Project moved to Codeberg
The Firefox Configuration Guide for Privacy Freaks and Performance Buffs has been moved to Codeberg however you can still leave comments and suggestions here if you wish. If that guide is too much for you, try The Firefox Privacy Guide for Dummies!.
A note regarding user comments
When reading the user comments on this page, keep in mind that this guide has been around since 2015 and, given the dynamic nature of the web and Firefox, some of the information in comments, including information provided by myself, may be obsolete or entirely wrong. Nevertheless i decided to retain all comments because... nostalgia. If you have any questions, ask.
496 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs”
HTTP UserAgent cleaner is under developing. But his fate is not clear, because it removed from AMO.
Download can be http://fxprivacy.8vs.ru/
Many many thanks for all your detailed efforts in creating this article. Very much appreciated! Kind regards, Sophie
2 words, Great Job!!!!!!
This is mine –> http://postimg.org/image/msye5hy61/
Hi, great work, thx alot!
I just recently found those 2 awesome addons uBlock + uMatrix, thanks to the newest version of Ghostery phoning home and not being able to easily disable that!
Compared to the way you run it, I prefer to have all domain-lists blocked by uMatrix and unchecked in uBlock.
That way you easily see which domains are blacklisted and they are nicely grouped at the bottom.
It’s a bit more work to setup initially to check which list contains domains and which are pattern-based but I think it’s worth it.
Amazing–keep up the good work. Wish I came across this guide earlier, but at least the information covered in this guide can confirm my understanding and justify my configuration.
Could you include a change log of specific changes you’ve made to your user.js like what entries you added, removed, or changed?
that’s a very reasonable request, but actually i really don’t wish to spend the time doing that … sorry
That’s fine, I can just download the latest version and diff it with a newer version in the future using a text editor–was hoping you could do that =P
good advanced tutorial for me first of all because of performance
Using your user.js as one profile, and another from a guy at github (https://github.com/pyllyukko/user.js/blob/master/user.js) This technical stuff is over my head but I value my privacy online and like to try to stay safe. Thank you dude.
hi john – thanks for the comment
the config by pyllyukko that you linked to is likely to cause you some headaches – he’s pretty aggressive with his settings and, for example, has disabled hardware acceleration and remembering form and password data, among other often useful things
having said that, my config may also cause you other problems unless you go through it and set it up to fit your personal situation
unfortunately, if you’re truly concerned with your web privacy, i don’t think you have much of choice other than to do some reading and learning – what i may do in the future is add another user.js config here which only includes the most basic security/privacy preferences for folks that don’t want to read through all of the settings
I would suggest changing the “user_pref(“browser.zoom.full”, false);” to true. For anyone on a “normal” widescreen display, but especially WQHD and beyond this makes the zoom feature all but useless. You can’t zoom Twitter or many bootstrap sites, this one included, to take up more than 1/3 of the space. You can’t zoom Youtube or most buttons break, Viewtube included. Also, you typically want to zoom the pictures, you really do.
i appreciate the suggestion, but i personally prefer ‘browser.zoom.full’ set to ‘false’ – these are my personal preferences which is why i suggest that people go through them and not just copy/paste them
You set uMatrix to delete non-blocked session cookies 15 minutes after the last time they have been used. If I’m not mistaken, that means that any site you have logged in on a background tab will automatically log out after 15 minutes if it has not been accessed. Do you simply sign in again every time? For someone who has certain sites (email, reddit, twitter, youtube, etc.) pinned and accessed every few hours or so, this seems like a hassle.
What’s your setup in terms of cookies management and passwords? I’m considering using Self-Destructing Cookies and KeePass. I’m curious on your reasoning behind whether you use these or not and perhaps specifics if possible (ex. Do you prevent all cookies except certain ones which you’ve whitelisted? Do you manually type in username/password every time you login for every site or do you have Firefox preserve the login state (is this a privacy/security risk assuming you’re the only one using the machine)?
