ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

The Ultimate Firefox Privacy & Security Guide

"Out of the box", Mozilla’s Firefox browser is widely regarded as the most privacy-friendly mainstream browser available.Firefox Security and Privacy

However, there are still some Firefox security and privacy concerns to be had, even if you are using a VPN service!

In this guide, I'll show you how you can make Firefox more secure with just a few simple steps.

Firefox's privacy-friendly status comes down to the fact that Firefox is a fully audited open source software and that, unlike proprietary browsers such Google Chrome, Microsoft Edge, Internet Explorer, and Apple Safari, it does not track what you get up to on the internet.

Another reason for its popularity among privacy-heads is the large number of add-ons available that can greatly improve the privacy and security of your browsing. In addition to this, it is possible to access Firefox’s deep configuration settings in order to tweak its privacy and security parameters.

WebExtensions

In recent months Firefox has transitioned away from its old add-ons framework to WebExtensions.  As of Firefox 57 "Quantum", it is only possible to use WebExtensions add-ons. Most of the add-ons listed below have been transitioned to WebExtensions, or are expected to in the near future.

Please see Are we WebExtensions yet? for the latest news about which add-ons have been updated to the new platform.

Check out our guide to Firefox VPN web extensions for a detailed look at the best ones to use.

Browser Fingerprinting

The way in which your browser is configured (especially the browser plugins used), together with details of your Operating System, allows you to be uniquely identified and tracked with a worryingly high degree of accuracy.

A particularly insidious (and ironic) aspect of this is that the more measures you take to avoid tracking (for example by using the plugins listed below), the more unique your browser fingerprint becomes.

The best defense against browser fingerprinting is to use as common and plain vanilla an OS and browser as possible. The hardened Tor browser with Tor disabled is the usual recommendation here. However, we do cover some alternative secure web browsers in our secure browsers guide.

Unfortunately, this leaves you open to other forms of attack. It also reduces the day-to-day functionality of your computer to such an extent that most of us will find the idea impractical.

Panopticlick E1514559992258

For more information see my browsers and fingerprinting guide.

Things to Do When you First Install Firefox

Disable telemetry

By default, Firefox collects some telemetry information about you. This is mainly harmless, and is primarily to improve performance. Given that data collected in this way has privacy implications, however, it is a shame that Mozilla has decided to make it opt-out, rather than opt-in.

To disable telemetry in Firefox Desktop, go to:

  1. Open Menu (the three bars to the top right of the browser)
  2. Options
  3. Privacy & Security
  4. Firefox Data Collection and Use
  5. Uncheck both boxes.

Firefox Data Collection - Disable Telemetry

To disable telemetry in Firefox for Android, go to:

  1. Menu
  2. Settings
  3. Privacy
  4. Data Choices
  5. uncheck all three boxes

Firefox Disable Telemetry

Telemetry can also be disabled using about.config, as discussed below.

Change the default search engine

Firefox Quantum switched from using Bing to Google as its default search engine. There are no doubt sound financial reasons for this move, but neither of these are good choices for privacy.

Check out our private search engines guide to find a search engine that values your privacy.

Fortunately, it is very easy to change the default search engine. Just go to:

  1. Menu
  2. Options
  3. Privacy & Security
  4. Default Search Engine
  5. Pick an engine from the drop-down dialog box. A quick guide to adding StartPage is also available here.

Firefox Change Default Search Engine

From here you can also change the "One-click" search engine options and add new search engines.

Please Note: From Firefox 57+, each browser update will switch the default search engine back to Google. To prevent this, go to Menu > Options > General > Allow Firefox to > uncheck Automatically update search engines.

Firefox Search Engine Automatic Update

So which search engine should you change to? Please check out our Privacy Search Engines Group Review for a rundown of the best options available.

Enable Tracking Protection Globally

Tracking protection has been available for Firefox since 2015, but the option to enable it was hidden away in about:config (see below). Firefox 57+ brings tracking protection to the main interface, but by default it is only enabled in Private Browsing mode.

To enable tracking protection for all browsing, go to:

  1. Open
  2. Options
  3. Privacy & Security
  4. Tracking Protection
  5. Click the Always button

Tracking Protection

In Firefox for Android go to:

  1. Menu
  2. Settings
  3. Privacy
  4. Tracking Protection
  5. Enabled

Please Note: In addition to its privacy benefits, "Tracking Protection also enjoys performance benefits of a 44% median reduction in page load time and 39% reduction in data usage in the Alexa top 200 news sites".

