Mozilla Firefox Privacy: The Comprehensive Guide

Mozilla Firefox is hands down the best web browser when it comes to privacy and security. It is fast, secure, open source, and is backed by the Mozilla Foundation, an organization dedicated to keeping the internet a public resource that is open and accessible to us all.

Firefox runs on the Gecko engine, unlike most other browsers, including Google Chrome, Brave, and Microsoft Edge, which are powered by Google’s Blink engine. Using the Firefox browser helps keep the internet more open.

The Developer Edition of Firefox is so much better, especially for debugging CSS. All Firefox browsers get regular updates, and there are also privacy-focussed editions for phones.

Firefox is almost perfect right out of the box, and comes with most of the settings tweaked to protect your privacy. But where it shines is its customizability—the Tor Browser is actually a highly modified version of Firefox designed to run on Tor network.

This guide on Firefox privacy will cover all the privacy and security tweaks and recommendations. But first, let’s discuss a few things that you should keep in mind before tweaking the defaults.

Browser Fingerprinting

Before tweaking any settings or installing an add-on, you should consider how it’s going to affect the browser’s fingerprint, as this may render some of those privacy measures ineffective.

Every time you visit a web page, your web browser voluntarily sends information about its configuration like OS, browser type, available fonts, screen resolution, add-ons, and a lot more to the web server.

You can go visit DeviceInfo.me & BrowserLeaks.com to see what data your browser is sending.

This is done partly because the website or the web app needs to know things like the resolution of your screen, time zones, etc. to adapt the website accordingly.

The problem occurs when the combination of these data points is unique: it can then facilitate identification and tracking of users online, without the use of any traditional tracking tools like cookies.

The weird, ironic aspect of taking privacy measures like installing add-ons or tweaking settings is that the more measures you take to avoid tracking, the easier it would be to track you online.

This is why it’s recommended not to install or modify anything on the Tor Browser, which keeps every single Tor Browser instance indistinguishable from the others.

More is not always better. You don’t need to use every add-on and tweak I am recommending here.

You can check how unique your browser’s fingerprint is using Cover Your Tracks (formerly Panopticlick). Don’t stress much about the numbers; our guide explains fingerprinting and its prevention in detail.

Browser Compartmentalization

Compartmentalization is the key to taking back control of your online identity; it’s all about making sure that two different swaths of personal data cannot be linked together.

One way of accomplishing just that is using different browsers for different scenarios, like using separate browsers for banking, social media, work, and casual browsing.

You can use the Firefox Multi-Account Container add-on, which helps create separate containers for cookies and other site data, allowing you to use the web with multiple identities or accounts simultaneously in just one Firefox browser.

I couldn’t find any similar add-on for Chromium-based web browsers; you could try using different profiles.

Our guide on the art of compartmentalization explains how you can implement it to an even greater extent.

With these two things out of the way, let’s first get into the basic Firefox privacy settings you can make.

Firefox Privacy Settings

These are basic, easy-to-configure tweaks, which when combined with the recommended add-ons explained in later sections will put you ahead of most people when it comes to privacy and security online.

To configure these settings, just open the Settings / Options / Preferences page from the menu, or go to this URL:

about:preferences

Change Your Default Search Engine

Firefox uses Google Search by default; you should consider switching to a more privacy-respecting search engine.

Just go to Menu > Settings > Search > Default Search Engine

Switch to DuckDuckGo, or pick from any of these privacy-respecting search engines.

You can add more search engines to Firefox by opening the search engine’s homepage that offers an OpenSearch search engine, and you’ll get the option to add it from the address bar context menu.

Firefox also has a tutorial on adding and removing search engines.

Enable Enhanced Tracking Protection

Mozilla Firefox comes with a built-in tracking content blocking feature that helps you block all kinds of trackers and malicious scripts:

  • Social media trackers
  • Cross-site cookies in all windows (includes tracking cookies)
  • Tracking content in all windows
  • Cryptominers
  • Fingerprinters

The Enhanced Tracking Protection uses a list of known trackers provided by Disconnect, and comes enabled by default, but is set to Standard.

Cloak it up to Strict by going to Menu > Settings > Privacy & Security > Browser Privacy > Enhanced Tracking Protection and selecting the Strict option.

Firefox warns that Strict mode can “cause some websites to break”.

However, most websites work just fine, and you can always switch back to the default Standard option or disable it on certain sites if you are experiencing issues.

Disable Content Blocking on Sites

You can disable the content blocking feature on certain sites if they aren’t working properly.

To disable content blocking, click on the shield icon to the left of the address bar and flip the switch next to Enhanced Tracking Protection.

Do note that disabling Enhanced Tracking Protection will allow trackers and cookies on that site, so you will have to consider whether that’s something you are willing to do, on a site-by-site basis.

Enable DNS over HTTPS

DNS or the Domain Name System is how your browser converts domain names like techcorpus.com to IP addresses like 123.45.67.89.

Your browser needs to do so because it doesn’t really understand names like techcorpus.com; it can only make connections to IP addresses.

By default, your computer, and the web browser, uses your ISP or Internet Service Provider’s DNS Resolver to find the IP address of the websites you type in the URL section.

The problem is, most of these default DNS Resolvers provided by your ISP make unencrypted connections, which can facilitate logging and censorship of the websites you visit.

A privacy-respecting encrypted DNS resolver that uses DNS over HTTPS or DNS over TLS can help resolve this issue.

To enable DNS over HTTPS, go to Menu > Settings > General > Network Settings. There’ll be an option at the bottom, Enable DNS over HTTPS.

You can choose Cloudflare or any of these privacy-respecting encrypted DNS resolvers.

Update: Firefox now by default enables DNS over HTTPS via Cloudflare for the users in the US, and will most probably roll out to other countries in the future.

Nevertheless, you can switch to a different DNS resolver in the Network Settings panel.

Using DNS over HTTPS does add some privacy protection from your ISP, but you’re basically shifting that trust from your ISP to the DNS over HTTPS (DoH) resolver provider.

Another thing that must be noted is that even when you’re using an encrypted DoH resolver, your ISP can still see what domains you are connecting to, by looking at SNI fields and OCSP connections, which are usually not encrypted.

Until there is industry-wide support for Encrypted SNI (ESNI), OCSP Stapling, and DNSSEC, areas where there has been a lot of progress recently, DoH won’t provide you with perfect privacy.

Our DNS explainer guide goes into much more detail about it.

Enable HTTPS-Only Mode

HTTPS provides a secure, encrypted connection between Firefox and the websites you visit. Most websites support HTTPS, and if HTTPS-Only Mode is enabled, then Firefox will upgrade all connections to HTTPS.

Enable HTTPS-Only Mode via Menu > Settings > Privacy & Security > HTTPS-Only Mode > Enable HTTPS-Only Mode in all windows.

Disable Telemetry & Data Collection

Firefox, by default, is configured to send “technical and interaction data” as well as “backlogged crash reports” to Mozilla, and can also install and run studies on your Firefox browser.

While Mozilla is one of the most privacy-respecting organizations, here we are all about sending as little data as possible.

I recommend disabling all of these settings; you can always choose to send crash reports manually.

To disable Telemetry & Data Collection, go to Menu > Settings > Privacy & Security > Firefox Data Collection and Use and untick all of them.

Disable Save to Pocket feature

Firefox Pocket is an app as well as a built-in Firefox functionality, which allows you to save blogs, web pages, and videos, and access them across all your devices for offline reading.

It’s a pretty nifty feature if you are into it; however, the server-side code isn’t open source yet.

You can remove the Pocket button from the Firefox toolbar by right-clicking on the Pocket button and selecting “Remove from Toolbar”.

I have explained how to disable it completely in a later section, and Pocket also has a guide on disabling Pocket in Firefox.

Enable Clearing Cookies & Site Data

This setting is not for everyone, as clearing cookies will log you out of most of the websites.

However, it can come in really handy if you want to have a fresh start every time you reopen Firefox.

To enable, go to Menu > Settings > Privacy & Security > Cookies and Site Data and select the Delete cookies and site data when Firefox is closed option.

You can retain data of certain websites by adding it to exceptions by clicking on Manage Exceptions.

The “Do Not Track” Request

Firefox provides an option to request websites to not track you via the infamous “Do Not Track” request.

However, its usefulness has come into question, as most websites will just ignore these requests, and it can also facilitate fingerprinting of your browser as it is not something that’s enabled by default.

I recommend against turning on the “Do Not Track” request feature, which can be found in the Browser Privacy section of the settings menu.

Firefox about:config Settings

Apart from the general menu settings that you have tweaked above, there are a number of “under the hood” settings that can be accessed via the configuration editor.

To access the configuration editor page on your Firefox, go to this URL:

about:config

You will be prompted with a “Proceed with Caution” warning screen; just click the Accept the Risk and Continue button.

Click on the Show All button to view all the options, or just search for the ones you want to change via the search bar. Do note that preference names are case-sensitive, but search terms are not.

Modifying Preferences in about:config

You can modify preferences by just double-clicking the preference name. There are two kinds of preference to change: Boolean (True-False) and String (Text).

For Boolean: just click the Toggle button or double-click the preference name.

For String: just click on the Edit button or double-click the preference name and enter a new value.

Click on the Checkmark to save the changes.

To reset a preference to its default value, click on the Reset button.

To remove an added preference, click on the Delete button.

You can also add your own preferences.

Alright, here are the recommended changes, sorted according to their sections:

Privacy & Security

media.peerconnection.enabled = false

WebRTC or Web Real-Time Communication is a free, open source project that enables web browsers with real-time communication.

However, there is a flaw in this communication protocol which makes browsers that support WebRTC expose your actual IP address even when you are using a VPN.

Software like NoScript Security Suite and uBlock Origin can help prevent this leak.

However, it’s recommended that you block WebRTC unless you use browser-based call functionality, used in web apps like Google Meet, Jitsi, Microsoft Teams, etc.

If you want to disable all WebRTC Settings:

  • media.peerconnection.enabled = false
  • media.peerconnection.turn.disable = true
  • media.peerconnection.use_document_iceservers = false
  • media.peerconnection.video.enabled = false
  • media.peerconnection.identity.timeout = 1

Note: Disabling WebRTC will stop call functionality in audio-video chat apps, like Google Meet, Microsoft Teams, Jitsi, Discord, etc. on your Firefox Browser.

privacy.firstparty.isolate = true

First-Party Isolation is a result of the Tor Uplift Project. It isolates all browser identifier sources like cookies to the first-party domain, with the goal of preventing tracking across different domains.

It also helps isolate cache, HTTP Authentication, DOM Storage, auto-form fill, favicons, and much more.

privacy.resistFingerprinting = true

Another feature that is part of the Tor Uplift Project; it makes Firefox more resistant to browser fingerprinting.

privacy.trackingprotection.fingerprinting.enabled = true

Blocks fingerprinting in Firefox 67+

privacy.trackingprotection.cryptomining.enabled = true

Blocks cryptomining in Firefox 67+

privacy.trackingprotection.enabled = true

Enables Mozilla’s new built-in tracking protection, which blocks tracking from things like Google Analytics, including on privileged pages where the add-ons that can usually block them are disabled.

beacon.enabled = false

Blocks sending of data to servers when leaving pages.

geo.enabled = false

Disables geolocation feature that uses Google Location Services to get your location from your IP address.

webgl.disabled = true

Disables WebGL (or Web-based Graphics Library) — a JavaScript API used by websites to access your video card to render interactive 2D and 3D-graphics within the browser without any plugins.

Browser

browser.send_pings = false

Disables click tracking on websites.

browser.cache.offline.enable = false

Disables the offline cache. It may lead to lower performance but better privacy.

browser.urlbar.speculativeConnect.enabled = false

Disables preloading of autocomplete URLs in the address bar, which is a concern if the suggested URLs are of websites that you don’t want to connect to.

browser.safebrowsing.downloads.remote.enabled = false

Disables sending of information about downloaded executable files to Google Safe Browsing.

browser.sessionstore.privacy_level = 2

Allows you to control when to store extra information about a session like contents of forms, cookies, POST data, etc.

Set Session Privacy on Firefox using about:config by using one of these values:

  • 0 = Stores extra session data for any site.
  • 1 = Stores extra session data only for unencrypted (non-HTTPS) sites.
  • 2 = Never store extra session data.

extensions.pocket.enabled = false

Disables the Save to Pocket functionality in Firefox.

extensions.pocket.onSaveRecs = false

Disables the similar story recommendations that appear when you save to Pocket.

DOM

dom.battery.enabled = false

Disables the ability to track the battery status of your device.

dom.event.clipboardevents.enabled = false

Disables websites’ ability to track whether you copy, paste, or cut something from a web page, and to learn which part of the page had been selected.

Media

media.navigator.enabled = false

Disables tracking of microphone and camera status of your device.

media.eme.enabled = false

Opts you out of CDM playback, uninstalls CDMs and stops all CDM downloads.

media.gmp-widevinecdm.enabled = false

Disables Widevine Content Decryption Module provided by Google that is used for playback on DRM-Controlled HTML5 content.

CDM (or Content Decryption Module) is a mechanism used by DRM (or Digital Rights Management) which enables online video and audio services to enforce that the content they provide is in accordance with their requirements.

Note: If you choose to disable Widevine, you may not be able to play content on some sites that require DRM to be enabled.

Network

Disables cookies. You can choose from 0, 1 or 2:

  • 0 = Accepts all cookies by default
  • 1 = Accepts Only from the originating site (Blocks 3rd-party cookies)
  • 2 = Blocks all cookies by default

Deletes cookies at the end of the session. You can choose from 0, 1, 2 or 3. You don’t need to change it here if you have already done so in options/preferences.

  • 0 = Accepts cookies normally
  • 1 = Prompts for each cookie
  • 2 = Accepts for current session only
  • 3 = Accepts for N days

network.http.referer.trimmingPolicy = 2

Allows you to send only the scheme, host, and port in the Referer header. You can choose from 0, 1 or 2.

  • 0 = Sends the full URL in the referer header
  • 1 = Sends the URL without its query string in the referer header
  • 2 = Sends only the scheme, host, and port in the referer header

network.http.referer.XOriginPolicy = 2

Allows you to send the Referer header only when the full hostnames match. You can choose from 0, 1 or 2.

  • 0 = Sends Referer in all cases
  • 1 = Sends Referer to same eTLD sites
  • 2 = Sends Referer only when the full hostnames match

network.http.referer.XOriginTrimmingPolicy = 2

Allows you to send only the scheme, host, and port in the Referer header of cross-origin requests. You can choose from 0, 1 or 2.

  • 0 = Sends full URL in referer
  • 1 = Sends URL without query string in referer
  • 2 = Sends only scheme, host, and port in referer
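The combined effect of the three Referer preferences above, as an added example that is not part of the original guide or of Firefox's code. It models only these three preferences and ignores any Referrer-Policy set by the page; `refererFor`, `baseDomain` and the URLs are hypothetical names and constructed samples. It assumes the stricter of the two trimming values applies to cross-origin requests, and approximates "same eTLD" by comparing the last two hostname labels.

```javascript
// Added example: simplified model of network.http.referer.* (not Firefox source code).

// Constructed sample: a page URL that carries sensitive data in its query string.
const PAGE = 'https://shop.example.com/cart?user=alice&token=abc#pay';

const BROWSER_DEFAULTS = { trimmingPolicy: 0, XOriginPolicy: 0, XOriginTrimmingPolicy: 0 };
const GUIDE_VALUES = { trimmingPolicy: 2, XOriginPolicy: 2, XOriginTrimmingPolicy: 2 };

// Assumption: base domain = last two labels. Firefox consults the Public Suffix
// List instead, so this shortcut is wrong for suffixes such as co.uk.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Apply a trimming level (0, 1 or 2) to the referring URL.
function trim(url, level) {
  if (level === 2) return `${url.origin}/`;               // scheme, host, port
  if (level === 1) return `${url.origin}${url.pathname}`; // no query string
  return `${url.origin}${url.pathname}${url.search}`;     // full URL, no fragment
}

// Returns the Referer value sent for a request from fromUrl to toUrl,
// or null when no Referer header is sent at all.
function refererFor(fromUrl, toUrl, prefs) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // XOriginPolicy decides whether a Referer is sent at all.
  if (prefs.XOriginPolicy === 2 && from.hostname !== to.hostname) return null;
  if (prefs.XOriginPolicy === 1 &&
      baseDomain(from.hostname) !== baseDomain(to.hostname)) return null;

  // Assumption: across origins, the stricter of the two trimming values wins.
  const crossOrigin = from.origin !== to.origin;
  const level = crossOrigin
    ? Math.max(prefs.trimmingPolicy, prefs.XOriginTrimmingPolicy)
    : prefs.trimmingPolicy;
  return trim(from, level);
}

// Side-by-side view of what each destination learns under two configurations.
function compare(fromUrl, destinations) {
  return destinations.map(to => ({
    to,
    defaults: refererFor(fromUrl, to, BROWSER_DEFAULTS),
    guide: refererFor(fromUrl, to, GUIDE_VALUES),
  }));
}

console.table(compare(PAGE, [
  'https://shop.example.com/checkout',    // same host
  'https://cdn.example.com/lib.js',       // same base domain, different host
  'https://tracker.example.net/pixel.gif' // unrelated third party
]));
```

With all three values set to 2, the third-party and sibling-subdomain requests carry no Referer at all, and same-host requests carry only `https://shop.example.com/`.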

network.IDN_show_punycode = true

Displays IDNs (or Internationalized Domain Names) as their Punycode equivalent, which helps prevent phishing attacks that can be very difficult to notice.
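Why the Punycode form matters, as an added example that is not part of the original guide: a lookalike hostname is indistinguishable on screen in its Unicode form but obviously different in its Punycode form. The hostnames, the allowlist and the small confusables table are constructed for illustration, and `addressBarHost` is a simplified model of the preference rather than Firefox's actual display logic.

```javascript
// Added example: spotting an IDN lookalike by its Punycode form (not Firefox code).

// Constructed sample: the first label is four Cyrillic letters
// (U+0441 U+043E U+0441 U+043E) that most fonts draw exactly like Latin "coco".
const LOOKALIKE = '\u0441\u043e\u0441\u043e.example';

// Hypothetical allowlist of hostnames the user actually deals with.
const KNOWN_HOSTS = ['coco.example', 'mail.example'];

// Small constructed subset of Cyrillic letters that are confusable with Latin ones.
const CONFUSABLE = new Map([
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043e', 'o'], ['\u0440', 'p'],
  ['\u0441', 'c'], ['\u0445', 'x'], ['\u0443', 'y'], ['\u0456', 'i'],
]);

// ASCII (Punycode) form of a hostname, as produced by the WHATWG URL parser.
function toPunycode(hostname) {
  return new URL(`https://${hostname}/`).hostname;
}

// Simplified model of the address bar: with the preference on, the user sees
// the Punycode form; with it off, the Unicode form.
function addressBarHost(hostname, showPunycode) {
  return showPunycode ? toPunycode(hostname) : hostname.toLowerCase();
}

// Map confusable characters to Latin to approximate what the eye reads.
function skeleton(hostname) {
  return Array.from(hostname.toLowerCase(), ch => CONFUSABLE.get(ch) ?? ch).join('');
}

// Flag a hostname that reads like a known host but is a different name on the wire.
function checkHost(hostname, knownHosts = KNOWN_HOSTS) {
  const ascii = toPunycode(hostname);
  const isIdn = ascii.split('.').some(label => label.startsWith('xn--'));
  const imitates =
    knownHosts.find(known => skeleton(hostname) === known && ascii !== known) ?? null;
  return { ascii, isIdn, imitates };
}

for (const host of [LOOKALIKE, 'coco.example']) {
  const result = checkHost(host);
  console.log(
    `unicode: ${addressBarHost(host, false)}  punycode: ${addressBarHost(host, true)}`,
    result.imitates ? `-> imitates ${result.imitates}` : '-> ok'
  );
}
```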

network.security.esni.enabled = true

Enables Encrypted SNI (or Server Name Indication) to make sites that support eSNI a bit more difficult to track.

Disable Firefox Prefetching

Firefox prefetches pages it thinks you will visit next, which causes cookies from the prefetched site to be loaded.

  • network.dns.disablePrefetch = true
  • network.dns.disablePrefetchFromHTTPS = true
  • network.predictor.enabled = false
  • network.predictor.enable-prefetch = false
  • network.prefetch-next = false

Firefox “Safe Browsing”

Safe Browsing provides phishing protection and malware checks for the websites you visit. However, since it’s a Google service, it used to require sending things like URLs and file hashes to Google.

Newer Firefox browsers take a lot of measures to protect your privacy when providing Safe Browsing as explained by François Marier, a security engineer for Mozilla.

I recommend you keep Safe Browsing enabled on Firefox, as it’s a pretty nifty tool and disabling it does not provide tangible privacy benefits.

If you wish to disable the Safe Browsing feature, you can do it in the about:config section:

  • browser.safebrowsing.phishing.enabled = false
  • browser.safebrowsing.malware.enabled = false

Resolving Issues

If something breaks and you aren’t able to access websites because of the changes you made in the about:config section, you can always either delete the Firefox preference files or refresh Firefox.

Delete Firefox Preference Files

Deleting the Firefox preference file can help remove the changes you have made to your Firefox using the configuration editor.

Firefox has a tutorial on deleting the preference files.

Refresh Firefox

The Refresh feature restores Firefox to its default state while saving your essential information. It will reset preferences and remove other customizations, including added extensions and themes.

You can refresh Firefox by going to Menu > Help > More troubleshooting information > Refresh Firefox or by simply going to this URL:

about:support

Firefox’s user.js Template

A user.js is basically a configuration file for Mozilla Firefox that can be used to harden Firefox’s settings all at once.

The Arkenfox project provides a really hardened user.js file for Firefox. Some of these options are quite strict, and a few are subjective and may cause some websites to not work properly.

You can easily change these settings to suit your needs. Arkenfox also enables container support, and we strongly recommend reading through their wiki.

I recommend using the Firefox Profilemaker to create a more personalized user.js template for your needs.

To install the user.js file on your Firefox browser, just copy it to the current user profile directory. You can find that directory by going to about:support, where there is an Open Folder button under the Profile Folder option.
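To check that a profile actually carries the values recommended in this guide, the profile's prefs.js or user.js can be parsed and compared against a baseline. The script below is an added example, not code from Arkenfox, Firefox Profilemaker or Mozilla; the baseline is a subset of the preferences listed above, and the sample file content is constructed.

```javascript
// Added example: audit a Firefox prefs file against this guide's recommendations.

// Subset of the about:config values recommended in this guide.
const RECOMMENDED = {
  'media.peerconnection.enabled': false,
  'privacy.firstparty.isolate': true,
  'privacy.resistFingerprinting': true,
  'beacon.enabled': false,
  'geo.enabled': false,
  'webgl.disabled': true,
  'browser.send_pings': false,
  'browser.sessionstore.privacy_level': 2,
  'network.http.referer.XOriginPolicy': 2,
  'network.IDN_show_punycode': true,
  'network.prefetch-next': false,
};

// Constructed sample of a profile's prefs.js / user.js content.
const SAMPLE_PREFS = `
// Mozilla User Preferences (constructed sample)
user_pref("browser.send_pings", false);
user_pref("geo.enabled", true);
// user_pref("webgl.disabled", true);
user_pref("browser.sessionstore.privacy_level", 0);
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.startup.homepage", "https://example.invalid/start");
`;

// Render a baseline in user.js syntax: one user_pref("name", value); per line.
function toUserJs(prefs) {
  return Object.entries(prefs)
    .map(([name, value]) => `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`)
    .join('\n') + '\n';
}

// Parse user_pref() calls that start a line. Lines commented out with // are
// skipped, and a later assignment overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) {
    prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// Compare a prefs file with the baseline and list every preference that differs.
// "unset" means the file carries no user value, so Firefox's default applies.
function audit(text, baseline = RECOMMENDED) {
  const actual = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(baseline)) {
    if (!actual.has(name)) {
      findings.push({ name, status: 'unset', want });
    } else if (actual.get(name) !== want) {
      findings.push({ name, status: 'mismatch', want, got: actual.get(name) });
    }
  }
  return findings;
}

for (const f of audit(SAMPLE_PREFS)) {
  const got = 'got' in f ? `, got ${f.got}` : '';
  console.log(`${f.status.padEnd(8)} ${f.name} (want ${f.want}${got})`);
}
```

`toUserJs(RECOMMENDED)` produces the same baseline in user.js syntax, ready to be reviewed and copied into the profile directory.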

Firefox Privacy Add-ons

Browser add-ons or extensions can be used to customize your web browser, including user interface modifications, ad blocking, cookie management, and so much more. However, they also tend to increase your attack surface, and can help facilitate fingerprinting.

Here are some of the best add-ons for Firefox:

  • uBlock Origin—an efficient wide-spectrum blocker that is easy on memory, comes with Advanced mode which allows for dynamic filtering similar to NoScript and uMatrix, and has no monetization strategy.
  • Decentraleyes—works by emulating a CDN on your device locally, providing an additional layer of tracking protection from CDN providers that a website might be using.
  • Cookie AutoDelete—as the name suggests, automatically removes cookies, lingering sessions, and other information that can be used to spy on us when they are no longer used by open browser tabs.
  • Privacy Badger—an add-on by EFF that blocks “Invisible Trackers” by analyzing trackers and ads that violate the principle of user consent; it seems redundant if used along with uBlock Origin.
  • ClearURLs—automatically removes tracking elements from URLs as you browse different websites across the Internet.
  • User-Agent Switcher and Manager—lets you spoof your browser’s User-Agent string, making it harder for websites to track you and deliver distinct content.
  • Firefox Multi-Account Containers—an add-on by Firefox that lets you keep parts of your online life separated into distinct containers with color-coded tabs.
  • NoScript Security Suite—a powerful scripts blocker that uses “ClearClick Technology” to protect us against XSS, cross-zone DNS rebinding / CSRF attacks, and Clickjacking attempts.

I use only uBlock Origin and enable pretty much all filter lists under “Ads”, “Privacy”, “Malware domains”, “Annoyances” and “Multipurpose”. Check what those filter lists do before enabling them.

I recommend keeping extensions to a minimum, as they have privileged access within your browser, can make you stand out, and can weaken site isolation.

New Firefox Features

Mozilla Firefox offers a lot of products and features. Here are some of the newer Firefox privacy features:

DNS over HTTPS

DNS over HTTPS allows you to use an encrypted DNS resolver; I have already covered it in the earlier basic Firefox privacy settings section.

It basically encrypts your DNS requests to protect your privacy. You can find it in the Network Settings panel on the General settings page.

HTTPS-Only Mode

HTTPS provides a secure, encrypted connection between Firefox and the websites you visit. Most websites support HTTPS, and enabling it will make Firefox upgrade all connections to HTTPS.

Firefox Monitor

Firefox Monitor warns you if your email address has been exposed in an online data breach. It is launched in partnership with haveibeenpwned.com, a website by web security expert Troy Hunt.

It lets you search for your email address in public data breaches going back to 2007. Additionally, you can sign up for breach monitoring. It’ll also notify you in the Firefox browser if you visit a site that’s been breached.

Firefox Private Network

Firefox Private Network is basically a secure web proxy service that uses a server provided by Cloudflare to route your Firefox internet activity.

It is available as a browser extension, and works by creating an encrypted tunnel aka a proxy between your browser and a network managed by Cloudflare, which collects some data and deletes it permanently after 24 hours.

Firefox Private Network starts from $2.99/month, allows you to connect up to 3 devices, and has no bandwidth restrictions, but it is currently only available for customers in the US.

Mozilla VPN

Unlike the Firefox Private Network, Mozilla VPN is a full-fledged VPN service. It is basically a white-labelled version of Mullvad VPN, a highly reputed VPN service provider based in Sweden that uses the WireGuard protocol.

It is available as a standalone app for Windows 10, Mac, Android, iOS, and Linux devices for a flat fee of $4.99/month, for 5 devices, with no bandwidth restrictions, but is currently limited to only a few countries.

While using Mozilla VPN will help support the Mozilla Foundation, I find just using Mullvad VPN much better, as it is what’s working under the hood and is available for pretty much everyone around the world.

Mullvad VPN doesn’t require any personal data for account sign-up, and has lots of privacy-oriented payment methods.

Firefox Relay

Firefox Relay is the newest product launched by Mozilla that aims to protect the privacy of your email address by generating email aliases that will forward all your emails to your real inbox.

It is free and uses Amazon SES, which has a pretty good spam and malware filter. You’ll need a Firefox account and the Firefox Relay add-on to generate email aliases.

Multi-Account Containers

Multi-Account Containers is Firefox’s in-house add-on that lets you isolate your work, shopping or personal browsing without having to clear your history, log in and out, or use multiple browsers.

It is free, open source, and is developed by Mozilla, and can help you compartmentalize your online activity easily.

There are other add-ons like Facebook Container that are developed in-house by Mozilla.

Firefox Lockwise

Firefox Lockwise is a simple password manager that lets you access the passwords you’ve saved in Firefox from anywhere, even outside the browser.

It is baked into your Firefox browser under the Passwords section, and uses 256-bit encryption to protect your passwords while syncing.

You can secure your passwords with Face or Touch ID, and it is available for both Android and iOS.

Firefox Pocket

Firefox Pocket is an app as well as a built-in Firefox functionality, which allows you to save a variety of content (such as blogs, web pages, videos) to one place, and access it across all your devices for offline reading.

There is a free version, with apps for both Android & iOS for on-the-go reading. You’ll need to create a free Firefox account.

Firefox Send [Discontinued]

Firefox Send was a free and open-source end-to-end encrypted file sharing service by Mozilla. It had a file size limit of 2.5 GB, and was available on the Web and Android.

Additional Resources

Mozilla’s Privacy Policy – You should consider reading the privacy statements of any organization you deal with. Reading a privacy policy can be a time-consuming and tedious task, so you could also check out Terms of Service; Didn’t Read to get a summary and an overall idea.

That’s all folks!

I will be updating this page frequently with more Firefox tools and information.