Firefox is widely considered to be a very secure browser, however their default settings focus primarily on security with some basic privacy protection.

As you have probably noticed there is often a tradeoff between privacy and usability where if one improves the other suffers to some extend, so it's a matter of making the right choices. I think overall they strike a nice balance between protecting the user while keeping it's user experience friendly by default.

Luckily for the more privacy conscious user Firefox also comes equipped with a lot of further reaching privacy protection which when configured correctly can pack quite a punch.

"I think overall they strike a nice balance between protecting the user while keeping it's user experience friendly by default."

Tracking protection

One thing I would recommend you do is to set some of the tracking protection to a more strict level. Personally I use the following settings:

This "might" break some websites but in my experience this is strictly limited to some iFramed content which is already inheritely a potential security and privacy issue to begin with, so it might as well be considered as "fixing" a broken site.

These settings can also be easily disabled on a per-website basis by clicking the shield icon in the top-left of your URL bar as shown below.

Do not Track

Set the Do Not Track preference to Always. This one is a bit of a paper-tiger since you are declaring the preference to websites to not track you. Unlike the settings we set above this won't enforce anything from the browser's side and instead relies on the websites in question to either respect or ignore this. Enabling this is always a good thing to do as it won't hurt.

Cookies and Site Data

This is another classic tradeoff in user friendliness and privacy. The most privacy concious setting would be to have all your cookies and site data removed upon closing the browser.

Personally I think this also depends on how you plan to use this browser instance. If you intend to use this browser as your main daily driver I would leave this option unchecked since it will otherwise impact your experience quite a bit.

However if this would be your secondary 'super secure' browser by all means check this as it greatly improves your privacy.

Logins and Passwords

I mostly disable this for the reason I already have a peer-reviewed and platform independant password manager to handle my secrets. Personally I see little use to limit my password store to a browser but by all means if currently you relied on a single password for everything or even worse.. a notebook with all your passwords written down, enable this feature. When it comes to managing passwords having some strategy is better than no strategy.

As far as Autofill is concerned I woud definitely leave this off

History

This section is again a bit dependant on wether or not this will be your main go-to browser for everyday use or a 'burner' secondary browser as it impacts your user-experience quite significantly. Personally I have checked the features below as an acceptable tradeoff between hardening and ease of use.

Usage data / Telemetry

This is a bit of tough one for me because I won't actively advise you to disable this since it brings a ton of value to the developers and community at Mozilla. It is being annoymized but of course this all boils down to personal preference. Personally I have it disabled but am aware of the value it might bring and encourage you to at least be considerate of this when choosing.

Deceptive content protection

This is another interesting one that has two sides to the coin. From a security standpoint this is an amazing feature but we're hardening for privacy right now so we should have a look at what this does.

Mozilla explains this in great detail in their own documentation on the feature but the quick rundown is that when enabled this feature pulls a list of reported phishing, unwanted software and malware sites every 30 minutes. It then compares the requested URL to the ones listed in this list and can handle the incident accordinlgy by either blocking the download of malicious files or sending some of it's metadata to the Google Safe Browsing Service for further inspection.

"This feature relies to some extend on external services and sends certain metadata to third-parties."

You probably spotted the issue already, this feature relies to some extend on external services and sends certain (useful) metadata to third-parties. This could be a deliberate tradeoff to ensure a more safe browsing experience but for privacy reasons we'll leave this off for now.

Default search-engines

For me this is an easy one, I just love DuckDuckGo for it's no-nonsense and privacy aware search experience. To go into great detail about DuckDuckGo would warrant a seperate article which I might just do in the near future. I can highly recommend giving this Duck a chance.

Disabling WebRTC

One of the relatively new and awesome features modern browsers now ship with is called WebRTC. This is essentially a set of API's that allows browsers and apps to communicate in real-time through a Peer to Peer (P2P) protocol.

"your actual IP address can be leaked to other peers in the connection."

By no means is this a bad feature but it does come with a nasty drawback where even if you use a VPN your actual IP address can be leaked to other peers in the connection. So if you value this part of your personal details (you probably do since otherwise you wouldn't be using a VPN) you should disable this feature.

To disable WebRTC navigate to about:config and look for the key media.peerconnection.enabled and set it to false by double-clicking the row.

Thrid-party protection Add-ons

Below is a list of strong recommendations for you to further harden your browser against both security and privacy violations.

The wrap-up

If you've followed this guide and went along with most of the recommendations you should be well on your way to be more secure and private on the web. When combined with a VPN and other basic digital hygiene you are now less likely to fall victim to phishing or other exploits.

Remember you should always continue to keep an eye out for scams as we (the human) are still the weakes link in most of these scenarios.

Bonus tips:

When making that tradeoff between user friendliness and privacy you aren't neccesarily bound to the configuration of one browser for every task.

A common pattern withing the security community is to practice 'Compartmentalization' where you use one browser or entire environment for certain (more sensitive) tasks and another for your regular casual browsing. This can stretch to as many browsers or environments as you need to keep a nice separation.

The nice thing about doing this is that you can have your very very stricly configured browser for all sensitive browsing but have a looser approach towards your primary casual browser and making it a bit less hard to work with.

Two browser I would suggest for compartmentalization are Tor Browser and Brave. These have different threat-models by design but tie in nicely into the natural separtion of privacy levels.