
FAQ: Firefox Hardening


Following are some questions i've been asked regarding the hardening of the Firefox web browser as outlined in The Firefox Privacy Guide For Dummies! and the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

Note that most answers assume you have followed one of the aforementioned guides or otherwise incorporated the 'arkenfox' user.js (or similar) for Firefox along with the suggested extensions and other advice provided in their wiki.

If you're looking for an answer to a particular question, try Ctrl + F.


Q: Any thoughts on Waterfox? I don't trust Mozilla.

A: I think i've been asked this question more than any other. My tl;dr answer is: don't bother with any 3rd party build/fork, the Tor browser being the only exception.

I can understand your mistrust of Mozilla and indeed they are deserving of criticism, however there are several key reasons for not using a 3rd party build/fork of Firefox, be it Waterfox, Pale Moon, etc. What follows is a compilation of the thoughts of 'Pants' (of the 'arkenfox' user.js project) and my own after i brought up Waterfox in conversation, which i was using at the time.

Our web browser may be the most important piece of software we use since it's usually our primary gateway to the web and all the attack vectors that come with that. Trusting the integrity of something as crucial and deeply complex as a web browser (currently more than 24 million lines of code for Firefox) to a tiny team or a one-man show is potentially a really bad idea for several reasons, one being that critical security patches may not be applied in a timely manner. I have nothing against the Waterfox or other 3rd party developers, but their work often lags behind Mozilla, sometimes by many months, and they simply don't have the technical resources at their disposal that Mozilla does.

Lastly, there is little or nothing one can achieve with regard to privacy that you can't achieve with the official Mozilla release, it just takes a bit more tweaking.

Q: What is the difference between uBlock and uMatrix? Can they be used together? Which one should i use?

A: uMatrix is no longer developed, though you can still use it (personally i choose to use only uBlock Origin in advanced mode). Although they perform similar functions in that they essentially filter content much like a software firewall, the developer (Raymond Hill) aimed them at different audiences, and they work somewhat differently. uBlock Origin (uBO) is intended to be easier to use, while uMatrix (uM) offers more granular control.

Both can be used together, but because there is overlapping functionality they need to be configured to work together efficiently.

In the case where both are used, i suggest using uBO to handle the static filtering (the 3rd party filter lists used for ad blocking and such) and uMatrix to handle the dynamic filtering (JavaScript, cookies, frames, etc.). In this scenario you can essentially forget about uBO after installing and configuring it as most of your attention will be focused on uM.

At one time there was only a single extension and i think Raymond unnecessarily complicated matters for users when he split it, thus creating two with overlapping functionality. uBO is apparently targeted toward novices, yet includes an advanced mode option which has led to confusion and frustration for users who don't RTFM (read the f'ing manual), while uM is targeted toward advanced users. In practice however i found uM easier to use than uBO in its advanced mode but, as mentioned earlier, uM is no longer developed and so i use uBO exclusively.

Q: What do you think about browser compartmentalization as suggested in this article, Incognito mode won’t keep your browsing private. Do this instead? What do you think about using Firefox Quantum for everyday use and Firefox ESR for accounts?

A: First of all, complete privacy on the web is a pipe dream. I think Michael's advice to use multiple browsers for different tasks is unnecessary for most users. If one is that privacy conscious (or paranoid) then essentially the same degree of isolation can be achieved by simply creating multiple Firefox profiles dedicated to different tasks (social media, purchases, banking, casual browsing, etc.).

What Michael calls "incognito mode" is "private browsing" mode in Firefox and he's right; PB isn't a complete solution to prevent tracking, leaking, etc., however there's a whole lot more going on in Firefox when you employ the 'arkenfox' user.js and the suggested add-ons than just PB mode, one of them being Dynamic First Party Isolation (dFPI), which partitions third-party storage (cookies, localStorage, caches and the like) by the top-level site you are visiting, so that data-slurping sites like Facebook, Twitter, Instagram, etc., whose widgets are embedded all over the web, aren't able to track you nearly as effectively. Add to that uBlock Origin and some of its filter list options and you have some pretty powerful stuff happening under the hood.

I think it really boils down to how much convenience you are willing to sacrifice in the interest of privacy. In my case, i use one Firefox profile for almost everything except shopping, however i might spin up a new, default profile if i have trouble with a particular website or when i need to troubleshoot a problem with a preference or extension. Note that i do not do online banking, nor am i a member of any of the mainstream behavioral modification websites, aka "social media". For shopping i keep a very relaxed profile with uBlock Origin installed and set to "Easy" mode.

Q: Do you think using different profiles and the multi-account containers/temporary containers within each browser would make things more secure/private?

A: In my view containers are no longer needed, and First Party Isolation (FPI, privacy.firstparty.isolate) has been replaced in the 'arkenfox' user.js by dFPI (Dynamic FPI, network.cookie.cookieBehavior = 5). I don't use PB or containers at all since dFPI is a much better solution that is far more transparent to the user.

Q: After following your Firefox guide I can't log on to 'x' website.

A: Certain preferences in the 'arkenfox' user.js could cause this as well as certain add-ons. Most often JavaScript and cookies must be allowed for logons to succeed, so if you're using uBlock Origin and/or uMatrix, you may need to alter their settings for specific domains.

Some websites also use a cross-domain logon system where the browser is forwarded to a different domain for the purpose of logging on, then back to the original domain. In this case dFPI can break logons, though Firefox employs "shims" (site-specific workarounds) to overcome common instances of this problem. One way to circumvent this is to simply open the link for the logon domain in a new tab if possible so that both domains remain loaded, then log on in the new tab and refresh the first tab, after which the tab you used to log on can be closed. One website that uses cross-domain login is If you click the 'Log in' link, you'll be forwarded to and then back to

Q: Will modifying the CSS of a site make fingerprinting the browser easier?

A: If JS is enabled, then potentially, yes, but it depends on what the script is looking for. If it were only checking whether you modified the <body> attribute, and you didn't modify that particular attribute, then no. I have no idea how widespread such scripts are that look for CSS or script injections, but i would guess not very and i would further guess that it may be more likely that they're looking at one, or maybe a few specific attributes.

Q: I followed your privacy guide and now my FVD Speed Dial add-on doesn't work right.

A: Close your account with that jackass company after deleting everything you possibly can from their server, then remove the add-on and either dump ALL history for your Firefox profile or create a new one and import only the essentials. FVD Speed Dial is a privacy-hating data collection vacuum and it's collecting a lot of it. Nimbus Web, Inc., located in Ohio and incorporated in Delaware, is the company that markets it and they have the balls to beg for donations while they slurp up and sell your personal data. If you want to store personal data off-site so that it's accessible from your other devices, consider something like Nextcloud which is free, open source software. Also see the guidelines for choosing extensions in Firefox Extensions – My Picks.

Q: I read somewhere that enabling RFP would make the browser more unique.

A: Yes and no. When you test your browser fingerprint at one of the many test sites, you can usually disregard the results. One of the goals of RFP in Firefox, as with the Tor browser, is to make everyone look the same. Because few people use Firefox compared to Google Chrome, and fewer still enable RFP, you're going to look somewhat unique, but not totally.

There are a myriad of ways to fingerprint the browser, one being to grab the dimensions of the browser viewport (the part that actually renders a web page) because it offers a high degree of entropy, though this relies on JavaScript being enabled. This is why, when RFP is enabled, Firefox starts with generic viewport dimensions rather than the size it was when it exited last, assuming you resized the window at some point. This is something i override with a user pref because i want it maximized, period, so again, it's a question of convenience vs. privacy.

Unless you're using the Tor browser in its default configuration with no additional extensions installed, i'm not sure it's possible to prevent fingerprinting entirely and the problem seems to be getting worse and worse.

Lastly, i don't pretend to understand all of the details of RFP as a lot of it is very technical and over my head. It is also incomplete at this time, but much has been done.

Q: If I run one of those fingerprint tests and I’m fingerprinted on FF, will I be tracked even if I create a new profile afterwards?

A: Don't think of fingerprinting as being something that's global or permanent. If you mess up and enable JS on a site where you didn't want to for example, you can ignore the mistake as long as you're using the 'arkenfox' user.js (or equivalent settings). As a precaution you can dump your entire history, including cookies, but there shouldn't be a need to create a new profile. Remember that dFPI partitions third-party storage by the top-level site, so an identifier a tracker stored while embedded on one site is not available to it when embedded on another. Furthermore, if you're using the 'arkenfox' user.js or similar settings, then most storage is automatically dumped as soon as you close Firefox.
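To make the partitioning described in this answer and in the cross-domain logon answer above concrete, here is an added toy model of how dFPI keys website storage. It is not code from this page or from Mozilla. Firefox derives the "site" from the Public Suffix List (scheme plus eTLD+1); the stand-in below takes the last two host labels, which is wrong for suffixes such as co.uk, and all hostnames are made up for the demonstration.

```javascript
// Added example, not code from the page or from Mozilla: a toy model of how
// Dynamic First Party Isolation (dFPI) keys website storage. It shows why a
// tracker embedded on two unrelated sites cannot link the two visits, and why
// a login provider embedded in another site cannot see the session it set as a
// top-level page. Firefox derives the "site" from the Public Suffix List
// (scheme + eTLD+1); this stand-in takes the last two host labels, which is
// wrong for suffixes such as co.uk. All hostnames below are made up.

function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

// Storage key for a resource at `resourceUrl` loaded while the address bar
// shows `topLevelUrl`. First-party storage is keyed on the resource's own
// origin; third-party storage is additionally keyed on the top-level site, so
// every embedding site gets its own, unlinked bucket.
function storageKey(topLevelUrl, resourceUrl) {
  const origin = new URL(resourceUrl).origin;
  const top = siteOf(topLevelUrl);
  return siteOf(resourceUrl) === top ? origin : `${origin}^partitionKey=(${top})`;
}

// Minimal cookie store keyed the way dFPI keys it.
class PartitionedStore {
  constructor() { this.jars = new Map(); }
  set(topLevelUrl, resourceUrl, name, value) {
    const key = storageKey(topLevelUrl, resourceUrl);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  get(topLevelUrl, resourceUrl, name) {
    const jar = this.jars.get(storageKey(topLevelUrl, resourceUrl));
    return jar ? jar.get(name) : undefined;
  }
}

// Scenario 1: a tracking pixel embedded on two unrelated sites sets an ID on
// the first site; the ID is invisible on the second site and even when the
// tracker's own domain is visited directly.
function trackerScenario() {
  const store = new PartitionedStore();
  const pixel = "https://tracker.example/pixel.gif";
  store.set("https://news.example/", pixel, "id", "visitor-42");
  return {
    seenOnNews: store.get("https://news.example/", pixel, "id"),
    seenOnShop: store.get("https://shop.example/", pixel, "id"),
    seenDirect: store.get("https://tracker.example/", pixel, "id"),
  };
}

// Scenario 2: the user logs in at login.example as a top-level page; a shop
// then embeds login.example in a frame expecting to find that session, but the
// frame reads from the partitioned bucket, which is empty. This is the kind of
// cross-domain logon that dFPI breaks and that Firefox's shims paper over.
function embeddedLoginScenario() {
  const store = new PartitionedStore();
  const session = "https://login.example/session";
  store.set("https://login.example/", session, "sid", "abc123");
  return {
    topLevel: store.get("https://login.example/", session, "sid"),
    embeddedOnShop: store.get("https://shop.example/", session, "sid"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(trackerScenario());
  console.log(embeddedLoginScenario());
}
```

The point of the two scenarios is the same key function: a resource's storage bucket depends on which site is in the address bar, so clearing history per profile is not needed to "escape" a tracker, and a login that only works in its own tab is behaving exactly as the partitioning intends.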

Q: For what use case would you recommend using TOR browser? What's your thoughts on it?

A: I can't offer intelligent advice regarding the Tor browser or network because i'm simply not knowledgeable enough. That said, i'll offer my personal thoughts at this particular time which is simply that i don't trust Tor and that lack of trust is the result, in part, of reading horror stories about some of the people that are, or were, involved in the project and leaked emails between them and the MiB (the NSA or CIA as i recall) about known vulnerabilities and what appears to be a deliberate decision to not patch them in a timely manner for reasons unknown, but which we might speculate upon. Also Tor is funded in part by U.S. government agencies who use it to communicate secretly, or so we're told. So why then is Tor free, open source and available to the public you ask? My understanding is that the more people that use it, the more "noise" there is in the system, thus the harder it is for someone to identify who's communicating with whom.

As for the web browser the Tor project recommends, it's a hardened fork of Mozilla Firefox and much of what has been learned by the Tor developers has been ported to Firefox as part of the Tor Uplift Project.

On the user end, i personally think Tor is limiting and annoying because you're not supposed to use any browser extensions (uniformity among users is crucial) so you can kiss all your fav add-ons goodbye. Also you have little control over what exit node you connect to and bandwidth and latency are crap given 3 layers of encryption, potentially long hops and a less than stable network. Latency sensitive traffic, such as gaming, is out of the question and they also advise against torrenting. Even watching hi-def videos is sometimes not possible. Not being able to choose the exit node means you can't change locations as you can with a VPN and this can be problematic (imagine a YouTube video that's banned in Canada and your exit node is in Canada).

Then there's the question of who's running exit nodes and what damage they may be able do. Anyone can run an exit node, including those in the "intelligence" community or their contractors. Tor advocates have an answer for almost everything, but they don't convince me that Tor exit nodes can't be compromised in such a way as to identify where the traffic is coming from. That said, you cannot trust any VPN either, so take your pick (but do pick one). Using Tor and the Tor Browser is entirely free and Snowden promotes it, so there's that. Note however that Snowden isn't god, nor does he have intimate knowledge of all things technical.

The other thing to consider is who your foe is because the threat profile of a whistleblower or a journalist who is at risk of physical harm may be very different from your own. If it's your ISP and cannibalistic corporations like Google and Facebook and other lower level players (i.e. not the NSA, CIA, etc.) that you're worried about, then a good VPN should be enough. If it's the 3-letter agencies that concern you, well, good luck because hiding from them for any length of time might be somewhere between difficult and impossible since there's no way to know their capabilities. Our writing style alone is enough to fingerprint us, then there's backdoors in virtually all of our processors thanks to companies like Intel and AMD, the Unified Extensible Firmware Interface (UEFI) which boots most/all modern PCs, the baseband OS running in every phone, etc.

Q: What do you think about CanvasBlocker?

A: Firefox is getting better at protecting against fingerprinting through the Canvas API, however i think CanvasBlocker might still be a good addition to one's arsenal as long as you know how to un-break the sites that it breaks. Personally i no longer use it.

Q: What do you think about add-ons that alter the browsers User Agent?

A: Don't! Don't use any user-agent spoofing add-ons since they may very well raise entropy. The answer is to enable RFP (privacy.resistFingerprinting). With RFP enabled, load a User-Agent test site and you'll see that your UA has been spoofed to a generic value without any add-ons, plus there's a lot more going on under the hood than any UA spoofing add-on provides.

Q: What do you think about ClearURLs/Neat URL?

A: I prefer ClearURLs because you can install it and forget it. Neat URL would be my 2nd choice, but it will probably break websites more often than the former.

Q: What do you think about Request Control?

A: I think Request Control is a good add-on that fills the gaps in uBlock Origin and uMatrix, however it isn't entirely a replacement and it isn't worth the additional hassle for me personally, but if spending a whole lot of time fiddling with its settings doesn't bother you, have at it.

Q: What do you think about cookie/storage cleaners like Cookie AutoDelete, Self-Destructing Cookies, SecretAgent and Site Bleacher?

A: The most recent versions of Firefox, along with version 96+ of the 'arkenfox' user.js which employs Dynamic First Party Isolation (dFPI, network.cookie.cookieBehavior = 5) alongside network partitioning, make storage cleaners largely obsolete. That said, if you still think you need one for some reason, Cookie AutoDelete would be my recommendation.

Q: What do you think about ETag Stoppa?

A: I think ETag Stoppa is a good add-on that helps to guard against cache-based tracking via ETags and i really like the developer (he contributes heavily to the 'arkenfox' user.js project), however it isn't needed if dFPI is enabled or if you're using ClearURLs with the ETag option enabled. Also check out 'claustromaniac's' other add-ons, particularly POOP (Privacy-Oriented Origin Policy).

Q: What do you think about Header Editor?

A: Manipulating HTTP headers is useful in some specialized cases, such as to force CSS/script injection when Content Security Policy (CSP) forbids it, but i don't think many people need this and it can be dangerous.

Q: What about Smart Referer?

A: I don't use Smart Referer because the functionality to configure when and what referrer is sent to a website is available in Firefox, though i'm not sure it covers every bit of ground that Smart Referer does.

Q: Should I be blocking the referrer?

A: No. This would make your fingerprint more unique since very few people block the referrer. Instead you can restrict when the referrer is sent with the network.http.referer.XOriginPolicy preference so that the referring page is sent only when the host matches (already done in the 'arkenfox' user.js; the values are 0 = always send, 1 = send only when the base domains match, 2 = send only when the full hosts match). For example, normally if you open your browser to and then go to, will see that you came from If however you set network.http.referer.XOriginPolicy to '2', then will see as the referrer. On occasion this might break website functionality, such as for cross-domain logins. Note also that since Firefox 87 the default Referrer-Policy is strict-origin-when-cross-origin, so even without touching this preference a cross-origin destination sees only your origin (scheme and host), not the full URL.
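As an added illustration of the preference just described (not code from this page or from Mozilla), the function below models the XOriginPolicy decision and goes one step further by also modelling the companion network.http.referer.XOriginTrimmingPolicy preference that the 'arkenfox' user.js sets. The base domain is approximated by the last two host labels (Firefox uses the Public Suffix List), ports are ignored, and the hostnames are made up.

```javascript
// Added example, not code from the page or from Mozilla: a model of how the
// network.http.referer.XOriginPolicy preference decides whether the Referer
// header is sent, extended with network.http.referer.XOriginTrimmingPolicy.
// XOriginPolicy: 0 = always send, 1 = send only when the base domains match,
// 2 = send only when the full hosts match.
// XOriginTrimmingPolicy (applies to cross-origin requests only):
// 0 = full URL, 1 = scheme+host+path, 2 = scheme+host only.
// Base domain is approximated by the last two host labels (wrong for suffixes
// such as co.uk); ports are ignored. Hostnames below are made up.

function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns the Referer value that would be sent, or null when it is withheld.
// The URL fragment is never sent, matching browser behaviour.
function referrerFor(fromUrl, toUrl, { xOriginPolicy = 0, xOriginTrimmingPolicy = 0 } = {}) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  let send;
  switch (xOriginPolicy) {
    case 0: send = true; break;
    case 1: send = baseDomain(from.hostname) === baseDomain(to.hostname); break;
    case 2: send = from.hostname === to.hostname; break;
    default: throw new RangeError(`unknown XOriginPolicy ${xOriginPolicy}`);
  }
  if (!send) return null;
  const trim = from.origin === to.origin ? 0 : xOriginTrimmingPolicy;
  if (trim === 2) return `${from.origin}/`;
  if (trim === 1) return `${from.origin}${from.pathname}`;
  return `${from.origin}${from.pathname}${from.search}`;
}

// The combination the 'arkenfox' user.js uses.
const ARKENFOX_LIKE = { xOriginPolicy: 2, xOriginTrimmingPolicy: 2 };

// One page, three destinations, under three settings: both prefs at 0, the
// arkenfox combination, and the middle ground of base-domain matching with
// trimming to the origin.
function compare() {
  const page = "https://www.example.com/account?user=7#tab";
  const targets = {
    sameHost: "https://www.example.com/settings",
    sameBaseDomain: "https://shop.example.com/cart",
    otherSite: "https://other.example/",
  };
  const out = {};
  for (const [label, url] of Object.entries(targets)) {
    out[label] = {
      prefsAtZero: referrerFor(page, url),
      hardened: referrerFor(page, url, ARKENFOX_LIKE),
      baseDomainOnly: referrerFor(page, url, { xOriginPolicy: 1, xOriginTrimmingPolicy: 2 }),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare());
}
```

Reading the table: with both preferences at 0 the full path and query string (a user ID, in this constructed case) leak to every destination; with the arkenfox combination the referrer is only sent between identical hosts, which is why a logon that bounces between two hosts of the same company can lose it.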

Q: Trace seems to cover a lot of what the several extensions you recommend do. Would you recommend it?

A: I think it would be the berries if there was one good, comprehensive, super-add-on that could do it all, but Trace isn't it, not even close. Have a look at what 'Pants' of the 'arkenfox' user.js for Firefox project discovered after playing with Trace for a very short time.

Q: Is the browser easier to fingerprint if JS is allowed?

A: Absolutely! Many fingerprinting and tracking techniques rely upon JavaScript being enabled, which is why i *strongly* suggest disabling it globally, such as with uBlock Origin, then allowing it on a site-by-site basis only if you need it. Beyond the invasion of privacy there are serious security risks with JS as well. Also see the Changing how websites look or work section of the Firefox Tweaks and Fixes and Styles and Things page to learn how you can regain functionality without enabling JS in some cases.

Q: In my Firefox preferences I see it is set to deny trackers and scripts but only in custom mode, should I change it to Standard or Strict?

A: If you're using the 'arkenfox' user.js and appropriate filter lists in uBlock Origin, then no. uBO with the appropriate filters covers much more ground than the lists used by Firefox because Mozilla has to be super careful not to break anything, else they might have a few million irate users pounding down their door, not that that would be anything new.

Q: Should I delete cookies and site data on close?

A: Yes, for all sites except for those you want to keep such data.

Q: Will zooming a webpage make me more trackable/fingerprintable?

A: Good question. I don't know, but i doubt it, though it may depend on what you mean by zooming (with Ctrl + mouse wheel or with the layout.css.devPixelsPerPx preference). My response would be to ask how much convenience you're willing to sacrifice in the name of privacy. Also this would depend on JS being enabled.

Q: Is there a way to block font enumeration through flash player?

A: Get! Rid! Of! Flash! Player! It's a proprietary, insecure, largely obsolete, privacy-hating piece of shit. In my daily surfing i have yet to come across any video anywhere that requires Flash. You likely don't need the Adobe PDF Reader plugin either, nor any other proprietary browser plugins.

Q: Is it not safe/private to have my most visited sites and search from Firefox home screen?

A: The built-in Firefox home/new tab page presents some privacy issues. It's hard to be more specific than that because Mozilla often changes the way they use the default home/new tab page, but there are always privacy issues. In my case i set the home/new tab page to about:blank.

Q: If I set a search engine like Duck Duck Go as my homepage, would that be OK?

A: You can set the new tab/home page to whatever you want, it's just recommended not to use the default Firefox one or any other resource that isn't serious about protecting user privacy.

Q: What is this CSP/Content Security Policy thing mentioned in the arkenfox wiki and how does it relate to Firefox?

A: Content Security Policy is a mechanism sites use to limit what a web page is allowed to load and run, which in turn protects the browser against injected content. It consists of an HTTP response header (Content-Security-Policy; it can also be delivered in a <meta> tag) that tells the browser which sources of scripts, styles, images, frames and so on may be used for that page, and whether inline scripts and styles are permitted at all.

Prior to Firefox v77 the CSP thing caused a significant problem with certain extensions, however this has been fixed... finally.
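To show what "instruct the browser what it can and cannot do" means in practice, and why an injected inline style can be refused (the case the Header Editor answer above mentions), here is an added evaluator for a subset of CSP. It is not code from this page or from any browser. It handles directive fallback to default-src, 'none', 'self', 'unsafe-inline', '*', scheme sources and host sources with a leading "*." wildcard; nonces, hashes, ports, paths, 'strict-dynamic' and the child-src fallback for frames are deliberately left out. The header and page origin are constructed for the demonstration.

```javascript
// Added example, not code from the page or from any browser: a small
// evaluator for the part of Content Security Policy that decides whether a
// script, stylesheet, image or frame from a given source may load.
// Out of scope: nonces, hashes, ports, paths, 'strict-dynamic', child-src.

// Parse "directive src src; directive src" into a Map. The first occurrence of
// a directive wins, as in the spec.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);              // "*.example" -> ".example"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Does one source expression permit a URL?
function sourceAllows(src, url, pageOrigin) {
  if (src === "*") return true;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false;          // 'unsafe-inline' etc. never match URLs
  if (src.endsWith(":")) return url.protocol === src;   // scheme source, e.g. https:
  let scheme = null, host = src;
  const i = src.indexOf("://");
  if (i >= 0) { scheme = src.slice(0, i + 1); host = src.slice(i + 3); }
  host = host.split("/")[0].split(":")[0].toLowerCase();
  if (scheme && scheme !== url.protocol) return false;
  return hostMatches(host, url.hostname);
}

// `request` is { inline: true } for an inline <script>/<style>, else { url }.
function allows(policy, directive, request, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true;         // nothing governs this load
  if (sources.length === 1 && sources[0] === "'none'") return false;
  if (request.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(request.url);
  return sources.some(src => sourceAllows(src, url, pageOrigin));
}

// Constructed policy and origin for the demonstration.
const EXAMPLE_HEADER =
  "default-src 'self'; script-src 'self' https://cdn.example; " +
  "style-src 'self' 'unsafe-inline'; img-src *; frame-src 'none'";
const PAGE_ORIGIN = "https://app.example";

function evaluateExamples() {
  const policy = parseCsp(EXAMPLE_HEADER);
  const check = (directive, request) => allows(policy, directive, request, PAGE_ORIGIN);
  return {
    inlineStyle: check("style-src", { inline: true }),      // permitted by 'unsafe-inline'
    inlineScript: check("script-src", { inline: true }),    // refused: no 'unsafe-inline'
    cdnScript: check("script-src", { url: "https://cdn.example/lib.js" }),
    otherScript: check("script-src", { url: "https://other.example/x.js" }),
    anyImage: check("img-src", { url: "http://pixel.example/1.gif" }),
    anyFrame: check("frame-src", { url: "https://app.example/embed" }),
    selfFont: check("font-src", { url: "https://app.example/a.woff2" }),   // falls back to default-src
    otherFont: check("font-src", { url: "https://fonts.example/a.woff2" }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateExamples());
}
```

Drop 'unsafe-inline' from style-src in EXAMPLE_HEADER and inlineStyle flips to false: that is the situation in which a user style injected as an inline <style> element is blocked, and rewriting the header with something like Header Editor is the blunt workaround the answer above warns about, because it also disables the protection for everything else on the page.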

Q: I accidentally opened a website before installing all of the recommended extensions, so what should I do? Reinstall FF?

A: You never have to reinstall Firefox because everything that websites store is deposited outside of its installation directory, mostly in your profile directory, and its cache is kept in RAM if you're using the 'arkenfox' user.js. If you want to refresh your profile, and thus Firefox, you can just delete your history (cache, cookies, site preferences, etc.) for the time range of 'Everything' and if that doesn't make you feel warm and fuzzy, you can create a new profile, import what you need, then delete the old one, but this is usually unnecessary in my opinion.

Q: So I verified the integrity of user.js and the first one to show on about:config is _user.js.parrot SUCCESS! USER SETTINGS LOADED, so it must have loaded correctly.

A: If you're using my user-overrides.js which is intended to be appended to the 'arkenfox' user.js, then yes, that's what you'll see if there were no syntax errors in either one, however if you're using only the 'arkenfox' user.js, you should see "SUCCESS: No no he's not dead, he's, he's restin'!". Don't forget to do the browser console check as well. This is important because if Firefox finds one little itty-bitty thing wrong in the user.js, it won't process anything after that point and thus the default settings will be loaded. Note that you only need to do these checks after you apply an update to the user.js or user-overrides.js, or you edit either file (and you should never be editing the 'arkenfox' user.js directly - all changes/additions need to be placed in a user-overrides.js).
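The parrot check above works because Firefox stops applying user.js at the first line it cannot parse, so the last parrot value it reached is the one you see in about:config. As an added, offline version of that check (not from this page or from the 'arkenfox' project), the script below scans a user.js the same way: it reports the first malformed user_pref line and the parrot value in force at that point. Comment handling is line-based and does not understand "/*" inside a string value; the sample file is constructed in the arkenfox style and is not the real user.js.

```javascript
// Added example, not part of the page or of the arkenfox project: a checker
// that reports the first line of a user.js that is not a well-formed
// user_pref(...) call, and the last _user.js.parrot value set before that
// point, i.e. the value you would see in about:config, since Firefox stops
// applying prefs at the first parse error. Comment handling is line-based and
// does not understand "/*" inside a string value.

const PREF_RE = /^\s*user_pref\(\s*"([^"\\]*)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;\s*(?:\/\/.*)?$/;

// Remove block comments from one line, carrying the in-comment state across lines.
function stripBlockComments(line, state) {
  let out = "", rest = line;
  while (rest.length) {
    if (state.inBlock) {
      const end = rest.indexOf("*/");
      if (end < 0) { rest = ""; } else { rest = rest.slice(end + 2); state.inBlock = false; }
    } else {
      const start = rest.indexOf("/*");
      if (start < 0) { out += rest; rest = ""; }
      else { out += rest.slice(0, start); rest = rest.slice(start + 2); state.inBlock = true; }
    }
  }
  return out;
}

function checkUserJs(text) {
  const state = { inBlock: false };
  const result = { prefCount: 0, parrot: null, firstError: null };
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const code = stripBlockComments(lines[i], state).trim();
    if (code === "" || code.startsWith("//")) continue;
    const m = PREF_RE.exec(code);
    if (!m) {
      result.firstError = { line: i + 1, text: lines[i] };
      break;                          // Firefox ignores everything after a parse error
    }
    result.prefCount++;
    if (m[1] === "_user.js.parrot") result.parrot = m[2].slice(1, -1);
  }
  return result;
}

// Constructed sample in the arkenfox style (not the real file).
const SAMPLE = `/*** constructed sample in the arkenfox style, not the real user.js ***/
user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?!");
user_pref("privacy.resistFingerprinting", true); // RFP
user_pref("network.cookie.cookieBehavior", 5);
/* user_pref("privacy.firstparty.isolate", true); left commented out,
   as arkenfox does for inactive prefs */
user_pref("dom.security.https_only_mode", true);
user_pref("_user.js.parrot", "SUCCESS: No no he's not dead, he's, he's restin'!");
`;

// The same file with one closing parenthesis dropped on line 7.
const BROKEN = SAMPLE.replace(
  'user_pref("dom.security.https_only_mode", true);',
  'user_pref("dom.security.https_only_mode", true;'
);

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, txt] of [["SAMPLE", SAMPLE], ["BROKEN", BROKEN]]) {
    const r = checkUserJs(txt);
    const where = r.firstError ? `stops at line ${r.firstError.line}: ${r.firstError.text}` : "no errors";
    console.log(`${name}: ${where} | prefs applied: ${r.prefCount} | parrot: ${r.parrot}`);
  }
}
```

To run it against your own files under Node, read the user.js and the appended user-overrides.js and pass their concatenation to checkUserJs(); the parrot it reports is the one you should expect to see in about:config after restarting.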

Q: I read that you recommend HTTPZ instead of HTTPS Everywhere because it just works without a list and human intervention so less prone to error, what about HTTPS by default and Smart HTTPS?

A: Actually i personally don't recommend either anymore since the functionality to forward HTTP sites to HTTPS has been incorporated into Firefox (HTTPS-Only Mode, controlled by the dom.security.https_only_mode preference), though some folks still prefer HTTPZ over the built-in functionality. HTTPZ is basically an install-it-and-forget-it add-on. It's small, simple to configure, and it just works. There may have been advantages with the EFF's HTTPS Everywhere when you visit a secure site that pulls content from a non-secure one (think images). In this case i believe HTTPS Everywhere will attempt to upgrade the 3rd party requests whereas i don't believe HTTPZ will. On the flip side, HTTPS Everywhere may not upgrade an insecure site at all if it's not in their database. It also consumes significantly more memory than HTTPZ. In the end though, both are obsolete in my opinion.

Q: Also why should we use any HTTPS add-on when pretty much most sites today are already HTTPS?

A: Because "most" != "all". Anyone in between you and your destination can potentially see *and manipulate* traffic if it's not encrypted, starting with your ISP (and don't think they don't) and including anyone on the same wireless network as you. While this may be less of an issue if you're using a VPN, it's still an issue.

Q: What about bookmarks? Do those get sent to Firefox or only stored locally?

A: Both bookmarks and their accompanying site icons/favicons are stored locally unless you enable Firefox Sync, in which case they're stored locally and remotely (Sync encrypts the data on your device with a key derived from your account password before upload, but it still lives on Mozilla's servers). I don't use, nor recommend using, Firefox's Sync because i only want me to be in control of my data. If you want to share bookmarks and other stuff between Firefox instances on different devices, look into setting up your own "cloud" server.

19 thoughts on “FAQ: Firefox Hardening”

  1. I forgot to delete those default *.xpi in system files. What should I do now? Should I reinstall and delete again? What are the implications if I do reinstall and if I do not. Can you please explain in detail.

    1. don’t sweat it – you should never have to reinstall Firefox to solve such an issue – just go ahead and delete the system add-ons *if you wish* – you don’t have to, i just personally prefer to given some of the shit Mozilla has pulled in the past with these system add-ons, plus i have no use for any of them

  2. Hello, good day, I’m having problems when logging into a website through my Google account, which redirects me to the Google login. I disabled the privacy.firstparty.isolate option (set it to false) but I still have the same problem: I’m stuck at the “wait a moment” window.

  3. What is your opinion on Firefox’s setting: “Query OCSP responder servers to confirm the current validity of certificates”?
    From my understanding, OCSP request is not encrypted if the site didn’t respond with OCSP Stapling. Should i turn it off for privacy or should i leave it on for the perceived security?

    1. personally i think security.OCSP.enabled should probably not be disabled unless one is well aware of the risks – i disable it in my overrides js to avoid the query (added latency) and for privacy reasons, but i don’t do anything like on-line banking either

      like it says in the ‘arkenfox’ user.js, “It’s a trade-off between security (checking) and privacy (leaking info to the CA)”

      sorry i’m not able to offer a more concrete answer

  4. I’ve heard that turning off Javascript actually makes you more identifiable, much like turning on DNT. Is this true? Can a web server know if you have Javascript turned off (maybe by detecting no javascript ping response sent or something), and thus flag/profile you as a potential ‘advanced user/privacy paranoid user’, which in turn puts you in some sort of ‘user to track’ watchlist?

    1. that’s a really good question

      if you disable JavaScript (JS) then, yes, the website absolutely *can* (but not always) know that you’ve disabled it and indeed very few people disable JS, so yes, overall your browser is more fingerprint-able

      on the other hand, a huge part of websites being able to fingerprint your browser relies on JS being enabled … so there’s the conundrum

      so ignoring all other fingerprinting techniques, if you disable JS, i would think that you fall into a small bucket of people, however if you leave it enabled, you fall into a potentially much smaller bucket, meaning that your browser is even more unique because of all the data that can be harvested by JS, not that every website is looking at all the possible metrics, but some are looking at more than others

      so… i absolutely recommend that JS be disabled GLOBALLY and then allowed *only where it’s needed*

      on top of that i recommend using a VPN

      DNT is useless – there’s no obligation for websites to honor this preference – and again, if it’s enabled, you may fall into a smaller bucket, but it still doesn’t make you unique

    2. ps: all that said, if you allow JS globally and use the ‘arkenfox’ user.js, along with some recommended extensions (uBlock Origin especially, and/or uMatrix), then your browser is far less fingerprint-able than if you weren’t using them

      there are a myriad of ways to fingerprint a browser and enabling RFP (privacy.resistFingerprinting) in Firefox is a huge part of combating this (this is enabled by default in the ‘arkenfox’ user.js, along with FPI (privacy.firstparty.isolate))

      really though, there is no way to avoid being fingerprinted in my opinion – see this or this for instance

      i fall into a very small bucket, at best, because of my writing style – i don’t generally capitalize and i use hyphens instead of periods, plus there are several other nuances that i’ve noticed with the way i write and who knows how many others that could be recognized by an algorithm

      the point is, what precautions you need to take depend largely upon the threat you wish to mitigate – if it’s an ISP or an advertiser, the solution is simple, but if it’s the government or the “intelligence” community you wish to avoid, good f’n luck with that

  5. A noob question about FPI. If I open several sites on the same tab they will be isolated or does the FPI work like the containers where each tab/container has its own isolated content?

    Does enabling the history offer any risk to privacy?

    Note: Sorry if I made any English mistake, I’m using a translation tool to convert Brazilian Portuguese > English.

    1. FPI isolates storage by domain, so if you open site ‘a’ in a tab, then site ‘b’ in the same tab, the storage for both sites is isolated from one another, thus FPI works differently than Firefox’s built-in containers

      the Temporary Containers add-on enhances the built-in container functionality to achieve domain level isolation very similar to what FPI does which is why i personally don’t use containers or the Temporary Containers add-on which, in my view, just add an unnecessary layer of complexity

      as for history, if you enable the option to color visited links ( layout.css.visited_links_enabled ) it is possible for a website to use some CSS and JS to see if you have visited a link(s) before – to my knowledge this exploit depends on having JS enabled – personally i enable the option to color visited links differently

          1. Perhaps I misunderstood, thought you were using a different method, this is what I was referring to in a previous comment:

            “as for history, if you enable the option to color visited links ( layout.css.visited_links_enabled ) it is possible for a website to use some CSS and JS to see if you have visited a link(s) before – to my knowledge this exploit depends on having JS enabled – personally i enable the option to color visited links differently”