Turn on Do Not Track

As with most browsers, Firefox offers a "Do not Track" (DNT) option. If enabled, Firefox will request websites you visit not to track you. Please note that compliance from websites is entirely voluntary, and it is sad fact that DNT requests are routinely ignored.

There is, however, zero harm in enabling this option, and it may work sometimes.   Go to:

  1. Open Menu
  2. Options
  3. Privacy & Security
  4. Tracking Protection
  5. Set the "Do Not Track" radio button to Always.

Firefox Do Not Track

In Firefox for Android go to:

  1. Menu
  2. Settings
  3. Privacy
  4. Do not track.

Disable WebRTC

Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into your browser.

A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on, or configure any new settings.

Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN.

Given that WebRTC is potentially useful, it is something of a shame that the only way to prevent it from leaking your true IP address when using a VPN is to disable WebRTC in your browser completely. But there you go.

Type about:config into the URL bar to enter Firefox’s advanced settings, and change the media.peerconnection.enabled value to false. See below for more about about:config. This works for both Firefox Desktop and Firefox for Android.

Disable WebRTC

Various Firefox browser add-ons can also disable WebRTC, including, uBlock Origin and NoScript.

Remove DRM (optional)

In order to watch videos on sites such as Netflix, Amazon Prime and Hulu, you must use Digital Rights Management (DRM). This encrypts the content and protects copyright by limiting what you can do with it.

Did you know? You can expand your Netflix library with a VPN? To find out how, check out our best VPNs for Netflix guide.

Back in 2015 Mozilla made the controversial decision to include DRM in Firefox. In many ways this was an understandable decision. Being able to play Netflix etc. content can be seen as necessary if Firefox is to stay cooperative with its rivals.

The decision infuriated many, however, because it requires bundling closed source code into the open source Firefox.  This code is probably doing nothing other than exactly what it says it is doing, but since it is closed source there no way to know this for sure.

In order to mitigate this problem, Firefox runs DRM in a separate sandboxed container. In theory, this should prevent the DRM from doing any harm, even if it wanted to.

Open source purists and privacy-heads, however, may prefer to remove DRM from Firefox altogether. Do note that doing so will reduce functionality, as Firefox will no longer be able to play DRM-protected content.

  1. In Firefox Desktop go to Menu -> Settings -> General -> Digital Rights Management (DRM) Content and uncheck Play Digital Rights Management (DRM) Content.
    This will completely remove all HTML5 DRM code from your hard drive.
  2. Go to Menu -> Add-ons -> Plugins and ensure Shockwave Flash is set to Never Activate.Firefox DRM Content
  3. Type about:supportinto the URL bar and hit enter. Scroll down to Application Basics -> Profile Folder and hit the Open Folder button.Disable Shockwave
  4. In the now open Profile Folder, find and delete the gmp-eme-adobe and gmp-widevinecdmsubfolders. Restart Firefox.Application Basics


It is not possible to remove all DRM from Firefox for Android, but it is possible to install Fennec F-Droid from the F-Droidrepository. This is a fork based on the latest Firefox release, but which strips out all closed source code from Firefox for Android – including DRM.

gmp-eme-adobe

Using a VPN with Firefox

Plenty of the industry's best VPN services now offer browser extensions for Firefox, Chrome, and even Safari. These add-ons are stripped-back versions of a full VPN client that you can toggle on or off as you browse, and are generally easier to install and use. They're great for folks who want a simple way to geo-hop from location to location, VPN newbies, or anyone who might be unable to download a full VPN client at work or school.

A VPN (or Virtual Private Network) creates an encrypted tunnel for your traffic and conceals your original IP address. So, you'll be able to browse the web without worrying about who might be trying to monitor your activity (like your ISP, hackers, or even your government). This encryption vastly improves your online privacy and keeps your identity hidden, and also makes it possible to unblock content from around the globe! As a result, VPNs are vital for anyone looking to browse the web without restrictions, secure sensitive information, and boost their digital anonymity.

So, if you're interested in checking out a VPN browser extension for Firefox, we've listed our top five picks below – and be sure to visit our detailed guide for a more in-depth comparison of each of these services.

Extension limitations

Remember, a VPN browser extension will only secure your web browser! Any other apps (like Skype, Outlook, and your video games) won't benefit from its encryption – and you'll need to install a full VPN client onto your device in order to secure your entire network.

