Mozilla Firefox is hands down the best web browser when it comes to privacy and security; It is fast, secure, open source, and is backed by the Mozilla Foundation, an organization dedicated to keeping the internet a public resource that is open and accessible to us all.
Firefox runs on the Gecko engine, unlike Google’s Blink engine that powers most of the browsers including, Google Chrome, Brave, Microsoft Edge, etc., using the Firefox browser, helps keeping the internet more open.
The developer edition of Firefox is so much better, especially for debugging CSS, all Firefox browsers get regular updates, and they also have privacy-focussed editions for phones.
Firefox is almost perfect right out of the box, and comes with most of the settings tweaked to protect your privacy. But where it shines is its customizability—the Tor Browser is actually a highly modified version of Firefox designed to run on Tor network.
This guide on Firefox privacy will cover all the privacy and security tweaks and recommendations. But first, let’s discuss a few things that you should keep in mind before tweaking the defaults.
Before tweaking any settings or installing an add-on, you should consider how it’s going to affect the browser’s fingerprint, as this may render some of those privacy measures ineffective.
Every time you visit a web page, your web browser voluntarily sends information about its configuration like OS, browser type, available fonts, screen resolution, add-ons, and a lot more to the web server.
This is done partly because the website or the web app needs to know things like the resolution of your screen, time zones, etc. to adapt the website accordingly.
The problem occurs when the combination of these data points is unique, it can facilitate identification and tracking of users online, without the use of any traditional tracking tools like cookies.
The weird, ironic aspect of taking privacy measures like installing add-ons or tweaking settings is that the more measures you take to avoid tracking, the easier it would be to track you online.
This is why it’s recommended that to install or modify anything on the Tor Browser, hence making every single Tor browser instance indistinguishable from the other.
More is not always better. You don’t need to use every add-on and tweak I am recommending here.
You can check how unique your browser’s fingerprint is using Cover Your Tracks (formerly Panopticlick). Don’t stress much about the numbers, our guide explains fingerprinting and its prevention in details.
Compartmentalization is the key to taking back control of your online identity; it’s all about making sure that two different swaths of personal data cannot be linked together.
One way of accomplishing just that is using different browsers for different scenarios, like using different separate browsers for banking, social media, work, and casual browsing.
You can use the Firefox Multi-Account Container add-on, which helps create separate containers for cookies and other site data, allowing you to use the web with multiple identities or accounts simultaneously in just one Firefox browser.
I couldn’t find any similar add-on for Chromium-based web browsers, you could try using different profiles.
Our guide on the art of compartmentalization explains how you can implement it to an even greater extent.
With these two things out of the way, let’s first get into the basic Firefox privacy settings you can make.
Firefox Privacy Settings
These are basic, easy-to-configure tweaks, which when combined with the recommended add-ons explained in later sections will put you ahead of most people when it comes to privacy and security online.
To configure these settings, just open the Settings / Options / Preferences page from the menu, or, go to this URL:
Change Your Default Search Engine
Firefox by default uses Google Search, you should consider switching to a more privacy-respecting search engine.
Just go to Menu > Settings > Search > Default Search Engine
Switch to DuckDuckGo, or pick from any of these privacy-respecting search engines.
You can add more search engines to Firefox by opening the search engine’s homepage that offers an OpenSearch search engine, and you’ll get the option to add it from the address bar context menu.
Firefox also has a tutorial on adding and removing search engines.
Enable Enhanced Tracking Protection
Mozilla Firefox comes with a built-in tracking content blocking feature that helps you block all kinds of tackers and malicious scripts:
- Social media trackers
- Cross-site cookies in all windows (includes tracking cookies)
- Tracking content in all windows
The Enhanced Tracking Protection uses a list of known trackers provided by Disconnect, and comes enabled by default, but is set to Standard.
Cloak it up to Strict by going to Menu > Settings > Privacy & Security > Browser Privacy > Enhanced Tracking Protection and selecting the Strict option.
Firefox warns that Strict mode can “cause some websites to break”.
However, most of the websites work just fine, you can always just switch back to the default Standard option or disable it on certain sites if you are experiencing issues.
Disable Content Blocking on Sites
You can disable the content blocking feature on certain sites if they aren’t working properly.
To disable content blocking, click on the shield icon to the left of the address bar and flip the switch next to Enhanced Tracking Protection.
