
Optional Hardening

Hal edited this page Apr 25, 2024 · 94 revisions

Instructions

  1. Open the user.js in a text editor such as Notepad.
  2. Add prefs from the options below to MY OVERRIDES.
  3. Save and close the file.
  4. Return to Getting Started.
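As an added worked example (not part of Betterfox's own tooling), the script below automates steps 1 to 3: it parses the `user_pref(...)` lines already in user.js, inserts your overrides after the MY OVERRIDES header, and reports the two things a hand edit easily misses: an earlier line you are overriding, and a later line for the same pref that would silently shadow your override, since Firefox applies the last occurrence of a pref in user.js. The sample file content is constructed for the example; the header text and the rule that the header sits inside a block comment are assumptions about user.js, not verified against the real file.

```python
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# One user_pref line; the value is kept as the raw JS literal (true/false, integer, or quoted string).
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)
MARKER = "MY OVERRIDES"  # assumed: text of the comment that heads the overrides section


def format_value(value: PrefValue) -> str:
    """Render a Python value as the JS literal user.js expects."""
    if isinstance(value, bool):  # test bool first: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def parse_prefs(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_index, name, raw_literal) for every active user_pref line."""
    found = []
    for i, line in enumerate(text.splitlines()):
        if line.lstrip().startswith("//"):  # commented-out prefs do not count
            continue
        m = PREF_RE.match(line)
        if m:
            found.append((i, m.group("name"), m.group("value")))
    return found


def find_insert_point(lines: List[str]) -> int:
    """Index at which new override lines go: just past the MY OVERRIDES header
    (and past the end of its block comment, if the header is inside one), else end of file."""
    for i, line in enumerate(lines):
        if MARKER not in line:
            continue
        if line.lstrip().startswith("//"):
            return i + 1
        for j in range(i, len(lines)):  # header is inside /* ... */: skip to the closing line
            if "*/" in lines[j]:
                return j + 1
        return i + 1
    return len(lines)


def merge_overrides(text: str, overrides: Dict[str, PrefValue]) -> Tuple[str, List[str]]:
    """Insert overrides and report conflicts. Firefox applies the LAST occurrence of a pref,
    so any same-named line after the insert point makes the override ineffective."""
    lines = text.splitlines()
    insert_at = find_insert_point(lines)
    existing = parse_prefs(text)
    report: List[str] = []
    additions: List[str] = []
    for name, value in overrides.items():
        literal = format_value(value)
        for idx, existing_name, raw in existing:
            if existing_name != name:
                continue
            if idx >= insert_at:
                report.append(f"{name}: line {idx + 1} comes after the overrides and will shadow {literal}")
            elif raw != literal:
                report.append(f"{name}: replacing earlier value {raw} (line {idx + 1}) with {literal}")
        additions.append(f'user_pref("{name}", {literal});')
    merged = lines[:insert_at] + additions + lines[insert_at:]
    return "\n".join(merged) + "\n", report


# Constructed sample in the shape of a user.js; not the real Betterfox file.
SAMPLE_USER_JS = """\
user_pref("dom.security.https_only_mode", false);
user_pref("network.trr.mode", 0);

/****************************************************************************
 * SECTION: MY OVERRIDES                                                    *
****************************************************************************/
// enter your personal overrides below this line:

/****************************************************************************
 * SECTION: LATER PREFS (constructed to show shadowing)                     *
****************************************************************************/
user_pref("network.trr.mode", 2);
"""

OVERRIDES: Dict[str, PrefValue] = {
    "dom.security.https_only_mode": True,
    "network.trr.mode": 3,
    "network.trr.uri": "https://dns.quad9.net/dns-query",
}

if __name__ == "__main__":
    merged, report = merge_overrides(SAMPLE_USER_JS, OVERRIDES)
    for line in report:
        print("WARNING:", line)
    print(merged)
```

Run it against the sample and it warns that `network.trr.mode` is set again after the overrides section, which is exactly the case where an override you believe is active is not. A real run would read your profile's user.js, pass the dictionary of prefs you chose from this page, and write the merged text back only after you have reviewed the report.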

Options


Firefox Sync & View

Firefox Sync and Firefox View may be disabled to minimize connections and remove unused UI.

// PREF: disable Firefox Sync
user_pref("identity.fxaccounts.enabled", false);

// PREF: disable Firefox View
user_pref("browser.tabs.firefox-view", false);
user_pref("browser.tabs.firefox-view-next", false);
user_pref("browser.tabs.firefox-view-newIcon", false); // needed?
user_pref("browser.firefox-view.feature-tour", "{\"screen\":\"\",\"complete\":true}");

If the above doesn't work after restarting, then read here to remove Firefox View from the tab bar.


Password, credit card, and address management

The built-in password manager can be disabled for greater security. Turning it off stops Firefox from offering to save new logins; it does not delete logins already stored in the profile, so remove those separately from about:logins.

  • → Settings → Privacy & Security → Logins and Passwords → Ask to save logins and passwords for websites

We recommend using Bitwarden or 1Password to manage your credentials on multiple devices.

// PREF: disable login manager
user_pref("signon.rememberSignons", false);

// PREF: disable address and credit card manager
user_pref("extensions.formautofill.addresses.enabled", false);
user_pref("extensions.formautofill.creditCards.enabled", false);

Block embedded social posts on webpages

Firefox keeps allow-lists (the skipURLs prefs) of tracker URLs that are exempted from blocking so that embedded posts from these sites still render. Emptying both lists removes those exemptions, which matches the default behavior of Strict Enhanced Tracking Protection.

// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
user_pref("urlclassifier.trackingSkipURLs", "");
user_pref("urlclassifier.features.socialtracking.skipURLs", "");

HTTPS-Only Mode

Betterfox already blocks HTTP subresources from loading on HTTPS pages and attempts to upgrade HTTP site navigation to HTTPS.

Note

HTTPS doesn't mean "trust this." It means "this is private." You may be having a private conversation with Satan. — Scott Hanselman

Option 1: Private windows only

Firefox will ask for explicit permission before connecting to a site insecurely in Private Browsing windows (Firefox's equivalent of Chrome's Incognito mode).

// PREF: enable HTTPS-Only Mode
// Warn me before loading sites that don't support HTTPS
// when using Private Browsing windows.
user_pref("dom.security.https_only_mode_pbm", true);
user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);

Option 2: All windows

Firefox will get explicit permission from you before connecting to a site insecurely in Normal and Private Browsing.

// PREF: enable HTTPS-Only Mode
// Warn me before loading sites that don't support HTTPS
// in both Normal and Private Browsing windows.
user_pref("dom.security.https_only_mode", true);
user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);

Disk Cache

Keep in mind that disabling the disk cache is only available in Firefox. It is considered a non-issue in any other browser.

Only disable the disk cache if your machine has or uses:

  • An HDD. (Cache writes wearing out a modern SSD is not a realistic concern, so SSD longevity is not a reason to disable it.)
  • More than 300 Mbps internet speed. Otherwise, it's probably faster to retrieve information from disk (test).
  • Or ultimately, you believe disabling it helps your privacy or performance.

Note that this only stops page content from being written to the cache in your profile on disk; the in-memory cache still works for the running session, and any cache already on disk stays until you clear it.

// PREF: disable disk cache
user_pref("browser.cache.disk.enable", false);

Public Key Pinning

Public key pinning ties a hostname to a small set of expected public keys. Firefox ships a built-in (static) pin list, mostly for Mozilla's own domains and a few others; when you connect to a pinned host, Firefox checks that one of the pinned keys appears in the certificate chain. A certificate for that host issued by any other CA, even one your system trusts, is rejected, which is what defeats a mis-issued or fraudulent certificate. (Header-based HPKP was removed in Firefox 72; only the static list remains.)

The pref sets how strictly pins are applied: 0 disables pinning, 1 (the default) enforces pins except when the chain ends in a user-added root, which is how antivirus and corporate TLS inspection keep working, and 2 enforces pins even against user-added roots.

Warning

Antivirus or corporate TLS-inspection software that installs its own root CA intercepts HTTPS connections; at level 2 its certificates fail the pin check, so pinned sites will not open (example).

Tip

Reset it to 1 (the default) if you run into issues.

// PREF: enforce certificate pinning
// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
user_pref("security.cert_pinning.enforcement_level", 2);

Sanitize on close

Allow exceptions

You can allow exceptions if you want to stay logged in to some sites.

  • → Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions

Tip

If you have session restore enabled, then you will need to use Option 1 for session restore to work.

Option 1: Clear cookies and cache on shutdown

  • → Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed

// PREF: delete cookies, cache, and site data on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);

// PREF: do not save extra session data such as form content,
// scrollbar positions, and POST data after crashes or restarts
user_pref("browser.sessionstore.privacy_level", 2);

Option 2: Clear all browsing data on shutdown

  • → Settings → Privacy & Security → History → Clear history when Firefox closes

// PREF: delete all browsing data on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.siteSettings", false);

// PREF: do not save extra session data such as form content,
// scrollbar positions, and POST data after crashes or restarts
user_pref("browser.sessionstore.privacy_level", 2);

Secure DNS

Set up and enforce DNS-over-HTTPS (DoH).

DoH Provider

Use the provider below for better threat protection.

⭐ Create a profile with NextDNS and follow our configuration guide for greater protection from ads, trackers, and security threats.

// PREF: set DoH provider
user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");

Option 1: Increased Protection

Increased Protection (mode 2) sends lookups over DoH first and switches back to your system's native resolver if the DoH resolver fails. Keep in mind what that fallback means: anyone able to block or break the DoH connection can push your lookups back to unencrypted DNS.

Tip

Use this setting if your workplace or university causes issues with alternative DNS.

// PREF: enforce DNS-over-HTTPS (DoH)
user_pref("network.trr.mode", 2);
user_pref("network.trr.max-fails", 5);

Option 2: Max Protection

Max Protection (mode 3) uses DoH only. If the DoH resolver cannot answer, the lookup fails rather than falling back, and Firefox displays a user-friendly error page from which you can add an exception for that site.

// PREF: enforce DNS-over-HTTPS (DoH)
user_pref("network.trr.mode", 3);
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);

Manage exceptions

Add sites to the exceptions list.

  • → Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions
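To make "DoH" concrete, here is an added example in Python (not from the Betterfox project) that builds the exact GET request a DoH client sends under RFC 8484 and parses a response back into records. The query for www.example.com reproduces the URL example in RFC 8484 section 4.1.1, so the encoding can be checked by eye; the response bytes are constructed inline with a documentation address (192.0.2.1), and nothing is sent over the network. The endpoint is the page's Quad9 URL; any RFC 8484 resolver works the same way.

```python
import base64
import struct
from typing import Dict, List, Tuple

DOH_ENDPOINT = "https://dns.quad9.net/dns-query"  # the page's provider; any RFC 8484 endpoint works


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending with a zero byte (RFC 1035 §3.1)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query. RFC 8484 §4.1 says to use ID 0 so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id=0, flags RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form of DoH: the query as unpadded base64url in the 'dns' parameter (RFC 8484 §4.1)."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset just after it in the original stream)."""
    labels: List[str] = []
    end = -1
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 §4.1.4)
            if end < 0:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end >= 0 else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> Dict[str, object]:
    """Parse the header, skip the question section, and decode answer records (A records as dotted quads)."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        rname, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((rname, rtype, ttl, value))
    return {"id": ident, "rcode": flags & 0xF, "answers": answers}


# Constructed response (not captured traffic): example.com A 192.0.2.1, TTL 300, name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)       # QR=1, RD=1, RA=1, RCODE=0
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("www.example.com"))   # matches the example in RFC 8484 §4.1.1
    print(parse_response(SAMPLE_RESPONSE))
```

The request is an ordinary HTTPS GET, which is why it passes through networks that block port 53 and why nothing on the local network can read or rewrite the name being looked up. The resolver operator (Quad9 or NextDNS here) still sees every name, so DoH is a choice of who gets to see your lookups, not a way to hide them entirely.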

Disable DRM

Privacy-conscious people often dislike Digital Rights Management (DRM) because it restricts what users can do with their devices and limits fair use rights. DRM prevents users from copying, sharing, or changing content they bought, even for their own use. DRM also lets the browser talk to outside license servers to check licenses and rights, which can reveal what users do and watch. In Firefox, DRM playback means downloading and running Google's closed-source Widevine content decryption module.

Warning

Disabling DRM will prevent most popular streaming platforms from functioning properly. Spotify, Apple Music, Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirecTV, and other streaming services will not work with DRM disabled.

// PREF: disable all DRM content
user_pref("media.eme.enabled", false);

// PREF: hide the setting; this also disables the DRM prompt (optional)
user_pref("browser.eme.ui.enabled", false);

You can confirm if DRM is disabled by going here.


Require Secure Renegotiation

Block connections to servers that do not support RFC 5746 (secure renegotiation), as they are potentially vulnerable to the TLS renegotiation man-in-the-middle attack.

A server without RFC 5746 can be safe from the attack if it disables renegotiation altogether. However, the browser cannot know that from the handshake. Setting this pref to true is the only way to ensure no unsafe renegotiation occurs between the browser and the server. This only concerns TLS 1.2 and earlier: TLS 1.3 removed renegotiation entirely, so the pref has no effect on TLS 1.3 connections.

Warning

Some sites, like EA.com, will not let you log in because their servers do not advertise RFC 5746 secure renegotiation.

// PREF: require safe SSL negotiation
// [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION
user_pref("security.ssl.require_safe_negotiation", true);
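As an added illustration (not Firefox or NSS code), the Python below parses a TLS 1.2 ServerHello and applies the RFC 5746 test a client applies on an initial handshake: the server must send the renegotiation_info extension (type 0xff01) with an empty renegotiated_connection field, which on the wire is the single length byte 0x00. A missing extension means the server is not RFC 5746-aware, the case this pref blocks; a non-empty field on an initial handshake is a protocol violation that RFC 5746 section 3.4 also requires the client to reject. The ServerHello bytes are constructed by a small builder; the random, session id and cipher suite are placeholders.

```python
import struct
from typing import Dict

EXT_RENEGOTIATION_INFO = 0xFF01  # RFC 5746 §3.2 extension type
HANDSHAKE = 22
SERVER_HELLO = 2


def parse_server_hello(record: bytes) -> Dict[str, object]:
    """Parse one TLS 1.2 handshake record holding a ServerHello; return version, cipher, extensions."""
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    off = 0
    version = struct.unpack("!H", hello[off:off + 2])[0]
    off += 2 + 32                      # version, then the 32-byte server random
    sid_len = hello[off]
    off += 1 + sid_len                 # session id
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    off += 2 + 1                       # cipher suite, then compression method
    extensions: Dict[int, bytes] = {}
    if off < len(hello):               # the extensions block is optional in TLS 1.2
        ext_total = struct.unpack("!H", hello[off:off + 2])[0]
        off += 2
        end = off + ext_total
        while off < end:
            etype, elen = struct.unpack("!HH", hello[off:off + 4])
            off += 4
            extensions[etype] = hello[off:off + elen]
            off += elen
    return {"version": version, "cipher": cipher, "extensions": extensions}


def initial_handshake_is_rfc5746(record: bytes) -> bool:
    """RFC 5746 §3.4: on an initial handshake the server must send renegotiation_info
    with an empty renegotiated_connection (extension data is the single length byte 0x00).
    Absent -> server is not RFC 5746-aware; non-empty -> protocol violation. Both fail."""
    info = parse_server_hello(record)["extensions"].get(EXT_RENEGOTIATION_INFO)
    return info == b"\x00"


def make_server_hello(extensions: Dict[int, bytes]) -> bytes:
    """Constructed ServerHello for testing: TLS 1.2, placeholder random, empty session id,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F), null compression."""
    hello = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
        hello += struct.pack("!H", len(ext)) + ext
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body


if __name__ == "__main__":
    for label, exts in [
        ("RFC 5746 server", {EXT_RENEGOTIATION_INFO: b"\x00"}),
        ("legacy server (no extension)", {}),
        ("non-empty on initial handshake", {EXT_RENEGOTIATION_INFO: b"\x0c" + b"\xaa" * 12}),
    ]:
        ok = initial_handshake_is_rfc5746(make_server_hello(exts))
        print(f"{label}: {'accept' if ok else 'SSL_ERROR_UNSAFE_NEGOTIATION'}")
```

With the pref left at its default, the second case (no extension) is still accepted and the browser simply refuses to renegotiate later; with the pref set to true, that handshake is aborted up front with SSL_ERROR_UNSAFE_NEGOTIATION, which is the failure you see on sites like the one named above.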

default-browser-agent

On Windows, Mozilla collects information on what you've set as your default browser through the Default Browser Agent, a scheduled task that runs outside of Firefox itself.

Warning

Breaks Make Default... button to set Firefox as the default browser on Windows.

Tip

Add this pref if you do not use this UI or if you have already set Firefox as the default browser.

// PREF: disable telemetry of what default browser you use [WINDOWS]
user_pref("default-browser-agent.enabled", false);

Fingerprinting

Fingerprinting is a high threat model issue that is only addressed reasonably by Tor. Please use the Tor Browser if your context calls for anonymity and not just reasonable privacy (what's the difference?).

By default, Firefox blocks known fingerprinters; and as of v.119, ETP Strict also blocks suspected fingerprinters. Betterfox does not enable additional protection known as privacy.resistFingerprinting (RFP). You can read why here.

Most of our security and privacy tweaks come from AF. Just like that project, Betterfox usually focuses on state and other cross-origin linkability mechanisms like navigational tracking. (State means client-side data stored on disk or memory, such as the items listed here.)

We also encourage you to read AF's explainer on RFP and fingerprinting, some of which we echo here:

  • Except for Tor Browser and Mullvad Browser, web browsers can only effectively fool naive fingerprinting scripts.
  • However, starting with version 120, Firefox uses FPP (fingerprintingProtection), which subtly randomizes canvas per eTLD+1, session, and window-mode.
  • We do not and never have claimed to defeat advanced fingerprinting. Betterfox does not care if a few preferences change any metrics, because you are already unique.
  • Betterfox prioritizes privacy, security, speed, convenience, and minimalism in that order. However, this is always a balancing act.
  • Where it makes sense for the average user, Betterfox focuses on mitigating real forms of tracking rather than prioritizing the potential threat of a widespread advanced fingerprinting script.
  • We encourage you to use a secondary browser for the occasional site glitch. Sometimes it's because of Betterfox. Other times, it's Firefox itself or ad block filters not getting along with the page.