 

From $6.67/month

The best VPN for Firefox. A sleek, easy-to-use service that can unblock sites as easily as it secures your browser, with strong encryption and leak protection, and a 30-day money-back guarantee.

ProPrivacy TrustScore:
10 out of 10
Simultaneous connections
5
Server locations
160
Free trial
No

From $2.30/month

The best value VPN for Firefox. Users get unlimited simultaneous connections and access to virtually any streaming service out there, so unblocking content is a breeze. With a 30-day money-back guarantee.

ProPrivacy TrustScore:
9.9 out of 10
Simultaneous connections
Unlimited
Server locations
100
Free trial
Yes

From $2.19/month

The best secure VPN for Firefox. A privacy-oriented, zero-logs policy that packs superb encryption and a huge number of servers to choose from. Also includes a 30-day money-back guarantee.

ProPrivacy TrustScore:
9.8 out of 10
Simultaneous connections
Unlimited
Server locations
84
Free trial
No

From $1.19/month

The best all-rounder VPN for Firefox. It can bypass network blocks and geo-restrictions, offers 10 simultaneous connections, and a 30-day money-back guarantee.

ProPrivacy TrustScore:
9.7 out of 10
Simultaneous connections
10
Server locations
100
Free trial
No
HMA

From $3.99/month

The best streaming-friendly VPN for Firefox. A super-speedy service that can unblock Netflix US, and other sites, and boasts 188 dedicated streaming servers. With a 30-day money-back guarantee.

ProPrivacy TrustScore:
9.6 out of 10
Simultaneous connections
5
Server locations
290
Free trial
No

All Firefox add-ons are free and open source software (FOSS).

uBlock Origin

uBlock Origin is a lightweight but powerful ad-blocker that pulls double duty as an anti-tracking add-on. It uses a number of blocking lists to filter unwanted content from appearing in your browser. The lists it comes with are pretty good, but I recommend also adding those compiled by EasyList and Fanboy.uBlock Origin Logo

Blocking ads and tracking scripts can break some web pages, making uBlock Origin’s on-the-fly whitelisting feature very handy. You can also toggle which types of elements are blocked (pop-ups, large media elements, cosmetic elements and remote fonts), or use the Element picker and Element Zapper modes to customize what is permitted to run on a web page.

uBlock Origin works very well in tandem with  Privacy Badger, and I recommend using both together. It is also worth noting to avoid confusion, that uBlock Origin is recommended over the very similar uBlock add-on.

Privacy Badger

Developed by the Electronic Frontier Foundation (EFF), this is an excellent anti-tracking add-on that does double-duty as an ad-blocker. Although there is some overlap in function, Privacy Badger and uBlock Origin complement each other and are best run together.Privacy Badger Logo

Rather than using blocklists, Privacy Badger keeps track of scripts that are embedded in web pages. If it detects that a source is tracking you, it "springs into action, telling your browser not to load any more content from that source".

Privacy Badger allows you see which tracking scripts are present on a web page and which ones are actually tracking you. You can then decide how to deal with them (block, block cookies, or allow), or let Privacy Badger decide.

HTTPS Everywhere

An essential tool. HTTPS Everywhere was developed by the Electronic Frontier Foundation and tries to ensure that you always connect to websites using a secure HTTPS connection -  if one is available.HTTPS Everywhere Logo

It works because many websites can accept HTTPS connections, but use regular insecure HTTP ones by default.  Just be aware that if no HTTPS connection is possible, HTTPS Everywhere will default to an insecure HTTP connection (although this can be changed in its settings).

It is, therefore, a good idea to keep an eye on the padlock icon in the URL that shows whether you are using an HTTPS connection.

NoScript

NoScript is a potent tool that gives you unparalleled control over what scripts are run on your browser. However, many websites will not play game with NoScript, and it requires a fair bit of technical knowledge to configure and tweak it to work the way you want it to.NoScript Logo

It is easy to add exceptions to a whitelist, but even this requires some understanding of the risks that might be involved. Not for the casual user then, but for web-savvy power-users, NoScript is challenging to beat.

Note that if you use NoScript, you do not also need to use uBlock Origin + privacy Badger or uMatrix.