Do note that disabling Enhanced Tracking will allow trackers and cookies on that site, so you will have to consider that’s something you are willing to do on, on a site-by-site basis.
Enable DNS over HTTPS
DNS or the Domain Name System is how your browser converts domain names like techcorpus.com to IP addresses like 18.104.22.168
Your browser needs to do so because it doesn’t really understand URL’s like techcorpus.com, instead can only make connections to IP addresses.
By default, your computer, and the web browser, uses your ISP or Internet Service Provider’s DNS Resolver to find the IP address of the websites you type in the URL section.
The problem is, most of these default DNS Resolvers provided by your ISP make unencrypted connections, which can facilitate logging and censorship of the websites you visit.
A privacy-respecting encrypted DNS resolver that uses DNS over HTTPS or DNS over TLS can help resolve this issue.
To enable DNS over HTTPS, go to Menu > Settings > General > Network Settings. There’ll be an option in the bottom, Enable DNS over HTTPS.
You can choose Cloudflare or any of these privacy-respecting encrypted DNS resolvers.
Update: Firefox now by default enables DNS over HTTPS via Cloudflare for the users in the US, and will most probably roll out to other countries in the future.
Nevertheless, you can switch to a different DNS resolver in the Network Settings panel.
Using DNS over HTTPS does add some privacy protection from your ISP, but you’re basically shifting that Trust from your ISP to the DNS over HTTPS (DoH) resolver provider.
Another thing that must be noted is that even when you’re using an encrypted DoH resolver, your ISP can still see what domains you are connecting to, by looking at SNI fields and OCSP connections, which are usually not encrypted.
Until, there is industry-wide support for Encrypted SNI (ESNI), OCSP Stapling, and DNSSEC, where there has been a lot of progress recently, DoH won’t provide you with perfect privacy.
Our guide on DNS explainer goes in much more detail about it.
Enable HTTPS-Only Mode
HTTPS provides a secure, encrypted connection between Firefox and the websites you visit. Most websites support HTTPS, and if HTTPS-Only Mode is enabled, then Firefox will upgrade all connections to HTTPS.
Enable HTTPS-Only Mode via Menu > Settings > Privacy & Security > HTTPS-Only Mode > Enable HTTPS-Only Mode in all windows.
Disable Telemetry & Data Collection
Firefox, by default, is configured to send “technical and interaction data” as well as “backlogged crash reports” to Mozilla, and can also install and run studies on your Firefox browser.
While Mozilla is one of the most privacy-respecting organizations, we are here all about sending as little data as possible.
I recommend disabling all of these settings, you can always choose to send crash reports manually.
To disable Telemetry & Data Collection, go to Menu > Settings > Privacy & Security > Firefox Data Collection and Use and untick all of them.
Disable Save to Pocket feature
Firefox Pocket is an app as well as a built-in Firefox functionality, which allows you to save blogs, web pages, videos, and access it across all your devices for offline reading.
It’s a pretty nifty feature if you are into it, however, the server-side code isn’t open source yet.
You can remove the Pocket button from the Firefox toolbar by right-clicking on the pocket button and selecting “Remove from Toolbar”
I have explained disabling it completely from Firefox in the later section, Pocket also has a guide on disabling pocket from Firefox.
Enable Clearing Cookies & Site Data
This setting is not for everyone, as clearing cookies will log you out of most of the websites.
However, it can come really handy if you want to have a fresh start every time you reopen the Firefox.
To enable, go to Menu > Settings > Privacy & Security > Cookies and Site Data and select the Delete cookies and site data when Firefox is closed option.
You can retain data of certain websites by adding it to exceptions by clicking on Manage Exceptions.
The “Do Not Track” Request
Firefox provides an option to request websites to not track you via the infamous “Do Not Track” request.
However, Its usefulness has come into question as most of the websites will just ignore these requests, and it can also facilitate fingerprinting of your browser as it is not something that’s enabled by default.
I recommend against turning on “Do Not Track” request feature, which can be found in Browser Privacy section of the settings menu.
Firefox about:config Settings
Apart from the general menu settings that you have tweaked above, there are a number of “under the hood” settings that can be accessed via the configuration editor.
To access the configuration editor page on your Firefox, go to this URL:
You will be prompted with a warning screen, “Proceed with Caution” prompt, just click Accept the Risk and Continue button.
