A secure version of user.js to harden Firefox installations

December 21, 2014 – 11:36 AM

Warning: Back up your existing user.js file (if it exists) and use with caution. Some website functionality may break.

Some of the settings in this user.js file might seem redundant, since some of them are already set to the same values by default. However, user.js has a useful property: even if you change any of these settings through about:config, they are reset to the values defined in user.js after you restart Firefox. This ensures the secure values are restored every time you start your browser, and it also makes experimenting with different settings easier.

Some of the custom settings:

  • Permanently enables the Private Browsing Mode
  • Disables features such as domain guessing, search suggestions, geolocation, telemetry, crash reporting, prefetching, etc.
  • Forces DNT (Do Not Track) headers
  • Disables the referer header
  • Prevents revealing of internal IP addresses
  • Hardens the cipher suites and protocols
  • Forces OCSP

It comes with a shell script to modify your CA list, but this will not work on Windows. Windows users should be able to use the user.js without the CA modifications, or can modify the CA list manually.

To use, just copy the user.js file to the root of your Firefox profile (e.g. ~/.mozilla/firefox/XXXXXXXX.your_profile_name in Linux) and restart Firefox.
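
To see which preferences the next restart would reset, compare user.js with the profile's prefs.js, where Firefox stores values changed through about:config. The Python script below is an added example, not part of the published user.js or its shell script; the sample preference lines are constructed, and it assumes both files use the standard user_pref("name", value); syntax.

```python
import re

# One user_pref("name", value); statement, the syntax shared by user.js and prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {pref name: raw value text} for every user_pref() statement."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)   # drop block comments
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)   # drop whole-line comments
    return dict(PREF_RE.findall(text))                  # a later duplicate wins

def drift(user_js, prefs_js):
    """Compare the values user.js enforces with those currently stored in prefs.js.

    Returns (changed, unstored):
      changed  - {name: (stored value, user.js value)}; reset at next start
      unstored - names with no entry in prefs.js, so nothing to compare
    """
    wanted, stored = parse_prefs(user_js), parse_prefs(prefs_js)
    changed = {n: (stored[n], v) for n, v in wanted.items()
               if n in stored and stored[n] != v}
    unstored = sorted(n for n in wanted if n not in stored)
    return changed, unstored

# Constructed sample input, not the contents of the published user.js.
SAMPLE_USER_JS = '''
/* hardening baseline (constructed) */
user_pref("geo.enabled", false);
user_pref("privacy.donottrackheader.enabled", true);
// referer header off
user_pref("network.http.sendRefererHeader", 0);
user_pref("browser.privatebrowsing.autostart", true);
'''

# Constructed prefs.js after someone flipped geo.enabled in about:config.
SAMPLE_PREFS_JS = '''
user_pref("geo.enabled", true);
user_pref("network.http.sendRefererHeader", 0);
user_pref("privacy.donottrackheader.enabled", true);
'''

if __name__ == "__main__":
    changed, unstored = drift(SAMPLE_USER_JS, SAMPLE_PREFS_JS)
    for name, (now, enforced) in sorted(changed.items()):
        print(f"{name}: {now} -> {enforced} at next start")
    for name in unstored:
        print(f"{name}: not in prefs.js")
```

To check a real profile, pass the contents of its user.js and prefs.js to drift() in place of the samples.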

