Overview of Firefox’s about:config security and privacy preferences

Mozilla Firefox is without a shadow of a doubt the most customizable browser. This shows not only when it comes to (most) feature additions or changes, where there is usually a way to return to the old behavior, but also when you dive into the depths of the about:config page.

The page lists a lot of preferences, all of which you can modify. Most are not accessible elsewhere in the browser, and you often find preferences listed here that Mozilla has implemented but not yet enabled for all users.

While you find all kinds of preferences here, for instance options to change the color of link anchors, you will also find many security and privacy related preferences here.

Making changes to those can improve security or privacy.

The following list attempts to cover all privacy and security preferences of relevance. With that said, it is a work in progress, considering how many preferences are available.

If you notice that a preference is missing, or discover a new one, use the contact option here on this site to let us know about it and we will implement the change right away.

How to use about:config

If you are new to Firefox's about:config page you may need some pointers on how to use the page. To open it do the following:

  1. Type about:config in Firefox's address bar and hit enter.
  2. Confirm you will be careful if the warning message is displayed.

The search is your best friend. Just start typing a preference name and Firefox will automatically filter the list so that only matching results remain.

You can change preference values with a double-click, and create new preferences with a right-click and the selection of new from the context menu.

Note that there is no way to remove entries from the list from within Firefox.

Pro Tip: All bold preferences are modified preferences. The about:support page lists all of them.

Firefox about:config preferences

beacon.enabled

Sends data to servers when leaving pages.

  • True: Feature is enabled and web apps can make use of it (default).
  • False: Disables the feature.

browser.cache.check_doc_frequency

Determines how often Firefox checks whether a version newer than the cached one is available.

  • 0: check once per session
  • 1: check every time the page is opened
  • 2: always use the cached version, never check
  • 3: automatically determine (default)

browser.cache.disk.capacity

The maximum space that Firefox uses for the disk cache.

  • 0: Don't use the disk cache.
  • 256000: default value in kilobytes.

browser.cache.disk.enable

Defines Firefox's use of the disk cache.

  • True: Firefox uses disk cache. The capacity of the cache is set in the browser.cache.disk.capacity preference. (default)
  • False: Disk cache is not used.

browser.cache.disk_cache_ssl

Defines whether contents of SSL (https) web pages get cached by Firefox on disk.

  • True: Firefox will cache contents of https websites. (default)
  • False: Firefox will not cache https website contents.

browser.cache.memory.max_entry_size

The maximum size of a single entry in the memory cache in kilobytes.

  • -1: no limit
  • 5120: default size.

browser.cache.memory.enable

Whether a memory cache is used by the browser.

  • True: Firefox will make use of a memory cache.
  • False: The browser's memory cache is disabled and thus not used.

browser.cache.offline.capacity

The capacity of the offline cache. Needs browser.cache.offline.enable set to true.

  • 512000: the default cache size in kilobytes.

browser.cache.offline.enable

Whether web applications and sites can use an offline cache on the local system.

  • True: Web applications may use an offline cache (default)
  • False: Offline cache functionality is disabled.

browser.download.manager.alertOnEXEOpen (deprecated)

This defines whether a warning message is displayed by Firefox when you click on an executable file in the download manager.

  • True: Displays the warning message. (default)
  • False: Does not display the warning.

browser.download.manager.retention (deprecated)

Defines when Firefox removes finished downloads from the Download Manager:

  • 0: Immediately after the successful download.
  • 1: On browser exit.
  • 2: Never (only manual). (Default)

browser.download.manager.scanWhenDone (deprecated)

Whether Firefox will scan downloaded files with installed antivirus software.

  • True: Firefox will scan files for viruses after the download completes. Windows Security Policy checks apply in this case as well. (default)
  • False: Files are not scanned.

browser.fixup.alternate.enabled

Defines whether Firefox's "fixup" feature is used.

  • True: Will use fixup to automatically add prefix and suffix to single words you enter in the browser's address bar. (default)
  • False: Won't use it which means that Firefox will always redirect to search, even for single word entries.

browser.fixup.alternate.prefix

The prefix that Firefox adds to the word entered if Fixup is enabled.

  • www.: the default value

browser.fixup.alternate.suffix

The suffix that Firefox adds to single words entered if Fixup is enabled.

  • .com: the default value.

browser.fixup.hide_user_pass

Defines whether passwords entered in the address are included in the "fixup" operation as well.

  • True: Won't include passwords. The entry http://user:pass@example will be changed to http://user@www.example.com. (default)
  • False: Will include entered passwords in the address. The entry http://user:pass@example will be changed to http://user:pass@www.example.com.

browser.formfill.enable

Defines whether Firefox will save text entered into web forms.

  • True: Text that a user enters into forms and the browser's search bar will be saved. (default)
  • False: The data won't be saved.

places.history.enabled

Defines if Firefox should remember visited pages.

  • True: The browser will remember pages you have visited. (default)
  • False: History will not be recorded.

browser.privatebrowsing.autostart

Defines if Firefox is started in private browsing mode on start.

  • False: Firefox is started normally (default).
  • True: Private Browsing mode is used automatically.

browser.safebrowsing.enabled

Determines whether Firefox should check URLs that are opened in it against a web forgery database (uses Google by default).

  • True: Firefox will check URLs and block them if they are forgeries.
  • False: Firefox will not run those checks.

browser.safebrowsing.malware.enabled

Whether Firefox will use malware information to determine if downloads are malicious.

  • True: Will use a malware database to scan downloads. (default)
  • False: Won't download malware information or scan downloads.

browser.search.defaultenginename

Defines the name of the (installed) search engine that is used for searches in Firefox (both address bar and search bar).

  • Yahoo: The default value (may be different depending on your region).

browser.search.suggest.enabled

Defines whether search suggestions are displayed in Firefox.

  • True: Search suggestions are displayed (default).
  • False: Search suggestions are disabled.

browser.selfsupport.url

Determines whether the Heartbeat feedback feature is enabled in Firefox.

  • True: Feature is enabled and short feedback surveys may be displayed (default).
  • False: Feature is disabled.

browser.send_pings

Informs servers about links that get clicked on by the user.

  • True: Feature is enabled.
  • False: Pings are not enabled.

browser.sessionhistory.max_entries

The number of previous pages that Firefox keeps saved for every open site in the browser (back and forward functionality).

  • 50: The default value.

browser.startup.homepage

Defines the homepage of the browser.

  • about:home

browser.startup.page

This defines how Firefox will start up.

  • 0: load a blank page (about:blank)
  • 1: load the browser's homepage. (default)
  • 2: load the last visited page
  • 3: resume the previous browser session.

browser.urlbar.autocomplete.enabled

Whether Firefox will display auto-complete suggestions when you type in the address bar.

  • True: Firefox will use auto-complete. (default)
  • False: Auto-complete won't be used.

dom.allow_scripts_to_close_windows

Defines whether scripts can close windows in the browser.

  • True: Scripts may close any window.
  • False: Scripts may only close windows opened by scripts. (default)

dom.battery.enabled

Gives web applications access to the battery status of mobile devices. May be used in fingerprinting techniques.

  • True: Allows web applications to retrieve the battery status (default).
  • False: Disables the functionality.

dom.disable_image_src_set

Determines whether JavaScript is allowed to manipulate images displayed in the browser.

  • True: Scripts are allowed to change images.
  • False: Scripts are not allowed (default)

dom.disable_open_during_load

Defines whether Firefox's built-in popup blocker is enabled.

  • True: The popup blocker is enabled. (default)
  • False: It is deactivated.

dom.disable_window_*

Several preferences that determine if and how scripts may manipulate browser windows.

dom.event.clipboardevents.enabled

Determines whether websites are allowed to access clipboard contents (check out: Block websites from reading or modifying Clipboard contents in Firefox for additional information).

  • True: Websites may read or modify clipboard events. (default)
  • False: Blocks access.

dom.event.contextmenu.enabled

Determines whether websites are allowed to block access to the right-click context menu.

  • True: Websites may manipulate the context menu. (default)
  • False: Web pages won't be allowed to manipulate or block the context menu.

dom.ipc.plugins.enabled

This preference determines if plugins are run in a separate process.

  • True: Plugins are run in their own process. The exceptions are plugins listed by dom.ipc.plugins.enabled.name preferences if set to false. (default)
  • False: Plugins are not run out-of-process with the exception of plugins listed by dom.ipc.plugins.enabled.name preferences if set to true.

dom.ipc.plugins.enabled.timeoutSecs (deprecated)

dom.ipc.plugins.timeoutSecs

The time in seconds before out-of-process plugins are terminated if they are not responsive.

  • 45: the time in seconds.

dom.max_chrome_script_run_time and dom.max_script_run_time

Defines the time a script may run in the browser. Default values are 20 and 10.

  • 0: means the scripts are allowed to run forever.

dom.popup_allowed_events

Defines the JavaScript events that are allowed to create popup windows.

  • change click dblclick mouseup reset submit touchend

dom.popup_maximum

The maximum number of popups that can be spawned in Firefox.

  • 20: the default value.

dom.storage.enabled

This parameter defines whether "client-side session and persistent storage" capabilities are enabled in Firefox (meaning if the feature can be used by websites and applications to store data on the client computer).

  • True: Client side storage is enabled.
  • False: The feature is disabled.

extensions.blocklist.enabled

Firefox ships with a remote killswitch for extensions and plugins. It is highly recommended to keep this at its default value as it was used in the past to block malicious extensions.

  • True: The blocklist feature is enabled (default).
  • False: Mozilla cannot turn off extensions or plugins remotely.

extensions.getAddons.cache.enabled

This sends a daily ping to Mozilla about installed add-ons and recent start-up times.

  • True: Sends the ping to Mozilla (default).
  • False: Blocks it. This turns off add-on recommendations and won't update add-on metadata (the description) anymore.

extensions.update.enabled

Defines whether extension updates are enabled in Firefox.

  • True: Firefox checks for updates regularly (once per day by default as determined by extensions.update.interval).
  • False: Firefox won't check for extension updates.

geo.enabled

Determines if location aware browsing is enabled.

  • True: Location Aware browsing is enabled. (default)
  • False: The feature is disabled which means that you won't get prompts on websites using it.

geo.wifi.logging.enabled (deprecated)

Defines whether geolocation requests are logged by Firefox.

  • True: Firefox will log requests. (default)
  • False: Requests won't be logged.

geo.wifi.uri

The data provider used to power Firefox's geolocation feature. (Check out how to switch to a Mozilla operated service)

  • https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%

media.peerconnection.enabled

This preference determines whether WebRTC is enabled in Firefox. WebRTC is used for telephony and video chat functionality but leaks local and remote IP addresses as well. May also be used in browser fingerprinting.

  • True: WebRTC is enabled (default).
  • False: WebRTC is disabled. Note: you need to set loop.enabled to False as well.

media.video_stats.enabled

Provides web applications with information about video playback statistics such as the framerate.

  • True: Web applications can access statistics (default).
  • False: Statistics cannot be accessed.

network.cookie.alwaysAcceptSessionCookies

Determines whether Firefox will accept so-called session cookies (removed when browser exits) automatically. Depends on network.cookie.lifetimePolicy set to 1.

  • True: Firefox will accept session cookies.
  • False: Firefox won't accept them. (default)

network.cookie.cookieBehavior

Defines if cookies are allowed in Firefox.

  • 0: All cookies are allowed.
  • 1: Only cookies from the first-party server are allowed.
  • 2: Block all cookies.
  • 3: Third-party cookies are only allowed if cookies from the site are already stored by Firefox. (default)

network.cookie.lifetime.days

Defines the number of days that cookies are stored by Firefox if network.cookie.cookieBehavior is set to 3.

  • 90: days by default.

network.cookie.lifetimePolicy

This defines when cookies expire in Firefox.

  • 0: The originated server sets the cookie lifetime. (default)
  • 1: Firefox prompts the user (unless network.cookie.alwaysAcceptSessionCookies is set to true).
  • 2: Cookie expires at the end of the session.
  • 3: The cookie lasts for the days specified in network.cookie.lifetime.days.

network.dnsCacheEntries

Defines how many entries Firefox will keep in the browser's DNS cache.

  • 400: the default number of cached DNS entries.

network.dnsCacheExpiration

The time cached DNS entries will be saved by Firefox.

  • 60: value in seconds.

network.http.referer.XOriginPolicy

Defines when to set the referrer (the page a visit originated from).

  • 0: Never send it.
  • 1: only send if the base domain matches.
  • 2: only send if hosts match.

network.http.referer.spoofSource

Whether the real or a fake referrer is used by Firefox.

  • False: The real referrer is used. (default)
  • True: Spoof the referrer.

network.http.referer.trimmingPolicy

Defines whether the referrer is trimmed or not.

  • 0: send the full URI (default).
  • 1: Send schema+host+port+path
  • 2: Send schema+host+port

network.http.sendRefererHeader

Controls when the Referer header is sent and document.referrer is set.

  • 0: Never send the Referer header or set document.referrer.
  • 1: Send it after clicking on links.
  • 2: Send it after clicking on links or loading an image (default).

network.http.sendSecureXSiteReferrer

Defines whether a Referer header is sent when you are navigating from one secure site to another.

  • True: The Referer header is added to connections (default).
  • False: The Referer header is not added.

network.http.use-cache

Defines whether Firefox caches http requests.

  • True: Enables caching in Firefox. (default)
  • False: Disables the caching of http requests.

network.prefetch-next

Defines whether Firefox will accept link prefetching directives by websites.

  • True: Link Prefetching is enabled. (default)
  • False: The feature is disabled.

network.seer.enabled (deprecated)

A component of Firefox's Necko Predictive Network Actions feature that improves page load time by performing overhead for connections before the connections are actually needed.

  • True: The feature is enabled.
  • False: Seer is disabled. (default)

plugin.scan.plid.all

Scans the Windows Registry key for plugin references. If found, adds them to Firefox.

  • True: Will scan the Registry.
  • False: Will not scan.

plugin.state.flash

The default state of the Flash plugin. See How to make sure Firefox plugins never activate again for more information.

  • 0: turns off the Flash plugin in Firefox.
  • 1: sets the Flash plugin to ask to activate.
  • 2: enables the Flash plugin.

plugin.state.java

The default state of the Java plugin.

  • 0: turns off the Java plugin in Firefox.
  • 1: sets the Java plugin to ask to activate.
  • 2: enables the Java plugin.

privacy.clearOnShutdown.*

Defines which sets of data get cleared when Firefox shuts down. A value of true means the data set is cleared on exit, false that it is kept.

  • privacy.clearOnShutdown.cache
  • privacy.clearOnShutdown.cookies
  • privacy.clearOnShutdown.downloads
  • privacy.clearOnShutdown.formdata
  • privacy.clearOnShutdown.history
  • privacy.clearOnShutdown.offlineApps
  • privacy.clearOnShutdown.openWindows
  • privacy.clearOnShutdown.passwords
  • privacy.clearOnShutdown.sessions
  • privacy.clearOnShutdown.siteSettings

privacy.cpd.*

Defines the items that are selected automatically when you bring up the Clear Browsing Data dialog (using Ctrl-Shift-Del for instance). True means the data set is selected, false it is not.

  • privacy.cpd.cache
  • privacy.cpd.cookies
  • privacy.cpd.downloads
  • privacy.cpd.formdata
  • privacy.cpd.history
  • privacy.cpd.offlineApps
  • privacy.cpd.openWindows
  • privacy.cpd.passwords
  • privacy.cpd.sessions
  • privacy.cpd.siteSettings

privacy.donottrackheader.enabled

Sets the Do Not Track header which informs websites and services about the tracking preference.

  • False: Do Not Track Header is not added to connections. (default)
  • True: Do Not Track Header is used.

privacy.sanitize.sanitizeOnShutdown

Whether the browsing history is automatically cleared on shutdown.

  • False: It is not cleared (default).
  • True:  It is cleared.

privacy.trackingprotection.enabled

Defines whether Firefox's Tracking Protection feature is enabled.

  • False:  Tracking Protection is disabled.
  • True: The feature is enabled.

security.OCSP.enable

Defines if OCSP Stapling is enabled in Firefox, which determines how certificate information is retrieved (check Firefox 25 gets OCSP Stapling which improves privacy for detailed information).

  • 0: Disable OCSP Stapling
  • 1: Firefox will use OCSP Stapling. (default)

security.tls.version.min and security.tls.version.max

Defines the minimum and maximum allowed version of SSL or TLS when communicating with encrypted servers. Setting it to 0 is not recommended because of known vulnerabilities.

  • 0: SSL 3.0 (minimum)
  • 1: TLS 1.0 (default)
  • 2: TLS 1.1
  • 3: TLS 1.2 (default maximum)
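
To check a profile against the preferences listed above without clicking through about:config, the following added example (not part of the original article) parses the user_pref("name", value); lines of a profile's prefs.js or user.js file and reports modified preferences that weaken a small baseline. The choice of baseline preferences, the function names, and the sample input are assumptions made for this example.

```python
import json
import re

# One line of a profile's prefs.js or user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def _is_true(v):
    return v is True

def _tls_min_ok(v):
    # 0 selects SSL 3.0, which the list above advises against.
    return isinstance(v, int) and not isinstance(v, bool) and v >= 1

# Assumed baseline (this example's choice, using values from the list above).
BASELINE = {
    "browser.safebrowsing.enabled": (_is_true, "web forgery check disabled"),
    "browser.safebrowsing.malware.enabled": (_is_true, "malware check of downloads disabled"),
    "extensions.blocklist.enabled": (_is_true, "extension/plugin blocklist disabled"),
    "extensions.update.enabled": (_is_true, "extension update checks disabled"),
    "security.tls.version.min": (_tls_min_ok, "SSL 3.0 permitted"),
}

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.startup.page", 3);
user_pref("extensions.blocklist.enabled", false);
user_pref("geo.enabled", false);
user_pref("security.tls.version.min", 0);
this line is damaged and must be skipped
'''

def parse_prefs(text):
    """Return {name: value} for every well-formed user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, damaged lines
        name, raw = match.groups()
        try:
            # true/false, integers and double-quoted strings parse as JSON.
            prefs[name] = json.loads(raw)
        except ValueError:
            continue
    return prefs

def audit(prefs):
    """List (name, value, reason) for modified prefs that break the baseline."""
    findings = []
    for name in sorted(BASELINE):
        check, reason = BASELINE[name]
        # A preference absent from the file is unmodified, so its default applies.
        if name in prefs and not check(prefs[name]):
            findings.append((name, prefs[name], reason))
    return findings

if __name__ == "__main__":
    for name, value, reason in audit(parse_prefs(SAMPLE_PREFS)):
        print(f"{name} = {value!r}: {reason}")
```

Run it against a copy of the profile's prefs.js rather than the live file, and extend BASELINE with whichever entries from the list matter in your environment.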