Click on the Show All button to view all the options, or just search the ones you want to change via the search bar, do note that preference names are case-sensitive, but search terms are not.
Modifying Preferences in about:config
You can modify preferences by just double-clicking the preference name. There are two ways to change preference: Boolean (True-False) and String (Text).
For Boolean: Just Click the Toggle button or Double-Click the Preference Name.
For String: Just Click on Edit button or Double-Click the Preference Name and enter a New Value.
Click on the Checkmark to save the changes.
To reset a Preference to its Default Value, Click on the Reset Button.
To remove an Added Preference, Click on Delete Button.
You can also add own preferences.
Alright, here are the recommended changes, sorted according to their sections:
Privacy & Security
media.peerconnection.enabled = false
WebRTC or Web Real-Time Communication is a free, open source project that enables web browsers with real-time communication.
However, there is a flaw in this communication protocol which makes browsers that support WebRTC, expose your actual IP Address even when you are using a VPN.
However, it’s recommended that you block WebRTC unless you use browser-based call functionality, used in web apps like Google Meet, Jitsi, Microsoft Teams, etc.
If you want to disable all WebRTC Settings:
- media.peerconnection.enabled = false
- media.peerconnection.turn.disable = true
- media.peerconnection.use_document_iceservers = false
- media.peerconnection.video.enabled = false
- media.peerconnection.identity.timeout = 1
Note: Disabling WebRTC will stop call functionality in audio-video chat apps, like Google Meet, Microsoft Teams, Jitsi, Discord, etc. on your Firefox Browser.
privacy.firstparty.isolate = true
First-Party Isolation is a result of the Tor Uplift Project, it isolates all browser identifier sources like cookies to the first party domain, with the goal of preventing tracking across different domains.
It also helps isolate cache, HTTP Authentication, DOM Storage, auto-form fill, favicons, and much more.
privacy.resistFingerprinting = true
Another feature that is a part of Tor Uplift Project, that makes Firefox more resistant to browser fingerprinting.
privacy.trackingprotection.fingerprinting.enabled = true
Blocks fingerprinting in Firefox 67+
privacy.trackingprotection.cryptomining.enabled = true
Blocks cryptomining in Firefox 67+
privacy.trackingprotection.enabled = true
Mozilla’s new built-in tracking protection that blocks tracking from things like Google Analytics on privileged pages where add-ons that usually can block are disabled.
beacon.enabled = false
Blocks sending of data to servers when leaving pages.
geo.enabled = false
Disables geolocation feature that uses Google Location Services to get your location from your IP address.
webgl.disabled = true
browser.send_pings = false
Disables click tracking on websites.
browser.cache.offline.enable = false
Disables offline cache, It may lead to less performance but better privacy.
browser.urlbar.speculativeConnect.enabled = false
Disables preloading of autocomplete URLs in the address bar, which is a concern if the suggested URLs are of websites that you don’t want to connect to.
browser.safebrowsing.downloads.remote.enabled = false
Disables sending of information about downloaded executable files to Google Safe Browsing.
browser.sessionstore.privacy_level = 2
Allows you to control when to store extra information about a session like contents of forms, cookies, POST data, etc.
Set Session Privacy on Firefox using about:config by using one of these values:
- 0 = Stores extra session data for any site.
- 1 = Stores extra session data only for unencrypted (non-HTTPS) sites.
- 2 = Never store extra session data.
extensions.pocket.enabled = false
Disables the Save to Pocket functionality in Firefox
extensions.pocket.onSaveRecs = false
Disables similar story recommendations that appear when I save to Pocket
dom.battery.enabled = false
Disables the ability to track the battery status of your device.
dom.event.clipboardevents.enabled = false
Disables the ability to track if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
media.navigator.enabled = false
Disables tracking of microphone and camera status of your device.
media.eme.enabled = false
Opts you out of CDM playback, uninstalls CDMs and stops all CDM downloads.
media.gmp-widevinecdm.enabled = false
Disables Widevine Content Decryption Module provided by Google that is used for playback on DRM-Controlled HTML5 content.
CDM (or Content Decryption Module) is a mechanism used by DRM (or Digital Rights Management) which enables online video and audio services to enforce that the content they provide is in accordance with their requirements.
