Overview
What is hardening? In real Firefox’ world, “hardening” is just a synonym of “customization” related to privacy/security settings. With hardening, we aim to have a more private and safe internet experience.
So, why are you doing this for Firefox, not for Chrome/Chromium? Because many browsers use Chromium engine, which lead to monopolization. I don’t want to support this. In addition, with the configuration facilities Firefox offers to the user, it is much easier to increase privacy and anonymity. For these reasons, I prepared this document about Firefox.
About document
I felt the need to divide this document to 4 groups: Level 1, Level 2, Level 3 and Level 4
-
Level 1: Simple configurations. Easy to apply. Most sites will work normally. My suggestion for basic users.
-
Level 2: Several advanced settings. It is relatively more difficult to do. Some sites may break. My suggestion for a little more knowledgeable users.
-
Level 3: More advanced settings. It is not more difficult to complete. Sites are very likely to break. My suggestion for users who know what to do.
-
Level 4: About how to use Arkenfox’s user.js. Most sites will be broken. My suggestion for privacy and safety maniacs.
Hardening
Level 1
Settings > Home > Browsing
Disable this two options.
Settings > Home > Network > Setttings
Enable DNS over HTTPS. Here you can select the DNS provider you want. I prefer Cloudflare for Families’ Blocked Malware option. It is up to you whether or not to choose the DNS servers of a non -profit organization like Quad9.
Settings > Home > Firefox Home Content
Disable this two option.
Settings > Search > Default Search Engine
Here you can select any privacy-oriented search engine. Since the default options were DuckDuckGo, I chose it. If you want, you can add and choose a much more privacy-oriented service like SearX/SearXNG.
Settings > Search > Search Suggestion
Disable this option.
Settings > Privacy & Security > Browser Privacy
Set this setting like that. Most websites don’t have problems with this setting, but you can turn off Enhanced Tracking Protection for broken website.
For turning off Enhanced Tracker Protection, click the shield icon to the left of the URL bar. And toggle the switch.
Settings > Privacy & Security > Firefox Data Collection and Use
Disable the telemetry.
Settings > Privacy & Security > HTTPS-Only Mode
Select this option to enable HTTPS-Only Mode.
Level 2
Go to about:config. Click Accept the Risk and Continue
Fission
Find and set to “true” these options:
fission.autostartgfx.webrender.allThese options turn on Fission. Actually, Fission is enabled by default since Firefox 95. But if it’s not enabled, you can enable it with that.
Telemetry
browser.newtabpage.activity-stream.feeds.telemetry=falsebrowser.newtabpage.activity-stream.telemetry=falsebrowser.ping-centre.telemetry=falsetoolkit.telemetry.enabled=falsetoolkit.telemetry.unified=falsetoolkit.telemetry.archive.enabled=falsedatareporting.policy.dataSubmissionEnabled=falsebrowser.ping-centre.telemetry=falsesecurity.app_menu.recordEventTelemetry=falsetoolkit.telemetry.newProfilePing.enabled=falsetoolkit.telemetry.firstShutdownPing.enabled=falsesecurity.certerrors.recordEventTelemetry=falsetoolkit.telemetry.newProfilePing.enabled=falsetoolkit.telemetry.previousBuildID=2040000000000toolkit.telemetry.server=" "Leave the value of this option empty.toolkit.telemetry.server_owner=" "Leave the value of this option empty.toolkit.coverage.endpoint.base=" "Leave the value of this option empty.toolkit.telemetry.shutdownPingSender.enabled=falseapp.normandy.enabled=falseapp.normandy.api_url=" "Leave the value of this option empty.breakpad.reportURL=" "Leave the value of this option empty.browser.tabs.crashReporting.sendReport=falseextensions.pocket.enabled=falseDisables Pocket.
These options are aimed at turning off telemetry.
Geolocation
Set the Mozilla geolocation service instad of Google:
geo.provider.network.url="https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"
Disable the OS’ geolocation service:
geo.provider.use_geoclue=false(Linux)geo.provider.use_gpsd=false(Linux)geo.provider.ms-windows-location=false(Windows)geo.provider.use_corelocation=false(MacOS)
Add-on Suggestions
Set these options as follows:
extensions.getAddons.showPane=falseThis setting is not created, create yourself.extensions.htmlaboutaddons.recommendations.enabled=falseThis two options disable the add-on suggestion.
Various
network.gio.supported-protocols=" "This setting is not created, create yourself. Leave the value of this option empty.network.file.disable_unc_paths=trueThis setting is not created, create yourself.permissions.manager.defaultsUrl=" "Leave the value of this option empty.network.IDN_show_punycode=truemedia.peerconnection.enabled=falseThis option may cause problems with broadcasting. Change this option when you want to broadcast or participate in a broadcast.media.autoplay.default=5Disables autoplay of HTML5 media.privacy.partition.serviceWorkers=trueprivacy.firstparty.isolate=trueIf you think DFPI is enough for you. Do not set this option. If you have problems with logging on some sites, it is probably due to this setting.