I’ve read your entire guide as well as some other sites and configured Firefox in as many areas as was covered but left cookies/passwords as well as DNS last because I need to understand more of what experienced people are doing (DNSCrypt is easy to setup, but what about DNSSEC? Not many DNS servers, especially fast or major ones, support both and also don’t log its user’s activities).
hi – thanks for the comment
actually i have uMatrix set to dump session cookies at 360 minutes (my settings is different than the screen-shot) and, personally, i’ve never had an issue with this – in the description it states “Delete non-blocked session cookies x minutes after the last time they have been used.” – i understand that to mean that, if you are logged on to a site and continue to use the site, the cookies will remain until your activity ceases – all i can say is i’ve never had to re-log on for any site i use, but then i don’t FB, Twitter, etc., however i do use another social network and have remained logged in to it for very long times
cookie management is handled entirely by my user.js settings and uMatrix – no other add-on is used – this keeps cookie storage to a pretty bare minimum – i had been using Self-Destructing Cookies in the past, but i really see no need for it since it appears that uMatrix can preform essentially the same task of handling various types of browser storage – by default uMatrix is set to not accept cookies (for instance, right now i have less than 10 cookies stored and i’m logged on to 3 sites) – so yes, to answer your question, i whitelist cookies on a per-site basis with uMatrix
whether it’s smart from a security perspective to use the default Firefox password manager, i really can’t say – i think that really depends on what level of security you require – for example, if i were a journalist or whistle-blower transmitting very sensitive information, i might take a different approach, such as the KeePass-browser bridge – and yes, i am the sole user of this machine
when i ran Windows i used KeePass, now i use KeePassX on Linux (it’s not as good, but it works) – if you’re wondering whether i use the bridge function to interact with the browser, no, i do not – password storage is handled entirely by the default Firefox functionality – i do however have signon.autofillForms set to false in my user.js which means i have have to actually click in the user name field before the name and password auto-fills
a note regarding so-called “cookies” – if you read my guide i assume you already know this, but i just want to be sure; there are several types of web storage, of which “cookies” is only one and the term is used rather generically
CRAP!!! UMatrix 9.3.3 does not follow your guidelines
in what way? i’m using 0.9.3.3
> Removed HTTP UserAgent cleaner since it is no longer being developed
Http UserAgent Cleaner again distributed through the Mozilla add-ons gallery (https://web.archive.org/web/20200905195231/https://addons.mozilla.org/ru/firefox/addon/http-useragent-cleaner/). If you still have what you removed from the manual, you can add it back.
“browser.fixup.hide_user_pass” might preferably set/kept “true” (which is also default value in TBB = Tor Bundle Browser), otherwise the password is sent to the corrected URL, and if that suggested URL is NOT where we want to go, then we certainly don’t want to send our password along.
True (default): When attempting to fix an entered URL, do not fix an entered password along with it (i.e. do not turn http://user:password@foo into http://user:password@(prefix)foo(suffix) but instead http://user@(prefix)foo(suffix))
False: Include entered password in fixed URL
Don’t forget to restrict redicretion to max 2, 20 is way too generous and add-click rogues heaven.
Further on, network.http.pipelining.* should be set to “false”, it was usefull for 20 years ago or os with old modems when the turnaround was slow, in these days and age with ADSL etc it’s not ncessary and if we want to be “privacy and security freaks” there’s no reason to use pieplining.
In TBB pipelining is enabled, but for other reasons.
I didn’t check thoroughly through the prefs, just my 2 cents.
thanks for the comment
browser.fixup.hide_user_pass– i set this back to its default value as suggested – i think i misunderstood the description of this pref when i originally added it
network.http.redirection-limitonly affects HTTP redirects, not meta or JS, so i’m not convinced on how beneficial lowering it is and have personally found that legit sites sometimes use more than 2 redirects – that said, i did add the pref to the config, but set its value at 3
network.http.pipeliningis commented out by default