Note: You may not be able to play content on some sites that require DRM enabled, if you choose to disable widevine.
network.cookie.cookieBehavior = 1
Disables cookies. You can choose from 0, 1 or 2:
- 0 = Accepts all cookies by default
- 1 = Accepts Only from the originating site (Blocks 3rd-party cookies)
- 2 = Blocks all cookies by default
network.cookie.lifetimePolicy = 2
Deletes cookies at the end of the session, you can choose from 0, 1, 2 or 3. You don’t need to change it here if you have already done in options/preferences.
- 0 = Accepts cookies normally
- 1 = Prompts for each cookie
- 2 = Accepts for current session only
- 3 = Accepts for N days
network.http.referer.trimmingPolicy = 2
Allows you to send only the scheme, host, and port in the Referer header. You can choose from 0, 1 or 2.
- 0 = Sends the full URL in the referer header
- 1 = Sends the URL without its query string in the referer header
- 2 = Sends only the scheme, host, and port in the referer header
network.http.referer.XOriginPolicy = 2
Allows you to send only Referer header when the full hostnames match. You can choose from 0, 1 or 2.
- 0 = Sends Referer in all cases
- 1 = Sends Referer to same eTLD sites
- 2 = Sends Referer only when the full hostnames match
network.http.referer.XOriginTrimmingPolicy = 2
Allow you to send only the scheme, host, and port in the referer header of cross-origin request when sending referer across origins. You can choose from 0, 1 or 2.
- 0 = Sends full URL in referer
- 1 = Sends URL without query string in referer
- 2 = Sends only send scheme, host, and port in referer
network.IDN_show_punycode = true
Disables rendering of IDNs (or Internationalized Domain Names) as their Punycode equivalent which prevents phishing attacks that can be very difficult to notice.
network.security.esni.enabled = true
Enables Encrypted SNI (or Server Name Indication) to make sites that support eSNI a bit more difficult to track.
Disable Firefox Prefetching
- network.dns.disablePrefetch = true
- network.dns.disablePrefetchFromHTTPS = true
- network.predictor.enabled = false
- network.predictor.enable-prefetch = false
- network.prefetch-next = false
Firefox “Safe Browsing”
Safe Browsing provides phishing protection and malware checks to the websites you visit, however, since, it’s a Google service, it used to require sending things like URL, File Hashes to Google.
Newer Firefox browsers take a lot of measures to protect your privacy when providing Safe Browsing as explained by François Marier, a security engineer for Mozilla.
I recommend you keep Safe Browsing enabled on Firefox as it’s a pretty nifty tool and disabling it does not provide tangible privacy benefits.
If you wish to disable Safe Browsing feature, you can do it in about:config section:
- browser.safebrowsing.phishing.enabled = false
- browser.safebrowsing.malware.enabled = false
If something breaks, and you aren’t able to access websites because of the changes you made in about:config section.
You can always either Delete Firefox Preference Files or Refresh Firefox.
Delete Firefox Preference Files
Deleting the Firefox preference file can help remove the changes you have made to your Firefox using the configuration editor.
Firefox has a tutorial on deleting the preference files.
The Refresh feature restores Firefox to its default state while saving your essential information. It will reset preferences and remove other customizations, including added extensions and themes.
You can refresh Firefox by going to Menu > Help > More troubleshooting information > Refresh Firefox or by simply going to this URL:
Firefox’s user.js Template
A user.js is basically a configuration file for Mozilla Firefox that can be used to harden Firefox’s settings all at once.
The Arkenfox project provides a really hardened user.js file for Firefox, some of these options are quite strict, and a few are subjective and may cause some websites to not work properly.
I recommend using the Firefox Profilemaker to create a more personalized user.js template for your needs.
To install the user.js file on your Firefox browser, just copy the user.js file to the current user profile directory, which can be found by going to
about:support, under the
Profile Folder option there’ll be an
Open Folder button.
Firefox Privacy Add-ons
Browser add-ons or extension can be used to customize your web browser, including user interface modifications, ad blocking, cookie management, and so much more, however they also tend to increase your attack surface, and can help facilitate fingerprinting.
Here are some of the best add-ons for Firefox:
- uBlock Origin—an efficient wide-spectrum blocker that is easy on memory, comes with Advanced mode which allows for dynamic filtering similar to NoScript and uMatrix, and has no monetization strategy.
- Decentraleyes—works by emulating a CDN on your device locally, providing an additional layer of tracking protection from CDN providers that a website might be using.
