Firefox

Introduction

Why Firefox?

• Free and open-source (Gecko engine): auditable, transparent code
• Non-profit organization: Mozilla Foundation, mission of general interest
• Built-in native protections: Enhanced Tracking Protection (ETP), Total Cookie Protection (TCP), State Partitioning, HTTPS-only mode, DNS over HTTPS (DoH)
• Advanced customization: unlike Chrome, Firefox lets you modify its behavior in depth

Important principles before you start

• No universal recipe: the more you modify, the more you risk standing out (fingerprinting). The aim is to be better protected without standing out from the crowd.
• Step-by-step progress: Change a setting, test your usual sites, then continue. There's no need to change everything at once.
• Personal balance: Find YOUR compromise between privacy and ease of use.

Quick installation

• Windows: download the .exe installer, double-click and follow the installation wizard
• macOS: download the .dmg file, open it and drag Firefox into the Applications folder
• Linux: several options available - package .deb/.rpm, Flatpak (Flathub), Snap, or via package manager (apt, dnf, pacman). Prefer official Mozilla sources.

Protections already activated by default (reassuring)

• Site isolation (Fission): in progressive deployment. This feature runs each site in a separate process to prevent one malicious tab from accessing another's data. Check its status via about:support (search for "Fission"). If not enabled, you can manually activate it in about:config with fission.autostart = true.
• Total Cookie Protection (TCP): active by default. Cookies and other storage are confined to the first-party site (one "jar" per site), which neutralizes cross-site tracking. Temporary exceptions are made via the Storage Access API when necessary (integrated login buttons).
• Bounce/Redirect Tracking Protection: Firefox automatically detects and cleans up cookies left behind by bounce sites (links that redirect you via a tracker before the destination), reducing this tracking channel without any action on your part.

Level 1 - Essential (≤ 10 minutes)

• Switch ETP to Strict. You block more trackers (cross-site cookies, fingerprinting, cryptomining, social widgets...).
• If a site breaks (video, login button...), deactivate protection only for that site via the 🛡️ shield, then refresh the tab.

• Standard (balanced, maximum compatibility)
  • Blocks: social trackers, cross-site cookies (all windows), tracking content in private browsing, cryptocurrency miners, fingerprint detectors.
  • Includes Total Cookie Protection (TCP): one jar per site.
• Strict (recommended for confidentiality)
  • Also blocks tracking content in all windows + known and suspected fingerprinting.
  • May break some sites; use the 🛡️ shield for a local exception.
• Custom (advanced)
  • Fine tuning: cookies, tracking content, minors, fingerprinting (known/suspected).

• Enable "Delete cookies and site data on close " to restart cleanly each time you restart.
• Add Exceptions for 2-3 essential sites if you wish (e-mail, bank).

• Deactivate auto-fill (IDs, addresses, cards). Use a password manager instead.
• Search: deactivate "Show search suggestions".
• Address bar: cut "Sponsored suggestions" and "Contextual suggestions".
• Home: disable Pocket and sponsored content.

• Activate "HTTPS mode only in all windows ".

• In "Data collection by Firefox", uncheck all.
• Deactivate "Privacy-friendly advertising measures " (PPA).
• Safe Browsing: keep it enabled (recommended). Firefox checks sites against threat lists via hashed queries and local checks, protecting against phishing and malware with minimal privacy impact.

• Activate the GPC to signal your refusal to sell/share data.

• Switch to DuckDuckGo, Startpage, Qwant or Brave Search (Settings → Search).

• Private windows (Ctrl/Cmd+Shift+P) for one-off sessions (gifts, secondary accounts...). Avoid "always private" mode: extensions may be inactive and cookie exceptions less useful.

• uBlock Origin: blocks ads and current tracking, lightweight.
• Privacy Badger: learns to block what follows you; sends Do Not Track / GPC.
• ClearURLs (optional): Firefox (ETP Strict) and uBO already clean up a lot; keep it if you still see "dirty" URLs (utm, fbclid).
• Firefox Multi-Account Containers: isolates cookies/sessions and storage per container; parallel multi-accounts; less cross-site tracking. Official extension: https://addons.mozilla.org/fr/firefox/addon/multi-account-containers/.