Level 3
Settings > Privacy & Security > Cookies and Site Data
Activate this option. This option is a good thing for privacy and security but this option also means that you log out from your accounts when Firefox is closed. You can add expections for sites. Cookies and data on these sites are not deleted.
Various
Set this options in about:config:
dom.event.clipboardevents.enabled=falseintl.accept_languages="en-US, en"Sets locale to English for more anonymity.javascript.use_us_english_locale=trueThis setting is not created, create yourself.beacon.enabled=falsecaptivedetect.canonicalURL=" "Leave the value of this option empty.network.captive-portal-service.enabled=falsenetwork.connectivity-service.enabled=falsenetwork.auth.subresource-http-auth-allow=1signon.rememberSignons=falsesignon.autofillForms=falsesignon.formlessCapture.enabled=falsebrowser.formfill.enable=falseextensions.formautofill.addresses.enabled=falseextensions.formautofill.available="off"extensions.formautofill.creditCards.available=falseextensions.formautofill.creditCards.enabled=falseextensions.formautofill.heuristics.enabled=falsesecurity.pki.sha1_enforcement_level=1security.cert_pinning.enforcement_level=2webgl.disabled=trueDisable WebGL (Web Graphics Library)browser.display.use_system_colors=falseDisable using system colors.privacy.partition.always_partition_third_party_non_cookie_storage=trueprivacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage=falsebrowser.cache.disk.enable=fasleDisable disk cache.browser.privatebrowsing.forceMediaMemoryCache=trueWrite media cache to memory instead of disk. May cause playback issues.media.memory_cache_max_size=65536Incrase the max size of the memory cache.browser.helperApps.deleteTempFileOnExit=trueDelete temporary files opened with external apps.network.http.referer.XOriginTrimmingPolicy=2Set cross-origin referers to only send scheme, host and port, instead of completely avoid sending them.dom.popup_allowed_events="click dblclick mousedown pointerdown"Limit events that can trigger pop-ups.
Google Safe Browsing
These options disable Google Safe Browsing. Safe Browsing is a good security feature but if you care more about your privacy, you can disable it:
browser.safebrowsing.provider.google4.gethashURL=" "Leave the value of this option empty.browser.safebrowsing.provider.google4.updateURL=" "Leave the value of this option empty.browser.safebrowsing.provider.google.gethashURL=" "Leave the value of this option empty.browser.safebrowsing.provider.google.updateURL=" "Leave the value of this option empty.browser.safebrowsing.downloads.enabled=falsebrowser.safebrowsing.downloads.remote.enabled=falsebrowser.safebrowsing.downloads.remote.url=" "Leave the value of this option empty.browser.safebrowsing.downloads.remote.block_potentially_unwanted=falsebrowser.safebrowsing.downloads.remote.block_uncommon=falsebrowser.safebrowsing.allowOverride=false
History
Clear history, cookies and site data when Firefox closes:
network.cookie.lifetimePolicy=2privacy.sanitize.sanitizeOnShutdown=trueprivacy.clearOnShutdown.cache=trueprivacy.clearOnShutdown.cookies=trueprivacy.clearOnShutdown.downloads=trueprivacy.clearOnShutdown.formdata=trueprivacy.clearOnShutdown.history=trueprivacy.clearOnShutdown.offlineApps=trueprivacy.clearOnShutdown.sessions=trueprivacy.clearOnShutdown.sitesettings=falseprivacy.sanitize.timeSpan=0
RFP
privacy.resistFingerprinting=trueEnable RFPprivacy.resistFingerprinting.block_mozAddonManager=trueThis setting may cause problems with installing add-ons from Mozilla Add-ons.
Level 4
For install Arkenfox (or any) user.js;
Download the user.js file from the repository
Open Firefox and go to about:profiles
Click this button and open profile directory.
Move the user.js file to the profile directory.
Restart Firefox. And you are ready!
Extensions
uBlock Origin: An open source content blocker extension with useful features. More information about the correct use here.
CanvasBlocker: This add-on allows users to prevent websites from using some Javascript APIs to fingerprint them.
If you didn’t set privacy.resistFingerprinting option in Level 3 section, you can use this extension.
Privacy Settings: Privacy Settings extension keeps all the built-in privacy and security related settings in one place.
You can quickly access the settings in about:config such as media.peerconnection.enabled. In this way, you can easily change this setting when you want to broadcast.