This guide contains updated recommendations and privacy tweaks for Firefox, revised to reflect the latest version and new features (October 2019).
Mozilla Firefox is arguably the best browser available that combines strong privacy protection features, good security, active development, and regular updates. The newest version of Firefox is fast, light-weight, and packed full of privacy and security features.
It is for this reason that I consider Firefox to be the best all-around browser for privacy and security. It remains a solid alternative to some of the other options, such as Google Chrome, Microsoft Edge, and Safari.
Another great aspect of Firefox is that it is highly customizable, which is the point of this guide. Below we will go over how you can customize Firefox to give you the security and privacy you desire, while still working well for day-to-day browsing.
But before we jump in, let’s cover some important details.
There are many factors to consider when configuring Firefox to meet your needs, including your threat model and browsing preferences. In other words, there is no “one-size-fits-all” configuration that will work for everyone. This guide is a basic overview covering some of the different configurations options.
Before you start modifying Firefox and installing a bunch of add-ons, it’s important to consider browser fingerprinting.
The issue of browser fingerprinting (or device fingerprinting) is a big topic that covers all the different ways you can be tracked and identified by your system and various settings. All of the different add-ons you install and preference modifications you make to Firefox are inputs that can potentially be used to identify and track you.
Herein lies the catch-22: the more browser add-ons you install and settings you modify, the more likely you will stand out from the crowd and be easier to track. There are solutions for this and the latest version of Firefox does offer some fingerprinting protection. I discuss this problem and also provide solutions in the browser fingerprinting guide.
And that leads us to the next point that…
More is not always better
When it comes to browser add-ons and modifications, you don’t want to be like that kid who puts every topping imaginable on his ice cream. Similarly, more is not always better with Firefox browser add-ons.
Aside from the issue of browser fingerprinting, having too many add-ons may slow down performance and break things. Many of the popular Firefox add-ons also fulfill the same functions and are redundant when used together.
Therefore it is best to strike a balanced approach. Install and modify only what you think will be useful and necessary for your specific situation.
Proceed with caution
Modifying some of these settings may interfere with your browsing experience and break some websites (they won’t load properly). Therefore taking an incremental approach may be the best way to proceed. You can continue to install add-ons and adjust your settings as you see what works best for your needs.
This allows you to modify the settings, create exceptions, or add sites to a whitelist.
Firefox privacy settings
Before you get going with Firefox you may want to adjust the following settings for better privacy.
Note: if you are a Mac OS user, you will see the word “Preferences” in your menu rather than “Options” as it is listed below.
With the latest version of Firefox, it is configured to share “technical and interaction data” with Mozilla. This includes the ability to “install and run studies” on your computer. You can learn more about these studies and data collection practices, but I’d recommend disabling these settings.
To disable go to Open Menu (three bars at the top right corner of the browser) > Options > Privacy & Security > Firefox Data Collection and Use and then uncheck the boxes as you see below:
You can also disable data sharing with Firefox for Android by going to Menu > Options > Privacy > Data Choices and then uncheck all three categories for Telemetry, Crash Reporter, and Mozilla Location Service.
Note: You can also disable this in the About:Config settings with toolkit.telemetry.enabled set to false.
Change default search engine
Firefox now uses Google as the default search engine, but there are other private search engines you can use instead.
To do this, go to Menu > Options > Search > Default Search Engine. Firefox does not provide you with too many alternatives directly in the settings area. However, you can view more options by going down to One-Click Search Engines and then click Find more search engines to see the other alternatives.
Startpage seems to be a pretty good option that gives you good results (from Google) but still respects your privacy. See the setup instructions here.
Firefox also has a guide on modifying your search engine preferences.
Firefox Content Blocking
Another great new feature with Firefox is Content Blocking. This customizable feature will automatically block “content that tracks the sites you visit and profiles you.” You can choose between Standard, Strict, and Custom modes, which allow you to block:
To adjust the Firefox Content Blocking settings, go to Menu > Options > Privacy and Security > Content Blocking and then select which mode you want to use.
The Standard setting may be the best balance for regular users. Firefox warns that Strict mode may “cause some websites to break.” However, you can still…
Disable content blocking for specific sites
It’s easy to disable content blocking for certain trusted sites. Simply enter the website URL, then click the “i” icon to the left of the address bar, then click the grey button to “Turn off Blocking for This Site.”
Another benefit of Firefox’s Content Blocking feature is that it can save your data and improve page load speeds.
The “Do Not Track” request
Firefox also has an option to request that websites “do not track” you online. This is simply an HTTP header field that you can easily enable. However, the key word here is request, because this is not actually blocking anything. We have also learned that many websites simply ignore these requests.