• Use a dedicated password manager (Bitwarden, KeePassXC). Avoid storing passwords in the browser. Enable 2FA wherever possible.

Level 2 - Reinforced (Compartmentalization & Network)

• Default status: Automatically activated in some regions (USA, Canada, Russia, Ukraine). Elsewhere, manual activation required.
• Configuration: Settings → General → Network settings → Enable DoH → Cloudflare or Quad9 → Maximum protection.
• Maximum protection = TRR-only (no fallback to system DNS). If a corporate/hotel network blocks, switch back to Standard or disable DoH.
• Redundancy: If you're already using a trusted VPN with its own secure DNS, DoH can be redundant.
• Verification test: https://www.dnsleaktest.com/ should display only the chosen DoH provider.

• Multi-Account Containers: create spaces (Personal, Work, Finance, Social Networks, Shopping, Disposable). Configure "Always open in this container" for your recurring sites. Official extension: https://addons.mozilla.org/fr/firefox/addon/multi-account-containers/.
• Why use them?
• Strong isolation of cookies/sessions/storage by space.
• Less cross-site tracking: confine the giants (Facebook, Google).
• Simultaneous multi-accounts on the same service.
• Less risk of CSRF/XSS between segmented identities.
  • Tip: at the very least, dedicated containers for Social Networks/Google, Work, Finance.
• Facebook Container (optional): a simplified version dedicated to FB/Instagram.
• Separate profiles: via about:profiles (main profile, minimal "ultra-secure" profile, test profile). Total data and extension compartmentalization.

• Cookie AutoDelete: deletes a site's cookies as soon as the tab is closed (useful if Firefox is open for a long time).
• LocalCDN: serves current libraries locally (reduces calls to Google/Microsoft). Partial compatibility.

• Firefox Android + uBlock Origin: similar protection on the move.

Level 3 - Expert (about:config & Arkenfox)

Approach A: Manual modifications via about:config

• Resistance to fingerprinting (inherited from Tor Browser)

privacy.resistFingerprinting = true

• Disable WebRTC (avoids IP leaks; breaks Web visio)

media.peerconnection.enabled = false

• Referer plus compatible (default)

network.http.referer.XOriginPolicy = 1
network.http.referer.trimOnCrossOrigin = true

network.http.referer.XOriginPolicy = 2

• Limiting chattering APIs and speculation

dom.battery.enabled = false
device.sensors.enabled = false
beacon.enabled = false
geo.enabled = false
media.navigator.enabled = false
network.prefetch-next = false
browser.urlbar.speculativeConnect.enabled = false
network.http.speculative-parallel-limit = 0

Approach B: Arkenfox user.js (Fully automated configuration)

• What's the point? Start from a consistent hardened base without "clicking everywhere"; reduce oversights; save time.
• What it changes (examples): telemetry cut, cookies/cache/referrer/HTTPS strengthened, RFP + letterboxing, WebRTC disabled, DoH/TLS adjustments, chatty APIs limited.
• When to use it: if you want Firefox hardened in 10 minutes and accept a few exceptions (DRM/streaming, Web visio, SSO/payments).
• Advantages: fast, consistent, updated (ESR-aligned), very well documented (wiki + comments), customizable via overrides.
• Limitations: compatibility (some web apps), comfort (UTC, window sizes), and a reminder: it's not Tor (no network anonymity).

1. Save profile/favorites and list your sites with cookie exceptions.
2. Download user.js from https://github.com/arkenfox/user.js (ESR/stable version).
3. Find your profile folder via about:profiles:
   • Windows: %APPDATA%/Mozilla/Firefox/Profiles/...
   • Linux: ~/.mozilla/firefox/...
   • macOS: ~/Library/Application Support/Firefox/Profiles/...
4. Close Firefox and move user.js to the root of the profile folder.
5. Relaunch; customize via about:config or an overrides file.

