Skip to content

Optional Hardening

yokoffing edited this page Dec 24, 2024 · 128 revisions

Instructions

  1. Open the user.js in a text editor such as Notepad.
  2. Add prefs from the options below to MY OVERRIDES.
  3. Save and close the file.
  4. Return to Required Reading.

Options


Firefox Sync & View

Firefox Sync and Firefox View may be disabled to minimize connections and remove unused UI.

As of Firefox 127 (June 2024), users are no longer able to disable Firefox View. To remove the icon from the tab bar, see How do I remove Firefox View from the tabs bar?.

// PREF: disable Firefox Sync
user_pref("identity.fxaccounts.enabled", false);

// PREF: disable the Firefox View tour from popping up
user_pref("browser.firefox-view.feature-tour", "{\"screen\":\"\",\"complete\":true}");

Password, credit card, and address management

The built-in password manager can be disabled for greater security.

  • → Settings → Privacy & Security → Logins and Passwords → Ask to save logins and passwords for websites

We recommend using Bitwarden or 1Password to manage your credentials on multiple devices.

// PREF: disable login manager
user_pref("signon.rememberSignons", false);

// PREF: disable address and credit card manager
user_pref("extensions.formautofill.addresses.enabled", false);
user_pref("extensions.formautofill.creditCards.enabled", false);

Firefox Strict mode

Enable Strict Enhanced Tracking Protection.

// PREF: enforce ETP Strict
user_pref("browser.contentblocking.category", "strict");

Block embedded social posts on webpages

This matches the default behavior of Strict Enhanced Tracking Protection.

// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
user_pref("urlclassifier.trackingSkipURLs", "");
user_pref("urlclassifier.features.socialtracking.skipURLs", "");

HTTPS-Only Mode

Betterfox already blocks HTTP subresources from loading on HTTPS pages. We also attempt to upgrade all site navigation, only falling back to insecure connections when a website does not support it.

Warning

HTTPS-Only Mode sometimes causes annoying navigational errors when using DoH.

Note

HTTPS doesn't mean "trust this." It means "this is private."
You may be having a private conversation with Satan.
Scott Hanselman

Option 1: Private windows only

Firefox will get explicit permission from you before connecting to a site insecurely in Private Browsing (Firefox incognito mode).

// PREF: enable HTTPS-Only Mode
// Warn me before loading sites that don't support HTTPS
// when using Private Browsing windows.
user_pref("dom.security.https_only_mode_pbm", true);
user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);

Option 2: All windows

Firefox will get explicit permission from you before connecting to a site insecurely in Normal and Private Browsing.

// PREF: enable HTTPS-Only Mode
// Warn me before loading sites that don't support HTTPS
// in both Normal and Private Browsing windows.
user_pref("dom.security.https_only_mode", true);
user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);

Secure DNS

Setup and enforce DNS-over-HTTPS (DoH).

DoH Provider

⭐ Create a profile with NextDNS and follow our configuration guide for greater protection from ads, trackers, and security threats. This will allow you to customize your solutions to your network.

Alternatively, use the DoH address below to protect against security threats, ads, and trackers. It uses DNSwarden with Hagezi's Light and Threat Intelligence Feed lists.

// PREF: set DoH provider
user_pref("network.trr.uri", "https://dns.dnswarden.com/00000000000000000000048"); // Hagezi Light + TIF

Enforce DoH

Option 1: Increased Protection

Increased Protection will switch back to your local provider if there are any issues.

Tip

Use this setting if your workplace or university causes issues with alternative DNS.

  • → Settings → Privacy & Security → DNS over HTTPS → Enable DNS over HTTPS using: → Increased Protection
// PREF: enforce DNS-over-HTTPS (DoH)
user_pref("network.trr.mode", 2);
user_pref("network.trr.max-fails", 5);
Option 2: Max Protection

Max Protection displays user-friendly error pages with custom exceptions.

  • → Settings → Privacy & Security → DNS over HTTPS → Enable DNS over HTTPS using: → Max Protection
// PREF: enforce DNS-over-HTTPS (DoH)
user_pref("network.trr.mode", 3);

Disk Cache

Keep in mind that disabling the disk cache is only available on Firefox. It is not an option in any other browser.

Disable the disk cache if you believe it helps your privacy or performance.