See here for some tips on getting the best out of NoScript. The last one is particularly worth paying attention to. It is worth keeping NoScript installed even if you "Allow Scripts Globally", as this still protects against nasty things such as cross-site scripting and clickjacking

uMatrix

Developed by the team behind uBlock Origin, uMatrix is something of a half-way house between that and NoScript. It provides a great deal of customizable protection but requires a fair bit of work and know-how to set up correctly.uMatrix Logo

uMatrix is not as hard to configure as NoScript and does not break as many sites. But neither is it as comprehensive.

Note that if you use uMatrix, then it is not necessary to also use uBlock Origin + Privacy Badger or NoScript.

Cookie AutoDelete

A drop-in replacement for the popular but now defunct Self-Destructing Cookies,  Cookie AutoDelete automatically deletes HTTP (regular) cookies when you close the browser tab that set them. This provides a high level of protection from tracking via cookies without "breaking" websites.Cookie Autodelete

Cookie AutoDelete also provides some protection against Flash/zombie cookies and ETags, and cleans DOM storage (although it can't clean local storage yet).

Note that Cookie AutoDelete and BetterPrivacy complement each other, and I recommend running them both together.

BetterPrivacy

This add-on controls Flash cookies. It should be configured to remove these automatically on a regular basis.Better Privacy Logo

There is an argument that BetterPrivacy is now redundant as Flash is used much less by websites than it used to be. Personally, I think it is still worth running. It is recommended to run this add-on and Self-Destructing Cookies together.

Note that at time of writing BetterPrivacy has been removed by its author from official Firefox Add-on website. The WebExtensions version is in beta, however, so we should hopefully see it reappear soon.

Random Agent Spoofer

A web browser user agent tells website what type of computer, what OS, and what browser you are using. Many sites use this information to optimize their pages to improve user experience, but this information can be used for browser fingerprinting.Random Agent Spoofer Logo

Random Agent Spoofer randomly changes what user agent information is given to a website. For example, it can tell a website that you are accessing it on an iPhone using Safari, rather than on a PC using Firefox.

Note that there is some debate on how effective Random Agent Spoofer and similar add-ons are at preventing Browser Fingerprinting.  It is true that using an unmodified generic browser such as the Tor Browser is almost certainly better in this regard. But if you are using other add-ons which make your browser more unique, changing your user agent is probably useful.

Canvas Defender

Canvas Defender

Canvas fingerprinting is the most common form of browser fingerprinting. It uses a script that asks your browser to draw a hidden image, and uses tiny variations in how the image is drawn to generate a unique ID code which can then be used to track you. Canvas Defender helps prevent this by creating a unique and persistent noise that hides your real canvas fingerprint.

Note that at the time of writing, Mozilla has promised upcoming versions of Firefox will feature built-in canvas fingerprinting protection. If and when this becomes available, Canvas Defender should become redundant, Until then, however, I strongly recommend its use.

Decentraleyes

This add- aims to improve your privacy while browsing by hosting CND resources locally. When your browser requests one of these CDN resources, the application is blocked, and you are served up a local version instead.Decentraleyes Logo

If the above just sounds like techno-babble to you, please check out my Decentraleyes Review for a full explanation.

Bloody Vikings!

Bloody Vikings is an easy-peasy way to create temporary email addresses.Bloody Vikings Logo

Just right-click in an email registration field, select ‘Bloody Vikings’ (or expand to see a choice of services), and a newly generated email address will be inserted into the field while a new browser tab opens to the temporary mailbox.

Mailvelope

PGP is by far the most secure way to send private emails. But it is a pain in the butt to use. Such a significant pain, in fact, that few people bother. Mailvelope is a browser add-on that allows end-to-end PGP encryption within Firefox.Mailvelope Logo

It works with popular browser-based webmail services such as Gmail, Hotmail, Yahoo!, and GMX. It makes using PGP about as painless as it gets. However, it is not as secure as using PGP with a dedicated email client. Check out my detailed look at Mailvelope here.

keepasshttp-connector

KeePassis a fantastic open source password manager. keepasshttp-connector is a Firefox add-on that brings full browser integration to KeePass.PassIFox Logo

Please check out my KeePass Review for further details.

 Privacy Settings

Firefox allows quite fine-grained control of its privacy settings, but to do this requires accessing its advanced configuration settings using about:config. I describe how to do this, plus provide an extensive list of privacy-related settings below.Privacy Settings Logo

Privacy Settings, however, allows you easy ‘one-click’ control of many of these settings using a simple GUI interface. Because it merely flips configuration settings, you can install the add-on, disable whichever settings you prefer, and then uninstall Privacy Settings to save browser resources.

