Optional Hardening
- Open the user.js in a text editor such as Notepad.
- Add prefs from the options below to MY OVERRIDES.
- Save and close the file.
- Return to Required Reading.
Firefox Sync and Firefox View may be disabled to minimize connections and remove unused UI.
As of Firefox 127 (June 2024), users are no longer able to disable Firefox View. To remove the icon from the tab bar, see How do I remove Firefox View from the tabs bar?.
// PREF: disable Firefox Sync
user_pref("identity.fxaccounts.enabled", false);
// PREF: disable the Firefox View tour from popping up
user_pref("browser.firefox-view.feature-tour", "{\"screen\":\"\",\"complete\":true}");
The built-in password manager can be disabled for greater security.
- ☰ → Settings → Privacy & Security → Logins and Passwords → Ask to save logins and passwords for websites
We recommend using Bitwarden or 1Password to manage your credentials on multiple devices.
// PREF: disable login manager
user_pref("signon.rememberSignons", false);
// PREF: disable address and credit card manager
user_pref("extensions.formautofill.addresses.enabled", false);
user_pref("extensions.formautofill.creditCards.enabled", false);
Enable Strict Enhanced Tracking Protection.
// PREF: enforce ETP Strict
user_pref("browser.contentblocking.category", "strict");
This matches the default behavior of Strict Enhanced Tracking Protection.
// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
user_pref("urlclassifier.trackingSkipURLs", "");
user_pref("urlclassifier.features.socialtracking.skipURLs", "");
Betterfox already blocks HTTP subresources from loading on HTTPS pages. We also attempt to upgrade all site navigation, only falling back to insecure connections when a website does not support it.
Warning
HTTPS-Only Mode sometimes causes annoying navigational errors when using DoH.
Note
HTTPS doesn't mean "trust this." It means "this is private."
You may be having a private conversation with Satan.
— Scott Hanselman
Firefox will get explicit permission from you before connecting to a site insecurely in Private Browsing (Firefox incognito mode).
// PREF: enable HTTPS-Only Mode
// Warn me before loading sites that don't support HTTPS
// when using Private Browsing windows.
user_pref("dom.security.https_only_mode_pbm", true);
user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
Firefox will get explicit permission from you before connecting to a site insecurely in Normal and Private Browsing.
// PREF: enable HTTPS-Only Mode
// Warn me before loading sites that don't support HTTPS
// in both Normal and Private Browsing windows.
user_pref("dom.security.https_only_mode", true);
user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
Set up and enforce DNS-over-HTTPS (DoH).
⭐ Create a profile with NextDNS and follow our configuration guide for greater protection from ads, trackers, and security threats. This lets you tailor the filtering to your own network.
Alternatively, use the DoH address below to protect against security threats, ads, and trackers. It uses DNSwarden with Hagezi's Light and Threat Intelligence Feed lists.
// PREF: set DoH provider
user_pref("network.trr.uri", "https://dns.dnswarden.com/00000000000000000000048"); // Hagezi Light + TIF
Increased Protection will switch back to your local provider if there are any issues.
Tip
Use this setting if your workplace or university causes issues with alternative DNS.
- ☰ → Settings → Privacy & Security → DNS over HTTPS → Enable DNS over HTTPS using: → Increased Protection
// PREF: enforce DNS-over-HTTPS (DoH)
user_pref("network.trr.mode", 2);
user_pref("network.trr.max-fails", 5);
Max Protection displays user-friendly error pages with custom exceptions.
- ☰ → Settings → Privacy & Security → DNS over HTTPS → Enable DNS over HTTPS using: → Max Protection
// PREF: enforce DNS-over-HTTPS (DoH)
user_pref("network.trr.mode", 3);
Keep in mind that disabling the disk cache is only available on Firefox. It is not an option in any other browser.
Disable the disk cache if you believe it helps your privacy or performance.
// PREF: disable disk cache
user_pref("browser.cache.disk.enable", false);
Make Firefox ask you where to save every download.
- ☰ → Settings → General → Files and Applications → Downloads → Always ask you where to save files
// PREF: ask where to save every file
user_pref("browser.download.useDownloadDir", false);
Firefox will ask you what to do with a download only if it is your first time encountering a file type.