In addition to being ignored by most sites, this is also a value that can be used for browser fingerprinting purposes, as explained here. Therefore I no longer recommend enabling or modifying the Do Not Track settings, which you’ll find in the Content Blocking settings area.
You can learn more about the Do Not Track feature here.
Firefox About:Config settings
Aside from the general Menu settings we used above, you can also make a number of different modifications using about:config.
Note: If you made all of the changes above, you may notice that some of these settings are already updated in about:config. We will still cover the different about:config since some people prefer to modify settings in this area, rather than through the general Menu.
To access these configuration settings, simply enter about:config into the URL bar and hit enter. You will then be prompted with a warning screen stating “This might void your warranty.” Just click “I accept the risk” to continue.
After proceeding, you will see a large list of preferences, which each include a status, type, and value.
These preferences will be listed in alphabetical order and are easily searchable from the search bar near the top.
Modifying preferences – You can modify any of these Firefox preferences by simply double clicking the preference name. If the preference is a “boolean” type, then double clicking will change the value to true or false. If the preference is an “integer” or “string” type, double clicking will open a box to change the value.
Here are my recommended changes:
media.peerconnection.enabled (WebRTC) = false
WebRTC stands for “Web Real-Time Communication” and it allows for voice, video chat, and P2P sharing through your browser. Unfortunately, this capability can also expose your real IP address through browser STUN requests, even if you are using a good VPN service. (This is called a WebRTC leak.)
To disable WebRTC in Firefox simply enter media.peerconnection.enabled into the search bar and then double click the value to change it to false.
Aside from Firefox, the WebRTC vulnerability also affects Chrome, Opera, Brave, and other Chromium-based browsers. Safari is also in the process of implementing WebRTC.
privacy.resistFingerprinting = true
Changing this preference to true will help to make Firefox more resistant to browser fingerprinting.
Note: There are many factors that go into browser fingerprinting and the ability of an adversary to identify you. See the browser fingerprinting guide for additional details.
privacy.trackingprotection.fingerprinting.enabled = true
This is a new preference with Firefox 67+ to block fingerprinting.
privacy.trackingprotection.cryptomining.enabled = true
Another new preference with Firefox 67+, this will block cryptominers.
privacy.firstparty.isolate = true
Changing this to true will isolate cookies to the first party domain, which prevents tracking across multiple domains. First party isolation also does much more than isolating cookies, it affects: cookies, cache, HTTP Authentication, DOM Storage, Flash cookies, SSL and TLS session resumption, Shared Workers, blob URIs, SPDY and HTTP/2, automated cross-origin redirects, window.name, auto-form fill, HSTS and HPKP supercookies, broadcast channels, OCSP, favicons, mediasource URIs and Mediastream, speculative and prefetched connections.
This preference was added in late 2017 as part of the Tor Uplift Project.
privacy.trackingprotection.enabled = true
Another new update, this is Mozilla’s built-in tracking protection feature. This will use a Disconnect.me filter list, but may be redundant if you are using uBlock Origin 3rd party filters.
geo.enabled = false
Setting this to false will disable geolocation tracking, which may be requested by a site you are visiting. As explained by Mozilla, this preference is enabled by default and utilizes Google Location Services to pinpoint your location. In order to do that, Firefox sends Google:
- your computer’s IP address
- information about nearby wireless access points
- a random client identifier, which is assigned by Google (expires every two weeks)
Before this data is sent to Google, you would first get a request by the site you are visiting. Therefore you do have control over this, even if geo remains enabled.
media.navigator.enabled = false
Setting this preference to false will block websites from being able to track the microphone and camera status of your device.
This is an integer type preference with different values. Here are the cookie preference options:
- 0 = Accept all cookies by default
- 1 = Only accept from the originating site (block third-party cookies)
- 2 = Block all cookies by default
- 3 = Block cookies from unvisited sites
- 4 = New Cookie Jar policy (prevent storage access to trackers)
Any selection between 1 and 4 would improve privacy. The New Cookie Jar policy (value 4) offers more protection, but it may also break the functionality of some websites. Ghacks has a discussion of the New Cookie Jar policy here.
network.cookie.lifetimePolicy = 2
This is another integer type preference that you should set to a value of 2. This preference determines when cookies are deleted. Here are the different options:
- 0 = Accept cookies normally
- 1 = Prompt for each cookie
- 2 = Accept for current session only
- 3 = Accept for N days
With a value of 2, websites you visit should work without any problems, and all cookies will be automatically deleted at the end of the session.
