Have you ever wondered how Mozilla gets paid by the privacy-hating mega-monopolies like Google? Simple; when you use the default search engine plugins that are packaged with the browser, parameters similar to these are added to your search query:
These parameters inform the search engine that you're using a Firefox/Mozilla product and that's all it takes for Mozilla to rake in the dough. If you do not wish to support highly unethical companies like Google, and/or value your privacy, read on...
Types of search engines
The two primary types of search engines are meta search engines and search indexes and it is important to understand the difference. Google, Yahoo and Bing for example, use software robots called "crawlers" to discover and index web content. In other words these companies actively seek out updated and fresh content to store in their databases so it's ready for you to find. On the other hand, meta search engines do not index the web and instead rely upon third parties like the aforementioned to provide their search results. When you use these so-called "alternative" search engines, such as DuckDuckGo, Startpage, Searx, etc., you are still subject to the filter bubbles and censorship that are employed by the corporate giants like Google. That said, the privacy-respecting meta search engines still make a great deal of sense since they offer a method to access the data-harvesting corporate giants without the privacy violations that accessing them directly would incur. Understand though that they are not true alternatives as they are often described, but rather proxies. These alternative search engines are also subject to local laws, such as secret surveillance requests issued by a government.
Indexing the web and storing the massive amount of data that results is an incredibly expensive proposition which requires a massive amount of infrastructure and this is why the much smaller meta search companies like DuckDuckGo, Startpage, Qwant and others rely heavily upon corporations like Alphabet's Google and Microsoft's Bing. There are better alternatives that both respect your privacy and are censorship resistant however. Ever hear of a peer-to-peer distributed search engine? Imagine a free, open-source, decentralized search engine where the web index is created and distributed by ordinary people using personal computers, each storing a piece of the whole. This is what the developers behind YaCy have done with their search engine and i think it's a great way to escape the filter bubbles created by big tech.
Possibly the easiest way to mitigate risks to your anonymity posed by the default Firefox search engines is to simply disable all of them and use alternatives such as the open source and highly customizable Searx meta search engine which you can host on your own server if you like, or you can use any one of a number of Searx instances hosted by others. Like DuckDuckGo, Startpage and others, Searx does not use robots to crawl the web and index content like Google, however the big difference between Searx and most of the other meta search engines is that it is capable of pulling results from many other indexes including Google, Yahoo, Bing, Wikipedia, DuckDuckGo, Startpage, Qwant and more, as well as decentralized peer-to-peer indexes such as YaCy. The Searx interface also offers a lot of configuration options for fine-tuning your search results, including the ability to select exactly what combinations of search engines you want to use for a particular type of search, of which there are currently 10.
One easy way to add Searx to Firefox is to locate a hosted instance which you like and which is preferably close to you geographically. After loading the search page, open the search bar menu or the address bar 3-dot menu and click the "Add" menu item. A potential pitfall with the third party Searx instances is that the server may be logging traffic, such as IP addresses, location, etc., so you'll have to decide whether you can trust them.
Most other search engines can be added to Firefox in the same way, but there are additional methods also. The Mycroft Project hosts tens of thousands of preconfigured search engine plugins for a variety of web browsers, the top 100 of which are listed here. They also have a form for writing your own search plugins. Although it is not possible to review the code from the main listing of search plugins, you can use their submission form to do so by mousing over the plugin name to reveal its numeric ID, then filling in that ID in their submission form page. Because Mozilla changed the way search engine plugins are added to Firefox, you'll need the Add Search Engine from Mycroft Project add-on to install the search plugins from Mycroft.
Another easy way to add a custom search engine to Firefox is with the Search Engines Helper add-on by Soufiane Sakhi which allows more control over the above methods, including the ability to define the website icon path or base64 code (a binary-to-text encoding scheme that encodes the site icon in text form). The advantage of using a base64 encoded version of the site icon is that the browser won't have to fetch the icon from the server. A great on-line resource for converting an icon to base64 code is the Base64 Encoder utility which can accept the icon URL or an uploaded file.
You can also use the mozlz4-edit Firefox add-on by 'serj_kzv' to add and edit the Firefox search engines. This slick extension allows you to edit the search plugin file directly from within Firefox, though a browser restart is necessary before the changes are realized. It is in this file that Firefox stores the code for all of the search engine plugins. If you use this tool, be careful not to touch the default search engines that are packaged with Firefox, else all your changes will be lost. Instead you can create copies of the default engines and sanitize the copies. Read on...
Manually editing search.json.mozlz4
If you would rather avoid the hassle of manually editing the default Firefox search engine plugins, see the Pre-sanitized search plugins section below.
If you have already added custom search engines to Firefox, then the first thing to do before you start hacking is to create a copy of
and work with the copy, reason being that if you mess up, Firefox will delete all of your search plugins and restore only the default ones. If you don't want to see or use the default ones, disable them in the search preferences of Firefox rather than removing them from the plugin file.
To edit the
file you first need to decompress it. There are at least a few utilities available that will handle this, but i would suggest using the mozlz4-edit Firefox add-on by 'serj_kzv' since it is very easy to use and it provides a basic code editor with syntax highlighting. If you use this tool to modify the default search engine plugins that are packaged with Firefox, you must make copies of them and edit the copies, else Firefox will rebuild the entire file and all your changes will be lost. Also be sure to give the new entries a different name since no two plugins can share the same name.
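The decompression step can also be done outside the browser to audit which parameters each engine appends to a query. The following is an added example, not code from this guide or from Firefox: it reads the mozlz4 container (an 8-byte `mozLz40` magic, a 4-byte little-endian size, then a raw LZ4 block) and lists every URL parameter that does not carry the search term. The JSON layout (`engines`, `_name`, `_urls`, `template`, `params`) is an assumption to check against your own decompressed file, and the engine names, host and `client` value in the sample are constructed.

```python
import json
import struct
from urllib.parse import parse_qsl, urlsplit

MAGIC = b"mozLz40\0"  # 8-byte magic, followed by a 4-byte little-endian size


def _length(src, i, base):
    """Extend a 4-bit length field: 15 means 'add following bytes until one < 255'."""
    if base == 15:
        while True:
            b = src[i]
            i += 1
            base += b
            if b != 255:
                break
    return base, i


def lz4_block_decompress(src, expected_size):
    """Decode one raw LZ4 block (no frame header), as stored after the header."""
    out = bytearray()
    i = 0
    try:
        while i < len(src):
            token = src[i]
            lit_len, i = _length(src, i + 1, token >> 4)
            if i + lit_len > len(src):
                raise ValueError("truncated literal run")
            out += src[i:i + lit_len]
            i += lit_len
            if i >= len(src):
                break  # the final sequence carries literals only
            offset = src[i] | (src[i + 1] << 8)
            match_len, i = _length(src, i + 2, token & 0x0F)
            if offset == 0 or offset > len(out):
                raise ValueError("match offset points outside the output")
            start = len(out) - offset
            # Copy byte by byte: a match may overlap the bytes being written.
            for k in range(match_len + 4):  # 4 is the minimum match length
                out.append(out[start + k])
    except IndexError:
        raise ValueError("truncated LZ4 block") from None
    if len(out) != expected_size:
        raise ValueError("decompressed size does not match the header")
    return bytes(out)


def read_mozlz4(blob):
    """Return the JSON document stored in a mozlz4 file's bytes."""
    if blob[:8] != MAGIC:
        raise ValueError("missing mozLz40 magic")
    (size,) = struct.unpack_from("<I", blob, 8)
    return json.loads(lz4_block_decompress(blob[12:], size))


def extra_params(data):
    """Map engine name -> URL parameters that do not carry the search term."""
    report = {}
    for engine in data.get("engines", []):  # assumed layout, see lead-in
        extras = []
        for url in engine.get("_urls", []):
            pairs = parse_qsl(urlsplit(url.get("template", "")).query,
                              keep_blank_values=True)
            pairs += [(p.get("name", ""), str(p.get("value", "")))
                      for p in url.get("params", [])]
            extras += [f"{n}={v}" for n, v in pairs if "{searchTerms}" not in v]
        if extras:
            report[engine.get("_name", "?")] = extras
    return report


def pack_stored(raw):
    """Sample-data helper: wrap bytes as a single literal-only LZ4 sequence."""
    rest = len(raw) - 15
    head = bytes([len(raw) << 4]) if rest < 0 else (
        b"\xf0" + b"\xff" * (rest // 255) + bytes([rest % 255]))
    return MAGIC + struct.pack("<I", len(raw)) + head + raw


# Constructed sample: engine names, host and the "client" value are made up.
SAMPLE = pack_stored(json.dumps({"engines": [
    {"_name": "Example Search", "_urls": [{
        "template": "https://search.example/find",
        "params": [{"name": "q", "value": "{searchTerms}"},
                   {"name": "client", "value": "constructed-partner-tag"}]}]},
    {"_name": "Example Search (sanitized)", "_urls": [{
        "template": "https://search.example/find?q={searchTerms}",
        "params": []}]},
]}).encode())

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, extras in extra_params(read_mozlz4(blob)).items():
        print(f"{name}: {', '.join(extras)}")
```

Run it against a copy of the file, never the one in the live profile; an engine that prints nothing has only the search term in its URL.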
Download pre-sanitized search plugins
If you do not want to sanitize the default search engine plugins yourself you can download my pre-sanitized copy which contains a
file that should work for Firefox version 57 and up ("up" meaning until the next time Mozilla decides to break everything again). The download contains the default engines which come with U.S. English version of Firefox 62, plus the sanitized versions of them, plus all of the engines i personally use. All in all there's over 40 search engine plugins which you can edit or disable as you see fit. Many are already disabled since i only use them occasionally, so be sure to adjust as necessary in your Firefox Search preferences.
Sanitizing the default Firefox search engine plugins is a good start, but there is much more to do if you're interested in circumventing the risks to your privacy. For further information see the Tech section of this website.
corrected an error in the pre-sanitized Wikipedia search plugin and re-uploaded sanitized_search_plugs.zip
added information as suggested by 'Pants' in his comment below, particularly details and resources regarding the
system add-on in a new section titled "Removing the 'Follow On Search' system add-on"
added Hulbee and MetaGer to the search engine list
added a "Decentralized" column to the search engine table
added resource: 5 Best Search Engines That Respect Your Privacy - BestVPN.com
misc. cleanup and edits
corrected typo in metager URL
added "Requires JS / Cookies" column in search engine table
changed links for search engines in table to point to company/about page and added links to point to search page
added link to the 'lite' version of DDG
added a link to the uBO filters to block Startpage/Ixquick tracking images
misc. minor edits
added "Client Required" column to search engine table
corrected some info regarding the search engines in the table
minor misc. edits
added a link to the Duck Duck Go: Illusion of Privacy article
added findx to the search engine list
added Qwant to the search engine table
misc. edits and added info, nothing really important
very minor edits
moved the list of alternative search engines to its own page
minor change to the section 'Sanitizing the default search engine plugins' thanks to commenter 'nohamelin' - more changes coming shortly thanks to this person's comments
updated search plugin import/export instructions as per the very helpful comment left by 'nohamelin', the developer of the XML Search Engines Exporter/Importer add-on in which he made available Scratchpad scripts that work with FF v57+
corrected an error in the pre-sanitized search engine archive, added Startpage and re-uploaded a new archive
misc. minor edits
major changes, additions and deletions
fixed corrupted download files
added info about Add custom search engine add-on
added better instructions for installing the search plugin file,
rewrote the section on manually sanitizing search plugins
various minor edits
updated the search.json.mozlz4 file
updated the search.json.mozlz4 file
referred to my Firefox configuration guide for info on removing system add-ons
many changes - much was rewritten and some parts were removed
i removed the bulk of the instructions for editing the search.json.mozlz4 since it was obsolete - thanks to 'Damien' for contacting me about an issue with this article which reminded me that changes were needed
The following video will provide an overview of one aspect of what it is we're up against and why i wrote the Firefox configuration guides. I encourage everyone to view it, especially if you're one of the many people who aren't worried about surveillance because you 'have nothing to hide'.
This guide is long, boring, dry, tedious and somewhat technical, so if you don't feel comfortable digesting it, try The Firefox Privacy Guide For Dummies! instead, however be aware that it doesn't offer the same degree of protection.
To understand my personal position regarding the ethical nature of the Mozilla Foundation, read The Mozilla Monster.
WARNING: This guide is not for use with the Tor browser. Configuring the Tor browser as outlined in this guide may/will result in potentially serious risks to your privacy.
Though this guide is centered around the Firefox web browser, users of other browsers, email clients and Mozilla products may find it useful. If you are interested in hardening the Thunderbird email client, see The Thunderbird Privacy Guide for Dummies!.
Many of us are aware of the immense threats to our on-line privacy and security posed by various technology companies, governments and malicious hackers, any of which may go to great lengths to monitor our electronic communications. Governments and their "intelligence" apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of various companies to do so, including Microsoft, Google, Facebook, Verizon, Comcast, Amdocs and many, many others. While the data corporations collect may be used for relatively benign purposes such as targeted advertising, the intentions are often far more sinister. Governments present a whole new level of threat. Much of what Edward Snowden has brought to light is not new, but it seems Snowden has presented the information in a way that has captured the attention of a broader range of the public, prompting many to seek ways to mitigate such threats.
While the primary goal of this guide is to help the reader thwart some of the more obvious efforts to track and profile us as we surf the web, as well as increase browser security and performance, understand that i am not an expert in computer security or privacy and there are surely many more variables and vectors for attack than i am aware of. While there are many known methods that can be used to compromise our digital well being, how many more are there of which we know nothing? Or what about techniques that most of us never consider? For example, even if you are a knowledgeable, technically proficient and privacy conscious individual who uses open hardware devices running secure, open source software and on a security enhanced operating system, and even if you connect to the internet only through Tor, you may still be at risk of being tracked because, disregarding everything else, your unique writing style can be used to identify you. It is not this level of sophistication that i will attempt to address here however. My goal is to share what i have learned over the years as a casual web surfer and computer user who has a hobbyist-grade interest in computer security and digital privacy. Having said that, i believe -- and please correct me if i'm wrong -- this guide is currently one of the more comprehensive of its kind in that it addresses many aspects of the Firefox web browser including configuration, extensions and optimizations. If you want to go further than this guide can carry you, see the resources section at the end which includes the fine article, Improve Your Privacy in the Age of Mass Surveillance. I would also highly recommend using a VPN to help prevent spying by your ISP and other bad actors. That One Privacy Site is a good resource for choosing a VPN, as is TorrentFreak which publishes annual reports regarding many of the popular VPN service providers. Their 2018 report is here.
As with any modern and mainstream web browser, Mozilla Firefox is a highly complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, hidden, or undocumented. In at least some cases we have reached the point where our web browsers exceed the complexity and size of entire computer operating systems and things can go down the toilet really fast if one starts messing around with their settings willy-nilly. Poorly coded browser extensions are an additional weak point that can compound the problem. Here we will attempt to accomplish our goals in an efficient manner with a minimal number of carefully chosen browser extensions.
A trade-off must be expected when we tighten security and privacy insomuch as some websites will cease to function as we expect until the settings for those specific sites are adjusted. Anyone who has used a content filter such as uBlock, NoScript or Request Policy will understand that certain resources must be allowed for a given website to function in an acceptable way. Similar to NoScript however, the process of allowing required resources for a particular website usually consists of a few mouse clicks followed by a page refresh and once we have made these adjustments our workload will be greatly reduced. Nevertheless, be prepared to put a little more effort into your web surfing activities at the start and expect the occasional hard-case where more fiddling than usual will be required to get a particular site to work. The pay-off will be a much cleaner and faster web that is less able to track, profile and fingerprint you, as well as a Firefox that is more resistant to attack.
A note regarding user comments
When reading the user comments on this page, keep in mind that this guide has been around since 2015 and, given the very dynamic nature of the web and web browsers, some of the information in the comments, including information provided by myself, may no longer be applicable and, in some cases, entirely wrong. Nevertheless i decided to retain all comments because... nostalgia. If you have any questions, ask. I usually provide answers within a few hours or so.
Add-on/extension: I use these terms interchangeably. A web browser add-on or extension is a piece of software, typically developed by a 3rd party, that extends the capability of the browser. Web extensions, which leverage the WebExtension API (Application Programming Interface), have replaced the older legacy (XUL/XPCOM) extensions beginning with Firefox version 57. The newer API is essentially the same as used by Google Chrome and some other web browsers. The WebExtension API is severely limited compared to the older API and while this is a plus with regard to browser security and stability, it also strictly limits what extensions are able to do.
AMO: Addons.Mozilla.Org - the Mozilla Add-ons website.
Crapware/malware: I consider crapware/malware to be software that contains code which is not relevant to the functionality users expect. As such, the term crapware, or malware, refers largely to adware, tracking code and any other malicious code with regard to web browser extensions. Crapware is often added to browser extensions by a company or solo developer who wishes to monetize their work and often takes the form of profiling users and selling the data collected by the extension to a marketing company, however much worse is possible.
CDN: A Content Delivery Network is a service that hosts reusable content, such as graphics and libraries which developers can leverage to make building web platforms easier. CDNs often present a threat to our privacy by tracking our web activities. They are a formidable threat because a single CDN service may be used by many millions of websites and therefore its tracking capabilities can be used to track browsers across domains. The use of CDNs is so prolific today that many websites will not function without them and so blocking them is hardly an option.
CSS: Cascading Style Sheets are used primarily to apply visual styling to HTML elements, thus making web pages look pretty, however the capability of CSS has been expanded well beyond its original specifications to the point where it can now be used for nefarious purposes.
Domain/subdomain/TLD: In the example 'sub.example.com', 'example' is the root domain, 'sub' is a subdomain of the root domain and 'com' is the TLD, or Top Level Domain. You can think of root domains and subdomains as sort of different containers which are used to separate content for a single website. For example, let's assume kitties.com is focused primarily on information about kittens, but they also might have a web store where they sell paper bags. In order to keep the store content separate, they may host the store on the subdomain 'shop.kitties.com'.
HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are communication protocols used by computers to transmit data over the internet. For HTTP an insecure, unencrypted connection is established between your web browser and the website you're visiting. This is dangerous because such a connection is vulnerable to ISP (Internet Service Provider) snooping and man-in-the-middle attacks. An HTTPS connection on the other hand offers a more secure connection because the data you send and receive is encrypted. Some web servers simply do not support HTTPS however and for this reason, as well as others, i would strongly suggest using a VPN.
Tracking: Once a unique identity for the browser has been established through fingerprinting, it is then possible to track your web browsing activities both within the same domain and across domains. See also the explanation for 'web storage'.
Web fonts/remote fonts: These are font packages typically hosted by a 3rd party, such as Google, which a web developer may use to specify how text is displayed on a website. Web fonts present a few problems regarding browser tracking and, potentially, security.
Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites.
You will need a decent code editor with syntax highlighting to edit Firefox's configuration files. Linux users should have something suitable installed by default, however if you're running Windows i might suggest Notepad++ or PSPad, the latter being the simpler of the two.
Unhide file extensions
If Windows is using you, the geniuses at Microsoft have taken it upon themselves to hide file extensions from the user. You will need to un-do that.
Though i recommend using the stable release version of Firefox, there are other versions such as the ESR (Extended Support Release), however it is usually an older version. There is also a Developer Edition which includes the very latest features (and bugs). While there are many 3rd party forks of Firefox, including Waterfox, Cyberfox, Pale Moon (or Basilisk from the same developer), etc., i do not recommend using any of them. The small development teams for these 3rd party builds often lag far behind regarding security patches and they can be buggy and incompatible with the latest add-ons (Pale Moon doesn't support the newer Web Extensions at all). While some forks may be more privacy-centric out of the box, we can accomplish essentially the same degree of privacy or better with the official Mozilla release version.
The user.js file
The user.js file is typically where your personal Firefox preferences are best kept, however in our case we will be using a preconfigured one and then storing our personal preferences in a user-overrides.js file which will be appended to user.js using a script.
After installing Firefox, and before you make any changes, back-up your current profile. If you don't know where it is, enter
in the address bar and click the 'Open Directory' button in the 'Root Directory' row. The easiest way to backup your profile is to select your profile folder under the
directory and press Ctrl+C to copy the folder, then Ctrl+V to paste it in the same place but with a different name. I might suggest keeping the original name and just appending
to the copy. From this point on, all changes should be made to your original profile, leaving your backup profile untouched in case something explodes. Next, delete everything from your original profile, keeping only your bookmarks and whatever else you need. See the article Profiles - Where Firefox stores your bookmarks, passwords and other user data if you need help with what data is stored in which file/folder.
Packaged with Firefox are a bunch of system add-ons which are installed without your consent and they are essentially hidden (they are not listed in about:addons). Some of these add-ons have been and may currently be used for controversial purposes such as collecting data about how users interact with search engines, the browser, etc. Typically i remove all of them, however you may want to keep some of them after researching what they do and whether they preserve your privacy. On Linux these add-ons may be found at
and for Windows in \Program Files (x86)\Firefox\browser\features. You can delete them in Linux using the terminal:
sudo rm *.xpi
These system add-ons will be reinstalled each time Firefox is upgraded. On Windows you can apparently use CCleaner to disable them. If you're running Linux with the pacman package manager (Arch, Manjaro), you can prevent their re-installation by editing the pacman configuration file, pacman.conf. Note that this will not work using Pamac, the GUI package manager, until this bug is addressed. In my case i find it easier to just bookmark the
folder in my file manager and run the command above each time i update Firefox.
Following are the add-ons required for this guide and their recommended settings. All of the add-ons listed here are of the WebExtension variety, meaning most should work with Firefox versions 57 to 59 and all should work with versions 60 and up. Download and configure each add-on as you go through the list. Each of these add-ons is important so don't skip any of them with the possible exception of uMatrix.
Description: Strips many tracking and other (mostly) unnecessary parameters from hyperlinks, such as the
tracking parameters used by Google Analytics. Unlike other similar extensions, ClearURLs uses a remotely updated list from GitLab and requires little or no interaction.
Settings: Following are the most important settings. Others are optional.
Allow domain blocking: if you are not using any of the major ad filtering lists in uBlock, then enable this
Skip URLs on local hosts
Prevent tracking injection over history API
Filters ETag headers from requests
'Block hyperlink auditing' can be left disabled as long as
is enabled in your user.js or user-overrides.js.
Note: While this add-on is optional when using the 'arkenfox' user.js, i highly recommend using it since it provides more granular control over web storage and results in less website breakage while still protecting privacy.
There are basically two policies for handling web storage; 'default deny' and 'default allow'. Personally i much prefer and suggest using the 'default allow' method along with CAD. Note that
must be set to 'false' if you want to save web storage across sessions (it's set to 'true' in the 'arkenfox' user.js). You can either use my user-overrides.js in which this preference already exists, or create your own and add this preference to it in order to override the user.js setting.
If you do not use CAD and do not want websites to store data locally ('default deny' policy), you can alter the settings in
[SECTION 2700]: PERSISTENT STORAGE
of the 'arkenfox' user.js by copying the ones you want to change to your user-overrides.js and changing the values there. Again, i advise using CAD, but the choice is yours.
If you then want to save storage data for a website while using the 'default deny' policy, such as your log-on credentials or search engine settings, you will need to edit the permissions for each website for which you want to keep this data. There are two easy ways to access site permissions; you can right click within the page to open a context menu, then click the 'View Page Info' menu item, or you can click the padlock icon in the address bar, then the right-facing arrow, then 'More information'. Either way, click the 'Permissions' icon in the window that opens and scroll down until you see the 'Set Cookies' item. Finally, deselect 'Use Default' and select the 'Allow' option to keep your settings for the website after Firefox is restarted. Note that, unlike CAD, you won't have an option as to exactly what kind of storage you want to keep (you cannot differentiate between cookies and localStorage for instance).
Description: Upon domain leave (tab closure) CAD can automatically remove web storage per-host including cookies, cache, workers, indexedDB storage and plugin storage.
Enable all options on the 'Automatic Cleaning Options' section of the 'CAD Options' tab
Enable all options on the 'Other Browsing Data Cleanup Options' section of the 'CAD Options' tab
Note: This add-on is optional. Firefox with the 'arkenfox' user.js largely negates the need for LocalCDN. This add-on will speed-up page loading, so you may want to use it anyway, however it can break websites on rare occasions in which case the HTML filter option will need to be enabled, or LocalCDN can be disabled for the site.
Settings: Following are the most important settings. Others are optional.
Display injection counts on icon
Disable link prefetching
Strip metadata from allowed requests
Enabling the option to 'Block requests for missing resources' will further decrease threats to privacy, however this will break more websites and so the choice is yours.
Settings: I would recommend setting the 'Global mode' to 'aggressive' and enabling the 'Exclude root domain matches' option. If you are not using uMatrix, enable the 'Spoof cross-origin Referer' option. You can also add the following to the 'Exclusions' area:
Description: Skips link redirections such as used by Google, AMO and many other companies and websites, thus helping to prevent tracking. Redirects are intermediate links, such as 'click-track.com/abc123' or short links, that forward the browser to the final destination.
Settings: The default settings are sufficient. You will likely have to whitelist sites that no longer work properly which Skip Redirect makes easy to do since you can copy the last skipped URL by right-clicking its toolbar icon and then adding that URL or domain to the blacklist.
Description: uBlock Origin is an excellent ad/content blocker that can use the same filter lists as Adblock Plus as well as many more. Make sure you use the original uBlock Origin by Raymond Hill and no other. If you choose not to use uMatrix, it is important that you enable advanced mode in uBO and learn how to use its dynamic filtering capabilities.
Settings: If you decide to use both uBlock Origin and uMatrix as suggested, the former will be used primarily for its static filtering capability (the filter lists for ads, tracking, malware, etc.) while the latter will be used primarily for its dynamic filtering capability (JS, cookies, frames, etc). To set up uBO, see the uBlock Origin Suggested Settings Guide and use the settings in the 'Advanced guide settings' column.
Description: By the same developer as uBlock Origin, uMatrix is also a powerful content blocker that provides more granular control over web requests than uBlock does. Using uMatrix is somewhat optional, however if you choose not to use it then it is important that you enable advanced mode in uBlock Origin and learn how to use its dynamic filtering capabilities.
Once uMatrix is installed, click the toolbar button and then the title bar of the pop-up to open the Dashboard.
Following are the settings i recommend enabling.
Show the number of blocked resources on the icon
Hide placeholder of blacklisted elements
Spoof <noscript> tags when 1st-party scripts are blocked
I would not suggest enabling the option to 'Hide placeholder of blocked elements' since being able to see a blank area in a web page will provide a visual indication that something was blocked.
A note regarding the option 'Spoof <noscript> tags when 1st-party scripts are blocked'
If you enable this option and have trouble with a site (you receive a notice that JS is disabled which you want to avoid, or you are forwarded to another page/domain that tells you to enable JS, etc.), you can always add an exception to the 'My rules' tab in the settings. For example, to disable this option for activistpost.com which (stupidly) refuses to display any content when this option is enabled, add the following:
It is unnecessary to enable the 'Block all hyperlink auditing attempts' setting as this is covered by the 'arkenfox' user.js.
If you enable (set to 'true') the
Firefox preference then it is unnecessary to enable the 'Strict HTTPS: forbid mixed content'. As with all custom preferences not covered by the 'arkenfox' user.js, or those you wish to modify, this preference should be added to your user-overrides.js.
Settings, My Rules:
Optionally, on the 'My rules' tab, you can add the following to the 'Temporary rules' pane, then save and commit your change:
no-workers: * true
As long as you're using uBlock Origin to control static filtering (the filter lists) you should disable everything in the 'Hosts files' section of the 'Assets' tab, purge the caches and save your changes. It is better to use uBlock Origin to control static filtering (ads and such) since it offers many more options by default, plus the hosts filters are more likely to break website functionality.
Also on the 'Assets' tab, you can enable the 'Ruleset recipes for English websites' option. On the uM toolbar pop-up you will notice a puzzle piece icon which you can use to quickly import a rule-set for resources used by the page you're visiting if it uses a 3rd party resource and if someone has created a rule-set for that resource. For example, if you visit a page with an embedded YouTube video, you can import the rule-set for YouTube instead of configuring the filters manually. You might want to switch to the global scope before doing this so that embedded YouTube videos will play on all websites.
Settings, My Rules
If you're using the LocalCDN add-on you need to add some rules to the 'My Rules' tab in the uMatrix Dashboard. You will find the rules in the preferences area of LocalCDN. There are different rules for uBlock and uMatrix, so be sure to copy the correct ones and paste them on a new, blank line in the 'My Rules' tab of uM. When adding the rules, be sure to remove any conflicting rules for the same domains if you have any (you won't if you're starting fresh). If you are allowing CSS globally (for all hosts) in uM, there are several CSS specific rules from LocalCDN that you can optionally delete from the uM 'My Rules' tab. To display them, filter the list using
, then delete all the rules except the
* * css allow
rule which will likely be the first rule. Don't forget to save and commit the changes.
If you're using uBlock Origin in addition to uMatrix, you need not add the rules for uBlock as long as advanced mode/dynamic filtering is not enabled.
The tl;dr version is: Do NOT enable automatic add-on updates. The longer version follows...
Regarding automatic add-on updates, which is enabled by default in Firefox, this function is disabled in the 'arkenfox' user.js file and i would strongly suggest keeping it disabled. Automatic checking for updates is fine and this is enabled in the 'arkenfox' user.js, but we do not want Firefox to update add-ons without our explicit consent. The problem here is that developers may, at any time, and without notice, monetize their add-on or sell their work to an unethical 3rd party and this often results in compromising your privacy. Examples of some currently or formerly popular add-ons which contain(ed) such crapware are Abduction, a screen capture utility; Quick Locale Switcher, a language switcher; FasterFox Lite, a largely useless utility which claims to speed-up Firefox but doesn't; BlockSite, a content blocker; Stylish, a very popular utility for changing the appearance of websites, and many, many others. Not all of these extensions contained crapware when they were first introduced which is why i strongly suggest keeping automatic add-on updates disabled and carefully reviewing the change logs, permissions and privacy policies each time an add-on update is available. For more about Firefox add-ons, see Firefox Extensions – My Picks.
This guide depends heavily on the 'arkenfox' user.js configuration file which alters hundreds of important Firefox preferences related to privacy and security, thus you need not worry about manually configuring anything from the Preferences menu of Firefox other than a search setting which we'll get to. If you choose to not use the 'arkenfox' user.js, then your job is likely to be considerably more difficult assuming your goals are similar. Still, you may find it helpful to refer to the 'arkenfox' user.js should you choose to start from scratch.
Search bar on navigation bar
I would suggest adding the search bar to the navigation bar and using it instead of the address bar for searching the web. Not only might you find it more convenient, but there are potential privacy concerns when searching from the address bar. To accomplish this, open the Firefox Preferences page, click the Search item on the left, then enable the option 'Add search bar in toolbar'.
Firefox profile in RAM
With the wide adoption of speedy Solid State Drives (SSDs), the concept of sticking the Firefox profile in RAM for performance reasons may seem obsolete, however there are still benefits in doing so. If you don't want to disable disk caching, web storage and cookies globally, and thus break a lot of websites in the process, there will be substantial read and write activity for your storage media. Placing your Firefox profile in RAM will alleviate much of this, however doing so can be risky should a catastrophic failure occur, such as a power failure which could result in data loss or corruption. Fortunately there are ways to minimize this risk. If you use Windows you're on your own since i don't, suffice to say that there exists Windows compatible software that can manage RAM disks and back up your profile to your storage media. 'Bushdoctor' provides a method in a comment left on this article. Those using most any flavor of Linux have access to a very spiffy utility called Profile-sync-daemon (PSD) which is designed specifically for this task and it works with quite a few browsers. Check your package manager to see if it's available in your repository. To get PSD working, run
in a terminal or consult the guide on the Arch wiki. Setting it up was very easy in my case and it has worked flawlessly and transparently ever since.
Note that Firefox stores its web cache in a location other than the profile directory. On Linux it's kept at
. Normally you would have to deal with web cache separately if you wanted to store it in RAM also, however since disk caching is completely disabled in the 'arkenfox' user.js (cache is stored in memory) and the cache is dumped when you exit Firefox, you need not worry about it. If you're thinking it would be more efficient to keep the browser cache instead of having to re-download objects for the websites you visit frequently, you're right, however doing so can compromise your privacy. We won't exactly be dumping all of the browser cache either since we're using the LocalCDN add-on.
Keep the following hierarchy in mind as you read this section. When Firefox starts:
prefs.js is read by Firefox
user.js is read by Firefox - all preferences in the user.js file are copied to the prefs.js file and any preferences that are duplicated in both files are overridden by those in user.js - prefs.js is then used to generate what you see in about:config
user-overrides.js is never read by Firefox but these preferences are appended to the 'arkenfox' user.js with a script (preferred) or by manual copying - if using the 'arkenfox' user.js this is the only file you should edit and it is where all your custom preferences should be placed - this may defy conventional knowledge, so let me be clear:
If you are going to use the 'arkenfox' user.js file then you should never edit it, (nor the prefs.js file that Firefox creates) nor should you change important settings from about:config unless you're only testing something. All of your custom preferences should be placed in your user-overrides.js file and then appended to the 'arkenfox' user.js using their updater script.
One reason for this is that the 'arkenfox' user.js file is quite large and is updated fairly frequently, so if you edit it and then update it, all your custom changes will be lost, whereas if you copy the preferences you want to alter from the 'arkenfox' user.js to your user-overrides.js and change the values there, then updating the 'arkenfox' user.js will be a lot less painful. On the other hand, should you choose to not use the 'arkenfox' user.js, then you should add your changes to your own user.js instead of using my user-overrides.js and you can ignore everything stated here about the user-overrides.js. Either way, never edit the prefs.js file directly or by way of about:config unless you're just testing something.
If you do not have a general understanding of the user.js file, you may want to read this on the 'arkenfox' wiki. You should also poke around elsewhere in the wiki for detailed information on using and maintaining their user.js file.
Obtaining and maintaining the user preferences files
In your profile folder, delete or rename your existing user.js file if you have one. You can transfer any needed settings later if they are not already covered in the 'arkenfox' one. Next, i might suggest downloading my user-overrides.js file. Go to the 12bytes.org/Firefox-user.js-supplement at my Codeberg.org repository and download the user-overrides.js file to your Firefox profile directory. The easiest way to get the file without messing up the formatting is to view the raw file, then press Ctrl+S to save it. Next, open the file for editing using your code editor and follow the instructions within.
Next we want the 'arkenfox' user.js file from the arkenfox/user.js GitHub repository but you need not download it directly. Instead, grab their updater.sh (Linux) or updater.bat (Windows) script by clicking the file name, then clicking the 'Raw' button in the new page and pressing Ctrl+S to save the file to your Firefox profile directory. Use the same method to get a copy of their prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) and place it in your Firefox profile directory. The prefsCleaner script will reset any deprecated, removed, or inactive preferences and it's important that you do this. If you're running Linux, don't forget to make the files executable. Next, run the updater script to fetch the 'arkenfox' user.js and append the contents of your user-overrides.js to it. In Linux run
in a terminal and follow the prompts. If you have given the file the executable flag and still get an error, try grabbing a new copy being careful to use the method i described earlier.
At this point it is important to go through the entire 'arkenfox' user.js file and read all of the comments and review each of the settings to be sure everything is configured the way you want. As stated above, any preferences you want to change in the user.js file should be copied to your user-overrides.js file in the appropriate section where you will then change their values. Note that if you ever add and then comment out or delete a custom preference in your user-overrides.js which is not contained in the 'arkenfox' user.js, and you have run Firefox after doing so, that setting will remain in the prefs.js file. The safest way to remove such preferences is to open about:config in Firefox and reset them (right-click the preference, click 'Reset').
Over time it is possible that your user-overrides.js file will contain preferences that are obsolete. The 'arkenfox' user.js file contains a list of some of these preferences in the section titled
[SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
and these preferences should be removed from your user-overrides.js file. One very tedious way to do this is to go through the list line by line and see if they are duplicated in your user-overrides.js. An easier way is to use the
switch (documentation here) when you run the updater script which will output a 'diff' file containing the differences between the old user.js and the new one.
I suggest you run the updater script with the
switch (Linux only) every time you update the user.js file or make changes to the user-overrides.js file. This will create a "diff" file containing the differences between the old and current versions. You can read more about the updater script here and the cleaner script here.
Verifying the integrity of user.js
IT IS VITAL that you perform two integrity checks whenever the 'arkenfox' user.js file is updated or you have edited the user-overrides.js file if you're using it.
From the 'arkenfox' crew:
In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.
To perform this check, you might want to disable your network connection, then start Firefox and open the Browser Console from the Web Developer toolbox (Ctrl+Shift+J might work) and check for any preference errors.
The reason it is suggested to disable your network connection is because, in the event there is a problem with an important preference, a network connection may allow data to flow in or out which you wanted to avoid.
Now we will further check the integrity of the user.js file and, by extension, also the user-overrides.js file since the content of the latter was copied to the end of the former with the updater script.
You may have noticed a bunch of unusual looking
preferences in both files. These are used for troubleshooting syntax errors by quickly identifying a specific section in which the error lies. When you run Firefox for the first time after updating the user.js or making changes to your user-overrides.js, check the value of the troubleshooting preference by entering about:config in the address bar and searching for the
preference (it will likely be the first one listed without having to search). The value should match the very last
preference value in your user-overrides.js or, if you are not using a user-overrides.js, then it should be the last value in the 'arkenfox' user.js.
If you're using only the 'arkenfox' user.js, the value should be "SUCCESS: No no he's not dead, he's, he's restin'!"
If you're also using my user-overrides.js, the value should be "SUCCESS! USER SETTINGS LOADED"
If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section of the user.js or user-overrides.js the syntax error lies. While it cannot narrow down the problem to a specific preference or line number, at least you will know where to begin looking.
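The load order and the troubleshooting check described above can be rehearsed offline before Firefox is started. The following is an added example, not part of the 'arkenfox' project or of this guide's own files: it reads a user.js that already has the overrides appended, reports which preferences a later line replaces, flags lines that look like preferences but are malformed together with the section they fall in and their line number, and returns the value the troubleshooting preference should show. The marker name `_example.marker` and the sample file are constructed for the illustration.

```python
import re

# Strict shape of an active line: user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;'
)


def blank_block_comments(text):
    """Replace /* ... */ blocks with newlines so line numbers stay valid.

    Simplification: comment markers inside string values are not handled.
    """
    return re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  text, flags=re.S)


def audit_user_js(text, marker_pref):
    """Audit a user.js that already has user-overrides.js appended."""
    effective = {}    # pref name -> value; a later line replaces an earlier one
    overridden = []   # (name, earlier value, later value, line number)
    suspect = []      # (line number, marker section, text) for malformed lines
    section = None    # most recent marker value seen above the current line

    for line_no, line in enumerate(blank_block_comments(text).splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue                      # blank line or inactive preference
        match = PREF_RE.match(line)
        if match is None:
            if "user_pref" in stripped:   # meant as a preference, but malformed
                suspect.append((line_no, section, stripped))
            continue
        name, value = match["name"], match["value"]
        if name == marker_pref:
            section = value
        elif name in effective and effective[name] != value:
            overridden.append((name, effective[name], value, line_no))
        effective[name] = value

    return {
        "effective": effective,
        "overridden": overridden,
        "suspect": suspect,
        # Value about:config should show if every line was applied.
        "expected_marker": effective.get(marker_pref),
    }


# Constructed sample: a shortened base file followed by appended overrides.
# "_example.marker" is a hypothetical stand-in for the troubleshooting
# preference; the preference values are constructed as well.
SAMPLE = '''\
/* constructed base file, not the real 'arkenfox' user.js */
user_pref("_example.marker", "START");
user_pref("browser.cache.disk.enable", false);
user_pref("_example.marker", "0300 updates");
user_pref("extensions.update.autoUpdateDefault", false)
// user_pref("browser.startup.page", 3);
user_pref("browser.startup.page", 0);
user_pref("_example.marker", "SUCCESS: base file");
/* constructed overrides, appended by the updater script */
user_pref("browser.startup.page", 1);
user_pref("_example.marker", "SUCCESS! USER SETTINGS LOADED");
'''

if __name__ == "__main__":
    report = audit_user_js(SAMPLE, "_example.marker")
    print("about:config should show:", report["expected_marker"])
    for name, old, new, line_no in report["overridden"]:
        print(f"line {line_no}: {name} changes from {old} to {new}")
    for line_no, section, text in report["suspect"]:
        print(f"line {line_no} (after marker {section}): check syntax: {text}")
```

A line reported as suspect is one Firefox may skip, so compare it against the Browser Console warnings mentioned earlier rather than relying on the final marker value alone.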
Updating the user.js and user-overrides.js files
To update the 'arkenfox' user.js file, run the updater script with the
switch as explained earlier. To update my personal user-overrides.js file, just copy the contents of the new version to your user-overrides.js, then run the updater script with the
switch. Lastly, run the 'arkenfox' prefsCleaner script with Firefox closed.
The 'arkenfox' user.js is updated fairly frequently and so you'll need to check for updates regularly. There are two ways you can check for updates if you're running Linux and one if you're running Windows, however there's only one (easy) way to actually update the user.js and that's by using the 'arkenfox' updater script.
If you're using a Linux-based OS you can use my user.js-notify.sh script to be automatically notified via a desktop notification when:
the 'arkenfox' user.js is updated
my user-overrides.js is updated
this guide is updated
The idea here is to add the script to your startup programs so it runs each time you log-on to your desktop. Instructions for implementing the script are contained within the script. Open the file with a code/text editor to read the instructions and edit a few options.
To check for a new user.js if you're running Windows, or to actually update the file, exit Firefox and run the 'arkenfox' updater script. If you're running Windows, or if you're running Linux and don't wish to use my user.js-version-checker.sh script, you should run the updater script every week or so in order to check for a new version. You always want the user.js version that corresponds to the major version of Firefox, so if the updater script says
Available online: * version 80-alpha
and you're running Firefox version 79.0.1, you'll want to cancel the update because 80 doesn't equal 79.
Each time you run the updater script, be sure to follow it up by running the prefsCleaner script.
To understand how HTTP Strict Transport Security (HSTS) works and how it can be used to track browsing history, as well as the implications of disabling it, read How to prevent HSTS tracking in Firefox on the arkenfox website. Setting the preference
' may disable HSTS and Public Key Pinning, however there is a security risk in doing so. If you set the preference to '
' and experience the error "The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset.", reset the preference. Likewise if you set the preference to '
' and experience the error "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE", reset the preference.
DNS over HTTPS (DoH)
In the alleged interest of privacy, Firefox has added code which allows routing all DNS look-ups over HTTPS to a resolver of your choice. Typically DNS queries are routed through your ISP, so while they cannot view your traffic as long as it's encrypted (HTTPS), they can see what websites you visit and this is a serious privacy concern. There are several ways to mitigate this, one of them being to use a VPN that provides DNS services. Another is to enable DoH within Firefox, however this will only protect your browser and not any other programs on your system that connect to the internet. Moreover, there seems to be a lot of controversy regarding DoH, so before you enable this setting you might want to watch the video, Paul Vixie talks about DNS over HTTPS, and read this on Wikipedia, and also the article, Mozilla is becoming evil.
Part of the DoH system in Firefox can be controlled with the preference,
, however it is easier to simply use the Preferences UI to do so (Preferences > General > Network Settings > Connection Settings). The default DNS resolver is Cloudflare, but given what i have read about this company, i would highly suggest not using it. You might want to do some research and locate a privacy-centric DNS resolver to use for DoH should you decide to enable DoH.
If you decide to use my user-overrides.js preferences file, note that it disables DoH by setting
to '0' (i use a VPN that provides DNS). You will need to change that if you want to enable DoH.
Thanks to 'AHappyUser' for reminding me about the policies.json configuration file which can be used to control how Firefox behaves, particularly in enterprise environments. 'AHappyUser' linked to the Controlling Firefox section of the article, Mozilla is becoming evil - be careful with Firefox, which provides a few examples of what can be done with the policies.json file. Note that all of the examples given can be controlled via preferences in your user.js file so there is no need to create the policies.json file, however i mention it because some folks may find it useful. For more information regarding what can and cannot be done with policies.json, see the Mozilla repository on GitHub.
Cookie AutoDelete (CAD) usage
Cookie AutoDelete is very easy to use, requiring little interaction. Your only interaction with it is likely to be whitelisting or greylisting those websites for which you want to retain their storage (cookies, localStorage, indexedDB storage, etc.), such as a search engine that you want to remember your settings, or a website you want to log on to automatically. If you greylist a domain, its storage will be retained only for the current session (until the browser is restarted) whereas if you whitelist it, the storage will be retained across sessions.
CAD offers a choice of two host patterns when grey or white listing a domain from its toolbar pop-up. The upper choice is the root domain (example.com) while the lower one is the root domain prepended with an
which means it includes the root domain as well as all subdomains (example.com, www.example.com, store.example.com, etc.).
After white or grey listing a domain, you have the option as to what types of storage you want to keep. In many cases, but not all, keeping only 'cookies' is sufficient if you want to retain log on credentials or settings for a website.
!!! SET THE SCOPE, LOCK THE LOCK !!! Keep that in mind as you read this section.
You will likely be spending far more time with uMatrix (uM) than all the other add-ons combined and, being it is one of the most important ones in the pile, it is vital you understand how to use it, so read the wiki because i'm not going to go into great detail here.
When you first install uMatrix, it will allow all 1st party requests by default and we need to sledgehammer that, so load up 12bytes.org in a new tab and click the uM toolbar icon to display the main pop-up interface:
Because you have read the uMatrix wiki (you did, right?), you already know that YOU MUST REMEMBER TO SET THE SCOPE in which uM operates before making any changes. Failing to do this will threaten your privacy and/or security. You also know that any changes you make are temporary unless you save them. Since we first want to set some basic default filters that affect all websites, we need to change to the global scope:
Once we're operating in the global scope, i suggest setting up uMatrix to allow CSS, images and, if you're using Cookie AutoDelete, 1st party cookies, all globally. Optionally you may want to allow 1st party media and/or frames globally.
The configuration above will result in the following behavior:
1st party cookies will be allowed globally
CSS will be allowed globally, including 3rd party CSS
Images will be allowed globally, including 3rd party images
1st party frames will be allowed globally
Unless you only want your changes to be temporary, always remember to click the padlock icon to save them.
Note that in the screenshots that follow, the 1st party cookies block will not always be green as in the one above due to an oversight on my part when i created the screenshots.
Now load up this post in a new tab. Does it look like something's missing? Sure enough, if we open the uMatrix pop-up interface again, we see youtube-nocookie.com (or just youtube.com) in the resource list which should tell you that there must be a YouTube video in that post that is being blocked. It also tells you exactly what was blocked, in this case a single frame:
If uMatrix is hiding the subdomains and you don't see www.youtube-nocookie.com, click this little thing in the 'all' row and it will expand the list of domains:
In the screenshots above you can see we are operating in the local scope (12bytes.org). You will notice that i allowed all requests for the 1st party domain, 12bytes.org, because it's my site and i trust it. You need not do the same and, as a rule of thumb, you should not do the same, nor is it required to get the video to play, at least not on 12bytes.org.
So we want to get that YouTube video working, but do we want to allow embedded YouTube videos for 12bytes.org only, or for all websites? This is what you need to be thinking any time you create filter rules. Since you probably want to allow YouTube videos for all websites, we need to switch uMatrix to the global scope and unblock the blocked frame for either the youtube-nocookie.com domain or the www.youtube-nocookie.com domain. Which you choose depends on whether you want to allow the resource for the root domain, including any sub-domain, or only the sub-domain. In this instance i suggest keeping it simple and allowing the frame for the root domain and all subdomains as shown. Make sure you save the change.
Note that any time you allow frames you must reload the page, bypassing browser cache, rather than refresh the page. To reload the page, either hold the Shift key while clicking the reload/refresh icon on the uM toolbar, or use the native Firefox hotkey combo, Ctrl+F5, if the uM pop-up UI is not visible (F5 alone will only refresh the page).
Now when we refresh that page, we might expect to see that YouTube video, but we don't. Opening the uM pop-up again and switching to the global scope, we discover that allowing the frame for youtube-nocookie.com caused more stuff to show up, this time a script for www.youtube-nocookie.com as well as another for a new domain, ytimg.com:
Making sure you are working in the global scope, let's unblock scripts for ytimg.com and youtube-nocookie.com. Make sure to save your changes:
Now when you reload the post page, everything should look good. We see the video frame and a nice image. Great. Click the play button and... nothing! Open the uM pop-up once more and we find that we need to allow XHR for the youtube-nocookie.com domain. You know what to do, so go ahead and make the change, making sure you're working in the global scope and remembering to save your change afterwards. Refresh the page again and click the play button on the video. It still doesn't work! Again, open the uM pop-up and you'll see another new domain has appeared, this time googlevideo.com (in case you didn't know, Google owns YouTube). If googlevideo.com is not displayed in the list, hold your Shift button when clicking the reload icon on the uM toolbar in order to force a full page reload and bypass the browser cache. Having to do this is typical when dealing with frames. Again, make sure you're working in the global scope and unblock the XHR requests for googlevideo.com and save your changes:
Now refresh the page one last time and the video should play. If it does not, you probably messed something up and there's a fair chance it's because you made one or more changes in the wrong scope and tried to correct them. If you messed something up, open the uM Dashboard, click the 'My rules' tab and in the 'Temporary rules' pane, delete all of the rules you created related to YouTube videos and 12bytes.org, but be careful not to delete the default rules or the global rules we set up originally. To do this, select the rules and press your delete key, then click the 'Save' and 'Commit' buttons:
Once you've deleted those rules and committed the changes to the 'Permanent rules' list, go back to the first step and try again.
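Since a change made in the wrong scope is the usual reason the walkthrough above fails, it helps to read the 'My rules' text with scope in mind. The following is an added example, not part of uMatrix or of this guide's files: it parses rules in the four-field `source destination type action` layout used by the `* * css allow` rule shown earlier, lists the allow rules that apply on every website for request types that run code or move data, and flags destinations that were allowed under more than one scope. The sample rules are constructed from the walkthrough, with one rule deliberately created in the 12bytes.org scope.

```python
from collections import defaultdict, namedtuple

Rule = namedtuple("Rule", "source dest type action")

# Request types that execute code or exchange data, unlike css and image.
ACTIVE_TYPES = {"*", "script", "xhr", "frame", "other"}


def parse_rules(text):
    """Split 'My rules' text into matrix rules, switches and unparsed lines."""
    rules, switches, unparsed = [], [], []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if fields[0].endswith(":"):       # switch line, e.g. "no-workers: * true"
            switches.append(tuple(fields))
        elif len(fields) == 4:            # source destination type action
            rules.append(Rule(*fields))
        else:
            unparsed.append(raw)
    return rules, switches, unparsed


def global_active_allows(rules):
    """Allow rules in the global scope ('*' source) for active request types."""
    return [r for r in rules
            if r.source == "*" and r.action == "allow"
            and r.type in ACTIVE_TYPES]


def mixed_scope_destinations(rules):
    """Destinations allowed under more than one source scope.

    A destination that appears both globally and for a single site usually
    means one of the changes was made while the wrong scope was selected.
    """
    scopes = defaultdict(set)
    for r in rules:
        if r.action == "allow" and r.dest not in ("*", "1st-party"):
            scopes[r.dest].add(r.source)
    return {dest: sorted(src) for dest, src in scopes.items() if len(src) > 1}


# Constructed sample: the global defaults suggested in this section, the rules
# the YouTube walkthrough ends with, and one ytimg.com rule made by mistake in
# the 12bytes.org scope before being repeated globally.
SAMPLE_RULES = """\
no-workers: * true
* * * block
* * css allow
* * image allow
* 1st-party cookie allow
* 1st-party frame allow
* youtube-nocookie.com frame allow
* youtube-nocookie.com script allow
* youtube-nocookie.com xhr allow
* googlevideo.com xhr allow
12bytes.org ytimg.com script allow
* ytimg.com script allow
"""

if __name__ == "__main__":
    rules, switches, unparsed = parse_rules(SAMPLE_RULES)
    print("Allowed on every website (review these):")
    for r in global_active_allows(rules):
        print("  ", " ".join(r))
    print("Allowed under more than one scope:")
    for dest, sources in mixed_scope_destinations(rules).items():
        print(f"   {dest}: {', '.join(sources)}")
```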
De-borking other websites is generally not as time consuming as it was to get embedded YouTube videos to play and is instead usually accomplished with a couple of mouse clicks and a page refresh versus a page reload. Just remember to turn to uMatrix first when a website isn't working as expected. If uM is blocking something it will let you know by displaying a badge on the toolbar icon. uBlock Origin will do the same, but it won't usually be the cause of the problem since we offloaded its dynamic filtering to uMatrix by not enabling its advanced mode of operation. Again, make sure you read the uMatrix wiki.
Another way to get a website working quickly is to check if there are any user created rule recipes available for the site you're visiting or the resource it wants to load. If there are, that little puzzle-piece icon on the uM pop-up interface will become active and from it you can click a rule-set to import. Make sure you set uM to operate in the scope you want before importing the rule-set and then save the changes if you wish to make them permanent. Also be aware that user created rule-sets may allow more than you want to allow, however you can always adjust as necessary before saving the changes. User rule-sets can be helpful in determining why a site does not function properly. By the way, you could have done this for YouTube videos on 12bytes.org instead of letting me drag you through the mud, but it's important that you understand how uMatrix works and how to work with it.
One caveat with uMatrix is that it will break some downloads when right-clicking a link and selecting the 'Save Link As...' context menu item. In some cases an error dialog will be presented that may state "The download cannot be saved because an unknown error occurred.". If you open the uM logger and try the download again, you'll find that uM is blocking something and often this seems to be an 'other' network request ('other' requests are requests that are not associated with a tab). There are a few ways to remedy the situation:
temporarily (or permanently) allow the 'other' request from the uM logger tab for the applicable domain and try the download again
temporarily (or permanently, but not recommended) allow the 'other' request globally from the uM logger tab or the main UI pop-up
drag the link to your desktop
Lastly i want to stress the importance of both the uBlock Origin logger and the uMatrix logger which are invaluable tools for troubleshooting tougher problems. You can get a better understanding of the uM logger by reading the documentation for the uBO logger since it is far more complete as of this writing, though some information is uBO specific.
THE END (lie)
While there are many more things you could do if you're really concerned about protecting your privacy and browser integrity, i hope this guide has been of some use to the technically adept novice or intermediate web surfer at which it is aimed. Understand however that there are threats present in almost all computers which users have little or no control over regardless of what software or operating system is used. Such threats include the Unified Extensible Firmware Interface (UEFI) which has all but replaced the Basic Input/Output System (BIOS) for booting the computer. Intel's Management Engine (IME) and AMD's Secure Processor (SP) / Platform Security Processor (PSP) present a massive threat to security and privacy for virtually everyone using any Intel or AMD powered device.
Lastly, if you are using a proprietary operating system, be it Windows or any other, it is absolutely crucial that you move to a more secure, open source OS such as Linux. The importance of doing so cannot be overstated in my opinion. For more information, read the free book, Free Yourself from Microsoft and the NSA.
I welcome any questions or comments you may have, just please leave them in the comment section so others can benefit (you need not be logged in).
IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and it's the best way to stay informed.
I must thank all of the dedicated and skilled people who created, maintain and contribute to the arkenfox/user.js repository, especially Thorin-Oakenpants (aka, 'pants') and earthlng. This guide would never have been as comprehensive as it is without the benefit of that bunch of misfits :) Also i'd like to thank the many people who make privacytoolsIO possible. Their website is an excellent resource for those looking to protect their privacy and security.
Also i thank the many people who have left comments here, many of which have been very helpful in correcting, maintaining and improving this guide.
changed wording for the suggested uMatrix settings in the 'Settings, Convenience' section
updated info for the privacy settings for uMatrix
removed HTTPZ add-on and associated info - no longer needed since Firefox v83 as long as
added a note in ClearURLs settings regarding hyperlink auditing
minor clarifications, edits
minor edits and clarifications in the 'Terminology' section
changed recommendation for the use of CAD (i DO recommend it) - see sections 'Cookie AutoDelete by CAD Team' and 'Cookie AutoDelete (CAD) usage'
added info about the user.js-notify.sh script
reversed the order of this revision history so the latest changes are at the top - big sloppy kiss to 'Anon' for helping with that
added notes to CanvasBlocker, Cookie AutoDelete and LocalCDN stating that they are optional - the reason they are optional are because of settings in the 'arkenfox' user.js, particularly
and the clearing of storage on browser exit - many readers may see this decision as strange, in which case i'd recommend reading the Questions regarding compartmentalization, extensions and uniqueness thread in the 'arkenfox' user.js issues
for uMatrix several suggested settings in the "Settings, Privacy" section were removed, these being:
Delete blocked cookies
Delete non-blocked session cookies minutes after the last time they have been used
Delete local storage content set by blocked hostnames
Clear browser cache every minutes
Strict HTTPS: forbid mixed content
added info in the 'Cookie AutoDelete by CAD Team' section instructing how to save storage for a website if not using CAD
added info about how to automatically be notified when a new version of the 'arkenfox' user.js is available (Linux only) in the 'Updating the user.js and user-overrides.js files' section
replaced Site Bleacher with Cookie AutoDelete (CAD) - search for "Cookie AutoDelete" to see the edited content
added info about importing rules from LocalCDN to uMatrix - see the paragraph beginning with "If you're using the LocalCDN add-on"
removed info about manually cleaning the user-overrides.js file in favor of using the -c switch when running the updater.js/updater.bat script
added Site Bleacher to list of required add-ons
removed all info regarding containers as well as the Temporary Containers and Firefox Multi-Account Containers add-ons - i prefer to enable
(the default in the 'arkenfox' user.js) in combination with Site Bleacher (far less headaches)
replaced Neat URL with ClearURLs - while the former is a good extension, i think the latter is even better
replaced Smart HTTPS with HTTPZ
moved all add-on settings info to the required add-ons section
uBlock: added info for globally blocking 3rd party fonts while allowing 1st party fonts
added instructions for cleaning user-overrides.js of obsolete preferences
added a link to a comment by 'Bushdoctor' who was kind enough to provide information about loading Firefox profiles in RAM for Windows users
updated info on HSTS tracking
updated info regarding downloading my user-overrides.js file
clarify information regarding the downloading of the configuration files thanks to a commenter
fix minor typo
added some more info regarding HSTS tracking and the SiteSecurityServiceState.txt file based on user feedback - it appears some AV's might have a problem if this file is set to read only
added a new resources section specific to the 'arkenfox/user.js' GitHub repo
added Temporary Containers (TC) add-on and associated info - this results in several major changes throughout the guide
added Firefox Multi-Account Containers add-on and associated info - this is used in conjunction with the TC add-on
added 'Using containers' section
removed Canvas Blocker add-on - not needed with TC
removed Restrict to Domain add-on - not needed with TC
removed Don't touch my tabs! add-on - (probably) not needed with TC
removed Header Editor - not needed for what we were using it for since the function is handled by TC
edited some uMatrix info regarding its privacy settings to reflect changes as a result of the TC add-on
added more info about importing rule-sets for uMatrix
moved Smart HTTPS add-on to the required section
moved Skip Redirect add-on to the required section
removed the suggested add-ons section
corrected mistakes and updated info in the section regarding integrity checking of the user.js/user-overrides.js files
reworked and updated the entire user-overrides.js file
removed mention of the template user-overrides.js file and associated download link - user should use the one provided in my GitLab repo
several minor edits/clarifications
add notice about newsletter subscribing
corrected advice regarding spoofing the referrer which was suggested for both POOP and uM (now it's enabled in uM only)
dumped Cookie AutoDelete add-on - not needed when using uM and First Party Isolation, nor are any of these storage cleaning add-ons able to delete IndexedDB storage due to a shortcoming in the WebExt API, which is another reason to enable FPI
in user-overrides.js in order to enable First Party Isolation
added Restrict to Domain add-on to toggle
(FPI) via toolbar button
removed the list of optional add-ons (NoScript and Smart Referrer)
coming up: looks like i may be recommending to disable FPI in the very near future and use the Temporary Containers add-on instead - i'm playing with it now
added POOP as a required add-on and accompanying configuration information
configuration information for Neat URL was located in the wrong section
clarified much information regarding the user.js files as well as other parts
added more info about browser fingerprinting
added more detail regarding system add-ons
added a user-overrides.js template
updated Header Editor rules download
added several more 3rd party resources
misc. minor edits
added more info to the uMatrix section, particularly about indexedDB storage
added info about HSTS tracking
added info about using the user created rule sets for uMatrix, as well correcting some mistakes and clarifying other uM info
add Cookie AutoDelete as a highly recommended add-on and updated configuration information for uMatrix to allow 1st party cookies by default
removed information about the Forget Me Not add-on
added information about First Party Isolation
added rule to uM to prevent web workers
added information about the uBO and uM logging functions
corrected some mistakes
added uMatrix to the add-on pile again
added the uMatrix sections of this document
removed info about running uBlock in advanced mode since we're using uMatrix for dynamic filtering instead
several minor edits
lots of clarifications and polishing, added several resources
added the section 'Firefox profile in RAM'
misc. other minor edits
rewrote most of this guide, so if you read it before, read it again :)
removed cryptocurrency miner section
removed information about the OpenH264 Video Codec plug-in since it seems Firefox is no longer shipping it, at least not on Linux
removed the Load from Cache add-on
removed some information about uMatrix since uBlock Origin covers most everything uMatrix does and is better suited for removing advertisements, plus it's a much more active project.
updated some information
note that many more updates will occur in the next days, so i would suggest waiting until they are published before following this guide
updated some content to reflect the current state of Firefox and WebExtensions
misc. minor edits
added more info about IndexedDB storage in the "Terminology" and "uMatrix configuration" sections.
added section "A special note about cryptocurrency miners"
i didn't keep track of all the changes and many were made - you'll have to re-read the guide :)
added some add-ons to the recommended section
misc. minor edits
rewrote and updated much of the content pertaining to uMatrix
added section "Removing system add-ons"
added section "Sanitizing the default search engine plugins"
deleted the GitHub repository which i forked from Pants' 'arkenfox' repository and created a new repository which does not include his code
some changes to user.js
some major editing of this document mostly in regard to the creation and changes of the GitHub repositories
updated user.js to version 51r2 - see the GitHub page for the change-log
updated info here regarding the user custom preferences section of user.js
published my user.js on GitHub which was forked from Pants' code
removed my user.js code from this page and linked to it on the GitHub page instead
changed my versioning scheme to match Pants' where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
updated user.js to include v51 of Pants' config - no preference changes so far as i know, just added/removed/changed comments
updated text in user.js section to account for the new changes
changes to comments and troubleshooting preference names and values, other minor changes
switched to using Pants' config v0.11 and mostly just appending my settings to the end of his - because this is a major update, no history of changes to individual preferences will be published
removed Extension Defender from the list of recommended add-ons since its home page is gone and the code hasn't been updated in two years
updated user.js file
removed duplicate preferences in user.js file (see change-log in the file for details)
changed the name of the troubleshooting/bogus preference to
and added values to indicate the point at which the file stopped loading - a huge thanks to commenter 'Pants' for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, 'Pants' is the author of the user.js config file used in the 'arkenfox' article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i'm very glad to have his input here)
corrected 'plugin.scan.*' values to be strings
added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems
added some basic information for configuring the Clean Links add-on
set 'browser.fixup.hide_user_pass' back to its default value
corrected an error with pref 'layout.css.devPixelsPerPx' where the value was an integer instead of a string - this caused all prefs following it to be ignored
updated user.js file
minor grammar/spelling corrections
updated user.js file
updated guide information
updated user.js file and added a revision history to the file
updated user.js file contents
updated user.js file contents
updated user.js file
removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it
Minor edits for uMatrix usage text
added more info for uMatrix and IP Config test results
updated user.js file contents
various other edits
removed HTTP UserAgent cleaner since it is no longer being developed
removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
updated uBlock settings to match the current development version (0.9.9.2)
misc. minor updates
switched to Raymond Hill's version of uBlock
updated uBlock filter information
added Fetch information for new version of HTTP UserAgent cleaner
updated user.js file contents
misc. minor updates
added information for securing DNS traffic
misc. minor updates
minor updates to user.js file contents
updated user.js file contents
updated a few settings recommendations for HTTP UserAgent cleaner
updated list of recommended filters for uBlock
updated user.js file contents
added Pure URL as a suggested add-on
updated contents of the user.js file
added and edited some information for HTTP UserAgent cleaner
added more resources in the References section
updated HTTP UserAgent cleaner information to match changes in version 0.7.4.11a
updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner
updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
updated the user.js file
updated some definitions of terms used in this document
added some more resources
updated some HTTP UserAgent cleaner information
deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
misc. other minor changes
updated information for HTTP UserAgent cleaner
updated user.js file
minor updates to uBlock information
misc. other minor changes
updated HTTP UserAgent cleaner information
for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.
updated and added more information for uBlock
updated one HTTP UserAgent cleaner screen-shot
misc. other corrections/updates/edits
updated user.js file
switched uBlock versions since a new fork was created
updated uBlock images and documentation
added a "Current notices" section
misc. other corrections/updates/edits
updated user.js file
several other small updates and a few corrections
removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
various other edits and corrections.
Note that both reader comments and my own, while they may have been accurate at the time, might be inaccurate today. This is a highly dynamic environment so please verify the accuracy of comment content should you wish to utilize it. Failing that, ask me and i'll give it a crack.
Mozilla Firefox is a popular web browser that is easily extended with add-ons, of which there are literally thousands. These are my favorites...
Mozilla Firefox is a popular, extensible, open source (mostly) web browser that is highly configurable and easy to use. Somewhat bare out of the box however, its functionality is easily extended with add-ons, or 'extensions' if you prefer, of which there are many thousands in the Mozilla add-on repository at addons.mozilla.org (AMO).
With so many "free" add-ons, the unsuspecting user might be tempted to install lots of them, however i would strongly suggest installing only those you really like or need since the potential to break things and compromise browser security and your privacy increases with every add-on you install.
Another problem is unethical developers who include unwanted and unnecessary functionality which is not relevant to the primary purpose of the add-on. Often this results in data collection, tracking your web activities or worse, all of which i categorize as malware.
The problem of malware at AMO has grown exponentially as a result of a very flawed automated review process for add-ons and the company's move to the WebExtension API which made it easy for unethical developers who have infected the Google Chrome Store to port their garbage to Firefox. Indeed, probably at least half of the add-ons at AMO are garbage. Although the WebExtensions are greatly limited as opposed to the older XUL/XPCOM extensions, tracking, data collection and advertising are permitted and, on occasion, far more dangerous add-ons escape detection.
Add-on selection guidelines
You've been warned! Many extensions will be accompanied by a warning on their AMO pages which indicates that the extension is not monitored by Mozilla and therefore is more risky to install. While monitored extensions (those with a 'recommended' label) are scrutinized more carefully and are likely to be more trustworthy in general, there are many others which are perfectly fine to install as long as you trust the developer and/or review the code yourself.
Tool-bar or FOOL-bar? Be very wary of all tool-bar add-ons since many of these contain 3rd party spyware/malware components for monetization purposes.
Who the hell are you??? Always check to see what other add-ons the developer has created and how those are rated. Be wary when the developer is named as a company and not an individual, or when their name is anonymous, such as "Firefox user" followed by a random string of numbers. See what kind of content is on the developer's website if they link to one and look for marketing hype or unethical activity. Also be wary of developers that make it difficult or impossible to contact them or submit bug reports.
The 0-day 'bonus'. Never install newly released add-ons from a developer you don't trust, especially if it's their only add-on. Mozilla uses a deeply flawed automated system to evaluate add-ons, so wait at least a few days until others have had a chance to review it or flag it. If the add-on quickly disappears or gets poor reviews, be thankful you didn't take the bait.
When "free" isn't. Always check the software license and be wary of developers who use a restrictive license. Most ethical developers will use a liberal, open source license, such as the General Public License (GPL) or the Mozilla Public License (MPL).
Yes it can/no it can't. The Mozilla add-on website lists the permissions that add-ons require, though there seem to be some major problems at this time in that all permissions used by an add-on may not be listed, or permissions which the add-on does not use may be listed, so don't trust this completely. That said, look for permissions that seem unnecessary given the expected functionality of the add-on.
What's under the hood? In general it's best to avoid developers that attempt to hide their source code. Most ethical developers will publish their source code on platforms like GitLab, GitHub or Codeberg where people can submit proper bug reports and feature requests. In such cases there is usually a homepage and/or support link on the add-on page, or a link somewhere in the add-on settings, menus, etc., that leads to the code repository. If the source code is not published, you can still view it by decompressing the add-on or by using the excellent Extension source viewer (CRX Viewer) add-on. One thing you should always check is the extension's manifest.json file and you don't have to be a geek to do this. Open the address
in Firefox (or just remember the address
from where you will find the debugging page) and click on the 'Manifest URL' link for the extension you want to inspect. What you want to look for are any network links for unexpected addresses. For example, an add-on like Maximize All Windows (Minimalist Version) only modifies the behavior of Firefox, therefore there shouldn't be any remote addresses in the manifest. On the other hand, an add-on like uBlock Origin needs to communicate with every tab you open, as well as be able to download fresh filter lists and so on, and so its manifest contains
. Other add-ons may be dedicated to a single website, such as BitChute, and so bitchute.com should be the only remote address in the manifest.
He said, she said. Always read the user reviews to see how well an add-on is liked and be wary if it is rated 3 stars or less, or not rated at all, or was rated highly by only a few people. Sometimes a developer will be the first to "review" their add-on, giving it 5 stars. Regardless of the rating however, always check the comments of the people that gave it the lowest rating to see if their gripes seem legitimate and whether they were addressed. That said, there are many add-ons that have been rated very highly by hundreds or thousands of people that contain malware, so don't give too much weight to user ratings alone.
But EVERYBODY'S using it! Many developers of hugely popular add-ons have been contacted by malware distributing 3rd parties wanting to buy their add-on or strike a deal with them. Adblock Plus by Eyeo GmbH (Wladimir Palant) is used by millions of people, yet it is a glaring example of an unethical developer who created an ad blocking extension which allows ads by default. For larger entities, Eyeo GmbH charges advertisers 30% of the revenue from Adblock Plus users who click the ads, so not only does Adblock allow ads, it's also spying on its users. Giorgio Maone, the developer of the hugely popular NoScript add-on, engaged in similar chicanery a while back.
Should i or shouldn't i? If you're not sure whether you'll like an add-on, you can test it by downloading the .xpi file, then opening
in Firefox and clicking the 'Load Temporary Add-on' button.
It was always very important for me to be honest and fair to the users. I had very good offers to sell the extension, but I didn't want to see that AiOS turn into adware or spyware.
Lastly, i would strongly suggest avoiding any add-on that asks for or requires personal information or other data which could be used to identify, track, or profile you, or which could be monetized in any way. Such extensions include, but are not limited to, those which promote coupons, discounts, or have anything to do with shopping, some form fillers which automatically fill in website forms, those which store data remotely, including in the "cloud" such as many password, bookmark and synchronization related add-ons, cryptocurrency, banking and other financial related add-ons, site specific add-ons created by corporations or other entities to promote a product or service and many VPN (Virtual Private Network) add-ons.
Regarding VPN add-ons, there are 173 of them at the time of this writing and most of them are highly suspect, yet millions of clueless people are using them. Furthermore, a VPN add-on for a web browser may protect only the browser while leaving all other network traffic unprotected, such as email if you use a local email client and, potentially, DNS look-ups. If you want to use a VPN, and i would certainly recommend considering it, it should be incorporated at the system level or, even better, at the router level.
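The manifest check described under 'What's under the hood?' above can also be scripted. This is an added example, not code from this guide or from Mozilla: it reads manifest.json out of an .xpi and sorts every match pattern into broad, expected and unexpected. The sample manifests and host names (example-video.test, stats.tracker.invalid) are constructed for illustration.

```python
import io
import json
import zipfile

# Manifest keys that can carry host match patterns next to API permissions.
HOST_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")


def read_manifest(xpi_bytes):
    """An .xpi is a zip archive; return its manifest.json as a dict."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        return json.loads(xpi.read("manifest.json").decode("utf-8-sig"))


def split_permissions(manifest):
    """Separate API permissions ("tabs") from host match patterns."""
    api, patterns = [], []
    for key in HOST_KEYS:
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):
                continue
            if entry == "<all_urls>" or "://" in entry:
                patterns.append(entry)
            else:
                api.append(entry)
    # Content scripts are injected into every page matching these patterns.
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    return api, patterns


def pattern_host(pattern):
    """Host part of a match pattern; "*" means any host at all."""
    if pattern == "<all_urls>":
        return "*"
    rest = pattern.partition("://")[2]
    return rest.split("/", 1)[0].lower()


def is_expected(host, expected_hosts):
    """True if host is an expected domain or one of its subdomains."""
    bare = host[2:] if host.startswith("*.") else host
    return any(bare == e or bare.endswith("." + e) for e in expected_hosts)


def audit(manifest, expected_hosts=()):
    """Sort match patterns by how much reach they give the add-on."""
    api, patterns = split_permissions(manifest)
    report = {"api": sorted(set(api)),
              "broad": [], "expected": [], "unexpected": []}
    for pattern in patterns:
        host = pattern_host(pattern)
        if host == "*":
            bucket = "broad"          # every site you visit
        elif is_expected(host, expected_hosts):
            bucket = "expected"       # the site the add-on is made for
        else:
            bucket = "unexpected"     # worth asking the developer about
        if pattern not in report[bucket]:
            report[bucket].append(pattern)
    return report


def make_xpi(manifest):
    """Build an in-memory .xpi so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


# Constructed sample: a single-site add-on that also reaches a second host.
SINGLE_SITE = {
    "manifest_version": 2, "name": "Constructed single-site helper",
    "version": "1.0",
    "permissions": ["storage", "*://*.example-video.test/*",
                    "https://stats.tracker.invalid/*"],
    "content_scripts": [{"matches": ["*://www.example-video.test/*"],
                         "js": ["content.js"]}],
}
# Constructed sample: an add-on that only changes browser behaviour.
WINDOW_ONLY = {"manifest_version": 2, "name": "Constructed window tool",
               "version": "1.0", "permissions": ["tabs"]}
# Constructed sample: a content filter that has to see every page.
FILTER = {"manifest_version": 2, "name": "Constructed content filter",
          "version": "1.0", "permissions": ["webRequest", "<all_urls>"],
          "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                               "js": ["content.js"]}]}

if __name__ == "__main__":
    for sample, expected in ((SINGLE_SITE, ("example-video.test",)),
                             (WINDOW_ONLY, ()), (FILTER, ())):
        result = audit(read_manifest(make_xpi(sample)), expected)
        print(sample["name"], json.dumps(result, indent=2))
```

Broad patterns are normal for a content filter and a red flag for an add-on that claims to do one small thing; anything in the unexpected bucket deserves a look at the source.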
ClearURLs replaces Neat URL as my preferred link cleaner. ClearURLs removes many tracking parameters from links you click, such as the Google
garbage which is used to track where you go on the web. Unlike all of the other link cleaners i've seen and used, ClearURLs doesn't include a static list of parameters, nor does it have any options or whitelist that you need to mess with. This neat little extension pulls a file from the developer's GitLab repository which negates having to update the extension when there's a change to the list of parameters. Though i was sure i was going to miss the ability to whitelist certain domains, i have yet to see anything break because of this extension.
Cookie AutoDelete, or CAD for short, is a storage cleaner that can automatically clean local storage, indexedDB storage, plugin storage, workers, cache and cookies on a per-host basis when you close the last tab for the host, or when the browser is restarted. CAD offers quite a lot of options yet is simple to use, requiring little or no interaction once the user whitelists or greylists the domains for which they want to retain storage items.
Caveats: May break some websites, however the add-on includes whitelist and greylist functionality.
Dark Background and Light Text replaces Dark Reader as my preferred add-on for darkening the entire web. These 'darkify' add-ons, of which there are many, change the colors used by all websites to a darker theme and this one seems to be the best of those i have tested and i've tested many.
If you want this extension to work on domains owned by Mozilla, such as addons.mozilla.org, you will need an extension that can modify HTTP headers, such as simple-modify-headers by Didierfred. The header to modify is
and the value is
. You want to set the 'Action' to 'Delete' and the 'Apply on' setting to 'Response'. The 'Url Patterns' field can be set to
or, if you want to remove this header for all sites, just set it to an asterisk (
Caveats: All of these 'dark web' add-ons fail miserably in some cases and this one is no exception, however it seems to work better overall than all of the others i've tested and it does offer a few different styles that can be assigned to specific websites when the default style fails. Due to a shortcoming in the code, this add-on cannot be disabled for local content, such as paths beginning with
Enforce Browser Fonts allows one to choose whether to use the fonts specified by the website, or those that you have defined in Firefox preferences (Language and Appearance). Personally i hate when websites override my personal font choices and this extension takes care of that. Enforce Browser Fonts defaults to enabled and will remember the websites for which you disable it.
Caveats: For the privacy minded that enable
, forcing the use of your preferred fonts will increase the likelihood of your browser being uniquely identified. It can also uglify some websites.
Extension source viewer is a handy and well thought out utility to quickly view the source code of a Firefox extension right from the Mozilla add-ons website without having to download and unpack it manually. The extension has the ability to search the contents of the files in the source code by prefixing the search with '
Caveats: For advanced users. Installing user scripts without reviewing the code can present a security and/or privacy risk. While this holds true for extensions as well, user scripts are generally not scrutinized to the degree that extensions are when they are downloaded from Mozilla.
Flagfox is a neat utility that adds an icon to the address bar which represents the flag of the country in which the web server is located. When the icon is right-clicked, a context menu is revealed with many more tools, such as a WHOIS lookup, URL shortening services and more. You can also add your own services.
Caveats: If you choose to display the menu icons, they are not stored locally and have to be fetched the first time you open the menu which some might see as a privacy issue.
Format Link offers flexible solutions for copying content and formatting it in different ways, such as HTML, markdown, plain text, , etc., before pasting it somewhere. For example, i use it a lot to copy a linked headline/page title and excerpt from articles that i paste in my News Bytes posts. I don't like it as much as Link Text and Location Copier, however that add-on is unmaintained and bugs are a problem.
Caveats: Format Link is a little buggy and needs some attention, but it's still a better solution than Link Text and Location Copier. If you have trouble copying content, try pausing for just a second after initiating Format Link. I've found that if you switch tabs too soon, the content may not be placed on the clipboard.
Caveats: Could potentially break some websites, though this seems to happen very rarely in my experience. There are 'Filter HTML source code' and whitelist options to address such problems.
mozlz4-edit allows one to edit, format and otherwise manipulate several types of compressed files including the
file which is where Firefox stores all of its search engine plugins. If this is too much for you, try the Search Engines Helper add-on below.
Privacy Oriented Origin Policy (POOP) helps protect your privacy by preventing Firefox from sending Origin headers, though how it works is configurable.
Caveats: For advanced users. May break some websites, though it is easily disabled and sites can be whitelisted. There is a lengthy discussion about what led to the development of this add-on on GitHub if you're interested.
Privacy Redirect redirects requests to several privacy-hating platforms to their privacy-friendly alternatives. YouTube videos, including embedded, can be redirected to several alternatives, as can Twitter, Bibliogram and Google Maps requests.
Caveats: Sometimes the requested alternative service may be overloaded or down, however you can always switch to another provider very quickly from the toolbar icon.
Reverse Image Search is a privacy friendly add-on used to find different versions of a given image using 3rd party services such as TinEye. Reverse image searching is a great way to find higher resolution versions of an image or to find when an image may have first been published to the web, the latter of which can be beneficial for researchers. Reverse Image Search also allows you to add custom services to its menu.
RSS Preview simply displays a styled and formatted version of news feeds like Firefox used to do before the geniuses at Mozilla removed it. In addition it has an option to provide your own CSS. Here's the CSS i use if you'd like a dark theme:
Scroll Up Folder adds an icon in the address bar that, when clicked, opens a list of the segments of the current document address. Clicking the list items makes it really easy to navigate up to a higher level of the address without having to manually edit it.
simple-modify-headers allows one to modify request and response headers. For example, i use this add-on to remove the
policy of the Content Security Policy (CSP) response header for websites that prevent CSS injection (addons.mozilla.org being one of them).
Caveats: For advanced users only! It is very easy to compromise security and break things with this add-on.
Redirects sometimes happen when you click on a hyperlink expecting to go directly to the destination and, instead, your request is passed through an intermediary. Redirects are often used to track your browsing history or display ads before you are forwarded to the target domain. Skip Redirect simply tries to bypass this annoying behavior. I would suggest keeping the notification enabled when Skip Redirect does its thing as this makes it easy to troubleshoot a problem.
Caveats: May break the functionality of some websites in which case they can be added to a whitelist.
Smart RSS Reader is a 3-pane news feed reader and a pretty good one at that. There are some little niggles with it and it's missing some features, but it functions quite well as a basic feed reader and the developer is friendly and open to suggestions.
While there is no default dark theme for Smart RSS yet, it does have an option to add your own CSS. Here's my CSS for a dark theme. This works for the vertical 3-pane layout:
Stylus is used to write, store and inject custom CSS styles into websites, or even the entire web if you wish. Though you can use FireMonkey for this, working with Stylus is so much nicer. Note: Do not use Stylish, a similar add-on which the developer sold to an unethical party.
Caveats: For advanced users that have at least a basic knowledge of CSS.
uBlock Origin is a superior content filter (or firewall, if you like) that can replace several other content/ad blockers including Adblock Plus/Edge, NoScript, etc. It is capable of using the same filter lists as Adblock Plus/Edge as well as many more that they cannot. Two of the most welcome differences with uBlock Origin are that it does not slow page loading to any noticeable degree and it uses less memory than the competition. Another major advantage is that it can block both 1st and 3rd party requests for images, scripts and frames when configured to use its advanced mode. See my Firefox Configuration Guide for Privacy Freaks and Performance Buffs article for more information regarding uBlock Origin. Lastly, use only uBlock Origin by Raymond Hill and not any other ripoff.
Caveats: For advanced users. As with any content filtering extension, uBlock Origin has the potential to break website functionality until it is configured correctly.
uMatrix is another powerful content blocker by Raymond Hill and though it is similar to uBlock Origin, it offers more granular control like blocking cookies, CSS, images, plug-ins, scripts, XHR, frames and more. You can use uMatrix and uBlock Origin together. See my guide, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, for further information.
Caveats: For advanced users. As with any content filtering extension, uMatrix has the potential to break website functionality until it is configured correctly.
The development of uMatrix was halted as of September 2020, however i suspect it is likely that someone else will pick it up.
Web Archives makes it easy to find archived versions of webpages. It is fairly configurable, though it does not have an option to add your own archive resources, nor does it have an option to send a webpage to an archive, however i find the latter unnecessary since the archive sites i use allow you to easily archive a page if one isn't found.
While i'm sure there's a more geeky way of listing extensions which one has removed, this one works for me: In your Firefox profile folder, navigate to
and there should be folders with the names of the removed extensions. You can delete this folder if you like.
Doing it without an add-on
The fewer add-ons you install, the better, and there are a lot of things you can do to customize Firefox without add-ons.
If you like an add-on, or any other free and open source software, please donate to the developer. Trust me when i tell you that most developers of free software usually receive little or nothing for all the hours of hard work and support they provide. Developers are usually very appreciative of a donation regardless of how small it may be.
This list contains only the most recent changes
removed HTTPZ - this shouldn't be needed anymore since Firefox v83 (note that
must be enabled).
removed Maximize All Windows (Minimalist Version) - no longer needed, at least not on my system (KDE window rules can now be used)