- ☰ → Settings → General → Files and Applications → Applications → What should Firefox do with other files?
// PREF: ask whether to open or save new file types
user_pref("browser.download.always_ask_before_handling_new_types", true);
When installing a recommended extension, Firefox bypasses the 3rd-party site install panel. This pref forces Firefox to show the prompt.
Note
Firefox still forces user interaction with a permissions prompt, regardless of this setting.
// PREF: display the installation prompt for all extensions
user_pref("extensions.postDownloadThirdPartyPrompt", false);
Public Key Pinning (PKP) strengthens TLS certificate validation by tying a website to specific public keys. A connection is only accepted if the site's certificate chain contains one of those pinned keys, so a certificate issued for the site by any other authority is rejected. This makes it much harder to trick your browser into connecting to an impostor site.
Warning
Sometimes antivirus software — or some other source — won't let you open websites (example). Set it to 1 if you run into issues.
// PREF: enforce certificate pinning
// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
// 1 = allow user MiTM (such as your antivirus) (default)
// 2 = strict
user_pref("security.cert_pinning.enforcement_level", 2);
These settings automatically clear your browsing data, such as browser history, cookies, and cache, every time you close the browser. Clearing browsing data helps maintain privacy by ensuring that no information is stored on your device after you end your session.
Note
If you have session restore enabled, then you will need to use Option 2 to restore previously opened tabs.
- ☰ → Settings → Privacy & Security → History → Clear history when Firefox closes
// PREF: delete all browsing data on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown_v2.cache", true); // DEFAULT
user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); // DEFAULT
user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", true); // DEFAULT
// PREF: after crashes or restarts, do not save extra session data
// such as form content, scrollbar positions, and POST data
user_pref("browser.sessionstore.privacy_level", 2);
This option allows you to retain browser history and restore previously opened tabs (optional).
- ☰ → Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed
// PREF: delete cookies, cache, and site data on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown_v2.cache", true); // DEFAULT
user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); // DEFAULT
user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false);
For either option, you can create exceptions to stay logged in to some sites.
- ☰ → Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions
Privacy-conscious people often dislike Digital Rights Management (DRM) because it restricts what users can do with their devices and limits fair use rights.
DRM prevents users from copying, sharing, or changing content they bought, even for their own use. It also allows browsers to communicate to outside servers to check licenses and rights, which can share data about what users do and watch.
Warning
Disabling DRM will prevent most popular streaming platforms from functioning properly. Spotify, Apple Music, Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV, and other streaming services will not work with DRM disabled.
You can confirm if Encrypted Media Extension (EME) is disabled by going here.
// PREF: disable all DRM content
user_pref("media.eme.enabled", false);
// PREF: hide the UI setting; this also disables the DRM prompt (optional)
user_pref("browser.eme.ui.enabled", false);
Fingerprinting is a high threat model issue that is only addressed reasonably by Tor.[1] Please use the Tor Browser if your context calls for anonymity and not just reasonable privacy (what's the difference?).
Betterfox aims to mitigate real-world tracking rather than advanced fingerprinting, which only Tor Browser and Mullvad Browser can effectively counter. While Firefox's Fingerprinting Protection (FPP) feature helps randomize some fingerprinting vectors, users may still have unique fingerprints. (It doesn't matter if you change a few preferences because you are already unique.) And while Betterfox strives to provide a seamless browsing experience, occasional site glitches may occur due to Betterfox settings, Firefox itself, or adblock filters. In such cases, using a secondary browser is recommended.
Most of our security and privacy tweaks come from AF. Just like that project, Betterfox usually focuses on state and other cross-origin linkability mechanisms like navigational tracking. State means client-side data stored on disk or memory, such as the items listed here. We also encourage you to read AF's explainer on RFP and fingerprinting.
By default, Firefox blocks known fingerprinters; and as of v.119, ETP Strict also blocks suspected fingerprinters. Betterfox does not enable additional protection known as privacy.resistFingerprinting (RFP). You can read why here.