FireFox Browser OpSec Setup

If you are doing open source intelligence research with your browser and would like to ensure you aren't sending packets where you don't expect to maintain operational security, here are a few tweaks to Firefox that I like to use to help accomplish that.

Go into about:config and change the following settings:

  • network.prefetch-next = false - This setting stops the browser from fetching search engine results before you click on them.
  • network.dns.disablePrefetch = true - This will prevent the browser from performing DNS lookups for links on the page you are visiting before you click on them.
  • *network.http.sendRefererHeader = 2 - This will stop your browser from sending the Referer header to the site you are visiting. This results in the site owner not knowing which page you came from beforehand, at least via HTTP headers. *This setting should probably NOT be left on by default. Some navigation schemes rely on this and will not work properly if left on.
  • plugins.click_to_play = true - You never know what types of malicious content you might run into with your browser, so it's always safer to have click-to-play turned on. On Firefox this should be on by default, but you should double check. In addition, there are multiple plugins/settings for all browsers that will do the same thing and I encourage everyone to use them whether you are trying to maintain OpSec or not.

Update July 6th, 2015

Additional Privacy Setttings I ran into a huge list of other potential tweaks that can be done to improve privacy in a Reddit post here as well as a reduced list on As a result of these lists, I would add the following to the "necessary" list.

  • geo.enabled = false //Disables geolocation API to prevent websites from getting the exact location of the computer
  • browser.safebrowsing.enabled = false //Disable Google Safe Browsing and phishing protection. Security risk, but privacy improvement.
  • browser.safebrowsing.malware.enabled = false //Disable Google Safe Browsing malware checks. Security risk, but privacy improvement.
  • dom.event.clipboardevents.enabled = false //Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
  • browser.send_pings = false //The attribute would be useful for letting websites track visitors’ clicks.