- Cookie AutoDelete—as the name suggests, automatically removes cookies, lingering sessions, and other information that can be used to spy on us when they are no longer used by open browser tabs.
- Privacy Badger—an add-on by EFF that blocks “Invisible Trackers” by analyzing trackers and ads that violate the principle of user consent, seems redundant if used along with uBlock Origin.
- ClearURLs—automatically removes tracking elements from URLs as you browse different websites across the Internet.
- User-Agent Switcher and Manager—lets us spoof your browser’s User-Agent string, making it harder for websites to track us and deliver distinct content.
- Firefox Multi-Account Containers—an add-on by Firefox that lets us keep parts of your online life separated into distinct containers with color-coded tabs.
- NoScript Security Suite—a powerful scripts blocker that uses “ClearClick Technology” to protect us against XSS, cross-zone DNS rebinding / CSRF attacks, and Clickjacking attempts.
I use only uBlock Origin and enable pretty much all filter lists under the “Ads”, “Privacy”, “Malware domains”, “Annoyances” and “Multipurpose”, check what those filter lists do before enabling them.
New Firefox Features
Mozilla Firefox offers a lot of products and features, here are some of these newer Firefox privacy features:
DNS over HTTPS
DNS over HTTPS allows you to use an encrypted DNS resolver, I have already about in the earlier basic Firefox privacy settings section.
It basically encrypts your DNS requests to protect your privacy, you can find it in the Network Settings panel on the General settings page.
HTTPS provides a secure, encrypted connection between Firefox and the websites you visit. Most websites support HTTPS, and enabling it will make Firefox upgrade all connections to HTTPS.
It lets you search for email address in public data breaches going back to 2007, additionally you can sign up for breach monitoring. It’ll also notify you in the Firefox browser if you visit a site that’s been breached.
Firefox Private Network
Firefox Private Network is basically a secure web proxy service that uses a server provided by Cloudflare to route your Firefox internet activity.
It is available as a browser extension, and works by creating an encrypted tunnel aka a proxy between your browser and a network managed by Cloudflare, which collects some data and deletes it permanently after 24 hours.
Firefox Private Network starts from $2.99/month, allows you to connect up to 3 devices, and has no bandwidth restrictions, but it is currently only available for customers in the US.
Mozilla VPN is a full-fledged VPN service, unlike the Firefox Private Network, which is basically a white-labelled version of Mullvad VPN, a highly reputed VPN service provider that uses WireGuard protocol, based in Sweden.
It is available as a standalone app for Windows 10, Mac, Android, iOS, and Linux devices for a flat fee of $4.99/month, for 5 devices, and no bandwidth restrictions, but is currently limited to only a few countries now.
While using Mozilla VPN will help support the Mozilla Foundation, But, I find just using the Mullvad VPN way much better as it is what’s working under the hood, is available for pretty much everyone around the world.
Mullvad VPN doesn’t require any personal data for account sign-up, and has lots of privacy-oriented payment methods.
Firefox Relay is the newest product launched by Mozilla that aims to protect the privacy of your email address by generating an email aliases that will forward all your emails to your real inbox.
It is free and uses Amazon SES, which has a pretty good spam and malware filter. You’ll need a Firefox account and the Firefox Relay add-on to generate email aliases.
Multi-Account Containers is Firefox’s in-house add-on that lets you isolate your work, shopping or personal browsing without having to clear your history, log in and out, or use multiple browsers.
It is free, open source, and is developed by Mozilla, and can help you compartmentalize your online activity easily.
Firefox Lockwise is a simple password manager that lets you access the passwords you’ve saved in Firefox from anywhere, even outside the browser.
It is backed into your Firefox browser under the Passwords section, and uses 256-bit encryption to protect your passwords while syncing.
You can secure your passwords with Face or Touch ID, and it is available for both Android and iOS.
Firefox Pocket is an app as well as a built-in Firefox functionality, which allows you to save a variety of content (such as blogs, web pages, videos) to one place, and access it across all your devices for offline reading.
There is a free version, with apps for both Android & iOS for on-the-go reading, you’ll need to create a free Firefox account.
Firefox Send [Discontinued]
Firefox Send was a free and open-source end-to-end encrypted file sharing service by Mozilla It had a file size limit of 2.5 GB, and was available on the Web and Android.
That’s all folks!
I will be updating this page frequently with more Firefox tools and information.