// PREF: disable disk cache
user_pref("browser.cache.disk.enable", false);

Downloads

Always ask where to save files

Make Firefox ask you where to save every download.

  • → Settings → General → Files and Applications → Downloads → Always ask you where to save files
// PREF: ask where to save every file
user_pref("browser.download.useDownloadDir", false);

Ask to open or save new file types

Firefox will ask you what to do with a download only if it is your first time encountering a file type.

  • → Settings → General → Files and Applications → Applications → What should Firefox do with other files?
// PREF: ask whether to open or save new file types
user_pref("browser.download.always_ask_before_handling_new_types", true);

Display installation prompt for recommended extensions

When installing a recommended extension, Firefox bypasses the 3rd-party site install panel. This pref forces Firefox to show the prompt.

Note

Firefox still forces user interaction with a permissions prompt, regardless of this setting.

// PREF: display the installation prompt for all extensions
user_pref("extensions.postDownloadThirdPartyPrompt", false);

Public Key Pinning

Public Key Pinning (PKP) is a tool that boosts the safety of SSL certificates by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website.

Warning

Sometimes antivirus software — or some other source — won't let you open websites (example). Set it to 1 if you run into issues.

// PREF: enforce certificate pinning
// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
// 1 = allow user MiTM (such as your antivirus) (default)
// 2 = strict
user_pref("security.cert_pinning.enforcement_level", 2);

Sanitize on close

These settings automatically clear your browsing data, such as browser history, cookies, and cache, every time you close the browser. Clearing browsing data helps maintain privacy by ensuring that no information is stored on your device after you end your session.

Note

If you have session restore enable, then you will need to use Option 2 to restore previously opened tabs.

Option 1: Clear all browsing data on shutdown

  • → Settings → Privacy & Security → History → Clear history when Firefox closes
// PREF: delete all browsing data on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown_v2.cache", true); // DEFAULT
user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); // DEFAULT
user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", true); // DEFAULT

// PREF: after crashes or restarts, do not save extra session data
// such as form content, scrollbar positions, and POST data
user_pref("browser.sessionstore.privacy_level", 2);

Option 2: Clear only cookies and cache on shutdown

This option allows you to retain browser history and restore previously opened tabs (optional).

  • → Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed
// PREF: delete cookies, cache, and site data on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown_v2.cache", true); // DEFAULT
user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); // DEFAULT
user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false);

Allow exceptions

For either option, you can create exceptions to stay logged in to some sites.

  • → Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions

Disable DRM

Privacy-conscious people often dislike Digital Rights Management (DRM) because it restricts what users can do with their devices and limits fair use rights.

DRM prevents users from copying, sharing, or changing content they bought, even for their own use. It also allows browsers to communicate to outside servers to check licenses and rights, which can share data about what users do and watch.

Warning

Disabling DRM will prevent most popular streaming platforms from functioning properly. Spotify, Apple Music, Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV, and other streaming services will not work with DRM disabled.

You can confirm if Encrypted Media Extension (EME) is disabled by going here.

// PREF: disable all DRM content
user_pref("media.eme.enabled", false);

// PREF: hide the UI setting; this also disables the DRM prompt (optional)
user_pref("browser.eme.ui.enabled", false);

Fingerprinting

Fingerprinting is a high threat model issue that is only addressed reasonably by Tor.1 Please use the Tor Browser if your context calls for anonymity and not just reasonable privacy.^what's the difference?

Betterfox aims to mitigate real-world tracking rather than advanced fingerprinting, which only Tor Browser and Mullvad Browser can effectively counter. While Firefox's Fingerprinting Protection (FPP) feature helps randomize some fingerprinting vectors, users may still have unique fingerprints. (It doesn't matter if you change a few preferences because you are already unique.) And while Betterfox strives to provide a seamless browsing experience, occasional site glitches may occur due to Betterfox settings, Firefox itself, or adblock filters. In such cases, using a secondary browser is recommended.

Most of our security and privacy tweaks come from AF. Just like that project, Betterfox usually focuses on state and other cross-origin linkability mechanisms like navigational tracking. State means client-side data stored on disk or memory, such as the items listed here. We also encourage you to read AF's explainer on RFP and fingerprinting.

By default, Firefox blocks known fingerprinters; and as of v.119, ETP Strict also blocks suspected fingerprinters. Betterfox does not enable additional protection known as privacy.resistFingerprinting (RFP). You can read why here.