Firefox Hardening Guide

This guide is to help you configure Firefox to be as hardened as possible for privacy and security.

If your focus is more on high security at the cost of some privacy, or you are an at-risk individual, it is recommended to use Ungoogled Chromium or a tweaked normal Chromium. Firefox falls severely behind Chromium in many security aspects, such as site isolation, win32k lockdown, GPU process isolation, a weaker seccomp filter, minimal ioctl filtering, no sandbox at all past the OS app sandbox, and much more. All of the above are mitigated or fixed altogether in Chromium, and are left almost entirely ignored or unresolved in Firefox.
Check madaidan's guide to read more about the gap between Firefox and Chromium, found here.

User.js Templates

Choose one of the user.js templates below; they each have a different purpose. These do some initial hardening of the browser and give a better starting place, so pick the one which better fits what you're looking for.

https://github.com/arkenfox/user.js – focused on hardening Firefox for privacy, security, and anti-fingerprinting;

https://github.com/pyllyukko/user.js – geared towards vulnerability mitigation, minimizing persistence, and usability.

Importing user.js

Creating a new profile

Run firefox -no-remote -ProfileManager
Create a new profile
Click 'Next'
Input a name for your profile
Click 'Finish'
Exit

Locating your new profile

Open the directory of the profile you just created. Your profiles should be located at:

Windows: %APPDATA%\Mozilla\Firefox\Profiles\XXXXXXXX.yourprofilename

Linux: ~/.mozilla/firefox/XXXXXXXX.yourprofilename

OS X: ~/Library/Application Support/Firefox/Profiles/XXXXXXXX.yourprofilename

Adding the user.js to your configuration

To import the ArkenFox user.js, run the following command:

cd /path/to/your/profile && rm -rf * && wget https://raw.githubusercontent.com/arkenfox/user.js/master/user.js

To import the Pyllyukko user.js, run the following command:

cd /path/to/your/profile && rm -rf * && wget https://raw.githubusercontent.com/pyllyukko/user.js/master/user.js

If you're asked something similar to “Are you sure you want to delete the only file in /directory/of/profile?”, just accept and continue (this can usually be done by pressing 'Y' on your keyboard).

The user.js is now imported.

Hardening normal settings

Getting to the settings menu

Open the Firefox profile that you've just created

Click the three horizontal lines in the top right of Firefox

Click 'Preferences'

You're now in the settings menu.

General

'Play DRM-controlled content' ~> Off

'Recommend extensions as you browse' ~> Off (This has very little privacy impact, but can be annoying if left on)

'Recommend features as you browse' ~> Off (This has very little privacy impact, but can be annoying if left on)

Enabling DNS over HTTPS

Go to the 'General' settings tab
Scroll to the bottom of the page
Click Network
Scroll down
Turn on 'Enable DNS over HTTPS'
Select 'Custom' from the drop down menu
Input a trusted DNS provider's DoH address such as NextDNS set up with no logs.

Home

'Homepage and new windows' ~> Blank Page

'New tabs' ~> Blank Page

'Web Search' ~> Off

'Top Sites' ~> Off

'Highlights' ~> Off
├── Visited Pages ~> Off
├── Bookmarks ~> Off
├── Most Recent Download ~> Off
└── Pages Saved to Pocket ~> Off

'Snippets' ~> Off

'Search Bar' ~> Add search bar in toolbar (This will allow you to add other search engines without installing extra addons)

'Default Search Engine' ~> DuckDuckGo (or any other privacy respecting search engine of your choice.)

'Provide search suggestions' ~> Off

Remove all entries from 'One-Click Search Engines' that aren't your search engine(s).

Privacy & Security

Enhanced Tracking Protection ~> Custom
├── Cookies ~> 'All third-party cookies (may cause websites to break)'
├── Tracking content ~> 'In all windows'
├── Cryptominers ~> On
└── Fingerprinters ~> On

'Send websites a Do Not Track signal [...]' ~> Always

'Delete cookies and site data when Firefox is closed' ~> On

'Ask to save logins and passwords for websites' ~> Off

'Autofill logins and passwords' ~> Off

'Suggest and generate strong passwords' ~> Off

'Show alerts about passwords for breached websites' ~> Off

'Use a Primary Password' ~> Off

'Use custom settings for history' ~> 'Always use private browsing mode'

Address bar
├── Browsing History ~> Off
├── Bookmarks ~> Off
├── Open tabs ~> Off
└── Top sites ~> Off

Permissions
├── Location ~> 'Block new requests asking to access your location'
├── Camera ~> 'Block new requests asking to access your camera'
├── Microphone ~> 'Block new requests asking to access your microphone'
├── Notifications ~> 'Block new requests asking to allow notifications'
└── Virtual Reality ~> 'Block new requests asking to access your virtual reality devices'

'Allow Firefox to send technical and interaction data to Mozilla' ~> Off

'Allow Firefox to make personalized extension recommendations' ~> Off

'Allow Firefox to install and run studies' ~> Off

'Allow Firefox to send backlogged crash reports on your behalf' ~> Off

'Block dangerous and deceptive content' ~> Off

'Block dangerous downloads' ~> Off

'Warn you about unwanted and uncommon software' ~> Off

Sync

Ensure Firefox Sync is disabled.
If you need cross-device browser sync, then use xBrowserSync. It syncs all bookmarks across devices with full end-to-end encryption, so nobody but you can read the data.

Plugins

The more plugins you add, the more unique your browser fingerprint gets. This is why you need to evaluate each plugin and find the right combination for your use. These recommendations have been split up into two categories, 'core' and 'additions'. 'Core' lists plugins that greatly increase your everyday privacy on websites if used correctly, and 'additions' describes plugins that don't necessarily enhance privacy by themselves but add useful privacy-related functionality to the browser.

Core:
uBlock Origin
HTTPS Everywhere
Decentraleyes
ClearURLs

Additions:
xBrowserSync
Terms of Service; Didn't Read

WebRTC

Disabling WebRTC will break most in-browser VoIP apps like Discord, Jitsi, Hangouts, etc. If you can deal with the lessened functionality then it's best to disable it, because it can leak your real IP address to the websites you're visiting even if you're using a VPN.

How to disable it

Type 'about:config' into the address bar

Press enter

Click 'I'll be careful, I promise!'

Search for the following settings and set them to the value listed after them.

media.peerconnection.enabled = false
media.peerconnection.turn.disable = true
media.peerconnection.usedocumenticeservers = false
media.peerconnection.video.enabled = false
media.peerconnection.identity.timeout = 1

WebRTC is now fully disabled.

about:config

Firefox has a sort of hidden in-depth settings menu that can be found by typing 'about:config' in your address bar and pressing enter. Here you can harden the browser for privacy and security to a level not possible by just using the normal settings menu.

Search for the following settings and set them to the value listed after them.

privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
privacy.trackingprotection.fingerprinting.enabled = true
privacy.trackingprotection.cryptomining.enabled = true
privacy.trackingprotection.enabled = true
browser.sendpings = false
browser.urlbar.speculativeConnect.enabled = false
dom.event.clipboardevents.enabled = false
media.eme.enabled = false
media.gmp-widevinecdm.enabled = false
media.navigator.enabled = false
network.cookie.cookieBehavior = 1
network.http.referer.XOriginPolicy = 2
network.http.referer.XOriginTrimmingPolicy = 2
webgl.disabled = true
browser.sessionstore.privacy_level = 2
beacon.enabled = false
browser.safebrowsing.downloads.remote.enabled = false
network.dns.disablePrefetch = true
network.dns.disablePrefetchFromHTTPS = true
network.predictor.enabled = false
network.predictor.enable-prefetch = false
network.prefetch-next = false
network.IDNshowpunycode = true
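To confirm that the WebRTC and about:config prefs listed above actually took effect, this added example (not part of the guide) parses a profile's user.js or prefs.js, where Firefox stores each setting as a user_pref("name", value); line, and reports any pref that is missing or set to the wrong value. It covers a representative subset of the list; EXPECTED, parse_prefs and audit are names chosen here, and the sample content is constructed.

```python
import re

# Expected values from the WebRTC and about:config sections of this guide
# (a representative subset; add the remaining prefs from the list as needed).
EXPECTED = {
    "media.peerconnection.enabled": False,
    "media.peerconnection.turn.disable": True,
    "media.peerconnection.identity.timeout": 1,
    "privacy.firstparty.isolate": True,
    "privacy.resistFingerprinting": True,
    "network.cookie.cookieBehavior": 1,
    "network.http.referer.XOriginPolicy": 2,
    "webgl.disabled": True,
    "browser.sessionstore.privacy_level": 2,
}

# user.js / prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);')

def parse_value(raw):
    """Firefox prefs are bool, int or string; convert the literal accordingly."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)

def parse_prefs(text):
    # A later user_pref line overrides an earlier one, as in Firefox itself.
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs, expected=EXPECTED):
    """Return {pref: (expected, actual)} for every pref missing (actual None) or
    mis-set. Types are compared too, so the int 1 never passes as the bool true."""
    return {name: (want, prefs.get(name))
            for name, want in expected.items()
            if type(prefs.get(name)) is not type(want) or prefs.get(name) != want}

# Constructed sample profile content, not a real user.js.
SAMPLE_USER_JS = """\
user_pref("privacy.resistFingerprinting", true);
user_pref("media.peerconnection.enabled", true);  // still on: WebRTC not disabled
user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.startup.homepage", "about:blank");
"""
```

Run audit(parse_prefs(open(path).read())) against the profile's prefs.js with Firefox closed; an empty result means every listed pref is set as intended.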

There are almost 3000 more about:config tweaks that can be done to increase privacy, but going through all of them would take forever, so these are the about:config tweaks that, when put together, I believe create the best balance between time spent and protection gained.

Cleaning up anti-privacy files

While doing all of these steps immensely increases the privacy of the browser, there are still some anti-privacy files left behind in Firefox. In this step we will delete these.

Navigate to the Firefox features directory at /path/to/firefox/browser/features (e.g. /usr/lib/firefox/browser/features/)
Delete the following files if present:

firefox@getpocket.com.xpi
followonsearch@mozilla.com.xpi
activity-stream@mozilla.org.xpi
screenshots@mozilla.org.xpi
onboarding@mozilla.org.xpi
formautofill@mozilla.org.xpi
webcompat@mozilla.org.xpi
webcompat-reporter@mozilla.org.xpi

And that's it!

You've now fully configured Firefox for privacy and security, good job!
This article is still being revised, so it's important to check back every once in a while to make sure nothing new was added.