GUIDE

How to make Firefox more secure using about:config

We have written a lengthy article discussing Firefox Add-ons, listing our favorite extensions for improving privacy while browsing. We have also talked about browser fingerprinting and history stealing, which will defeat most measures to enhance privacy, but as there is only a very limited amount that can be done to protect yourself against these pernicious tracking methods, we’ll ignore them for now.

Built into Firefox are a number of ‘under the hood’ settings, which can be changed to improve your privacy and anonymity when browsing.

To access Firefox’s advanced configuration settings, type about:config into the search bar, and hit enter.

While it might be possible to do some damage, this warning seems a bit strong to us! Click ‘I’ll be careful, I promise!’ if you are feeling brave enough.

You will now see the configuration screen, with Preference Names listed in alphabetical order (by default). We will now go through each Preference that has a privacy implication, explain what it does, and what we recommend you do with it.

To change a boolean entry (i.e. it has a true / false value), simply double-click anywhere on the entry line. To change an integer (i.e. numeric value), double-click the entry and enter a numeric value.

To change a string value, double-click the entry and enter the required text.

When you see an option in bold in the about:config pane, it has been changed from its default value.

Where an entry is marked with an asterisk*, we strongly suggest that you follow our advice.

Warning: Some websites rely on features we discuss disabling for security reasons below. Disabling these features will therefore ‘break’ some websites (causing problems when using them, or even causing them to refuse to load altogether). The good news is that simply re-enabling the relevant features will un-break the affected websites, so you may require some trial-and-error to find the right balance between maximum security and accessing the services you use.

browser.privatebrowsing.autostart

The Private Browsing mode was introduced to stop you leaving any embarrassing trails of what you have been up to for other users of your browser to find. Most importantly it stops (most) cookies and does not record any History of websites you have visited or forms you have filled in. The important thing to remember is that Private Browsing is great for protecting your privacy from others using the same computer, but does little to protect someone from the outside seeing what you get up to (e.g. your ISP).

Even if you are the sole user of a computer, it is still a good idea to always surf the internet in Private Browsing mode, thanks to its cookie blocking features in particular. By setting this Preference to true you will automatically start Firefox in Private Browsing mode, so you will never forget to turn it on. Click here for the Mozilla help entry.

browser.safebrowsing.enabled*

Firefox ships with the Google Safe Browsing extension built-in and enabled by default. Designed to prevent phishing, it compares the websites you visit to a Google-run blacklist. This means that Google is constantly able to track you. If you have installed our recommended Firefox extensions then you will gain no additional protection from Google Safe Browsing, while telling Google a great deal about your browsing history. We therefore strongly recommend that you turn it off by setting the value to false. Click here for the Mozilla help entry.

browser.safebrowsing.malware.enabled*

Safe Browsing (now renamed Phishing Protection) is basically a version of Google Safe Browsing licenced to Mozilla (but which still reports to Google). We therefore recommend that you set it to false, for the same reasons as above. Click here for the Mozilla help entry.

browser.startup.homepage

By default, Firefox will start on the Mozilla Firefox Start Page, displaying a Google search box. Google (along with most major commercial search engines such as Bing! and Yahoo!) stores a great deal of information about you, including a record of the searches you make. To start on a different page, simply enter the website address of your preferred choice. We use the anonymous no logs search engine DuckDuckGo (https://duckduckgo.com/), but Start Page may be an even better choice (https://startpage.com/). Click here for the Mozilla help entry.

browser.startup.page

If you prefer to start Firefox on a blank page, change this setting to ‘0’. Click here for the Mozilla help entry.

datareporting.healthreport.uploadEnabled

You can see details about your Firefox browser’s performance and stability any time by reviewing the Firefox Health Report (Firefox tab -> Help -> Firefox Health Report). By default this report is periodically sent to Mozilla (in anonymous aggregate form) to help it understand problems and plan future developments. For maximum security you should prevent this by setting this entry to false (you will still be able to see your report, it just won’t be sent to Mozilla). Click here for the Mozilla help entry.

dom.event.clipboardevents.enabled*

If you cut, copy or paste something from a website, then the website owners can get notified of exactly which part of a webpage you have cut, copied or pasted. If they wish, they can then record or modify the text, or prevent you from copying (etc.). They can also prevent you from pasting text into online forms. By setting this entry to false you prevent websites knowing where you pasted their text (and as a side-benefit will be able to bypass restrictions on cutting and pasting). Click here for the Mozilla help entry.
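To check that the setting has taken effect, the following added test harness (not part of the original article) records whether copy, cut and paste events reach page script at all. The function names and the readSelection callback are hypothetical; in a browser the probe is attached to the document of a test page you control.

```javascript
// Added test harness, not from the original article.
const CLIPBOARD_EVENTS = ['copy', 'cut', 'paste'];

// target: any EventTarget (the document in a browser).
// readSelection: hypothetical callback returning the currently selected text.
function attachClipboardProbe(target, readSelection = () => '') {
  const seen = [];
  for (const type of CLIPBOARD_EVENTS) {
    target.addEventListener(type, (event) => {
      const entry = { type, selection: null, pasted: null };
      if (type === 'paste') {
        // clipboardData exists only on real ClipboardEvents.
        entry.pasted = event.clipboardData
          ? event.clipboardData.getData('text/plain')
          : null;
      } else {
        entry.selection = readSelection();
      }
      seen.push(entry);
    });
  }
  return seen;
}

// One-line verdict for the tester.
function summarize(seen) {
  if (seen.length === 0) return 'no clipboard events reached the page';
  const types = [...new Set(seen.map((e) => e.type))].join(', ');
  return `page observed: ${types}`;
}

// In a browser: attach to the document and show the verdict in the tab title
// after the tester has copied, cut and pasted some text on the page.
if (typeof document !== 'undefined') {
  const seen = attachClipboardProbe(document, () => String(window.getSelection()));
  const show = () => { document.title = summarize(seen); };
  CLIPBOARD_EVENTS.forEach((type) => document.addEventListener(type, show));
  show();
}
```

With dom.event.clipboardevents.enabled set to false, the title should stay at "no clipboard events reached the page" however much you copy and paste.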

dom.storage.enabled*

We discuss the dangers of DOM storage (also known as web storage) in our article ‘More things that go bump in the night: HTTP ETags, Web Storage, and ‘history stealing’’. Basically, this way of storing information within web browsers is one of the most pernicious methods used by commercial internet companies to track you across the web, and is growing in popularity as netizens become more aware of the danger of ‘regular’ cookies. Fortunately DOM storage is easy to turn off by setting this entry to false. Click here for the Mozilla help entry. Update: Thanks to feedback from readers, it is clear that setting dom.storage.enabled to false can “break” some websites. Changing this setting should therefore be done with caution.

geo.enabled*

When you visit a ‘location aware’ website you will be asked if you want to share your location. If you answer yes then Firefox will send information about nearby wireless access points and your computer’s IP address to Google Location Service, and then pass that information on to the website (a random client identifier is also assigned by Google, which expires every 2 weeks). Although you should be asked every time this happens, and need to give your explicit consent, you can prevent giving consent accidentally or through carelessness by turning this feature off (set the value to false). Click here for the Mozilla help entry.

geo.wifi.uri

If you set geo.enabled (above) to false, then this setting, which determines the geolocation service used (Google Location Service by default) shouldn’t matter. If it makes you feel better however, then you can change this to 127.0.0.1 (also known as localhost or the ‘loopback address’). In theory this setting could point to an alternative service, but none such really exist at the moment. Click here for the Mozilla help entry.

network.cookie.cookieBehavior

If you use a good cookie manager such as Cookie Monster (recommended), then you will not need to touch this preference. If not then it is probably a good idea to set it to ‘1’ (only cookies from the originating server are allowed). Click here for the Mozilla help entry.

network.cookie.lifetimePolicy

Again, using the Cookie Monster add-on is probably the best policy, but if you prefer not to then you can control when cookies expire by setting this setting to ‘2’ (the cookie expires at the end of the session (when the browser closes)). Click here for the Mozilla help entry.

network.dns.disablePrefetch

Firefox improves page load times by resolving domain names ‘proactively and in parallel’ (i.e. it pre-fetches the information).  In their paper ‘DNS Prefetching and Its Privacy Implications: When Good Things Go Bad’, Srinivas Krishnan and Fabian Monrose argue that this practice can lead to ‘privacy threats that are ripe for abuse. More specifically… where it is possible to infer the likely search terms issued by clients using a given DNS resolver.’ DNS prefetching can be turned off by setting this value to true. If you can’t find this setting then you will have to add it manually by right-clicking on the about:config screen, selecting ‘New’ -> ‘Boolean’ and entering ‘network.dns.disablePrefetch’ into the dialog box. Click here for the Mozilla help entry.

network.http.sendRefererHeader

When you click on a hyperlink, the page you go to can request information about the page you clicked the link from. This information is contained in the ‘referer header’, and can be used to track you across a website. Furthermore, JavaScript scripts can ‘see’ and reference the referer header if this setting is turned on. Although Mozilla cautions that disabling referer headers may cause problems with some websites, we advise changing the setting to ‘0’ (never send the referer header or set ‘document.referrer’). Click here for the Mozilla help entry.

network.http.sendSecureXSiteReferrer*

More or less the same as the entry above, except that it allows you to be tracked across websites. You can disable this setting by changing the value to false. Click here for the Mozilla help entry.

network.prefetch-next*

Firefox speeds up the browsing process by scanning links on a webpage, and pre-downloading linked-to webpages when idle. Although disabling this preference will slow down browsing somewhat, from a privacy perspective you really should set it to false. Click here for the Mozilla help entry.

privacy.donottrackheader.enabled*

Most modern browsers now support a ‘Do not track’ feature, which asks websites not to track you, and Firefox is no exception. While this should most certainly be turned on (set to true), you should be aware that compliance from websites is entirely voluntary, so the protection it affords can be considered fairly minimal. Click here for the Mozilla help entry.

privacy.donottrackheader.value*

While the privacy.donottrackheader.enabled (above) setting determines whether a ‘Do not track’ instruction is sent to a website, this setting determines what that instruction actually says. You should therefore set it to 1 to request that websites do not track you (a header stating consent to being tracked is sent to all websites if privacy.donottrackheader.enabled is set to true). Click here for the Mozilla help entry.

privacy.trackingprotection.enabled

This enables a blocklist based on Disconnect’s blocklist, to help prevent cross-site tracking. Once Tracking Protection is activated, you will see a shield in your address bar whenever Firefox is blocking either tracking domains or mixed content. As a side-benefit, this setting also causes pages to load 44 percent quicker on average, data usage drops by 29 percent when connecting to the top 200 Alexa websites, and the number of HTTP cookies stored by the browser falls by 67.5%. Click here for the Mozilla help entry.

toolkit.telemetry.enabled

Telemetry covers all sorts of statistical data related to your browser’s performance, usage and responsiveness. Firefox can send anonymous reports with this data to Mozilla, which is of great assistance to developers, and for this reason you may consider turning it on, but for maximum security you should check that it is false (it is usually false by default). Click here for the Mozilla help entry.

Conclusion

Changing these advanced settings in Firefox is a good and fairly easy way to improve your internet security and stop third parties from tracking your movements across the internet. To further improve your browser security we suggest you check out these articles:

Update 30 January 2015: we also strongly recommend that readers change the following value, as discussed in this article.

Search for ‘media.peerconnection.enabled’
Double-click on the entry to change the Value to ‘false’.

Update 17 November 2015: A Firefox Add-on called Privacy Settings now allows you easy ‘one-click’ control of many of these settings using a simple GUI interface.
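To check a profile against the values this guide marks with an asterisk, the following added example (not from the original article) parses the user_pref(...) lines that Firefox writes to a profile's prefs.js and reports each preference as set as recommended, set differently, or absent from the file. The sample file contents and the function names are constructed for illustration.

```javascript
// Added example, not from the article: asterisked entries plus the 30 January 2015 update.
const RECOMMENDED = {
  'browser.safebrowsing.enabled': false,
  'browser.safebrowsing.malware.enabled': false,
  'dom.event.clipboardevents.enabled': false,
  'dom.storage.enabled': false, // the guide warns this can break some websites
  'geo.enabled': false,
  'network.http.sendSecureXSiteReferrer': false,
  'network.prefetch-next': false,
  'privacy.donottrackheader.enabled': true,
  'privacy.donottrackheader.value': 1,
  'media.peerconnection.enabled': false,
};

// prefs.js and user.js hold one user_pref("name", value); statement per line.
const PREF_LINE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$/;

function parseValue(raw) {
  if (raw === 'true') return true;
  if (raw === 'false') return false;
  if (/^-?\d+$/.test(raw)) return Number(raw);
  // Anything else is kept as text; a quoted string loses only its quotes.
  return /^".*"$/.test(raw) ? raw.slice(1, -1) : raw;
}

function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (m) prefs.set(m[1], parseValue(m[2])); // a later line overrides an earlier one
  }
  return prefs;
}

// status: 'ok' = set as recommended, 'differs' = set to something else
// (including the wrong type), 'unset' = not in the file, so still at its default.
function auditPrefs(text, recommended = RECOMMENDED) {
  const prefs = parsePrefs(text);
  return Object.entries(recommended).map(([name, wanted]) => {
    if (!prefs.has(name)) return { name, status: 'unset', wanted };
    const actual = prefs.get(name);
    return { name, status: actual === wanted ? 'ok' : 'differs', wanted, actual };
  });
}

// Constructed sample, not taken from a real profile.
const SAMPLE_PREFS = [
  '// Mozilla User Preferences',
  'user_pref("browser.startup.homepage", "https://duckduckgo.com/");',
  'user_pref("geo.enabled", false);',
  'user_pref("privacy.donottrackheader.enabled", true);',
  'user_pref("privacy.donottrackheader.value", "1");',
  'user_pref("network.prefetch-next", true);',
].join('\n');

for (const r of auditPrefs(SAMPLE_PREFS)) {
  const note = r.status === 'differs' ? ` (is ${JSON.stringify(r.actual)}, want ${r.wanted})` : '';
  console.log(`${r.status.padEnd(7)} ${r.name}${note}`);
}
```

An entry reported as unset corresponds to a line that is not shown in bold in about:config, so its effective value is whatever Firefox ships as the default.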


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+


33 responses to “How to make Firefox more secure using about:config”

    1. Hi Mr. Jacks,

      Thanks for the link. I will update this article in the not-too-distant future!

  1. Hello Douglas. Brilliant article.

    Can I just say that you are right in that there is now a Firefox browser extension called “Privacy Settings” that will do all of the above settings automatically without having to go into the about:config tab.

    Hope this helps.

    Keep up the brilliant articles!

    1. Hi Bryan,

      Thanks! I have, in fact, reviewed the Privacy Settings add-on here, and have now also added an update to this article to this effect.

    1. Hi ommon,

      Yes, that does look interesting (ConfigFox is an open source utility that allows users to easily manage Firefox’s advanced privacy settings.) It looks somewhat similar to the Privacy Settings addon. I will put it on my to-do list.

  2. Hello Douglas,

    Excellent article.

    I have a few queries and am hoping that you can guide me to solve them.
    Listing the queries here :

    1. dom.event.clipboardevents.enabled
    If you cut, copy or paste something from a website, then the website owners can get
    notified of exactly which part of a webpage you have cut, copied or pasted.
    a) I would like to know what information goes out in the network packets to the
    website when a user performs a copy-paste operation on the webpage displayed
    in the web browser to the user.
    b) How can I test this?
    c) By making javascript.enabled=false, can such information still go out from the
    client Firefox to the website?

    2. privacy.trackingprotection.enabled
    As a side-benefit, this setting also causes pages to load 44 percent quicker on
    average, data usage drops by 29 percent when connecting to the top 200 Alexa
    websites, and the number of HTTP cookies stored by the browser falls by 67.5%.
    a) I would like to know, how to test the performance of firefox browser after doing
    some changes in the about:config
    b) I would also like to know, how to use Alexa websites (top 10 / 100 / 500 / any
    other), to verify browsing performance (breakage if any)?

    Your guidance is vital to me.

    Thanks & Regards

    Harshad

    1. Hi Harshad,

      1. This is not a JavaScript setting, but a “feature” built into Firefox. Turning off JavaScript will have no effect on oncopy, oncut and onpaste events (but setting the value to false will disable them.) As far as I know the only way to test this would be to create a web site that uses oncopy, oncut and onpaste events, then visit the site using a browser with dom.event.clipboardevents.enabled set to false.

      2. To find out how Georgios Kontaxis and Monica Chew arrived at these figures, please read their research paper on the subject.

      1. Hello Douglas,

        Sincere thanks for taking time out and replying.

        As per your suggestion, I will try to develop a website and test clipboard event.

        Regarding the research paper, for the last few days I have been reading and trying to understand the same paper.

        Thank You,

        Harshad

  3. Some issues I had:

    a) If network.http.sendRefererHeader has a value of 0, you get 403 error when trying to login into your WordPress site.

    b) When dom.storage.enabled* has a value of false, I couldn’t access my host’s web interface.

    1. Hi Martin,

      Thanks for the feedback. It is true that changing some of the settings discussed in this article can ‘break’ some websites. I have added a warning in the article to this effect.

  4. Thanks for the privacy tweaks, although it would be much appreciated if you could describe any possible breakage in functionality for each config change.

    1. Hi Chip,

      That is a good idea, although it will require a great deal more research. Watch this space!

        1. Hi Chip,

          Thanks. That is good to know, but highlights the problem of how hard it will be to comprehensively list what each tweak might break. I, for example, use neither Spotify nor YouNow. I will look into the issue though, to see how feasible such a list might be.

          1. Hi Shane,

            Thanks. I have added a note to the dom.storage.enabled entry to the effect that setting it to false can “break” some websites. Changing this setting should therefore be done with caution.

    1. Hi WiWiWi,

      Hmm… interesting. By default Firefox tries to resolve DNS resolution for links in page, taking advantage of idle periods so that when the links are clicked the webpage will load faster. This does not seem to be a major security threat, although this article notes that,

      From a security point of view, the negative aspect of DNS prefetching is the large number of DNS queries it induces, which may give helpful information to an attacker for the development of potential attacks.
      For instance, it is possible to imagine a malicious website that tracks users through links to specific domains within HTML pages, and by observing the DNS resolution requests made by the browser for these domains.

      However, it is possible to get the same kind of information, more simply, by using specially crafted image tags or by embedding iframes into web pages.

      For users having high security needs, it is possible to disable the DNS prefetching feature.

      I think I will therefore leave it to readers to decide whether DNS prefetching should be disabled, but thanks for the heads-up.

  5. Just a note on common English:

    “Were an entry is marked with a asterix*, we strongly advice that you follow our advice” should be “Where an entry is marked with an asterisk, we strongly advise that you follow our advice.”

    Four errors in one relatively short sentence is a bit much, guys.

    1. Hi DonS,

      This was a hurried sentence added at the end of a long day, and which obviously slipped past our crack team of editors. Thanks for pointing out the errors:).

    1. Hi Mike,

      Thanks for pointing out the minor blip – privacy.donottrackheader.value has an integer value that should be set for 1 to send a do not track request, not ‘True’. I have corrected the entry in the article.

  6. Excellent article. Thank you. One thing you might want to look at though is the instruction for network.dns.disablePrefetch. In order to disable this function, I think you’d want to set it as true, not false. Kind of like on IOS settings where you have to select enable to limit or otherwise disable a privacy-violating feature. Thank you again, very useful piece.
