A comprehensive list of Firefox privacy and security settings

Mozilla Firefox is without doubt the web browser that gives users the most control over privacy and security. Some of those options are available in the graphical user interface, but full control over the browser requires changes to the browser’s configuration.

This can be done on the about:config page, or by placing a user.js file in the profile directory of the Firefox user.

The following list is a work in progress. Firefox is updated regularly and preferences may change because of this. There may be new features and new preferences as well, and the idea of this guide is to get a discussion going that improves this list on a continuous basis.

I’d like to thank Ghacks’ reader Pants for creating the initial list and giving me permission to publish it here on the site.


Note: If you prefer to use about:config to manipulate those entries, check out our overview of Firefox privacy and security about:config settings which lists all preferences and values you can set them to.

Loading the list


It is strongly recommended to go through the list before you place it in the Firefox profile folder, as you may otherwise disable features that you require.

You may edit the list in any plain text editor, and put the comment marker // at the beginning of a line to keep that preference from being set.

Make sure you save it as a user.js file in the end.

  1. Type about:support in the Firefox address bar.
  2. Click the Show Folder link under Application Basics to open the profile folder on the computer system.
  3. Copy the user.js file into the root of the profile folder.
  4. Restart Firefox.
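
A check to run on the edited file before step 3, as an added example that is not part of the original list: it parses user.js, reports lines Firefox would not read as a preference (typographic quotes picked up when copying from a web page, stray uncommented text, duplicates), and lists prefs from this page that switch a protective feature off so they can be reviewed deliberately. The function names, the review notes and the sample input are constructed for this example.

```python
import re

# Prefs taken from the list on this page that switch a protective feature off
# when set to false. The review notes are this example's own wording.
PROTECTIVE = {
    "app.update.enabled": "no automatic browser updates; patch manually",
    "extensions.update.enabled": "no automatic add-on updates",
    "extensions.blocklist.enabled": "known-bad add-ons are no longer blocked",
    "browser.safebrowsing.enabled": "reported web forgeries are not blocked",
    "browser.safebrowsing.malware.enabled": "reported attack sites are not blocked",
    "browser.safebrowsing.downloads.enabled": "downloads are not checked",
}
PREF_RE = re.compile(r'^user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*(?://.*)?$')
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_value(raw):
    """Convert a pref literal (true/false, integer, "string") to a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(raw)


def audit(text):
    """Return (prefs, problems, weakened) for the text of a user.js file."""
    prefs, problems, in_block = {}, [], False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if in_block or s.startswith("/*"):
            in_block = "*/" not in s          # skip /* ... */ comment blocks
            continue
        if not s or s.startswith("//"):
            continue                          # blank line or commented-out pref
        m = PREF_RE.match(s)
        if not m:
            kind = "smart-quotes" if any(q in s for q in SMART_QUOTES) else "not-a-pref"
            problems.append((n, kind, s))
            continue
        name, raw = m.groups()
        try:
            value = parse_value(raw)
        except ValueError:
            problems.append((n, "bad-value", s))
            continue
        if name in prefs:
            problems.append((n, "duplicate", name))   # the later line overrides
        prefs[name] = value
    weakened = [p for p in PROTECTIVE if prefs.get(p) is False]
    return prefs, problems, weakened


# Constructed sample, not the full list from this page.
SAMPLE = '''\
// constructed sample
user_pref("geo.enabled", false);
user_pref(“browser.send_pings”, false);
QUIET FOX - no phoning home
user_pref("extensions.blocklist.enabled", false);
user_pref("browser.sessionhistory.max_entries", 4);
user_pref("example.constructed.url", "https://example.invalid/"); // constructed pref name
// user_pref("browser.cache.memory.enable", false);
user_pref("geo.enabled", true);
'''

if __name__ == "__main__":
    prefs, problems, weakened = audit(SAMPLE)
    for n, kind, detail in problems:
        print(f"line {n}: {kind}: {detail}")
    for name in weakened:
        print(f"review: {name} = false ({PROTECTIVE[name]})")
```

To check a real file, pass its contents to audit(), for example audit(open("user.js", encoding="utf-8").read()).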

The list

You can download the most recent version of the list with a click on the following link: user.js-19-Aug-2015.zip

// user.js – This overrides any corresponding about:config entries on Firefox start – see: http://kb.mozillazine.org/User.js_file
// date: 18 August 2015


// disable “slow startup” warnings, disk history, welcomes, intros, EULA, default browser check
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_override_url", "");
user_pref("browser.feeds.showFirstRunUI", false);
user_pref("browser.shell.checkDefaultBrowser", false);


// disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "");
user_pref("browser.search.geoip.url", "");

// disable GeoIP-based search results – https://trac.torproject.org/projects/tor/ticket/16254
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.region", "US");

// QUIET FOX - no (auto) phoning home for anything – you can still do manual updates

// up to you if you want safebrowsing & tracking protection – i don’t need their help in this regard

// disable browser auto update
user_pref("app.update.enabled", false);

// disable browser auto installing update when you do a manual check
user_pref("app.update.auto", false);

// disable search update
user_pref("browser.search.update", false);

// disable add-ons auto update
user_pref("extensions.update.enabled", false);

// disable add-on metadata updating
user_pref("extensions.getAddons.cache.enabled", false);

// disable auto updating of personas (themes)
user_pref("lightweightThemes.update.enabled", false);

// disable block reported web forgeries
user_pref("browser.safebrowsing.enabled", false);

// disable block reported attack sites
user_pref("browser.safebrowsing.malware.enabled", false);

// disable safebrowsing urls & download
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.appRepURL", "");
user_pref("browser.safebrowsing.gethashURL", "");
user_pref("browser.safebrowsing.malware.reportURL", "");
user_pref("browser.safebrowsing.reportErrorURL", "");
user_pref("browser.safebrowsing.reportGenericURL", "");
user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
user_pref("browser.safebrowsing.reportMalwareURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.reportURL", "");
user_pref("browser.safebrowsing.updateURL", "");

// disable tracking protection
user_pref("privacy.trackingprotection.enabled", false);
user_pref("browser.polaris.enabled", false);
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.getupdateURL", "");
user_pref("privacy.trackingprotection.pbmode.enabled", false);

// disable extension blocklist
user_pref("extensions.blocklist.enabled", false);

// disable extension discovery – featured extensions for displaying in Get Add-ons panel
user_pref("extensions.webservice.discoverURL", "");

// disable telemetry
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.server", "");
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);

// disable mozilla permission to silently opt you into tests
user_pref("network.allow-experiments", false);

// disable health report
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.healthreport.documentServerURI", "");
user_pref("datareporting.healthreport.service.enabled", false);

// disable crash reports
user_pref("breakpad.reportURL", "");

// disable new tab tile ads & preload & marketing junk
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "");
user_pref("browser.newtabpage.directory.source", "");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);

// https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content
// This MUST be an https url, not blank
user_pref("browser.aboutHomeSnippets.updateUrl", "");

// disable heartbeat
user_pref("browser.selfsupport.url", "");

// disable hello
user_pref("loop.enabled", false);

// disable pocket, remove urls for good measure
user_pref("browser.pocket.enabled", false);
user_pref("reader.parse-on-load.enabled", false);
user_pref("browser.pocket.api", "");
user_pref("browser.pocket.site", "");

// disable “social” integration
user_pref("social.whitelist", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");

// BLOCK IMPLICIT OUTBOUND [not explicitly asked for – eg clicked on]

// disable link prefetching
user_pref("network.prefetch-next", false);

// disable dns prefetching
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);

// disable seer/necko
user_pref("network.predictor.enabled", false);

// disable search suggestions
user_pref("browser.search.suggest.enabled", false);

// disable link-mouseover opening connection to linked server
user_pref("network.http.speculative-parallel-limit", 0);

// disable pings (but enforce same host in case)
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);


// disable location bar using search, give error message instead – don’t leak typos to a search engine
user_pref("keyword.enabled", false);

// disable location bar domain guessing
user_pref("browser.fixup.alternate.enabled", false);

// disable location bar dropdown
user_pref("browser.urlbar.maxRichResults", 0);

// display all parts of the url
user_pref("browser.urlbar.trimURL", false);

// disable URLbar autofill – http://kb.mozillazine.org/Inline_autocomplete
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);

// disable autocomplete
user_pref("browser.urlbar.autocomplete.enabled", false);

// disable history manipulation
user_pref("browser.history.allowPopState", false);
user_pref("browser.history.allowPushState", false);
user_pref("browser.history.allowReplaceState", false);
user_pref("browser.urlbar.suggest.history", false);

// limit history PER TAB (back/forward) – history leaks via enumeration
// default=50!! minimum=1=currentpage, 2 is good for some sites/pages to work, 4 may be more practical
user_pref("browser.sessionhistory.max_entries", 4);

// disable css querying page history – css history leak
user_pref("layout.css.visited_links_enabled", false);

// disable displaying Javascript in history URLs
user_pref("browser.urlbar.filter.javascript", true);


// disable disk cache
user_pref("browser.cache.disk.enable", false);

// disable disk caching of SSL pages – http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
user_pref("browser.cache.disk_cache_ssl", false);

// disable memory cache as well IF you’re REALLY paranoid, you’ll take a performance/traffic hit
// user_pref("browser.cache.memory.enable", false);

// disable offline cache
user_pref("browser.cache.offline.enable", false);

// disable storing extra session data 0=all 1=http-only 2=none
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.sessionstore.privacy_level_deferred", 2);


// block rc4 fallback and disable whitelist
user_pref("security.tls.unrestricted_rc4_fallback", false);
user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);

// override rc4 ciphers anyway – these will be deprecated anyway
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);

// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
user_pref("security.ssl.enable_ocsp_stapling", true);

// https://wiki.mozilla.org/Security:Renegotiation – eventually this will be set to true by default, ATM it breaks too many sites
// user_pref("security.ssl.require_safe_negotiation", true);

// display warning (red padlock) for “broken security” – https://wiki.mozilla.org/Security:Renegotiation
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

// require certificate revocation check through OCSP protocol – this leaks information about the sites you visit to the CA
user_pref("security.OCSP.require", true);

// query OCSP responder servers to confirm current validity of certificates
// 0=disable, 1=validate only certificates that specify an OCSP service URL, 2=enable and use values in security.OCSP.URL
// and security.OCSP.signingCA for validation
user_pref("security.OCSP.enabled", 1);

// enforce strict pinning – https://trac.torproject.org/projects/tor/ticket/16206
user_pref("security.cert_pinning.enforcement_level", 2);


// disable websites downloading their own fonts – change this to 0 in FF41+. Note: 0=block, 1=allow
user_pref("browser.display.use_document_fonts", 1);

// but for FF41+ allow icon fonts (glyphs) through
user_pref("gfx.downloadable_fonts.enabled", true);

// https://wiki.mozilla.org/SVGOpenTypeFonts – iSEC Partners Report recommends to disable this
user_pref("gfx.font_rendering.opentype_svg.enabled", false);


// disable Referer from an SSL Website
user_pref("network.http.sendSecureXSiteReferrer", false);

// DNT HTTP header – essentially useless
user_pref("privacy.donottrackheader.enabled", true);

// REFERER – http://kb.mozillazine.org/Network.http.sendRefererHeader
// It is better to leave these at default (2, false) and use an extension to block all and then whitelist (eg RefControl)
// otherwise too much of the internet breaks
// user_pref("network.http.sendRefererHeader", 2);
// user_pref("network.http.referer.spoofSource", false);


// set default plugin state to never activate – 0=disabled, 1=ask to activate, 2=active – you can override individual plugins
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);

// enable click to play and set to 0 minutes
user_pref("plugins.click_to_play", true);
user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);

// make sure a plugin is in a certain state: 0=deactivated 1=ask 2=enabled – flash example below
// you can just set all these plugin.state’s via add-ons>plugins NOTE: you can still override individual sites eg Youtube via site permissions
// user_pref("plugin.state.flash", 1);

// remove plugin finder service
user_pref("pfs.datasource.url", "");

// disable plugin enumeration
user_pref("plugins.enumerable_names", "");
user_pref("security.xpconnect.plugin.unrestricted", false);

// disable scanning for plugins – http://kb.mozillazine.org/Plugin_scanning
// .all = whether to scan the directories specified in the Windows registry for PLIDs – includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash
// user_pref("plugin.scan.plid.all", false);
// Acrobat, Quicktime, WMP are handled separately – integer refers to min version number allowed
user_pref("plugin.scan.Acrobat", 99999);
user_pref("plugin.scan.Quicktime", 99999);
user_pref("plugin.scan.WindowsMediaPlayer", 99999);

// disable? OpenH264
// user_pref("media.gmp-provider.enabled", false);


// disable webRTC
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);

// disable WebRTC – https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-manager.url", "");

// disable EME bits – https://trac.torproject.org/projects/tor/ticket/16285
user_pref("browser.eme.ui.enabled", false);
user_pref("media.gmp-eme-adobe.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("media.eme.apiVisible", false);

// getUserMedia – https://wiki.mozilla.org/Media/getUserMedia
user_pref("media.navigator.enabled", false);

// disable webGL, force bare minimum feature set if used & disable webGL extensions
user_pref("webgl.disabled", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-extensions", true);

// disable video statistics fingerprinting vector – javascript performance fingerprinting
user_pref("media.video_stats.enabled", false);

// disable speech recognition
user_pref("media.webspeech.recognition.enable", false);

// disable screensharing
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");

// disable camera stuff
user_pref("camera.control.autofocus_moving_callback.enabled", false);
user_pref("camera.control.face_detection.enabled", false);

// UI meddling

// see http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features
// disable website control over rightclick context menu
user_pref("dom.event.contextmenu.enabled", false);

// UI SPOOFING: disable scripts hiding or disabling the following on new windows
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.toolbar", true);

// POPUP windows – prevent or allow javascript UI meddling
user_pref("dom.disable_window_flip", true); // window z-order
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_status_change", true);
user_pref("dom.allow_scripts_to_close_windows", false);


// disable dom storage
user_pref("dom.storage.enabled", false);

// disable website access to clipboard (will break some sites’ functionality such as pasting into Facebook)
user_pref("dom.event.clipboardevents.enabled", false);

// disable scripts changing images eg google maps – will break a lot of web apps
// user_pref("dom.disable_image_src_set", true);

// disable JS storing data permanently – NOTE disabling this could break extensions (started in FFv35) – this bug has now been fixed
user_pref("dom.indexedDB.enabled", false);

// https://wiki.mozilla.org/WebAPI/Security/WebTelephony
user_pref("dom.telephony.enabled", false);

// disable gamepad API – fingerprinting – USB device ID enumeration
user_pref("dom.gamepad.enabled", false);

// disable battery API – fingerprinting vector
user_pref("dom.battery.enabled", false);

// disable network API – fingerprinting vector
user_pref("dom.network.enabled", false);

// disable giving away network info – https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
user_pref("dom.netinfo.enabled", false);

// disable User Timing API – https://trac.torproject.org/projects/tor/ticket/16336
user_pref("dom.enable_user_timing", false);

// disable resource/navigation timing
user_pref("dom.enable_resource_timing", false);

// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI – javascript performance fingerprinting
user_pref("dom.enable_performance", false);

// disable virtual reality devices
user_pref("dom.vr.enabled", false);

// disable shaking the screen
user_pref("dom.vibrator.enabled", false);

// disable SharedWorkers for now – https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 8)
user_pref("dom.workers.sharedWorkers.enabled", false);

// max popups from a single non-click event – default is 20!
user_pref("dom.popup_maximum", 3);

// disable idle observation
user_pref("dom.idle-observers-api.enabled", false);


// disable sending additional analytics to web servers – https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
user_pref("beacon.enabled", false);

// CIS 2.3.2 disable downloading on desktop
user_pref("browser.download.folderList", 2);

// always ask the user where to download
user_pref("browser.download.useDownloadDir", false);

// https://bugzil.la/238789#c19
user_pref("browser.helperApps.deleteTempFileOnExit", true);

// don’t integrate activity into windows recent documents
user_pref("browser.download.manager.addToRecentDocs", false);

// disable hiding mime types in prefs applications tab that are not associated with a plugin
user_pref("browser.download.hide_plugins_without_extensions", false);

// disable page thumbnails – privacy
user_pref("browser.pagethumbnails.capturing_disabled", true);

// disable JAR from opening Unsafe File Types
user_pref("network.jar.open-unsafe-types", false);

// disable insecure active content on https pages – mixed content
user_pref("security.mixed_content.block_active_content", true);

// disable WebIDE to prevent remote debugging and addon downloads
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);

// disable SimpleServiceDiscovery – which can bypass proxy settings – eg Roku
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("browser.casting.enabled", false);
user_pref("gfx.layerscope.enabled", false);

// disable device sensor API – fingerprinting vector
user_pref("device.sensors.enabled", false);

// disable SPDY as it can contain identifiers – https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 10)
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);

// disable http/2 for now as well – need more info
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);

// disable auto-filling form fields (can leak in cross-site forms) – http://kb.mozillazine.org/Signon.autofillForms
// password will still be set after the user name is manually entered
user_pref("signon.autofillForms", false);

// COOKIES – personal choice

// disable cookies on all sites (you can still use exceptions under site permissions or use an extension – eg Cookie Controller)
// 0=allow all, 1=allow same host, 2=disallow all, 3=allow 3rd party if it has already set a cookie
user_pref("network.cookie.cookieBehavior", 2);


// disable backspace
user_pref("browser.backspace_action", 2);

// disable annoying warnings
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);

// disable new search panel UI
user_pref("browser.search.showOneOffButtons", false);

// disable autocopy default (use extensions autocopy 2 & copy plain text 2)
user_pref("clipboard.autocopy", false);

// disable closing browser with last tab
user_pref("browser.tabs.closeWindowWithLastTab", false);

// custom settings – what to clear when firefox closes
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.passwords", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.siteSettings", false);

// custom settings (to match above) – auto selection of items to delete with Ctrl-Shift-Del
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", false);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", false);
user_pref("privacy.cpd.sessions", false);
user_pref("privacy.cpd.siteSettings", false);

Now You: Please leave comments below suggesting new entries and changes. Feel free to add other information, such as compatibility, links to resources or suggestions on how to organize the list better.



Martin Brinkmann


A list of Firefox privacy and security preferences in a user.js file to modify the browser and harden it against privacy and security leaks.