network.dns.disablePrefetch = true
Setting this preference to true will disable Firefox from “prefetching” DNS requests. While advanced domain name resolution may slightly improve page load speeds, this also comes with some risks, as described in this paper.
network.prefetch-next = false
Similar to prefetching DNS requests above, setting this preference to false will prevent pages from being prefetched by Firefox. Mozilla has deployed this feature to speed up web pages that you might visit. However, it will use up resources and poses a risk to privacy. This is another example of performance at the price of privacy.
webgl.disabled = true
WebGL is a potential security risk, which is why it is best disabled by setting webgl.disabled to true. Another issue with WebGL is that it can be used to fingerprint your device.
dom.event.clipboardevents.enabled = false
This prevents websites from getting notifications if you copy, paste, or cut something from the page.
media.eme.enabled = false
This disables the playback of DRM-controlled HTML5 content. See details here.
Firefox “safe browsing” preferences
There are many recommendations to disable the Safe Browsing feature in Firefox due to privacy concerns and potential Google tracking. However, these concerns are based on an older version of the Safe Browsing feature, which would utilize “real-time lookup” of website URLs. This method has not been in use since 2011 – explained further here.
If a URL is needed, Firefox takes the following precautions to protect user privacy, as explained by François Marier, a security engineer for Mozilla:
- Query string parameters are stripped from URLs we check as part of the download protection feature.
- Cookies set by the Safe Browsing servers to protect the service from abuse are stored in a separate cookie jar so that they are not mixed with regular browsing/session cookies.
- When requesting complete hashes for a 32-bit prefix, Firefox throws in a number of extra “noise” entries to obfuscate the original URL further.
Therefore I would conclude that disabling Safe Browsing would give you no tangible privacy benefits, while also being a security risk. That being said, if you still want to disable this feature, here’s how in the about:config area:
- browser.safebrowsing.phishing.enabled = false
- browser.safebrowsing.malware.enabled = false
Firefox privacy and security add-ons
There are some great Firefox browser add-ons that will give you more privacy and security.
Note: When looking for Firefox add-ons, be sure to consider what you need in relation to the preferences you modified above. Some add-ons will be redundant and not necessary depending on your Firefox preferences and the other add-ons you are using.
In combination with the preference changes above, my top three recommendations for privacy add-ons would be:
- uBlock Origin
- HTTPS Everywhere
All three of these add-ons complement the preferences listed above, are easy to use, and will probably not break websites you visit.
Another great add-on is Cookie AutoDelete. However, if you have already modified your cookie preferences in about:config as described above, then this add-on is not necessary.
uBlock Origin is an efficient, light-weight blocker that filters both ads and tracking. It has risen to popularity as a powerful alternative to Adblock Plus, which allows “acceptable ads” that many users disdain. One added benefit of uBlock Origin is that it can significantly improve performance and page load speed.
Another great feature with uBlock Origin is the ability to whitelist certain websites. Given that many sites will block access if they detect an ad-blocker, the ability to whitelist will come in handy. uBlock Origin is free and entirely open source.
Fortunately, more and more websites are implementing HTTPS, so this is becoming less of an issue. Nonetheless, HTTPS Everywhere is still a good add-on to use with Firefox.
You can get more information on HTTPS from Electronic Frontier Foundation, which is behind the creation of this add-on.
Decentraleyes is an interesting Firefox add-on that protects you against tracking via content delivery networks that are operated by third parties. While CDNs do help improve website load time and performance, they are usually offered for free by third-parties that will use the CDN to track your browsing. These third parties include Google, Microsoft, Facebook, Cloudflare, Yandex, Baidu, MaxCDN, and others.
Decentraleyes solves this problem by hosting CDN resources locally. As described on their self-hosted GitLab repository, Decentraleyes “intercepts traffic, finds supported resources locally, and injects them into the environment” thereby preventing CDNs from tracking users.
This browser add-on may not be necessary with Firefox if you have made the changes above to preferences, which will automatically erase cookies that are no longer needed for the website you are viewing.
However, if you’d rather use an add-on instead of making these about:config changes, then Cookie AutoDelete is the way to go. It erases cookies that are no longer needed, thereby protecting you from tracking.
Privacy Badger is another add-on from Electronic Frontier Foundation that blocks spying ads and trackers. One drawback with Privacy Badger is that it only blocks third-party sites. Because it considers Google Analytics first-party site, it will not be blocked. Another drawback is that it does not actually use a filter list. Instead, it basically learns as you use it.
