Firefox about:config privacy and security settings

November 4, 2014

Below are some configuration settings you may consider enabling in Mozilla Firefox in about:config for privacy and security reasons. This list is not meant to be exhaustive and generally does not list entries that can easily be set via the options or preferences menu. Some of these settings have a negative performance impact or remove functionality. Also keep in mind that the further you take your Firefox configuration away from the norm, the rarer your Firefox setup might become and therefore ironically enough, the more identifiable your system may be (see for details) and so we recommend reviewing the list below and setting those that make sense for your scenario. This list was created using Firefox v33.

Begin by typing about:config in the Firefox location bar, then search for the following:


Set it to false to disable. Link prefetching can be used by web sites to give web browsers hints about which pages are likely to be visited so that the browser can download them ahead of time, with the goal of improving performance. There is no same-origin restriction for link prefetching. According to this FAQ, "prefetching will generally cause the cookies of the prefetched site to be accessed".


Set it to true to disable. Similar to above, this feature allows Firefox to perform DNS resolution proactively.


Set it to 0 to prevent Firefox from ever sending the HTTP referer; however, this is known to break certain web sites that check for the referer. Therefore an alternative to specifying this setting would be to install the Refcontrol add-on, which allows you to control the referer and specify per-site exceptions. You may also wish to review the setting network.http.sendSecureXSiteReferrer.


Set it to false to disable. According to MozillaZine: "If you are concerned about privacy and have already turned off referrer sending and JavaScript, you may want to set this preference to false". If you decide to keep browser.send_pings enabled, then you may wish to review browser.send_pings.require_same_host as well.


Set it to false to disable. As per the W3C Editor's Draft, part of the reason for the Beacon specification is for "analytics".


Set it to false to disable. This feature enables location-aware browsing. Although when this feature is enabled Firefox prompts you on whether you wish to share your location, setting geo.enabled to false permanently turns off this prompt.


Set it to any string you wish in order to override the default Firefox HTTP user agent string. You may need to create this entry first by right-clicking in the list of preferences and selecting New | String. Note that, depending on which user agent string you specify, this can greatly change your browsing experience on certain web sites; also keep in mind that other fields in the HTTP headers can betray the actual underlying user agent that is being used.


Set it to true to disable. If you do not need this functionality, you should disable it in order to reduce your attack surface. See this SANS ISC entry for details.


Set it to true to disable. This will disable the built-in PDF reader thus reducing your attack surface, assuming of course you are not going to load the PDFs in a more vulnerable PDF reader.


Set it to false if you did not install the Adobe Flash plugin for Firefox, which is becoming more feasible with the shift towards HTML5. This will stop Firefox from prompting you to install Adobe Flash when it detects Flash content.


Can be set to any value from 0 to 3 to control certificate pinning behavior (0 disables it, which we do not necessarily recommend). Review this page to confirm the best setting for you. Note that setting it to 2 may interfere with certain security solutions.


Set it to 1 to disable SSLv3 entirely, and higher to make TLSv1.1 or 1.2 the minimum version to use. This will no longer be necessary once Mozilla disables SSLv3 in the upcoming Firefox 34 in order to mitigate the POODLE attack.


Set to true to have Firefox display internationalized domain names in Punycode instead of in a language-specific script. Only set this if properly rendering IDNs is a feature you do not desire.
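Once a profile has been hardened along the lines above, it helps to be able to check it again later (after an upgrade, or on another machine) rather than re-reading about:config by hand. The following script is an added example, not part of the original post: it parses the `user_pref("name", value);` lines of a Firefox user.js or prefs.js file and compares the entries against a small policy. The policy only lists preferences this page names (browser.send_pings, geo.enabled, browser.send_pings.require_same_host); the value assumed for require_same_host and the sample file contents are constructed, and general.useragent.override is assumed to be the name of the user-agent override entry described above.

```python
import json
import re

# Recommended values for the preferences this page names. The value for
# require_same_host is an assumption (the page only says to review it);
# extend this dict with the remaining about:config entries from the list.
HARDENING_POLICY = {
    "browser.send_pings": False,
    "browser.send_pings.require_same_host": True,
    "geo.enabled": False,
}

# Constructed sample user.js: send_pings is wrongly left on, geo is fine.
SAMPLE_USER_JS = '''\
// constructed sample - not a real profile
user_pref("browser.send_pings", true);
user_pref("geo.enabled", false);
user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0");
'''

# One pref per line: user_pref("name", <true|false|int|"string">);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_value(raw):
    """Convert the literal after the comma into a Python bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return json.loads(raw)   # prefs.js strings use JSON-style escapes
    return int(raw)              # anything else must be an integer pref


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line; skip comments."""
    prefs = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs, policy):
    """Return {name: (status, expected, actual)} for each non-compliant entry.
    'not set' means the built-in default applies and should be confirmed
    in about:config; compliant entries are omitted."""
    findings = {}
    for name, expected in policy.items():
        if name not in prefs:
            findings[name] = ("not set", expected, None)
        elif prefs[name] != expected:
            findings[name] = ("mismatch", expected, prefs[name])
    return findings


if __name__ == "__main__":
    for name, (status, want, got) in audit(parse_prefs(SAMPLE_USER_JS), HARDENING_POLICY).items():
        print(f"{status:8} {name}: expected {want!r}, found {got!r}")
```

Point `parse_prefs` at the text of the user.js in your profile directory to audit a real profile; prefs.js only records values that differ from the defaults, so "not set" there is not necessarily a problem.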