See the revision history at the end ... if you make it that far :)
Before embarking on this journey into the bowels of Firefox, you may want to first read, Tor verses a VPN – Which is right for you?. If you choose to use the Tor Browser, you need not bother with this guide.
The following video will provide an overview of one aspect of what it is we're up against and why i wrote the Firefox configuration guides. I encourage everyone to view it, especially if you're one of the many people who aren't worried about surveillance because you 'have nothing to hide'.
You're aware that unethical companies such as Facebook, Instagram, Google, YouTube, advertisers, your ISP and even governments are spying on your activities and buying and selling the data they harvest, even if you may not be aware of how they're doing it. You're concerned about this invasion of your privacy, but what can you do about it?
Welcome to the 'for dummies' edition of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs!!!
The goal here is to provide a simple guide, to the extent that's possible, which will yield a privacy enhanced configuration of the Firefox web browser whilst breaking as few websites as possible. That said, be prepared to put a little bit more effort into your surfing activities, at least until the dust settles. The pay-off will be a much faster, cleaner, less annoying web that is less able to track and profile you. Note that i said "less", not "not".
WARNING: This guide is not intended for use with the Tor browser which is an already hardened version of Firefox. Configuring the Tor browser as outlined here may result in doom.
Catching the Fox
You want the standard release version of Mozilla Firefox; no Pale Moon, no Waterfox, etc., so if you don't have it, get it. If you run a Linux-based operating system, look in your package manager. Since it's privacy we're interested in, we're way too smart to be screwing around with Google Chrome or Microsoft Edge, though if you have an inferior alternative browser installed you could retain it as a backup.
Profiling the Fox
Start Firefox and enter about:profiles in the address bar -- you can call it the "location" bar or the "awesome" bar, i call it the address bar -- then press your 'Enter' key to load that address. This is where Firefox keeps a list of all your profiles. Profiles are where most of your settings, bookmarks and other junk gets stored.
You can have as many profiles as you want, but by default there will be just one named 'default'. We need another one, so click the 'Create a New Profile' button and name the new one 'privacy'. You can change the name later, but leave it be for now. Once you're done, exit Firefox.
Firefox will now annoy you (and let it keep annoying you for the duration of these next few months we'll be spending together) by asking which profile you want to load every damned time you start it and you should (almost) always choose your 'privacy' profile.
Pro Tip
There are many 'about:' pages in Firefox, but not all are accessible from the various menus. To see some of those that aren't, enter about:about in the address bar, but be careful what you mess with in there!
Training the Fox
Restart Firefox and this time you should see the Choose User Profile window. Load your privacy profile but don't visit any web pages just yet, other than this one if you want. Firefox may load some default pages when it starts and that's something we'll fix later.
Profile Tip
If you don't want Firefox whining about which profile to load every time it starts, you can select your preferred profile and check the 'Don't ask at startup' option, but don't do that yet! Another way is to create a shortcut to load any profile you want.
For more about profiles, see Use the Profile Manager to create and remove Firefox profiles and Multiple Firefox profiles.
For more about ticklish penguins, go here.
If you're running Windows you will need to un-hide file extensions, and i suggest you keep them un-hidden.
With Firefox up and running, load about:preferences in the address bar or click the Hamburger icon on the toolbar, then 'Preferences'. Click the 'Search' menu item on the left and under where it says 'Search Bar', click 'Add search bar in toolbar'.
Next, go to the ghacks-user.js GitHub repository. We need their prefsCleaner.bat (Windows) or prefsCleaner.sh (Linux) file and the updater.bat (Windows) or updater.sh (Linux) file. Now before you mess up, hear me out: One by one, click on the file names, then click the 'Raw' button, then press Ctrl+S to save the files to your desktop. Failing to heed my advice can cause the file formatting to get messed up which will surely result in Russia launching its nukes. If you want to avoid those steps, here's the direct links to the files: updater.sh (Linux), updater.bat (Windows), prefsCleaner.sh (Linux), prefsCleaner.bat (Windows). Now if you're one of those wiz kids, you may have deduced that we're going to need that user.js file too but we'll grab that another way.
Next, go to the 12bytes.org/Firefox-user.js-supplement page at Codeberg.org and download my user-overrides.js file to your desktop. Again, click the 'Raw' button, then press Ctrl+S to save it (here's the direct link).
Next you'll need a decent code editor (no, not Notepad!) with syntax highlighting. If you're running Wintendo (that's one of my several derogatory names for Windoze), PSPad is nice, simple and free. If you're running Linux you've surely got something installed already, so poke around.
What you need to do now is open that user-overrides.js file in your code editor and follow the directions Very Carefully. Every single little tiny thing you could ever possibly want to know about that file is in there (except whatever i forgot to put in there).
Now that you've sifted through that convoluted mess (go you!), open Firefox's about:profiles page again. Note that user profiles and web cache are stored in separate folders, thus why you may see more than one directory path for each profile. In the row labeled 'Root Directory' under your 'privacy' profile, click the 'Open Directory' button and then kill Firefox.
In your file manager you may notice that the folder containing your 'privacy' profile actually has a longer name with a bunch of gobbledygook in front of 'profile'. Ignore that like you ignore your goofy neighbor with the tinfoil wallpaper. If you see a prefs.js file in there, you're probably in the right place. Next, grab those files from your desktop you pirated earlier and stick 'em in your 'privacy' profile folder where the prefs.js file is.
Now we need to run that updater script. How to do that depends on whether...
...you're running Linux
You will need to make those .sh files executable. You could try meditation or sacrificing a goat, but it'd probably be quicker to just right-click on each of them to open the file properties dialog window and click the 'Is executable' checkbox on the 'Permissions' tab (or similar). If your file browser doesn't have such an option, see How do I run .sh files?.
We need to run that updater.sh script from a terminal, so open one and change the directory to your 'privacy' profile directory where the updater.sh file is. In the example below you'll need to change 'gobbledygook' to match the correct name of your profile folder:
Now run the updater.sh script by preceding the file name with a dot and a slash:
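The Linux steps above as one script. This is an added example, not part of the original guide or of the ghacks project: it looks the profile folder up in profiles.ini instead of typing the 'gobbledygook' by hand, checks that the folder holds the files you saved, then runs the updater followed by prefsCleaner. It assumes the usual Linux location ~/.mozilla/firefox/profiles.ini, a browser process named "firefox", and that both scripts start with a '#!' line; the function names are made up.

```shell
#!/bin/sh
# Added example: not from the guide or the ghacks project; function names are
# made up for this sketch.

# Print the folder of the profile named $2, as recorded in profiles.ini ($1).
find_profile_dir() {
    awk -F= -v want="$2" -v base="$(dirname "$1")" '
        function emit() {
            if (name == want && path != "") {
                print (rel == "1" ? (base "/" path) : path)
                found = 1
            }
            name = ""; path = ""; rel = ""
        }
        { sub(/\r$/, "") }
        /^\[/              { emit() }   # next [section]: finish the previous one
        $1 == "Name"       { name = substr($0, 6) }
        $1 == "Path"       { path = substr($0, 6) }
        $1 == "IsRelative" { rel = $2 }
        END { emit(); exit (found ? 0 : 1) }
    ' "$1"
}

# Succeed only if $1 holds prefs.js plus the three files saved from the repos.
check_profile_dir() {
    [ -f "$1/prefs.js" ] || { echo "no prefs.js in $1" >&2; return 1; }
    for f in updater.sh prefsCleaner.sh user-overrides.js; do
        [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
    # Assumption: both scripts begin with a '#!' line, so a saved HTML page
    # (download made without the 'Raw' button) fails this test.
    for f in updater.sh prefsCleaner.sh; do
        head -n 1 "$1/$f" | grep -q '^#!' || { echo "$f: not a script" >&2; return 1; }
    done
}

# Run the updater, then prefsCleaner, from inside the profile folder.
run_updater() {
    # Assumption: the browser process is called "firefox" on this system.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x firefox >/dev/null; then
        echo "close Firefox first" >&2; return 1
    fi
    check_profile_dir "$1" || return 1
    chmod u+x "$1/updater.sh" "$1/prefsCleaner.sh"
    ( cd "$1" && ./updater.sh && ./prefsCleaner.sh )
}

# Constructed profiles.ini sample (folder names invented).
sample_profiles_ini() {
    cat <<'EOF'
[Profile1]
Name=privacy
IsRelative=1
Path=a1b2c3d4.privacy

[Profile0]
Name=default
IsRelative=1
Path=e5f6a7b8.default
EOF
}

# "sh this-file run" does the real thing for the profile named 'privacy'.
if [ "${1:-}" = "run" ]; then
    dir=$(find_profile_dir "$HOME/.mozilla/firefox/profiles.ini" privacy) || exit 1
    run_updater "$dir"
fi
```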
To run that updater.bat script, navigate to your Firefox profile directory, hold down the Shift key and right-click in an empty space where the file is, then select "Open Command Window Here". Enter updater.bat and hit Enter. If you have trouble, see How to Run a BAT File on Windows: 13 Steps (with Pictures).
The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you've followed the directions you didn't read, the script will download a fresh copy of the 'ghacks' user.js file to your profile directory and append the contents of your user-overrides.js to it just like it says on the tin.
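What the append described above means in practice, as an added example that is not part of the guide or of the ghacks scripts: Firefox applies user.js from top to bottom, so when a pref is set twice the appended override is the one that takes effect. The function below reports, for every pref in user-overrides.js, whether it is the effective value in user.js and which earlier value it replaced. The function names and the sample pref values are constructed for illustration, and it assumes block comments open at the start of a line and that values do not contain ");".

```shell
#!/bin/sh
# Added example, not part of the guide or of the ghacks scripts.

# usage: overrides_report <user.js> <user-overrides.js>
overrides_report() {
    awk -v ov="$2" '
        # Split an active user_pref("name", value); line into pname / pval.
        function parse(s,   i) {
            sub(/^[ \t]*user_pref\([ \t]*"/, "", s)
            i = index(s, "\""); pname = substr(s, 1, i - 1)
            s = substr(s, i + 1); sub(/^[ \t]*,[ \t]*/, "", s)
            i = index(s, ");"); pval = substr(s, 1, i - 1)
            sub(/[ \t]+$/, "", pval)
        }
        FNR == 1 { inblock = 0 }
        { sub(/\r$/, "") }
        # Prefs inside /* ... */ blocks are inactive, so skip those lines.
        inblock { if (index($0, "*/")) inblock = 0; next }
        /^[ \t]*\/\*/ { if (!index($0, "*/")) inblock = 1; next }
        # Lines such as "// user_pref(...)" are inactive and do not match.
        !/^[ \t]*user_pref\(/ { next }
        { parse($0) }
        FILENAME == ov {
            if (!(pname in want)) order[++n] = pname
            want[pname] = pval; next
        }
        # user.js: remember the value that the latest definition replaced.
        { if (pname in cur) before[pname] = cur[pname]; cur[pname] = pval }
        END {
            for (k = 1; k <= n; k++) {
                p = order[k]
                if (cur[p] != want[p]) {
                    print "NOT-APPLIED " p
                } else if ((p in before) && before[p] != cur[p]) {
                    print "CHANGED " p ": " before[p] " -> " cur[p]
                } else {
                    print "OK " p " = " cur[p]
                }
            }
        }
    ' "$2" "$1"
}

# Constructed sample files; the values are illustrative, not the real ones.
overrides_demo() {
    d=$(mktemp -d)
    cat > "$d/user-overrides.js" <<'EOF'
user_pref("browser.startup.page", 1);
user_pref("browser.search.suggest.enabled", false); // same as upstream
user_pref("browser.tabs.closeWindowWithLastTab", false);
EOF
    cat > "$d/user.js" <<'EOF'
user_pref("browser.startup.page", 0);
/* constructed: a pref parked inside a block comment stays inactive
user_pref("browser.startup.page", 3);
***/
// user_pref("browser.search.suggest.enabled", true);
user_pref("browser.search.suggest.enabled", false);
user_pref("privacy.resistFingerprinting", true);
EOF
    cat "$d/user-overrides.js" >> "$d/user.js"   # stands in for the append
    overrides_report "$d/user.js" "$d/user-overrides.js"
    rm -r "$d"
}

if [ "${1:-}" = "demo" ]; then overrides_demo; fi
```

A NOT-APPLIED line means the value in user.js differs from the one in user-overrides.js, for example because the updater was not re-run after the overrides file was edited.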
The 'ghacks' user.js is updated fairly frequently so, with Firefox closed, you should re-run the updater script every couple weeks or so in order to check for a new version. Each time you run the updater script, be sure to follow it up by running the prefsCleaner script using the same method as described earlier for your operating system. The prefsCleaner script will reset any deprecated, removed, or inactive preferences and it's important that you do this.
updater script Pro Tip
If you use Linux you can run the script with the -c switch (./updater.sh -c) which will create a 'diff' file that will list all the differences between the old user.js and the newer one.
To see all the options for running the updater script for both Linux and Windows, see the Updater Scripts article on the 'ghacks' wiki.
Fattening the Fox
Now we're going to go to the Firefox Add-ons website, AMO (Addons.Mozilla.Org). Start Firefox and select your 'privacy' profile, then come back here.
Why does he say 'WE' and 'WE'RE' when 'I' am the one doing all the f'n work?!
Plausible deniability. If i screw something up that causes your computer to explode, it's your fault.
One at a time, middle click each of the links below to open their pages in a new tab, then Read What It Says for each add-on, then install it. If any of the links are dead, let me know and don't install something you think is equivalent because it almost certainly isn't.
- Clear URLs by Kevin R.
- CSS Exfil Protection by Mike Gualtieri
- HTTPZ by claustromaniac
- LocalCDN by nobody42
- Privacy-Oriented Origin Policy (POOP) by claustromaniac
- Site Bleacher by wooque
- uBlock Origin by Raymond Hill
Once you have all those installed, find the 'Customize' option in one of the Firefox menus or by right-clicking on an empty space on a toolbar somewhere. With the exception of Site Bleacher and uBlock Origin, you can drag the toolbar icons for the other add-ons, for those that have them, to the Overflow Menu since you will rarely be interacting with them.
A note regarding add-ons...
More add-ons = more bad (generally speaking).
It's pretty important, and especially so if you're new to the game, to NOT install add-ons willy-nilly. The more you install, the more likely it is that things will break and that your privacy will be compromised, so DON'T GO OVERBOARD with add-ons.
The selection of recommended add-ons in this guide accounts for not only how your privacy and browsing experience is affected, but also how they interact with each other as well as with a Firefox that has been extensively modified by the 'ghacks' user.js. If you install certain additional add-ons that you *think* will guard your privacy, you could very well wind up with an opposite result. In particular, stay away from any User-Agent spoofing add-ons.
Firefox has built-in mechanisms which help to prevent browser fingerprinting and safeguard your privacy. Alone they are not enough, which is why you're here, but they do cover some very important ground.
For more on the subject and what to look for when considering add-ons, see Firefox Extensions – My Picks.
We need to configure some of the add-ons we installed, but first a word to the wise: Unless you know what you're doing, i strongly suggest you configure these add-ons as outlined here, else Russia.
To configure your add-ons, load about:addons in the address bar or find the 'Add-ons' menu item in one of the Firefox menus.
Clear URLs: In the preferences, enable the following options where an [X] indicates the option is enabled:
[_] Allow domain blocking (if you're not using any of the major ad filtering lists in uBlock, then enable this).
[X] Skip URLs on local hosts
[X] Prevent tracking injection over history API
[X] Block hyperlink auditing
[X] Filters ETag headers from requests
The rest of the options are just that; optional :)
LocalCDN: In the preferences, enable the following options where an [X] indicates the option is enabled:
[X] Display injection counts on icon
[_] Block requests for missing resources [1]
[X] Block Google Fonts
[X] Disable link prefetching
[X] Strip metadata from allowed requests
[_] Enable logging in browser console
[_] Disable release notes
Footnotes: [1] Enabling this will enhance privacy, however this option will break some websites.
Lastly, don't forget to add the LocalCDN rules for uBlock Origin to the 'My rules' tab of the uBO settings (see my uBlock Origin Suggested Settings guide after reading the 'uBlock Origin' section below).
Privacy-Oriented Origin Policy: On the 'Preferences' tab, configure it like so:
Set the 'Global mode' to 'relaxed'.
In the 'Exclusions' section, enable 'Exclude root domain matches', then paste the following code in the big text box below that. It'll come in handy if you ever switch POOP to its 'aggressive' mode:
In the 'Other' section, make sure 'Spoof cross-origin Referer' is enabled.
uBlock Origin: This is a huge biggie! I know, supposed to be the 'for dummies' guide and all, but you really gotta learn how to use uBlock Origin (uBO). The good news is that it's got a 'dummy' mode and it's enabled by default!
To set up uBO, read my uBlock Origin Suggested Settings guide.
Of particular importance, DO NOT select the 'I am an advanced user' option! Don't look at it. Don't think about it. Don't think about looking at it ... at least not until you read all that 'required reading' stuff and understand fully what uBO is, does, how to configure it, and how easy it is to break the entire interwebs if you don't know what you're doing.
Now it's really important that you read this and this and this, but only up to the 'Medium mode' part for the last one. Once you complete that you'll be a Semi-Certified uBlock Origin Web Filtering Engineer Apprentice.
Break time...
Training the Foxineer
With that all done and Firefox running, close all tabs and click the Hamburger button again to open the Preferences window, then click the Privacy & Security menu item, or load about:preferences#privacy in the address bar. Scroll down to the Cookies and Site Data section and click the Manage Data button. In the Manage Cookies and Site Data window that opens, click Remove All. This will remove (almost) all of the stored data that Firefox has accumulated so far. We're just doing this to nuke anything that was stored before we installed our privacy add-ons, plus so that you know how to nuke Firefox storage.
If you've used Firefox before there's going to be some changes, one of them being that you'll be searching from the search bar (or a web page that isn't Google hopefully) instead of the address bar. The reason for this is a little creepy, suffice to say it's a privacy/security thing. Live search suggestions will be disabled because it's also a creepy thing, though the search bar will still suggest stuff from your history, bookmarks and previous searches.
Now for the really important stuff...
Start Firefox and load up your privacy profile, then middle-click this link to open it in a new tab and click some of the colors on the color swatch and…… well that was boring, but WAIT! THERE'S MORE! Now click the uBlock Origin button on your toolbar and in the lower right corner there’s an icon that looks like a
Importing stuff from an old profile
If you're not a first-time Firefox user and you have important bookmarks or other stuff you want to import to your new privacy profile, make a backup copy of your profile and then go ahead and read this.
What to do when the Fox bites
To make a broken website function again, you'll need to use uBlock Origin to enable the functionality you need for those websites you trust. If you cannot get a website to cooperate by making site specific changes in uBlock, you can always spin-up a fresh, empty profile, but understand that you will be at the mercy of a completely default Firefox configuration with all of our extra privacy protections removed. For websites you don't trust, why are you visiting them? Porn? Warez? If you value your privacy and digital integrity, forget that stuff. Seriously.
Another 'gotchya' that will likely creep up at some point is a website not saving settings that you wanted to save or cross-domain logons failing. This is likely the fault of the Site Bleacher add-on which deletes most of the data that websites store locally, including 'cookies', so if you want to save settings for a particular website or preserve the ability to log-on automatically, then click the little bleach bottle icon on your toolbar and whitelist the website domain.
Regarding cross-domain logons, this is where you visit site 'A' but when you click the link to logon you are forwarded to site 'B' before returning to site 'A'. Site Bleacher may cause the logon to fail because it will delete the storage (cookies) from site 'A' as soon as you are forwarded to site 'B'. One way around this is to whitelist the site 'A' domain in Site Bleacher and another way is to open the logon link in a new tab if possible (you may have to refresh (F5) the site 'A' page to see that you're logged on).
I would NOT suggest whitelisting any privacy-hating social media or mainstream search websites such as Google, Yahoo, Bing, Facebook, Instagram, Twitter, etc. If you want to learn more about alternative search engines, read Alternative Search Engines That Respect Your Privacy.
The Fox hole
Even with everything we've done, you're still vulnerable to being tracked and profiled, however you're in a better position now than when you started out, except for one little problem: Your Internet Service Provider!
At the very least your ISP can see what websites you visit, when you're surfing the web and when you're not. They may even inject ads, malware or other garbage in your data stream. The solution: Hijack your neighbor's unprotected WiFi and... Kidding! Listen, you and i have gotten to know each other throughout this long and difficult ordeal. We're kinda like buddies now. Kinda. And i can already tell your ethics are of a higher caliber than
One solution to the problem is a Virtual Private Network (VPN). Ever wanted to be in 30 places at once?
A VPN works by encrypting the traffic between you and another computer run by the VPN service provider which we'll call an 'exit node'. That exit node could be anywhere in the world. From the exit node your traffic flows as normal to whatever website you want to visit and the website then sends the kitty video you clicked on back to the exit node thinking IT is YOU, but alas, IT AIN'T! YOU FOOLS! The kitty video then secretly makes its way back to you through this secret tunnel which was secretly established between you and the exit node. So far as the website is concerned, it doesn't know where the hell you really are and so far as your ISP is concerned, all it sees is gobbledygook that looks like Braille to a quadriplegic tuna. Ever annoyed by that galactically stupid "Sorry, this video is not available in your country" crap? Pfff.
There are truck loads of different VPN service providers and it seems the vast majority do not take customer privacy seriously, however i think both NordVPN and AirVPN are good companies that offer a good service at a good price. I've used both and i like both. Both have servers (think 'exit nodes') all around the globe and neither restrict any protocols (think 'BitTorrent'). Both offer client applications that you can install to make using their service stupid simple. If you'd prefer to pick a VPN provider yourself however, i recommend you visit That One Privacy Site and browse the fantastic spreadsheets the dude puts together. Another good resource is TorrentFreak's annual VPN reviews. Here's the one for 2018. I would strongly advise against any VPN add-on on the Mozilla add-ons site for a few reasons, one of them being that they very likely suck from a privacy perspective and another being that it's only your browser that will benefit and not the rest of your OS and software. Lastly, NEVER trust any "free" VPN provider. Ever.
- Though VPN services are cheap, it's still an additional expense
- VPN exit node IP addresses can get blacklisted which could cause problems sending mail and accessing certain websites and services, however in my experience this hasn't been a huge issue and, even if it is, it's usually just a couple of mouse clicks to switch exit nodes
- Latency (the time between the mother-in-law walking in front of your car and your realization that you need to slam on the brakes) and bandwidth (how many tweets per second you can send notifying your friends of the "accident") will be affected, but in my experience the difference isn't huge
In short, i think the pluses of using a VPN outweigh the minuses. That said, you can never trust any VPN service 100%, but any reputable one will help to protect your privacy and should certainly prevent your ISP from spying on you. If it's the NSA you're worried about, well, that's another story, but i'm not at all convinced there's any way to thwart that threat.
WHAT THE FOX!
So now you're all smitten thinking you're invincible and ready to hack the NASA to see if aliens really built Taco Bell's on the back of the moon (they did, pretty sure). You're not, but you've taken one, small step for man, and..... Truth is, there's far more vectors for attack than you and i and the so-called "experts" may ever know about, so don't get all uppity. Perfect privacy on the web, as in real life, is a pipe dream and it wasn't the goal here anyway. We've covered some important bases that will help prevent nasty corporations and your ISP from spying on you, but not all of them. Remember that when you're creating fake profiles on Facebook to stalk your ex.
After you've taken plenty of time to get comfortable with your new Firefox configuration, i suggest reading everything in the uBlock Origin wiki and learning how to use it in its advanced mode. And after that, it's the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.
Be safe. Be ethical. And if you need help (after you've tried to help yourself), leave a comment or check the FAQ: Firefox Hardening page.
IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and that's the best way to stay informed.
Revisions
- first (pre) release
- added more info about using the user.js updater and prefsCleaner scripts
- many small changes and polishing
- polishing, clarifications
- clarified a lot of stuff that may not have been clarified clearly enough
- eliminated the 'relaxed_user-overrides.js' file - the user-overrides.js is now used for both the advanced and dummy guides
- updated the user-overrides.js file
- lots of minor edits, corrections
- clarified info regarding the downloading of the configuration files
- added better description and screen-caps for how to download user-overrides.js
- minor edit
- minor edit
- added HTTPZ
- added Site Bleacher and associated information
- removed temporary profile info
- lots of minor edits
- added instructions for enabling the search bar in the navigation bar since setting the preference alone in user.js doesn't work for some reason
- minor edits
- added a warning about using this guide with Tor
- added a resources section
- rewrote several bits of the guide in an attempt to clarify things and make it a bit shorter
- edited some content to bring it up to date with the newest version of Firefox
- adjusted settings for uBO
- stuck the uBlock config stuff on its own page
- misc. edits and clarifications, nothing too drastic
- added a more extensive warning about installing add-ons in addition to those recommended herein
- minor edit
- added ETag Stoppa to extensions section
- added link to 'FAQ: Firefox Hardening' page
- minor edits throughout
- removed 'First Party Isolation' add-on
- added 'Font Fingerprint Defender' add-on
- minor edits
- removed 'Font Fingerprint Defender' add-on - i got word that the extensions may be problematic
- added more info about circumventing website logon problems due to Site Bleacher add-on
- minor edits
- removed ETag Stoppa since ClearURLs covers eTag storage filtering
- added settings details for ClearURLs
- updated the URL for the uBlock Origin Suggested Settings Guide
- added the video, Prof Shoshana Zuboff on surveillance capitalism
- replaced Decentraleyes with LocalCDN
- removed the 'Don't touch my tabs!' add-on (obsolete since Firefox v79)