How to make Firefox More Secure Using about:config

Built into Firefox are a number of "under the hood" settings. These can be changed to improve your privacy and security when browsing.

To access Firefox’s advanced configuration settings, type about:config into the search bar, and hit enter.

Firefox about:config Settings

While it might be possible to do some damage, this warning seems a bit strong to us! Click "I accept the risk!" if you are feeling brave enough.

You will now see the configuration screen, with Preference Name’s listed in alphabetical order (by default).

Firefox about:config example

To change a boolean entry (i.e. it has a true/false value), simply double-click anywhere on the entry line. To change an integer (i.e. numeric value), double-click the entry and enter a numeric value.

about:config change

To change a string value, double-click the entry and enter the required text.

about:config change 2

When you see an option in bold in the about:config pane, it has been changed from its default value.

Where an entry is marked with an asterisk*, I strongly suggest that you follow my advice.

Warning: Some websites rely on features we discuss disabling for security reasons below. Disabling these features will therefore "break" some websites (causing problems when using them, or even causing them to refuse to load altogether).

The good news is that simply re-enabling the relevant features will un-break the affected websites, so you may require some trial-and-error to find the right balance between maximum security and accessing the services you use.

browser.privatebrowsing.autostart

The Private Browsing mode was introduced to stop you leaving any embarrassing trails of what you have been up to for other users of your browser to find. Most importantly it stops (most) cookies and does not record any History of websites you have visited or forms you have filled in.

The critical thing to remember is that Private Browsing is excellent for protecting your privacy from others using the same computer, but does little to protect someone from the outside seeing what you get up to (e.g. your ISP).

Even if you are the sole user of a computer, it is still a good idea to always surf the internet in Private Browsing mode, thanks to its cookie blocking features in particular.

By setting this Preference to true you will automatically start Firefox in Private Browsing mode, so you will never forget to turn it on.

browser.safebrowsing.phishing.enabled*

Firefox ships with the Google Safe Browsing extension built-in and enabled by default. Designed to prevent phishing, it compares the websites you visit to a Google-run blacklist. This means that Google is constantly able to track you.

If you have installed our recommended Firefox extensions (see above) then you will gain no additional protection from Google Safe Browsing, while telling Google a great deal about your browsing history. I therefore strongly recommend that you turn it off by setting the value to false.

browser.safebrowsing.malware.enabled*

Safe Browsing (now renamed Phishing Protection) is basically a version of Google Safe Browsing licensed to Mozilla (but which still reports to Google). I, therefore, recommend that you set it to false, for the same reasons as above. Click here for the Mozilla help entry.

Note that there are a lot of browser.safebrowsing.xxx settings, and it may be worth going through them all and disabling them/deleting their string values.

browser.startup.homepage

By default, Firefox will start on the Mozilla Firefox Start Page, displaying a Google search box. Google (along with most major commercial search engines such as Bing! and Yahoo!) stores a great deal of information about you, including a record of the searches you make.

To start on a different page, simply enter the website address of your preferred choice. I use StartPage, but please check out our Privacy Search Engines Group Review for a rundown of the best options available. Click here for the Mozilla help entry.

browser.startup.page

If you prefer to start Firefox on a blank page, change this setting to ‘0

datareporting.healthreport.uploadEnabled

You can see details about your Firefox browser’s performance and stability any time by reviewing the Firefox Health Report (Firefox tab -> Help -> Firefox Health Report). By default, this report is periodically sent to Mozilla (in anonymous aggregate form) to help it understand problems and plan future developments.

For maximum security, you should prevent this by setting this entry to false (you will still be able to see your report, it just won’t be sent to Mozilla).

dom.event.clipboardevents.enabled*

If you cut, copy or paste something from a website, then the website owners can get notified of exactly which part of a webpage you have cut, copied or pasted. If they wish, they can then record or modify the text, or prevent you from copying (etc.). They can also prevent you from pasting text into online forms.

By setting this entry to false you prevent websites knowing where you pasted their text, and as a side benefit will be able to bypass restrictions on cutting and pasting).

dom.storage.enabled*

I discuss the dangers of DOM storage (also known as web storage) in "More things that go bump in the night: HTTP ETags, Web Storage, and ‘history stealing". Basically, this way of storing information within web browsers is one of the most pernicious methods used by commercial internet companies to track you across the web and is growing in popularity as netizens become more aware of the danger of ‘regular’ cookies.

