Mozilla Firefox is without the shadow of a doubt the browser that you can customize the most. This shows not only in (most) feature additions or changes, where there is usually a way to return to the old behavior, but also when you dive into the depths of the about:config page.
The page lists a lot of preferences, all of which you can modify. Most are not accessible elsewhere in the browser, and you often find preferences listed here that Mozilla has implemented but not yet enabled for all users.
While you find all kinds of preferences here, for instance options to change the color of link anchors, you will also find many security and privacy related preferences.
Making changes to those can improve security or privacy.
The following list attempts to cover all privacy and security preferences of relevance. With that said, it is a work in progress considering how many preferences are available.
If you notice that a preference is missing, or discover a new one, use the contact option here on this site to let us know about it and we will implement the change right away.
Tip: you may also want to check our extensive Ghacks user.js file which is the best privacy and security preferences collection for Firefox.
If you are new to Firefox's about:config page you may need some pointers on how to use the page. To open it do the following:
The search is your best friend. Just start typing a preference name and Firefox will automatically filter the list so that only matching results remain.
You can change preference values with a double-click, and create new preferences with a right-click and the selection of New from the context menu.
Note that there is no way to remove entries from the list from within Firefox.
Pro Tip: All bold preferences are modified preferences. The about:support page lists all of them.
Sends data to servers when leaving pages.
Determines how often Firefox checks whether a version newer than the cached one is available.
The maximum space that Firefox uses for the disk cache.
Defines Firefox's use of the disk cache.
Defines whether contents of SSL (https) web pages get cached by Firefox on disk.
The maximum size of a single entry in the memory cache in kilobytes.
Whether a memory cache is used by the browser.
The capacity of the offline cache. Needs browser.cache.offline.enable set to true.
Whether web applications and sites can use an offline cache on the local system.
This defines whether a warning message is displayed by Firefox when you click on an executable file in the download manager.
Defines when Firefox removes finished downloads from the Download Manager:
Whether Firefox will scan downloaded files with installed antivirus software.
Defines whether Firefox's "fixup" feature is used.
The prefix that Firefox adds to the word entered if Fixup is enabled.
The suffix that Firefox adds to single words entered if Fixup is enabled.
Whether passwords entered in the address should be included in the "Fixup" operation as well.
Defines whether Firefox will save text entered into web forms.
Defines if Firefox should remember visited pages.
Defines if Firefox is started in private browsing mode on start.
Determines whether Firefox should check URLs that are opened in it against a web forgery database (uses Google by default).
Whether Firefox will use malware information to determine if downloads are malicious.
Defines the name of the (installed) search engine that is used for searches in Firefox (both address bar and search bar).
Defines whether search suggestions are displayed in Firefox.
Determines whether the Heartbeat feedback feature is enabled in Firefox.
Informs servers about links that get clicked on by the user.
The number of previous pages that Firefox keeps saved for every open site in the browser (back and forward functionality).
Defines the homepage of the browser.
This defines how Firefox will start up.
Whether Firefox will display auto-complete suggestions when you type in the address bar.
Defines whether scripts can close windows in the browser.
Gives web applications access to the battery status of mobile devices. May be used in fingerprinting techniques.
Defines whether Firefox's built-in popup blocker is enabled.
Several preferences that determine if and how scripts may manipulate browser windows.
Determines whether websites are allowed to access clipboard contents (check out: Block websites from reading or modifying Clipboard contents in Firefox for additional information).
Determines whether websites are allowed to block access to the right-click context menu.
This preference determines if plugins are run in a separate process.
dom.ipc.plugins.enabled.timeoutSecs (deprecated)
The time in seconds before out-of-process plugins are terminated if they are not responsive.
dom.max_chrome_script_run_time and dom.max_script_run_time
Defines the time a script may run in the browser. Default values are 20 and 10.
The maximum number of popups that can be spawned in Firefox.
This parameter defines whether "client-side session and persistent storage" capabilities are enabled in Firefox (meaning if the feature can be used by websites and applications to store data on the client computer).
Firefox ships with a remote killswitch for extensions and plugins. It is highly recommended to keep this at its default value as it was used in the past to block malicious extensions.
This sends a daily ping to Mozilla about installed add-ons and recent start-up times.
Defines whether extension updates are enabled in Firefox.
Determines if location aware browsing is enabled.
Defines whether geolocation requests are logged by Firefox.
The data provider used to power Firefox's geolocation feature. (Check out how to switch to a Mozilla operated service)
This preference determines whether WebRTC is enabled in Firefox. WebRTC is used for telephony and video chat functionality but leaks local and remote IP addresses as well. May also be used in browser fingerprinting.
Provides web applications with information about video playback statistics such as the framerate.
Determines whether Firefox will accept so-called session cookies (removed when browser exits) automatically. Depends on network.cookie.lifetimePolicy set to 1.
Defines if cookies are allowed in Firefox.
Defines the number of days that cookies are stored by Firefox if network.cookie.cookieBehavior is set to 3.
This defines when cookies expire in Firefox.
Defines how many entries Firefox will keep in the browser's DNS cache.
The time cached DNS entries will be saved by Firefox.
Defines when to set the referrer (the page a visit originated from).
Whether the real or a fake referrer is used by Firefox.
Defines whether the referrer is trimmed or not.
Controls when the Referer header is sent and document.referrer is set.
Defines whether a Referer header is sent when you are navigating from one secure site to another.
Defines whether Firefox caches http requests.
Defines whether Firefox will accept link prefetching directives by websites.
A component of Firefox's Necko Predictive Network Actions feature that improves page load time by performing overhead for connections before the connections are actually needed.
Scans the Windows Registry key for plugin references. If found, adds them to Firefox.
The default state of the Flash plugin. See How to make sure Firefox plugins never activate again for more information.
The default state of the Java plugin.
Defines which sets of data get cleared when Firefox shuts down. A value of true means the data set is cleared on exit, false that it is kept.
Defines the items that are selected automatically when you bring up the Clear Browsing Data dialog (using Ctrl-Shift-Del for instance). True means the data set is selected, false it is not.
Sets the Do Not Track header which informs websites and services about the tracking preference.
Whether the browsing history is automatically cleared on shutdown.
Defines whether Firefox's Tracking Protection feature is enabled.
Defines if OCSP Stapling is enabled in Firefox, which determines how certificate information is retrieved (check Firefox 25 gets OCSP Stapling which improves privacy for detailed information).
security.tls.version.min and security.tls.version.max
Defines the minimum and maximum allowed version of SSL or TLS when communicating with encrypted servers. Setting it to 0 is not recommended because of known vulnerabilities.