  • Set OCSP to terminate the connection when the CA can’t be reached to validate the certificate: security.OCSP.require = true
  • Disable SHA-1 certificates: security.pki.sha1_enforcement_level = 1
  • Enable strict pinning (PKP (Public Key Pinning)):
    • 0 = disabled
    • 1 = allow user MiTM (i.e. your Antivirus)
    • 2 = strict

    security.cert_pinning.enforcement_level = 2

  • Enable CRLite
    • 0 = disabled
    • 1 = consult CRLite but only collect telemetry (default)
    • 2 = consult CRLite and enforce both “Revoked” and “Not Revoked” results
    • 3 = consult CRLite and enforce “Not Revoked” results, but defer to OCSP for “Revoked”

    security.remote_settings.crlite_filters.enabled = true

    security.pki.crlite_mode = 2

Headers / Referers

  • Control when to send a referer:
    • 0 = always (default)
    • 1 = only if base domains match
    • 2 = only if hosts match

    network.http.referer.XOriginPolicy = 2

  • Control the amount of information to send:
    • 0 = send full URI (default)
    • 1 = scheme+host+port+path
    • 2 = scheme+host+port

    network.http.referer.XOriginTrimmingPolicy = 2

Audio/Video: WebRTC, WebGL, DRM

  • Disable WebRTC: media.peerconnection.enabled = false
  • Force WebRTC inside the = true
  • Force a single network interface for ICE candidates = true
  • Force exclusion of private IPs from ICE = true
  • Disable WebGL (Web Graphics Library): webgl.disabled = true
  • Disable autoplay of HTML5 media:
    • 0 = allow all
    • 1 = block non-muted media (default)
    • 5 = block all

    media.autoplay.default = 5


  • Always ask you where to save = false
  • Disable adding downloads to system’s “recent documents” = false


  • Enable ETP (Enhanced Tracking Protection); ETP strict mode enables Total Cookie Protection (TCP): browser.contentblocking.category = "strict"
  • Enable state partitioning of service workers: privacy.partition.serviceWorkers = true

UI Features

  • Block popup windows: dom.disable_open_during_load = true
  • Disable Pocket extension: extensions.pocket.enabled = false
  • Disable Screenshots extension: extensions.Screenshots.disabled = true
  • Disable PDF.js scripting: pdfjs.enableScripting = false

Shutdown Settings

  • Clear history, cookies and site data when Firefox closes:

    network.cookie.lifetimePolicy = 2

    privacy.sanitize.sanitizeOnShutdown = true

    privacy.clearOnShutdown.cache = true

    privacy.clearOnShutdown.cookies = true

    privacy.clearOnShutdown.downloads = true

    privacy.clearOnShutdown.formdata = true

    privacy.clearOnShutdown.history = true

    privacy.clearOnShutdown.offlineApps = true

    privacy.clearOnShutdown.sessions = true

    privacy.clearOnShutdown.sitesettings = false

    privacy.sanitize.timeSpan = 0

Fingerprinting (RFP)

  • Enable RFP: privacy.resistFingerprinting = true
  • Set new window size rounding max values:

    privacy.window.maxInnerWidth = 1600

    privacy.window.maxInnerHeight = 900

  • Disable mozAddonManager Web API: privacy.resistFingerprinting.block_mozAddonManager = true [Hidden pref]
  • Disable using system colors: browser.display.use_system_colors = false [Default: false [Non-Windows]]
  • Disable showing about:blank page when possible at startup: browser.startup.blankWindow = false


If you want (it is recommended), you can use the user.js file with the settings from this guide or with your preferred settings. It is recommended to create a new profile for this purpose. Before using the file, check the entries and modify or add to them according to your preferences. Don’t copy/paste without knowing what you are doing.

Download the user.js template from my GitHub gist. Note that this user.js is configured for Linux systems, so if you use Windows or macOS, edit it and comment/uncomment the relevant entries according to the instructions listed above.

More information about Firefox user.js:

  • mozillaZine – User.js file
  • arkenfox/user.js – Wiki

uBlock Origin

  • Install uBlock Origin: Click on Add to Firefox
  • Open the plugin settings: Click the icon to the right of the search bar, then select Open the dashboard
  • Enable additional blocklists: In the dashboard select Filter lists. This is my list selection (you can select your favorite ones):

For more information about uBlock usage, see the Wiki on GitHub. Check out Blocking mode: Medium mode, which is very powerful :).

DoH (DNS over HTTPS)

DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt resolvers will not make you anonymous. Using Anonymized DNSCrypt hides only your DNS traffic from your Internet Service Provider. However, using any of these protocols will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. For more information about DNS and DoH see: Wikipedia – DNS over HTTPS

If you want to set DoH on Firefox:

Go to Edit -> Settings -> General -> Network Settings and click on Settings. Select Enable DNS over HTTPS, then in the Use Provider window select Custom and enter your DoH provider.

Multiple profiles and Containers

A good practice is to use multiple profiles for different purposes (e.g. work, streaming, personal, finance). Read how to manage profiles in Firefox.

In the latest versions of Firefox you can create Containers. Firefox Multi-Account Containers lets you keep parts of your online life separated into color-coded tabs that preserve your privacy. Cookies are separated by container, allowing you to use the web with multiple identities or accounts simultaneously.

Browser Leak Tests

There are some resources where you can test your browser to see how unique it is:

Emre Tosunkaya