Fortunately, DOM storage is easy to turn off by setting this entry to false.

Update: Thanks to feedback from readers, it is clear that setting dom.storage.enabled to false can "break" some website. Changing this setting should, therefore, be done with caution.

geo.enabled*

When you visit a "location-aware" website you will be asked if you want to share your location. If you answer yes then Firefox will send information about nearby wireless access points and your computer’s IP address to Google Location Service, and then pass that information on to the website (a random client identifier is also assigned by Google, which expires every 2 weeks).

Although you should be asked every time this happens, and need to give your explicit consent, you can prevent giving consent accidentally or through carelessness by turning this feature off (set the value to false). Click here for the Mozilla help entry.

geo.wifi.uri

This setting determines the geolocation service used (Google Location Service by default). If you set geo.enabled (above) to false, then this setting shouldn’t matter. If it makes you feel better, however, then you can change it to 127.0.0.1 (also known as localhost or the ‘loopback address’).

In theory, this setting could point to an alternative service, but none such really exist at the moment. Click here for the Mozilla help entry.

media.peerconnection.enabled

Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into your browser.

A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on or configure any new settings.

Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN. Some modern VPN clients will block WebRCT leaks, but it is safest to disable in your browser entirely. To do so, change this value to false.

If you use a good cookie manager such as Cookie AutoDelete (recommended), then you will not need to touch this preference. If not, then it is probably a good idea to set it to ‘1’ (only cookies from the originating server are allowed).

Again, using the Cookie AutoDelete add-on is probably the best policy, but if you prefer not to, then you can control when cookies expire by setting this setting to ‘2’ (the cookie expires at the end of the session (when the browser closes)).

network.dns.disablePrefetch

Firefox improves page load times by resolving domain names ‘proactively and in parallel’ (i.e. it pre-fetches the information).  In their paper ‘DNS Prefetching and Its Privacy Implications: When Good Things Go Bad’, Srinivas Krishnan and Fabian Monrose argue that this practice can lead to "privacy threats that are ripe for abuse. More specifically… where it is possible to infer the likely search terms issued by clients using a given DNS resolver".

DNS prefetching can be turned off by setting this value to true. If you can’t find this setting then you will have to add it manually by right-clicking on the about:config screen, selecting ‘New’ -> ‘Boolean’ and entering ‘network.dns.disablePrefetch’ into the dialog box.

network.http.sendRefererHeader

When you click on a hyperlink, the page you go to can request information about the page you clicked the link from. This information is contained in the ‘referer header’, and can be used to track you across a website.

Furthermore, Javascript scripts can "see" and reference the referrer header if this setting is turned on. Although Mozilla cautions that disabling referrer headings may cause problems with some websites, we advise changing the setting to ‘0’ (never send the referer header or set ‘document.referrer’).

network.http.sendSecureXSiteReferrer*

More or less the same as the entry above, except that it allows you to be tracked across websites. You can disable this setting by changing the value to false.

network.prefetch-next*

Firefox speeds up the browsing process by scanning links on a webpage, and pre-downloading linked-to webpages when idle. Although disabling this preference will slow down browsing somewhat, from a privacy perspective you really should set it to false. .

privacy.donottrackheader.enabled*

Most modern browsers now support a "Do not track’ feature, which asks websites not to track you, and Firefox is no exception. While this should most certainly be turned on (set to true), you should be aware that compliance from websites is entirely voluntary. So the protection it affords can be considered fairly minimal.

privacy.donottrackheader.value*

While the privacy.donottrackheader.enabled (above) setting determines whether a ‘Do not track’ instruction is sent to a website, this setting determines what that instruction actually says.

You should, therefore, set it to to request that websites do not track you (a header stating consent to being tracked is sent to all websites if privacy.donottrackheader.enabled is set True).

privacy.trackingprotection.enabled

This enables a blocklist based on Disconnect’s blocklist, to help prevent cross-site tracking. Once Tracking Protection is activated, you will see a shield in your address bar whenever Firefox is blocking either tracking domains or mixed content.

