Firefox Privacy Settings: A Practical Configuration Guide
Firefox ships with reasonable privacy defaults and a deep configuration surface for the cases where the defaults are not strict enough. The challenge is not finding things to change; it is knowing which changes actually help, which break the web in ways that aren’t worth it, and which sound good but accomplish nothing once you measure them. This guide is the configuration I would hand to a developer who wants meaningfully better privacy without making Firefox unusable.
Enhanced Tracking Protection: Start Here
Settings → Privacy & Security → Enhanced Tracking Protection.
Three modes, ordered by strictness:
- Standard. Blocks social media trackers, cross-site cookies in all windows (through Total Cookie Protection), tracking content in private windows only, cryptominers, and known fingerprinters, all identified through the Disconnect lists. This is the default. It does not block first-party trackers, it still lets tracking scripts load in normal windows, and it does nothing about trackers absent from the list.
- Strict. Blocks tracking content (scripts, images, and embeds, not just their cookies) in all windows, and blocks suspected fingerprinters as well as known ones. Some sites will break, most commonly login flows that bounce through a separate identity-provider domain, and embedded widgets like comment systems. Most break in survivable ways, and the shield icon in the address bar turns protection off for a single site.
- Custom. Lets you choose which categories to block. Useful only if you have a specific reason to deviate.
For most privacy-conscious users, Strict is the right setting. Add per-site exceptions when something you actually need breaks, rather than starting from Standard and trying to add protections piecemeal.
Total Cookie Protection is enabled in Standard as well as Strict; it has been on by default for all users since mid-2022. It partitions cookies and storage per top-level site: site A's embedded tracker cannot read the cookie it set while you were on site B, even though it is the same tracker code loaded from the same host. It is the single most impactful tracking defense Firefox ships, and it works without breaking most sites. What Strict adds on top is refusing to load the tracking content at all, which partitioning alone does not do.
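A small model of that partitioning, added here as an illustration and not Firefox's own code: the same cookie jar is queried with and without a top-level-site partition key, and the tracker only links two visits when the key is absent. Real Firefox keys partitions by site (scheme plus registrable domain) rather than by bare hostname, and the hostnames are constructed for the example.

```javascript
// Added illustration, not Firefox code: how Total Cookie Protection changes what a
// third-party tracker can read. Firefox keys partitions by top-level *site*; this
// model keys by the top-level hostname, an assumed simplification.
class CookieJar {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map(); // key -> cookie value
  }
  // The cookie's own host, plus the top-level site when partitioning is on.
  key(topLevelSite, cookieHost, name) {
    const partition = this.partitioned ? topLevelSite : "*";
    return `${partition}|${cookieHost}|${name}`;
  }
  set(topLevelSite, cookieHost, name, value) {
    this.store.set(this.key(topLevelSite, cookieHost, name), value);
  }
  get(topLevelSite, cookieHost, name) {
    return this.store.get(this.key(topLevelSite, cookieHost, name)) ?? null;
  }
}

const TRACKER = "tracker.example"; // constructed hostname of a pixel embedded on many sites

// The tracker sets an ID while the user is on site A, then reads it back on site B.
// Without partitioning it sees the same ID on both sites and can link the visits.
function trackerCanLinkVisits(partitioned) {
  const jar = new CookieJar({ partitioned });
  jar.set("news.example", TRACKER, "uid", "abc123");
  return jar.get("shop.example", TRACKER, "uid") === "abc123";
}

// Partitioning does not break the tracker's cookie *within* one site: a return visit to
// site A still sees the ID it set there. That is why most embedded widgets keep working.
function trackerRemembersReturnVisit(partitioned) {
  const jar = new CookieJar({ partitioned });
  jar.set("news.example", TRACKER, "uid", "abc123");
  return jar.get("news.example", TRACKER, "uid") === "abc123";
}

console.log("shared jar links visits across sites:", trackerCanLinkVisits(false));
console.log("partitioned jar links visits across sites:", trackerCanLinkVisits(true));
console.log("partitioned jar keeps per-site state:", trackerRemembersReturnVisit(true));
```

Firefox additionally grants temporary cross-site storage access through heuristics (for instance after you interact with a popup opened by the third party), which is the other reason redirect-based login flows mostly survive.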
DNS over HTTPS
Settings → Privacy & Security → DNS over HTTPS.
The options are “Default Protection,” “Increased Protection,” “Max Protection,” and “Off.” The practical distinction:
- Default Protection lets Firefox decide: it uses DoH when it judges the network allows it (no enterprise policy, no parental controls, no opt-out canary domain signalled by the network) and falls back to the system resolver on any problem. Reasonable.
- Increased Protection always uses DoH with the provider you pick and falls back to the system resolver only when the DoH resolver itself fails.
- Max Protection always uses DoH and never falls back; a DoH failure means the name does not resolve and the connection does not happen.
Choose your provider deliberately. Firefox's built-in list offers Cloudflare and NextDNS; Quad9 (Swiss-based) is the usual choice if you want a non-US operator, entered as a custom provider. The provider that "Default Protection" selects is region-dependent and worth checking.
The honest caveat: DoH hides the DNS query from your local network and ISP, and from anyone watching plain UDP port 53. It does not hide which site you visit from the site itself, from the destination IP address your ISP still sees, or from the SNI field of the TLS handshake (until Encrypted Client Hello is widely deployed). It also moves trust rather than removing it: the DoH provider now sees every query your ISP used to see, so the provider choice decides who holds that log. DoH is a meaningful improvement against the threat model "my ISP logs every domain I look up." It is not a privacy panacea.
about:config — Settings Worth Changing
Type about:config in the address bar, accept the warning, and search for the following.
privacy.resistFingerprinting — default false. Set to true for Tor Browser-style fingerprint resistance. Consequences: the timezone reports as UTC, the user agent reports a generic Firefox on Windows, the window is rounded to fixed dimensions rather than reporting your real screen, prefers-color-scheme reports light, and canvas readback prompts you. Many sites work fine; some date pickers and video players misbehave. Honest assessment: this is the single highest-impact privacy setting, but it has real cost. Try it for a week before deciding.
privacy.firstparty.isolate — default false. This is the older, Tor-derived isolation of caches, cookies, and storage by the top-level domain in the address bar. Total Cookie Protection's state partitioning now does that job and is what Mozilla maintains for regular Firefox; enabling FPI on top adds little and brings its own breakage. Leave it false unless you have a specific reason.
network.http.sendRefererHeader — default 2 (send Referer on all requests); 1 sends it only on user clicks, 0 never. Leave it at 2: many sites use Referer legitimately (CSRF checks, hotlink protection), and removing it entirely breaks more than it protects. Control cross-origin behaviour instead with network.http.referer.XOriginPolicy: 0 (default) always sends it cross-origin, 1 sends it only when the two hosts share a base domain, 2 sends it only when the hosts match exactly. 1 is the survivable choice; 2 also breaks login flows that bounce between hosts of the same site.
network.http.referer.XOriginTrimmingPolicy — 0 (default) sends the full URL cross-origin, 1 strips the query string, 2 sends only scheme, host, and port. Set to 2: sites that need a referer get the origin; they do not get the path or the query string. Firefox's default referrer policy (strict-origin-when-cross-origin, since Firefox 87) already does this for sites that set no policy of their own; the pref makes it hold even when a site asks for the full URL with Referrer-Policy: unsafe-url.
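The two prefs interact, so here is a worked model of what the Referer header contains under each combination. This is an added example, not Firefox source: the prefs are modelled as a ceiling that a site's own Referrer-Policy cannot raise, the "base domain" is approximated as the last two labels (Firefox uses the Public Suffix List), and the URLs are constructed for the example.

```javascript
// Added worked example, not Firefox source: the Referer value that leaves the browser
// under network.http.referer.XOriginPolicy and XOriginTrimmingPolicy. The prefs are
// modelled as a ceiling a site's Referrer-Policy cannot raise. "Base domain" is
// approximated as the last two labels; Firefox uses the Public Suffix List.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns the Referer string that would be sent, or null for no header.
//   xOriginPolicy:  0 always send cross-origin, 1 only within one base domain, 2 only to the same host
//   trimmingPolicy: 0 full URL cross-origin, 1 drop the query string, 2 origin only
function refererFor(fromUrl, toUrl, { xOriginPolicy = 0, trimmingPolicy = 0 } = {}) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Never sent on an HTTPS -> HTTP downgrade; never carries userinfo or the fragment.
  if (from.protocol === "https:" && to.protocol === "http:") return null;
  const fullPath = from.origin + from.pathname + from.search;
  if (from.origin === to.origin) return fullPath; // same-origin: prefs do not apply

  if (xOriginPolicy === 2 && from.host !== to.host) return null;
  if (xOriginPolicy === 1 && baseDomain(from.hostname) !== baseDomain(to.hostname)) return null;
  if (trimmingPolicy === 2) return from.origin + "/";
  if (trimmingPolicy === 1) return from.origin + from.pathname;
  return fullPath;
}

// Constructed URLs: a shop page with a coupon in the query, the same site's login host,
// and a third-party tracking pixel.
const PAGE = "https://shop.example.com/cart?item=42&coupon=SAVE10";
const LOGIN = "https://accounts.example.com/login";
const TRACKER = "https://pixel.tracker.example/collect";
const PREFS = { xOriginPolicy: 1, trimmingPolicy: 2 }; // the values recommended above

console.log("defaults, to tracker:   ", refererFor(PAGE, TRACKER));
console.log("recommended, to tracker:", refererFor(PAGE, TRACKER, PREFS));
console.log("recommended, to login:  ", refererFor(PAGE, LOGIN, PREFS));
```

With the defaults the tracker receives the full cart URL, coupon included; with the recommended values it receives nothing, while the site's own login host still gets the origin it needs for its checks.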
media.peerconnection.enabled — default true. Set to false to disable WebRTC entirely if this profile never does browser-based calls. The classic leak was WebRTC's ICE gathering exposing your addresses through STUN even with a VPN up. Current Firefox already hides local addresses behind mDNS names for pages without camera or microphone permission, so the remaining concern is a VPN that does not capture all UDP traffic, where STUN can still reveal your real public address. If you use Jitsi, Google Meet, or any browser-based video calling, leave it on and consider media.peerconnection.ice.default_address_only = true as a middle ground (only the default route's interface is offered as a candidate); if you never do calls, turn it off.
browser.send_pings — default false in current Firefox. Confirm it is false. It controls whether the ping attribute on links (hyperlink auditing) fires a POST to the listed URLs when you click. The navigator.sendBeacon API is a separate mechanism that this pref does not touch.
network.dns.disablePrefetch — set to true to stop Firefox from resolving hostnames for links on a page before you click them. Firefox already skips this on HTTPS pages unless the page opts in with X-DNS-Prefetch-Control, so the pref mostly matters for HTTP pages and sites that opt in. Small privacy gain, small performance cost.
network.predictor.enabled — set to false to disable the network predictor, which preconnects to sites Firefox guesses you might visit. network.prefetch-next = false similarly stops pages from having Firefox fetch whatever they mark with <link rel="prefetch">. Small privacy gain, small performance cost.
geo.enabled — set to false if you never use geolocation APIs. The per-site permission prompt usually handles this, but disabling it entirely removes the surface.
dom.security.https_only_mode — set to true to force HTTPS on all connections, with a click-through warning for HTTP-only sites. There is a corresponding setting in Settings → Privacy & Security (“HTTPS-Only Mode in all windows”) that does the same thing through the UI.
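Rather than flipping each of these by hand and hoping they stick, a practitioner checks the profile. The following Node.js tool is an added example, not part of Firefox or of this guide's original text: it parses a profile's prefs.js, compares the effective value of each pref above against the recommended value, and renders a user.js that applies them. The shipped defaults in the table are those of recent Firefox releases as this guide assumes them, the prefs.js sample is constructed, and the parser handles only the JSON-compatible values prefs.js normally contains.

```javascript
// Added tool, not part of Firefox or of this guide's original text: audit a profile's
// prefs.js against the settings recommended above and emit a user.js that applies them.
// Node.js. Defaults are what recent Firefox releases ship, as assumed by this guide.

const RECOMMENDED = {
  "privacy.resistFingerprinting":               { value: true,  def: false },
  "network.http.referer.XOriginPolicy":         { value: 1,     def: 0 },
  "network.http.referer.XOriginTrimmingPolicy": { value: 2,     def: 0 },
  "media.peerconnection.enabled":               { value: false, def: true }, // keep true if you do video calls
  "browser.send_pings":                         { value: false, def: false },
  "network.dns.disablePrefetch":                { value: true,  def: false },
  "network.predictor.enabled":                  { value: false, def: true },
  "geo.enabled":                                { value: false, def: true },
  "dom.security.https_only_mode":               { value: true,  def: false },
};

// prefs.js stores only prefs that differ from the default, one user_pref("name", value);
// per line. Values are JSON-compatible (true/false, integers, quoted strings), so
// JSON.parse suffices here; string escapes beyond JSON's are not handled.
function parsePrefsJs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$/gm;
  for (const m of text.matchAll(re)) {
    prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// The effective value is the stored one if present, otherwise the shipped default.
// Returns one finding per pref whose effective value differs from the recommendation.
function auditPrefs(prefsJsText) {
  const stored = parsePrefsJs(prefsJsText);
  const findings = [];
  for (const [name, { value, def }] of Object.entries(RECOMMENDED)) {
    const actual = stored.has(name) ? stored.get(name) : def;
    if (actual !== value) findings.push({ name, expected: value, actual });
  }
  return findings;
}

// user.js is re-applied at every startup, so these values stick even if something
// flips them in the UI. Drop it into the profile folder (about:support shows the path)
// while Firefox is closed.
function renderUserJs() {
  return Object.entries(RECOMMENDED)
    .map(([name, { value }]) => `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`)
    .join("\n") + "\n";
}

// Constructed sample of a profile that applied only some of the changes and has an
// unrelated pref with an escaped string, to show the parser ignoring it correctly.
const SAMPLE_PREFS_JS = `
user_pref("privacy.resistFingerprinting", true);
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
user_pref("dom.security.https_only_mode", true);
user_pref("geo.enabled", false);
user_pref("browser.send_pings", true);
user_pref("browser.startup.homepage", "https://example.org/?q=\\"x\\"");
`;

for (const f of auditPrefs(SAMPLE_PREFS_JS)) {
  console.log(`${f.name}: is ${JSON.stringify(f.actual)}, want ${JSON.stringify(f.expected)}`);
}
```

Read prefs.js from the profile folder with fs.readFileSync and pass it to auditPrefs to check a real profile; a pref absent from prefs.js is at its default, which is why the audit needs the default column and not just the recommended one.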
about:config — Settings to Leave Alone
These appear on “harden Firefox” lists and are mostly counterproductive:
- general.useragent.override. Setting a custom UA string makes you stand out. Either let Firefox send its default or let resistFingerprinting standardize it. Don't roll your own.
- javascript.enabled. Disabling JavaScript globally breaks most of the modern web. Use NoScript or per-site permissions if you have a specific need.
- WebGL disabling. WebGL is a fingerprint surface, but disabling it entirely is itself a fingerprint (most users have it on) and breaks legitimate use. resistFingerprinting handles this better.
- Aggressive cache disabling. "Disable all caching" lists exist; they make Firefox dramatically slower and the privacy gain is marginal compared to Total Cookie Protection.
- Disabling Safe Browsing. Some hardening guides recommend this. Firefox checks URLs against a locally cached list and sends the provider only truncated hash prefixes when a prefix matches, not the URL itself, and the protection against actively malicious sites is real. Leave it on.
A useful rule: if a setting appears on a privacy list with no explanation of what it costs, do not change it.
Container Tabs
Firefox Multi-Account Containers is a first-party extension that gives each container its own cookie jar, local storage, and cache. Containers are the cleanest way to keep work, personal, banking, and social accounts genuinely separated within one browser profile.
Practical setup:
- Personal. Default container, everyday browsing.
- Work. Google Workspace, work email, work tools.
- Banking. Financial sites only. Never used for anything else.
- Social. Facebook, Instagram, LinkedIn, X — sites that aggressively track across the web.
- Shopping. Amazon, retail sites — separates shopping behavior from everything else.
The Facebook Container extension (also first-party) automatically opens Facebook and Instagram in their own container and rewrites links to keep them isolated. Install it even if you do not use those sites — third-party Facebook tracking is on a large fraction of the web.
Container tabs do not hide your IP or your fingerprint. They isolate state. That is enough to break a lot of cross-site tracking, but it is a different tool from a VPN or Tor.
What This Configuration Does and Does Not Do
After applying Strict ETP, DoH, the safe about:config changes, and container tabs, your Firefox profile resists:
- Third-party cookie tracking across the open web.
- Known commercial fingerprinters from the Disconnect list.
- DNS-level observation by your ISP and local network.
- Cross-container state contamination.
- Common Referer-based tracking.
It does not resist:
- Determined first-party fingerprinting by a site you visit.
- Network-layer fingerprinting (TLS, JA3/JA4).
- Behavioral fingerprinting (typing, mouse movement).
- IP-address-based tracking.
- Targeted attackers with a specific interest in you.
For the fingerprinting limits in particular, our browser fingerprinting explainer goes into what is and is not achievable. If you are evaluating extensions to layer on top of this configuration, our Manifest V3 migration guide covers what the current extension platform actually lets privacy extensions do.
FAQ
Will Strict tracking protection break my banking? Sometimes the third-party authentication flow (a separate identity provider domain) fails. The fix is a per-site exception for the bank, not lowering the global setting.
Is privacy.resistFingerprinting worth the breakage?
For developers and privacy-focused users, often yes. For users who need Firefox to “just work” everywhere, often no. There is no universal answer.
Should I use Firefox Sync with this configuration? Sync is end-to-end encrypted with a key derived from your password. Mozilla cannot read your synced data. If you trust Mozilla to operate the service competently, Sync is fine. If you do not, run a self-hosted Sync server or skip it.
Is LibreWolf or another Firefox fork better? LibreWolf ships with many of these settings pre-applied and disables telemetry. If you want a hardened-by-default Firefox and are comfortable with a smaller maintenance team, it is a reasonable choice. If you want the largest fingerprint-resistance cohort, stay on stock Firefox or move to Tor Browser for the cases that require it.
How often should I revisit these settings?
Once a year is enough for most people. Firefox’s defaults have steadily improved, and several settings that used to require about:config are now in the UI or enabled automatically. Re-check after major Firefox releases.