This document provides guidelines and recommendations for hardening your cyber security posture in the following areas:

- Internet, VPN and Email providers
- Accounts and Passwords
- Windows 10 / 11
- Web Browsing
- Email and Chat
- iOS
- Network and Router
- Firefox Browser
- Thunderbird Email

Each section and recommendation is categorized by area and security level, to make it easier for readers to find those that are relevant to them. See the following 3 security level definitions:

The provided guidelines and actions are intended for private cyber security. No consideration has necessarily been taken for enterprise environments.

All recommended software is free and open source.
## Internet, VPN and Email providers

Consider the following when choosing an Internet, VPN or Email provider:

- What policy do they have regarding protecting sensitive customer data?
- Have they previously handed out sensitive data to a government agency or a third party?
- What customer data do they store? Your VPN provider should never store customer authentication or connection logs!
- Do they have the necessary resources to build a secure network infrastructure?
## Accounts and Passwords

Level | Title | Description | Note |
---|---|---|---|
Standard | Use MFA! | Use multi-factor authentication for your online accounts and avoid SMS. Your SIM/phone number can be taken over by a scammer. Use a mobile app for verification instead. | |
Standard | Keep your accounts in your control. | Never log in to your online account on somebody else's device! | |
Advanced | Use a secure password management solution! | I recommend: KeePass (Windows), KeePassXC (macOS), AuthPass (iOS). | Note: Providers of online password managers that handle your master key might be breached and leak your credentials. |
## Windows 10 / 11

Level | Title | Description | Note |
---|---|---|---|
Standard | Set a secure password on your local computer user. | Set a long and complex password that's hard to guess. | |
Standard | Configure in-app security and privacy settings. | Go through each application's privacy and security settings first thing after installing it. | There are often a lot of privacy settings. |
Standard | Auto-lock on inactivity. | Set your computer to lock automatically after being inactive. | |
Standard | Enable auto-update. | Enable auto-update for both the operating system and applications, to make sure you always have the latest security patches. | Hackers continuously scan the internet for vulnerable devices and services. |
Standard | Completely disable crash reporting. | PowerShell: Run "Disable-WindowsErrorReporting". | This feature might leak information about your device. |
Standard | Restart your PC! | Regularly restart your PC to clean up running background processes and free the memory of sensitive data. | |
Standard | Disable network during setup! | Disable your network interfaces while installing and configuring your operating system. | Make sure the operating system and all applications are securely configured before connecting to the internet. |
Standard | Encrypt your drives. | I recommend VeraCrypt. | |
Standard | Take backups! | Take regular file backups of the operating system drive and other important drives, plus a system image backup, and store them in a safe location. | NOTE: Make sure every kind of backup containing sensitive data or system files is encrypted, no matter where you store it. |
Standard | Uninstall applications you don't need. | Uninstall applications in both Control Panel/Programs and Features and the Settings app. | NOTE: Some apps are only visible in the Settings app. |
Standard | Disable extra local accounts. | Disable all local accounts not being used, especially the guest account. | |
Standard | Fully activate UAC. | Enable User Account Control in Control Panel/User Accounts/Change User Account Control settings. Drag the slider to the highest level and click OK. | UAC will prompt for verification before an application elevates itself to admin. |
Standard | Install an endpoint protection solution if necessary. | You may want to install an EDR solution, depending on how securely the computer is configured and used, since Windows is full of security vulnerabilities. Choose a modern EDR solution that looks for unusual executions and behaviors. | NOTE #1: Select an EDR provider you trust, but remember that they could potentially read all files on your PC. NOTE #2: Avoid installing an EDR solution, for privacy concerns, if your Windows operating system is locked down with all the recommendations in this guide applied and you only run verified software and documents. |
Standard | Disable logging in your torrent and VPN client! | Don't leave traces of downloads in case you're subject to a legal investigation. | |
Standard | Disable AutoPlay features. | Disable AutoPlay in Windows Settings/Bluetooth & Devices/AutoPlay. | This prevents plugged-in devices from auto-starting their local media and binaries. |
Standard | BIOS password. | Set a BIOS password. | |
Standard | Secure Boot. | Enable UEFI Secure Boot. | |
Standard-Advanced | Disable RDP or restrict its connections! | Disable Remote Desktop on Windows unless you need it: in "Windows Settings/System/Advanced System Settings/Remote" select "Don't allow remote connections to this computer" AND uncheck "Allow Remote Assistance connections to this computer". Advanced: If RDP is needed, create a firewall rule to only allow connections from your own devices (IP addresses). | There have been a lot of vulnerabilities discovered in RDP throughout the years. More importantly, you should disable all network protocols you don't need. |
Advanced | Don't use sleep mode. | Don't put your computer to sleep. Use hibernation instead. | Your memory is not cleared in sleep mode, keeping your disk decrypted and making it much easier for a malicious actor to access your data if your laptop gets lost or stolen. |
Advanced | Enable LSA protection. | Registry: Set/Create DWORD value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL with value "1". | |
Advanced | Disable driver/software download from Windows Error Reporting servers. | Group Policy: Enable "Prevent Windows from sending an error report when a device driver requests additional software during installation" in Computer Configuration/Administrative Templates/System/Device Installation. | This feature might leak information about your device. |
Advanced | Disable automatic driver and related software installations. | Group Policy: Enable "Prevent device metadata retrieval from the Internet" in Computer Configuration/Administrative Templates/System/Device Installation. | This feature might leak information about your device and might lead to unexpected software being installed. |
Advanced | Disable background error reports from being sent when installing a driver. | Group Policy: Enable "Do not send a Windows error report when a generic driver is installed on a device" in Computer Configuration/Administrative Templates/System/Device Installation. | This feature might leak information about your device. |
Advanced | Disable IP source routing, for both IPv4 and IPv6! | Registry: Set/Create DWORD value "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter" with value "0" AND "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting" with value "2". | IP source routing allows the information in network packets to dictate how the traffic is routed. This might result in traffic bypassing network gateways. |
Advanced | Disable automatic elevation of software installations. | Group Policy: Disable "Always install with elevated privileges" in Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Installer. | This will prevent software installations from running with admin privileges unless necessary. |
Advanced | Remove Windows Features you don't need. | Uninstall features in Control Panel/Programs and Features/Turn Windows features on or off. | |
Advanced | Enable remote restrictions for UAC. | Registry: Set/Create DWORD value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy with value "0". | |
Advanced | Disable unnecessary scheduled tasks. | Go through your scheduled tasks, including all sub-libraries, and disable unnecessary tasks. | A lot of 3rd party applications create intrusive and unnecessary scheduled tasks. |
Advanced | Use a software firewall. | Use one that can allow/block both incoming and outgoing traffic. | |
Expert | Disable insecure protocols. | Disable SMB, SSL, PCT 1.0 and TLS 1.0/1.1. See the guides https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings AND https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3 | NOTE: Use SFTP instead! |
Expert | Remove untrusted CA certificates. | Run certmgr.msc as an administrator and look in "Trusted Root Certification Authorities/Certificates" and "Intermediate Certification Authorities/Certificates". | NOTE: Remove certificates from CAs run by governments and affiliates and organisations you don't trust. Firefox has its own root certificate store, separate from the Windows store. |
Expert | Disable automatic driver installation for plugged-in devices. | Group Policy: Enable "Prevent installation of devices not described by other policy settings" AND enable "Allow installation of devices that match any of these device instance IDs" and specify the already installed device instance IDs. Both policies can be found in Computer Configuration/Administrative Templates/System/Device Installation/Device Installation Restrictions. | |
Standard | Adjust Windows privacy settings. | Set the features in Windows Settings listed below ↓ | |

Windows Settings:

- System \ Clipboard
  - Clipboard history = Off
- Time & Language \ Typing \ Typing insights
  - Typing insights = Off
- Privacy & Security \ General
  - Let apps show me personalised ads by using my advertising ID = Off
  - Let websites show me locally relevant content by accessing my language list = Off
  - Let Windows improve Start and search results by tracking app launches = Off
  - Show me suggested content in the Settings app = Off
- Privacy & Security \ Speech
  - Online speech recognition = Off
- Privacy & Security \ Inking & Typing personalisation
  - Personal inking and typing dictionary = Off
- Privacy & Security \ Diagnostics & feedback
  - Send optional diagnostic data = Off
  - Tailored experiences = Off
- Privacy & Security \ Activity history
  - Store my activity history on this device = Off
  - Send my activity history to Microsoft = Off
- Privacy & Security \ Search permissions
  - SafeSearch = Off
  - Microsoft account = Off
  - Work or School account = Off
  - Search history on this device = Off
  - Show search highlights = Off
Advanced | Disable unnecessary services. | Run services.msc as an administrator and disable the services listed below ↓ | NOTE: Some features and functions may stop working, and no guarantee can be given against that. I've been testing it for about 1 year on my Windows installation, but that's limited to my scenario of Windows usage. Functions you use could be dependent on some of these services (not seen in the Dependencies tab or necessarily interpretable from the service name or its documented purpose). Therefore you should be observant in case some feature or function stops working. |

- ActiveX Installer
- AllJoyn Router Service
- Auto Time Zone Updater
- BranchCache
- Cellular Time
- Clipboard User Service
- Connected Devices Platform Service
- Connected Devices Platform User Service
- Connected User Experiences and Telemetry
- Function Discovery Resource Publication
- GameDVR and Broadcast User Service (if you don't use Windows recording or streaming)
- Geolocation Service
- Retail Demo Service
- User Experience Virtualization Service
- Windows Error Reporting Service
- Routing and Remote Access (unless the machine is an NPS/RADIUS server)
- Shared PC Account Manager (unless in SharedPC mode)
Advanced | Enable Virtualization Based Security (VBS). | Enable the VBS features listed below ↓ | |

- Group Policy #1: Computer Configuration\Administrative Templates\System\Device Guard
  - Enable "Turn On Virtualization Based Security" and set the options:
    - Secure Boot and DMA protection
    - Enable Virtualization Based Protection of Code Integrity (HVCI) with UEFI Lock.
    - Enable the option "Require UEFI memory attribute tables" to make sure HVCI is only enabled on compatible devices.
    - Enable Secure Launch.
- Group Policy #2: Computer Configuration\Administrative Templates\System\Kernel DMA Protection
  - Enable "Enumeration policy for external devices incompatible with Kernel DMA Protection" and set the option "Block all".
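The registry values and services recommended in the Windows table above can be audited before anything is changed, so you can see which settings are already in place and which ones a later update has reverted. The script below is an added example and not part of the original guide. It assumes that the IPv6 counterpart of the source-routing setting lives under the Tcpip6 key (the table only spells out the IPv4 key), matches services by the display names listed above, and leaves out the three conditional services (GameDVR, Routing and Remote Access, Shared PC Account Manager) because the list makes them depend on how you use the machine.

```powershell
# Added example, not part of the original guide: audits the registry values and
# the services recommended in the Windows table above and reports what is still
# missing. Nothing is changed unless the -Apply switch is given. Run it from an
# elevated PowerShell prompt (HKLM keys and service start types need admin).

# Registry baseline from the LSA protection, UAC remote restriction and IP
# source routing rows. The Tcpip6 entry is the IPv6 counterpart assumed here;
# the table names "both IPv4 and IPv6" but spells out only the IPv4 key.
$RegistryBaseline = @(
    @{ Why = 'LSA protection (RunAsPPL)';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RunAsPPL';                      Value = 1 }
    @{ Why = 'UAC remote restrictions';         Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LocalAccountTokenFilterPolicy'; Value = 0 }
    @{ Why = 'Drop IPv4 source-routed packets'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'DisableIPSourceRouting';        Value = 2 }
    @{ Why = 'Drop IPv6 source-routed packets'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';       Name = 'DisableIPSourceRouting';        Value = 2 }
    @{ Why = 'No IP forwarding between NICs';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'IPEnableRouter';                Value = 0 }
)

# Services from the list above, matched by display name. The wildcards catch
# per-user instances such as "Clipboard User Service_3a1f2b".
$ServiceBaseline = @(
    'ActiveX Installer*', 'AllJoyn Router Service', 'Auto Time Zone Updater', 'BranchCache',
    'Cellular Time', 'Clipboard User Service*', 'Connected Devices Platform Service',
    'Connected Devices Platform User Service*', 'Connected User Experiences and Telemetry',
    'Function Discovery Resource Publication', 'Geolocation Service', 'Retail Demo Service',
    'User Experience Virtualization Service', 'Windows Error Reporting Service'
)

function Test-RegistryBaseline {
    param([switch]$Apply)
    foreach ($item in $RegistryBaseline) {
        $current = $null
        if (Test-Path $item.Path) {
            # A missing value is reported as $null rather than as an error.
            $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        $compliant = ($null -ne $current) -and ([int]$current -eq $item.Value)
        if (-not $compliant -and $Apply) {
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType DWord -Value $item.Value -Force | Out-Null
            $current = $item.Value; $compliant = $true
        }
        [pscustomobject]@{
            Setting   = $item.Why
            Key       = "$($item.Path)\$($item.Name)"
            Expected  = $item.Value
            Current   = $(if ($null -eq $current) { '<missing>' } else { $current })
            Compliant = $compliant
        }
    }
}

function Test-ServiceBaseline {
    param([switch]$Apply)
    foreach ($pattern in $ServiceBaseline) {
        foreach ($svc in Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue) {
            $compliant = $svc.StartType -eq 'Disabled'
            if (-not $compliant -and $Apply) {
                # Per-user instances cannot be configured directly; their start type
                # lives on the template service, i.e. the name without the _hex suffix.
                $target = $svc.Name -replace '_[0-9a-fA-F]+$', ''
                Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
                Set-Service -Name $target -StartupType Disabled
                $compliant = $true
            }
            [pscustomobject]@{
                Service   = $svc.DisplayName
                Name      = $svc.Name
                StartType = $svc.StartType
                Status    = $svc.Status
                Compliant = $compliant
            }
        }
    }
}

# Report only; add -Apply to both calls to enforce the baseline.
Test-RegistryBaseline | Format-Table -AutoSize
Test-ServiceBaseline  | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run the report mode first and keep its output; after a feature update, running it again shows exactly which of the table's settings Windows has reset, which is the point the "Disable unnecessary services" note makes about having to watch for regressions.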
## Web Browsing

Level | Title | Description | Note |
---|---|---|---|
Standard | Use a VPN! | Use a VPN when you want to keep your internet connection private, and when you connect to a public Wifi. | NOTE: Use the VPN provider's DNS server to make sure the traffic and logs are contained at one provider. OpenVPN: Add the parameter "block-outside-dns" to your config file to block lookups to the ISP's DNS server, thus preventing information about your real ISP from leaking. |
Standard-Advanced | Use one of these browsers: Standard: Brave, Advanced: Firefox. | Brave is easy to set up and provides good built-in security and tracking protection. Firefox is generally the most secure and private browser if you spend some time configuring it properly, including extensions. | NOTE: See the Firefox section further below for a guide on how to configure it for best security and privacy. |
Advanced | Encrypt your DNS lookups. | Encrypt your DNS lookups when not connected to a VPN tunnel. I recommend using the DNSCrypt v2 protocol and the dnscrypt-proxy client for Windows, macOS and routers (Linux based), and DNSCloak for iOS. | NOTE: Use a DNS server that doesn't log client lookups and has DNSSEC support enabled. |
Advanced | Use a privacy focused search engine. | I recommend DuckDuckGo. | NOTE: Don't trust all sites in your search results, don't click on random links. |
## Email and Chat

Level | Title | Description | Note |
---|---|---|---|
Standard | Encrypt your mail storage! | Make sure your email application stores its data on an encrypted drive. | |
Standard | Don't open random files! | Don't open any attached files you don't expect to receive! | |
Standard | Beware of spoofed senders! | Don't trust that an email comes from the sender/domain you see displayed; it can be spoofed easily. Expert: Look in the SMTP headers and see if the SPF, DKIM and DMARC checks passed. Not all senders use DKIM/DMARC yet, but if the SPF check fails, then the sender is spoofed or they have really bad email security. | |
Standard | Don't click unsubscribe. Block instead. | Avoid clicking on unsubscribe links in subscription email. It will give away more information about you. Also, the email could potentially be spoofed and contain a malicious unsubscribe link. | |
Standard | Talk on encrypted chats! | I recommend Signal for encrypted chat. Emails are often read/scanned by the hosting provider, unless you and the recipient encrypt them and manage your own private keys. | |
Advanced | Use a private and secure provider for sensitive email. | You should use a secure and private provider for sensitive communication that has to be emailed. | |
Advanced | Block remote content! | Set your email app's default behavior to block remote content. | Disable remote content and only enable it selectively for emails you trust. |
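The "Beware of spoofed senders" check can be done on a saved message instead of reading raw headers by eye. The PowerShell below is an added example, not part of the original guide: it unfolds the message headers, picks out the Authentication-Results field your receiving server added, and applies the rule from the row above (an SPF or DMARC failure means the displayed sender cannot be trusted; DKIM/DMARC being absent is not proof either way). The headers it parses are constructed for the example, and the domains in them are placeholders.

```powershell
# Added example, not part of the original guide: reads the Authentication-Results
# header of a message and reports the SPF, DKIM and DMARC verdicts. Only the
# headers are parsed; nothing is sent or fetched.

# Constructed sample headers (not a real message). The visible From: claims
# bank.example, while the envelope sender failed SPF and DMARC.
$SampleHeaders = @"
Received: from relay.example.net (relay.example.net [192.0.2.10])
 by mx.example.com with ESMTP id constructed-sample
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=mailer.example.net;
 dkim=none (message not signed);
 dmarc=fail (p=reject) header.from=bank.example
From: "Your Bank" <alerts@bank.example>
Subject: Constructed sample message
"@

function Get-AuthenticationResults {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Header fields may be folded over several lines (RFC 5322): a continuation
    # line starts with whitespace. Unfold before matching.
    $unfolded = $RawHeaders -replace "`r?`n[ `t]+", ' '
    $authLine = ($unfolded -split "`r?`n") |
        Where-Object { $_ -match '^Authentication-Results:' } |
        Select-Object -First 1

    $verdicts = [ordered]@{ authserv = 'missing'; spf = 'missing'; dkim = 'missing'; dmarc = 'missing' }
    if ($authLine) {
        # The first token is the authserv-id: the server that performed the checks.
        # Only trust the header if this is your own provider's server; anyone
        # upstream can insert a header with the same name.
        $verdicts.authserv = (($authLine -replace '^Authentication-Results:\s*', '') -split ';')[0].Trim()
        foreach ($m in [regex]::Matches($authLine, '\b(spf|dkim|dmarc)=([a-z]+)', 'IgnoreCase')) {
            $verdicts[$m.Groups[1].Value.ToLower()] = $m.Groups[2].Value.ToLower()
        }
    }
    [pscustomobject]$verdicts
}

function Get-SpoofAssessment {
    param([Parameter(Mandatory)][pscustomobject]$Verdicts)
    # Mirrors the rule in the table: an SPF failure means the message is spoofed
    # or the sender's domain is badly configured. DKIM/DMARC are not universal,
    # so 'none' on its own is not conclusive.
    if ($Verdicts.spf -eq 'fail' -or $Verdicts.dmarc -eq 'fail') {
        return 'Treat as spoofed: do not trust the displayed sender.'
    }
    if ($Verdicts.spf -eq 'pass' -and $Verdicts.dkim -eq 'pass' -and $Verdicts.dmarc -eq 'pass') {
        return 'All checks passed for the sending domain.'
    }
    return 'Inconclusive: some checks missing or neutral; verify the sender another way.'
}

$result = Get-AuthenticationResults -RawHeaders $SampleHeaders
$result | Format-List
Get-SpoofAssessment -Verdicts $result
```

To use it on a real message, save the message as .eml from your mail client and pass `(Get-Content .\message.eml -Raw)` as `-RawHeaders`; the function only looks at the first Authentication-Results header, which is the one your own server prepends.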
## iOS

Level | Title | Description | Note |
---|---|---|---|
Standard | Set a passcode! | Set a passcode, 6-digit PIN minimum, that's hard to guess. | Note: It should be hard to guess even if the malicious actor knows information about you, such as your social security number. |
Standard | Don't jailbreak! | Don't jailbreak your device, to reduce the risk of malicious device takeover. Also, you won't receive automatic iOS updates. | |
Standard | Uninstall apps you don't need! | Uninstall all apps you don't need, including native ones. | |
Standard | Enable automatic updates. | Enable automatic updates for iOS and apps. | |
Standard | Enable On-Device Mode for the Translate app. | Enable On-Device Mode in Translate system settings. | |
Standard | Disable iCloud sync per app/feature. | Disable synchronization of data to iCloud in system settings, for each app and feature (data) you don't need synced to iCloud. | |
Standard | Avoid side-loading apps! | Only side-load apps from sources you really trust. | |
Standard | Disable Siri scanning for apps. | Disable "Learn from this app" in the app system settings and Siri section for all installed apps. | |
Standard | Don't auto-join hotspots. | Disable Auto-Join Hotspot in Wifi system settings. | |
Standard | Set a SIM PIN. | Make sure a PIN code is set on your SIM card. | |
Standard | Disable notification previews when locked. | Set Show Previews to "When Unlocked". | You don't want others to see your notification content if your phone gets stolen. |
Standard | Disable Siri. | Settings: Disable Siri from the Siri system settings. | Siri might leak sensitive data, since not all data is processed on-device. |
Standard | Disable AirDrop. | Disable AirDrop in system settings when not in use. | |
Standard | Disable CarPlay while locked. | Disable "Allow CarPlay While Locked" in CarPlay system settings. | |
Standard | Require "eye contact" to use Face ID. | Enable "Require Attention for Face ID" in Accessibility system settings. | |
Standard | Disallow access to features when locked. | Disable everything in "Allow Access when locked" in Face ID & Passcode system settings. | |
Standard | Configure your in-app security and privacy settings. | Go through each application's privacy and security settings first thing after installing it. | There are often a lot of privacy settings. |
Standard | Erase data on multiple failed passcode attempts. | Enable "Erase data" in Face ID & Passcode system settings. | NOTE: Your iPhone will be reset and all data will be erased after 10 failed passcode attempts. |
Standard | Disable Location Services or only allow it while using the app. | Disable Location Services for apps, OR only allow it while using the app. This can be set per app in Privacy/Location Services system settings. | |
Standard | Disable telemetry. | Disable "Share iPhone & Watch Analytics" in Privacy/Analytics & Improvements system settings. | |
Standard | Disable personalised ads. | Disable "Personalised Ads" in Privacy/Apple Advertising system settings. | |
Standard | Disable Personalised Recommendations in App Store. | Disable "Personalised Recommendations" in App Store account settings. | |
Standard-Advanced | Standard: Use Firefox. Advanced: Use Firefox Focus. | Firefox has very good security and privacy features on iOS. Firefox Focus offers even better security and privacy and clears cookies between each session. Use Firefox Focus as a first option and standard Firefox for sites not working in it. | Note: Firefox: Enable "Block Pop-up Windows", "Close Private Tabs", "Enhanced Tracking Protection" + "Strict (Mode)" AND disable "Show Link Previews", "Offer to Open Copied Links", "Send Usage data" and "Studies". Firefox Focus: Enable "Block web fonts", "Enhanced Tracking Protection" + all block options AND disable "Send usage data", "Studies", "URL Autocomplete" and "Get Search Suggestions". |
Advanced | Don't use Find My iPhone unless you really need it! | Disable Find My iPhone in iCloud system settings. | Minimize the amount of tracking on your phone, including location tracking. |
## Network and Router

Level | Title | Description | Note |
---|---|---|---|
Standard | Secure password for your Wifi! | Set a long and complex password for connecting to the Wifi. | |
Standard | WPA2/WPA3 support! | Enable WPA3 security on your router, or WPA2 as a minimum if WPA3 is not supported. | NOTE: WPA3 should be a requirement for new routers you buy! |
Standard | Secure password for router management. | Set a long and complex password on the account used to access your router management interfaces. | |
Standard | Enable the router firewall! | Enable the firewall on your router so that only the incoming traffic you need is allowed. | |
Standard | Update your routers and APs! | Enable auto-update or regularly update the firmware on your routers and access points. | These devices are exposed by nature and need to stay patched against new vulnerabilities. NOTE: Don't use any unsupported routers or access points that don't receive security patches from the vendor! |
Standard | Use a VPN! | Use a VPN when you want to keep your internet connection private, and when you connect to a public Wifi. | NOTE: Use the VPN provider's DNS server to make sure the traffic and logs are contained at one provider. OpenVPN: Add the parameter "block-outside-dns" to your config file to block lookups to the ISP's DNS server, thus preventing information about your real ISP from leaking. |
Standard | Disable WPS PIN! | Disable WPS PIN on your routers. | WPS is a protocol for easy Wifi setup, and WPS PIN is one of its methods that has a serious security vulnerability where the PIN can be extracted by a malicious actor. |
Standard | Don't expose any devices! | Don't put any computers or other devices in front of the router/firewall unless they're intended for the public. | Hackers continuously scan the internet for exposed services and target them. |
Standard | Don't expose router management interfaces! | Keep the router management interfaces, no matter what network protocol, accessible from the internal LAN only. | |
Standard | Disable unnecessary features on routers/APs! | Disable all router and access point features you don't need, since they just increase the attack surface. | Extra important on a router since it's exposed to the internet and many typical routers come with bloatware. NOTE: Also check security features; many leak data to providers, such as web protections that upload browsing data to a 3rd party. |
Standard | Disable logging of sensitive data on router! | Some routers log sensitive data, such as web/HTTP traffic and DNS lookups. Disable all of these. | |
Advanced | Disable CTF/NAT acceleration. | Disable Cut-Through Forwarding/NAT acceleration on your routers. | These features allow traffic to bypass internal firewall scanning and other potential security features. |
Advanced | Disable UPnP. | Disable UPnP on your routers. | UPnP could allow a potentially infected device on your network to open network ports, allowing malicious traffic in from the internet. |
Advanced | Encrypt your DNS lookups. | Encrypt your DNS lookups when not connected to a VPN tunnel. I recommend using the DNSCrypt v2 protocol and the dnscrypt-proxy client for Windows, macOS and routers (Linux based), and DNSCloak for iOS. | NOTE: Use a DNS server that doesn't log client lookups and has DNSSEC support enabled. |
Advanced | Block ping on router. | There's no reason to allow clients on the internet to ping and discover your router. | NOTE: Not all routers have the option to block ping (ICMP Echo). |
Advanced | Create a guest wifi zone. | Set up a separate guest wifi SSID (with password) for devices you don't own and less secure devices such as mobile phones. The guest wifi zone must be isolated from the internal wifi. | |
Advanced | Don't broadcast your SSID. | It makes it somewhat harder for evil neighbours to hack your network. | |
Expert | Install a secure and customizable open source firmware! | For secure and customizable firmware I recommend OpenWrt or DD-WRT. | |
## Firefox Browser

Some security measures require you to install an extension, while others require changes in the settings or the config editor. The config editor can be accessed by entering about:config into the URL/search bar.

Level | Title | Description | Note |
---|---|---|---|
Advanced | Disable 3rd party cookies. | Config editor: network.cookie.cookieBehavior = "1" | To prevent sites on different domains from reading/sharing each other's cookies. |
Standard | Send "Do not track". | Settings: Enable "Do not track". | Not all sites follow this request/header, but it should still be enabled. |
Standard | Disable experimental features. | Config editor: messaging-system.rsexperimentloader.enabled = "false" | You should avoid experimental/beta features since they're not necessarily secure enough until they become generally available. |
Standard | Prevent fingerprinting. | Extension: CanvasBlocker AND Config editor: privacy.resistFingerprinting = "true", privacy.trackingprotection.fingerprinting.enabled = "true" | |
Standard | Block trackers. | Extension: uBlock Origin AND Config editor: privacy.trackingprotection.enabled = "true" | |
Standard | Block embedded cryptominers. | Extension: uBlock Origin AND Config editor: privacy.trackingprotection.cryptomining.enabled = "true" | |
Standard | Prevent tracking from URL properties. | Extension: ClearURLs AND Config editor: network.http.referer.XOriginPolicy = "2", network.http.referer.XOriginTrimmingPolicy = "2", network.http.sendRefererHeader = "0", network.http.sendSecureXSiteReferrer = "false" | This prevents tracking from things like cross-domain referral links, by cleaning these properties out of URLs and HTTP headers. |
Advanced | Enforce HTTPS. | Settings: Enable HTTPS-only mode. | This is to prevent you from browsing web sites over an unencrypted network connection. |
Advanced | Only run content you need and trust! | Extension: NoScript | Selectively permit necessary content types, for example scripts and CSS, only on domains you trust. |
Advanced | Disable WebGL. | Config editor: webgl.disabled = "true", webgl.disable-wgl = "true", webgl.enable-webgl2 = "false" | There are vulnerabilities in the API that are unpatchable. |
Advanced | Use containers for sensitive sites/domains. | Extension: Multi-Account Containers | This will help prevent cookies from one domain, e.g. sign-in cookies, from leaking to another, even if Firefox has built-in protection for that (cookie isolation). |
Advanced | Automatically delete cookies. | Extension: Cookie AutoDelete | You will most probably browse many sites in a mixed, un-contained browsing session. That's why it's good to keep those browsing cookies only temporarily. |
Advanced | Prevent ETag tracking. | Extension: Chameleon | |
Advanced | Spoof your user agent. | Extension: Chameleon | Sites can track you from the user agent information. NOTE: Chameleon lets you continuously randomize a new user agent. |
Advanced | Prevent CSS based exfiltration. | Extension: CSS Exfil Protection | |
Advanced | Disable WebRTC. | Config editor: media.peerconnection.enabled = "false" | WebRTC might leak your IP address/ISP when connected to a VPN. |
Advanced | Prevent tracking through CDNs. | Extension: Decentraleyes | Prevent tracking through requests made to centralized content delivery networks (CDN) such as Google or Cloudflare. Decentraleyes will serve local files to keep sites working. |
Advanced | Prevent URL/search bar tracking. | Config editor: browser.urlbar.speculativeConnect.enabled = "false" | The setting will disable pre-emptive DNS lookups for domains you enter in the URL/search bar. |
Advanced | Disable snippets on the home/start page. | Config editor: browser.aboutHomeSnippets.updateUrl = BLANK | These snippets will generate HTTP traffic from your browser when you open the home/start page. |
Advanced | Disable network captive portal redirect. | Config editor: network.captive-portal-service.enabled = "false" | This should be disabled since you can't be sure what site the public Wifi redirects you to upon connecting. |
Advanced | Disable network state probing. | Config editor: network.connectivity-service.enabled = "false" | This feature will generate HTTP traffic to test network connectivity from your browser when the network state changes. |
Advanced | Disable speculative pre-connection. | Config editor: network.http.speculative-parallel-limit = "0", network.prefetch-next = "false", network.dns.disablePrefetch = "true", network.dns.disablePrefetchFromHTTPS = "true", network.predictor.enabled = "false", network.predictor.enable-prefetch = "false" | This feature will fetch links pre-emptively on link previews/mouse hover. |
Advanced | Disable built-in regional detection feature. | Config editor: browser.region.update.enabled = "false", browser.region.local-geocoding = "false", browser.region.network.url = BLANK | This feature might leak information about you/your device. |
Advanced | Disable IP-based geolocation. | Config editor: browser.search.geoip.url = BLANK | |
Advanced | Disable Activity Stream. | Config editor: browser.newtabpage.activity-stream.feeds.asrouterfeed = "false" | Activity Stream might leak information about your page visits. |
Advanced | Block DRM content. | Settings: Disable playback of DRM content AND Config editor: media.eme.enabled = "false", media.gmp-widevinecdm.enabled = "false", media.gmp-widevinecdm.visible = "false" | Playing DRM content also means you're running code in your browser that you can't review (closed source). |
Advanced | Prevent hardware device enumeration. | Config editor: media.navigator.enabled = "false" | This function can leak information about your device. |
Advanced | Prevent sensitive information in the Firefox Session Restore feature. | Config editor: browser.sessionstore.privacy_level = "2" | This function stores information such as cookies, form values and HTTP POST data. |
Advanced | Prevent IDN exploits. | Config editor: network.IDN_show_punycode = "true" | This prevents IDN exploits by displaying raw punycode. See more information about the vulnerability and workaround here: https://www.mozilla.org/en-US/security/advisories/mfsa2005-29/ |
Advanced | Disable cached browsing. | Config editor: browser.cache.memory.enable = "false", browser.cache.disk.enable = "false" | This feature might lead to information about your browsing being saved without your knowledge, even if temporarily. |
Expert | Remove untrusted CA certificates. | Settings: Uncheck certificates in Privacy & Security/View Certificates. | NOTE: Remove certificates from CAs run by governments and affiliates and organisations you don't trust. Firefox has its own root certificate store, separate from the Windows store. |
Standard | Prevent native data collection. | Set the config editor properties listed below ↓ | Disable Firefox's built-in data collection and potential data leaking features, such as telemetry. |
- app.normandy.optoutstudies.enabled = "false"
- app.shield.optoutstudies.enabled = "false"
- extensions.getAddons.cache.enabled = "false"
- browser.send_pings = "false"
- dom.event.clipboardevents.enabled = "false"
- beacon.enabled = "false"
- app.normandy.enabled = "false"
- browser.ping-centre.telemetry = "false"
- toolkit.telemetry.bhrPing.enabled = "false"
- toolkit.telemetry.firstShutdownPing.enabled = "false"
- toolkit.telemetry.healthping.enabled = "false"
- toolkit.telemetry.newProfilePing.enabled = "false"
- toolkit.telemetry.shutdownPingSender.enabled = "false"
- toolkit.telemetry.updatePing.enabled = "false"
- toolkit.telemetry.archive.enabled = "false"
- toolkit.telemetry.enabled = "false"
- toolkit.telemetry.rejected = "true"
- toolkit.telemetry.unified = "false"
- toolkit.telemetry.unifiedIsOptIn = "false"
- toolkit.telemetry.prompted = "2"
- datareporting.healthreport.uploadEnabled = "false"
- browser.crashReports.unsubmittedCheck.autoSubmit2 = "false"
- browser.crashReports.unsubmittedCheck.autoSubmit = "false"
- browser.crashReports.unsubmittedCheck.enabled = "false"
- browser.tabs.crashReporting.includeURL = "false"
- browser.tabs.crashReporting.sendReport = "false"
- dom.ipc.plugins.flash.subprocess.crashreporter.enabled = "false"
- dom.ipc.tabs.createKillHardCrashReports = "false"
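Setting these preferences one by one in about:config works, but the values do not survive a profile reset and are easy to flip back by accident. Firefox also reads a `user.js` file in the profile directory at every start and re-applies whatever it contains. The PowerShell below is an added example, not part of the original guide or of Firefox: it writes a representative subset of the preferences from the table and list above into `user.js`. Two things it assumes are not stated on the page: the default profile location under `%APPDATA%\Mozilla\Firefox\Profiles`, and the real type of each value (the guide quotes everything as "false" or "2", but a `user_pref()` with a string where Firefox expects a boolean or integer is ignored, so the script emits booleans and integers unquoted and only strings quoted).

```powershell
# Added example, not part of the original guide: turns about:config preferences
# from the Firefox section into a user.js that Firefox re-applies on every start.
#
# Types matter: a user_pref() whose value has the wrong type is ignored. The
# guide quotes every value ("false", "2"); the hashtable restates them with
# their real types. URL prefs the guide sets to BLANK become empty strings.
$FirefoxPrefs = [ordered]@{
    # Telemetry, studies and crash reporting (from the "Prevent native data collection" list)
    'app.normandy.enabled'                          = $false
    'app.normandy.optoutstudies.enabled'            = $false
    'app.shield.optoutstudies.enabled'              = $false
    'beacon.enabled'                                = $false
    'browser.send_pings'                            = $false
    'browser.ping-centre.telemetry'                 = $false
    'toolkit.telemetry.enabled'                     = $false
    'toolkit.telemetry.unified'                     = $false
    'toolkit.telemetry.archive.enabled'             = $false
    'toolkit.telemetry.prompted'                    = 2
    'datareporting.healthreport.uploadEnabled'      = $false
    'browser.crashReports.unsubmittedCheck.enabled' = $false
    'browser.tabs.crashReporting.sendReport'        = $false
    # Tracking, fingerprinting and network leaks (from the table rows)
    'network.cookie.cookieBehavior'                 = 1
    'privacy.resistFingerprinting'                  = $true
    'privacy.trackingprotection.enabled'            = $true
    'network.http.referer.XOriginPolicy'            = 2
    'network.http.referer.XOriginTrimmingPolicy'    = 2
    'network.http.speculative-parallel-limit'       = 0
    'network.prefetch-next'                         = $false
    'network.dns.disablePrefetch'                   = $true
    'media.peerconnection.enabled'                  = $false
    'browser.sessionstore.privacy_level'            = 2
    'network.IDN_show_punycode'                     = $true
    'browser.search.geoip.url'                      = ''
    'browser.region.network.url'                    = ''
}

function ConvertTo-UserJs {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Preferences)
    foreach ($name in $Preferences.Keys) {
        $value = $Preferences[$name]
        if ($value -is [bool])    { $literal = $value.ToString().ToLowerInvariant() }  # true / false, unquoted
        elseif ($value -is [int]) { $literal = [string]$value }                          # integer, unquoted
        else                      { $literal = '"' + ([string]$value -replace '\\', '\\' -replace '"', '\"') + '"' }
        'user_pref("{0}", {1});' -f $name, $literal
    }
}

function Write-UserJs {
    param(
        [Parameter(Mandatory)][string]$ProfilePath,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Preferences
    )
    $target = Join-Path $ProfilePath 'user.js'
    $lines  = @('// Generated from the hardening checklist; edit the hashtable, not this file.') + (ConvertTo-UserJs $Preferences)
    # UTF-8 without BOM: Firefox's pref parser does not expect a byte-order mark.
    [System.IO.File]::WriteAllText($target, ($lines -join "`n") + "`n", [System.Text.UTF8Encoding]::new($false))
    $target
}

# Assumption: the default profile location on Windows. Close Firefox first;
# user.js is read on startup and its entries override prefs.js.
$profileDir = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -Filter '*.default-release' |
    Select-Object -First 1
if ($profileDir) { Write-UserJs -ProfilePath $profileDir.FullName -Preferences $FirefoxPrefs }
else { ConvertTo-UserJs $FirefoxPrefs }   # no profile found: just print the generated lines
```

After restarting Firefox, open about:config and search for one of the names; a preference set from user.js shows as modified and snaps back to the user.js value at the next start even if you change it in the editor, which is the behaviour you want for a baseline and the reason to keep the hashtable, not about:config, as the source of truth.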
## Thunderbird Email

Some security measures require you to install an extension, while others require changes in the settings or the config editor. The config editor can be accessed by entering about:config into the URL/search bar.

Level | Title | Description | Note |
---|---|---|---|
Advanced | Disable remote content. | Settings: Disable remote content. | NOTE: This will prevent Thunderbird from loading any content not directly attached to the email, thus preventing leaks when you read an email. |
Advanced | Disable speculative pre-connection. | Config editor: network.http.speculative-parallel-limit = "0", network.prefetch-next = "false", network.dns.disablePrefetch = "true", network.dns.disablePrefetchFromHTTPS = "true", network.predictor.enabled = "false", network.predictor.enable-prefetch = "false" | This feature will fetch links pre-emptively on link previews/mouse hover. |
Standard | Prevent native data collection. | Set the config editor properties listed below ↓ | Disable Thunderbird's built-in data collection and potential data leaking features, such as telemetry. |
- app.normandy.optoutstudies.enabled = "false"
- app.shield.optoutstudies.enabled = "false"
- extensions.getAddons.cache.enabled = "false"
- browser.send_pings = "false"
- dom.event.clipboardevents.enabled = "false"
- beacon.enabled = "false"
- app.normandy.enabled = "false"
- browser.ping-centre.telemetry = "false"
- toolkit.telemetry.bhrPing.enabled = "false"
- toolkit.telemetry.firstShutdownPing.enabled = "false"
- toolkit.telemetry.healthping.enabled = "false"
- toolkit.telemetry.newProfilePing.enabled = "false"
- toolkit.telemetry.shutdownPingSender.enabled = "false"
- toolkit.telemetry.updatePing.enabled = "false"
- toolkit.telemetry.archive.enabled = "false"
- toolkit.telemetry.enabled = "false"
- toolkit.telemetry.rejected = "true"
- toolkit.telemetry.unified = "false"
- toolkit.telemetry.unifiedIsOptIn = "false"
- toolkit.telemetry.prompted = "2"
- datareporting.healthreport.uploadEnabled = "false"
- browser.crashReports.unsubmittedCheck.autoSubmit2 = "false"
- browser.crashReports.unsubmittedCheck.autoSubmit = "false"
- browser.crashReports.unsubmittedCheck.enabled = "false"
- browser.tabs.crashReporting.includeURL = "false"
- browser.tabs.crashReporting.sendReport = "false"
- dom.ipc.plugins.flash.subprocess.crashreporter.enabled = "false"
- dom.ipc.tabs.createKillHardCrashReports = "false"