As a side-benefit, this setting also causes pages to load 44 percent quicker on average, data usage drops by 29 percent when connecting to the top 200 Alexa websites, and the number of HTTP cookies stored by the browser falls by 67.5%.

toolkit.telemetry.enabled

Telemetry covers all sorts of statistical data related to your browser’s performance, usage, and responsiveness. Firefox can send anonymous reports with this data to Mozilla, which is of great assistance to developers, and for this reason, you may consider turning it on, but for maximum privacy, you should check that it is false. Click here for the Mozilla help entry.

Additional Notes

Private Browsing (aka incognito mode)

Like most modern browsers, Firefox offers a Private Browsing mode. Unfortunately, this feature is often poorly understood. This can be very dangerous.

When you open a Private Window, pages you visit are not added to the browser’s History, text you enter into forms and search bars is not saved, passwords, downloads, cookies, and temporary internet files are also not saved.

This makes Private Browsing great at hiding what you get up to on the internet from family members and others who have access to your computer. There is a reason private browsing is often referred to as porn mode!

Firefox 57+ enables Tracking Protection in Private Browsing by default, but in general, Private Browsing does not hide what you get up to on the internet from your ISP. Nor does it hide your real IP address from websites you visit.

Private Browsing is therefore great for hiding what you get up to online from your family, but will not hide what you get up to online from anyone else. To hide what you get up to online from the rest of the world, you need to use a VPN or Tor.

Firefox Privacy Conclusion

Firefox is an excellent browser for privacy and security, but there are lots of things you can do make it even more so! The elephant in the room is that modifying your Firefox browser in many ways makes you more unique, and therefore more susceptible to browser fingerprinting techniques. Unfortunately there is currently no way to square this circle.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

60 Comments

Al
on May 7, 2020
I noticed after implementing these changes I get an error when trying to login to my wordpress website with Firefox: "401 Unauthorized Proper authorization is required to access this resource!" This error does NOT occur with chromium so I know its these settings. I can't seem to figure out which one is causing this. Please advise if you know which setting it is. Thanks!
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Al
on May 8, 2020
Hi Al. Yeah. As I note in the text, changing some settings can break some websites. A little trial and error is needed to find what works for you. It should also be noted that this whole article is in need of an update as Firefox has been evolving fast in the last couple of years.
Mozillan
on February 10, 2020
Many of the Mozilla Help Entry links are dead, there are also many preferences that you set in About:Config that are already set via the regular privacy settings.
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Mozillan
on February 11, 2020
Hi Mozillan. Thanks for letting us know. The article is a few years old, so it's not very surprising. When time permits, I will go through it to check that all information is up-to-date and all links are current.
thank you Douglas replied to Douglas Crawford
on February 21, 2020
thank you Douglas will wait your review ;) good job my friend
ZK
on January 9, 2020
Douglas thanks for sharing your knowledge. Your commentary gives this guide a special place on my list because it goes further than most in terms of shedding light on what (to most of us) is a pretty esoteric tech landscape... yet of course crucial to understand. Are there links to other pages where you offer similar tips?
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to ZK
on January 10, 2020
Hi ZK. Thanks! You might want to check out our Guides sections herer and here for lots of privacy-related goodness (I'm not sure why we have two guides sections, and have flagged with our devs!).
Roger
on September 9, 2019
Hi Douglas, Thank you for this very helpful article. There has been a slight change to Firefox since this article was last updated. In the latest version of Firefox, 'Tracking Protection' has been replaced with 'Content Blocking', and offers three options to choose from (Standard, Strict, or Custom). Which would you recommend we use? Thanks again!
https://cdn.proprivacy.com/storage/images/proprivacy/02/member-dougjpg-avatar-image-default-1png-avatar-image-default-minpng-avatar_image-small_webp.webp
Douglas Crawford replied to Roger
on September 10, 2019
Hi Roger. Yup, at some point I will need to update this article properly. As you say, Tracking Protection is now part of content blocking. I'm not sure there is a correct answer to your question as it all depends on how much functionality you are willing to lose in pursuit of privacy. The Standard option probably offers thew bang for your buck - it will stop a great deal of tracking in a way that causes minimal disruption to your browsing. Strict mode offers greater tracking protections but is more likely to break sites.
Gina Ferrari replied to Douglas Crawford
on January 1, 2020
I have volunteered to teach seniors about security and privacy while browsing. While they are not capable of following or understanding everything in this article, I have walked them through installing add-ons, etc. I have followed all your recommendations with regards to Firefox on my iMac. If you update these instructions, how will readers of these instructions know? Many thanks for your clear, concise, and easy to follow instructions. Gina.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service