Firefox remains the best mainstream browser for privacy customization in 2026. Unlike Chromium-based browsers, Firefox is not controlled by an advertising company and offers deep configuration options through about:config, user.js files, and a rich extension ecosystem. This guide covers every meaningful step to harden Firefox against tracking, fingerprinting, data leaks, and surveillance.
Start with a Clean Profile
Create a fresh Firefox profile dedicated to private browsing:
firefox -P --no-remoteClick Create Profile, name it “hardened”, and use it exclusively. This prevents contamination from old settings and extensions.
The arkenfox user.js Project
The fastest way to apply hundreds of hardening settings is to use arkenfox/user.js — a community-maintained configuration file for Firefox privacy:
git clone https://github.com/arkenfox/user.js.git ~/firefox-hardening
cd ~/firefox-hardening
# Find your Firefox profile directory
firefox --ProfileManager
# Usually: ~/.mozilla/firefox/XXXXXXXX.hardened/
cp user.js ~/.mozilla/firefox/XXXXXXXX.hardened/The arkenfox user.js applies over 400 privacy settings automatically. After copying, restart Firefox and most hardening is already in place.
Critical about:config Settings
Open about:config and set the following manually or to override arkenfox defaults:
Disable Telemetry
toolkit.telemetry.enabled = false
toolkit.telemetry.unified = false
datareporting.healthreport.uploadEnabled = false
datareporting.policy.dataSubmissionEnabled = false
browser.ping-centre.telemetry = falseDisable WebRTC (Prevents IP Leaks)
media.peerconnection.enabled = falseIf you need WebRTC for video calls, use this more targeted approach instead:
media.peerconnection.ice.default_address_only = true
media.peerconnection.ice.no_host = trueFingerprinting Resistance
privacy.resistFingerprinting = true
privacy.fingerprintingProtection = trueThese settings normalize your browser’s reported screen resolution, timezone, language, and other fingerprinting vectors.
DNS Over HTTPS (DoH)
network.trr.mode = 3
network.trr.uri = https://dns.quad9.net/dns-queryMode 3 forces DoH exclusively — DNS queries fail if DoH is unavailable rather than falling back to plaintext DNS.
Disable Prefetching
network.prefetch-next = false
network.dns.disablePrefetch = true
network.predictor.enabled = false
link.prefetch.enabled = falsePrefetching loads pages before you click them, leaking your browsing intent to third parties.
First-Party Isolation
privacy.firstparty.isolate = trueThis isolates cookies, cache, and localStorage per domain, preventing cross-site tracking.
HTTPS Only Mode
Enable in Settings > Privacy & Security > HTTPS-Only Mode — select “Enable HTTPS-Only Mode in all windows.”
Essential Privacy Extensions
Install only what you need — each extension is an additional attack surface.
| Extension | Purpose |
|---|---|
| uBlock Origin | Best ad and tracker blocker |
| LocalCDN | Serves CDN resources locally, blocks CDN tracking |
| Skip Redirect | Strips tracking redirects from URLs |
| Canvas Blocker | Blocks canvas fingerprinting |
Do not install: Privacy Badger (redundant with uBlock), Ghostery (has monetization conflicts), multiple redundant blockers.
uBlock Origin Configuration
After installing uBlock Origin, enable additional filter lists:
- Open uBlock Origin dashboard
- Go to Filter Lists
- Enable: uBlock filters – Privacy, AdGuard URL Tracking Protection, EasyPrivacy, Peter Lowe’s Ad and tracking server list
Add the uBlock Origin Lite companion if using Manifest V3, but prefer the full version while it remains supported.
Container Tabs
Install Firefox Multi-Account Containers (official Mozilla extension):
- Assign Facebook to its own container
- Assign Google services to a separate container
- Use a “Shopping” container for e-commerce sites
Containers isolate cookies and storage between groups of sites, so Facebook cannot track you on non-Facebook sites even if you’re logged in.
Search Engine
Replace Google with a private alternative:
- SearXNG — self-hosted or public instances at searx.space
- Kagi — paid, no tracking
- DuckDuckGo — good default, US-based
- Brave Search — independent index, no Google dependency
Set in Settings > Search > Default Search Engine.
User Agent Spoofing
With privacy.resistFingerprinting = true, Firefox already reports a generic user agent. Do not additionally install user agent switchers — inconsistent spoofing makes your fingerprint more unique, not less.
Font Fingerprinting
browser.display.use_document_fonts = 0This disables web fonts, which are commonly used for fingerprinting. Some sites will look different, but your font fingerprint becomes generic.
Disabling JavaScript Per-Site
For maximum security, install uMatrix or use Firefox’s built-in permission manager to block JavaScript on untrusted sites. In about:config:
javascript.enabled = falseThis breaks most of the modern web, so use per-site exceptions via uBlock Origin’s element picker or the permissions manager instead.
Testing Your Hardened Browser
Verify your configuration with these tools:
- coveryourtracks.eff.org — EFF fingerprinting test
- browserleaks.com — Comprehensive leak tests (WebRTC, IP, DNS, canvas)
- dnsleaktest.com — DNS leak verification
- whatismybrowser.com — User agent analysis
Maintenance
- Keep Firefox updated — security patches are released frequently
- Update uBlock Origin filter lists weekly (it auto-updates by default)
- Review arkenfox/user.js releases when Firefox major versions ship
- Run
updater.shfrom the arkenfox repo to pull latest settings:
cd ~/firefox-hardening && ./updater.shFinal Thoughts
A hardened Firefox with arkenfox user.js, uBlock Origin, and containers provides privacy that rivals the Tor Browser for everyday use cases, without sacrificing usability. The key is layering multiple defenses — fingerprinting resistance, tracker blocking, DNS encryption, and container isolation — so that no single failure exposes you. Update regularly and test with the tools above to confirm your protections remain effective.