On a positive note, Privacy badger is very easy to use and will go a long way to giving you more privacy with general browsing. It can be used in combination with uBlock Origin, although there will be some overlap in terms of functionality.
uMatrix is an advanced add-on that gives you control over requests that may be tracking you on the websites you visit. It is made by the same people behind uBlock Origin. One advantage with uMatrix is that it is very customizable.
One drawback with uMatrix is that it can be difficult and time-consuming to get it configured for regular, day-to-day browsing. However, if you want a powerful blocker, and you don’t mind having to tinker with this plugin, then give uMatrix a shot.
NoScript is a script-blocker that allows you to identify/block scripts running on websites. While it does give you control, NoScript can be a pain to get configured properly. It breaks many websites, which requires you to tweak and configure the options. If you are already using uBlock Origin, or uMatrix, then you probably don’t need to be using NoScript.
This is definitely not an add-on for the casual user or those who don’t have the patience to devote some time into configuration.
New Firefox privacy features
Over the past year, Firefox has been launching some new privacy features. We already discussed the Content Blocking features above and how these are a huge advantage for privacy-conscious users.
In recent months, Firefox has introduced two other features: DNS over HTTPS (DoH) and also a Firefox proxy extension (Firefox Private Network). Interestingly, both of these new features rely on Cloudflare infrastructure, which is a large US-based company that provides CDN services.
Firefox officially launched a browser proxy extension called Firefox Private Network, which many refer to as Firefox VPN. While this may be good for some users, I also identified a few drawbacks in the Firefox VPN guide:
- Browser-only encryption: Only traffic through the Firefox browser is getting encrypted. (It’s a proxy, not a VPN.)
- Cloudflare: All traffic is being routed through Cloudflare.
- Data collection (logs): As disclosed in the respective privacy policies, Cloudflare will be logging your source IP address and the sites you visit. Mozilla is also recording technical, interaction, and registration data.
- No location selection: Unlike other browser-based proxies, Firefox Private Network does not offer any location selection. (It’s either on or off.)
With Cloudflare and Mozilla based in the United States (Five Eyes), there is also concern about government demands for user data, as we’ve seen before with Lavabit and also Riseup. Firefox Private Network remains in beta and only available to US users, but with plans to role it out to all users.
Firefox DNS over HTTPS (DoH)
Just like with Firefox Private Network, the implementation of DNS over HTTPS also relies on Cloudflare infrastructure. In fact, it makes Cloudflare the central processing point for all DNS requests in the Firefox browser by default.
While DNS over HTTPS may sound advantageous in some respects, there are also potential concerns. Rather than going over why, you can read the article, Centralised DoH is bad for privacy, in 2019 and beyond, which concludes:
Centralised DoH is currently a privacy net negative since anyone that could see your metadata can still see your metadata when DNS is moved to a third party. Additionally, that third party then gets a complete log per device of all DNS queries, in a way that can even be tracked across IP addresses.
Even if further privacy leaks are plugged, DoH to a third party remains at best a partial solution, one that should not be relied upon as a serious security layer, since it will be hard to plug everything, especially if non-CDN content providers survive.
Encrypting DNS is good, but if this could be done without involving additional parties, that would be better.
And for actual privacy on untrusted networks, nothing beats a VPN, except possibly not using hostile networks.
Many people also assume that encrypted third-party DNS will somehow offer privacy and anonymity. This is a false assumption. Your IP address and location remains exposed with everything you do online, while your ISP will still be able to see the websites you visit (IP addresses) even if it’s no longer handling DNS requests. In conclusion, a good VPN will offer much more protection than DoH through Cloudflare.
To disable DNS over HTTPS (DoH) in Firefox go to Menu > Options > General and then scroll down to Network Settings and click the Settings button. In the box that opens, scroll down to Enable DNS over HTTPS, where it can be enabled or disabled.
Below are some additional resources for configuring Firefox to give you more privacy and security:
- user.js Firefox hardening – As explained on their GitHub page, this is a “configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the overview wiki page.” Their Wiki page is also full of great information.
- Privacy Settings – This is a Firefox add-on to give you easy access and control of the built-in privacy settings in your browser.
- Firefox Profilemaker – FFprofile helps you to create your own Firefox profile with the default privacy and security settings to fit your needs.
Firefox privacy conclusion
In my opinion, Firefox remains the best all-around, mainstream browser on the market for privacy when it is modified as recommended above.
While many of the configurations and add-ons discussed in this guide will go a long way to giving you more privacy, there is one issue that remains: concealing your IP address and location. To do this, a good VPN service is necessary. The Tor network also achieves this end, but it comes with the drawbacks of slow speeds, risks, and limitations (only works in a browser).
For more options in addition to Firefox, see the secure browser guide.
Updated and revised on October 14, 2019.