• Follow the Arkenfox releases (ESR aligned), replace the user.js, relaunch Firefox; read the release notes.

// DRM/streaming
user_pref("media.eme.enabled", true);

// Safe Browsing (si vous préférez le garder)
user_pref("browser.safebrowsing.phishing.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", true);

// Historique moins restrictif
user_pref("places.history.expiration.max_pages", 200000);

// Synchronisation Firefox
user_pref("identity.fxaccounts.enabled", true);

// WebRTC (si visio nécessaire)
user_pref("media.peerconnection.enabled", true);

// Referer plus compatible
user_pref("network.http.referer.XOriginPolicy", 1);
user_pref("network.http.referer.trimOnCrossOrigin", true);

• Use a separate "Arkenfox" profile and keep a "normal" profile for comfort.
• Minimize extensions (uBlock Origin OK) to limit attack surface and uniqueness.
• Add site-by-site exceptions (shield 🛡️, uBO, NoScript if used) when necessary.
• Test after every change: WebRTC/DNS leaks, Cover Your Tracks, CreepJS.

Best practices

• Updates: Firefox and extensions up to date.
• Extensions: reasonable and reliable; watch out for "dubious" redemptions.
• Downloads: caution; test sensitive files on VirusTotal.
• Passwords: dedicated manager (Bitwarden, KeePassXC); 2FA enabled; avoid storing in browser.
• Hygiene: confine Google/Facebook to containers; close/open regularly to "reset" context.

Limits & Alternatives

• A hardened browser ≠ network anonymity: without VPN, your IP remains visible; even with it, correlation remains possible.
• Modifying too much can make you unique. RFP standardizes; randomization tools (e.g. Chameleon) can... set you apart. Test, compare, adjust.
• Alternatives/complements:
• Tor Browser: network anonymity via Tor; slower. See our complete installation and configuration guide:

Tor BrowserHow to use the Tor Browser?

• Mullvad Browser: "Tor without Tor", to be combined with VPN; standardized footprint. Find out how to install it in our dedicated tutorial:

Mullvad BrowserHow to use the Mullvad Browser for privacy

• Recommended combinations: Firefox (Level 2) + VPN for everyday use; Tor/Mullvad for sensitive activities; separate profiles for compartmentalization.

Conclusion

Resources

Plan ₿ Academy

• SCU 202 - Improving your personal digital security: To learn more about the digital security concepts covered in this tutorial

Improve Your Personal Digital Security

Intermediate

4.8(69)

Set up a secure, stable and efficient personal digital environment.

4.8(69)

ProfessorLoïc Morel

Duration10 hours

See the course

Improve Your Personal Digital Security

Set up a secure, stable and efficient personal digital environment.

Loïc Morel

Intermediate

10 hours

4.8(69)

Mozilla documentation

• Enhanced Tracking Protection: Official guide to enhanced tracking protection
• State Partitioning: Technical documentation on state partitioning
• MDN Web Security: Complete reference on web security

Arkenfox

• Wiki and installation guide: Complete Arkenfox project documentation
• Deposit and releases: Download user.js file and track updates

Guides & communities

• PrivacyGuides - Desktop browsers: Browser recommendations and comparisons
• Reddit: r/firefox, r/privacy for feedback and support
• PrivacyGuides forum: in-depth technical discussions

Test tools

• Cover Your Tracks (EFF): Digital fingerprinting and anti-tracking effectiveness
• DNS Leak Test: DNS leak test and DoH efficiency
• BrowserLeaks: Complete test suite (WebRTC, Canvas, Fonts, etc.)
• BadSSL: SSL/TLS certificate validation tests
• CreepJS: Advanced analysis of 50+ fingerprinting vectors
• Cloudflare DNS Test: Checking that Cloudflare DoH is working properly