Privacy by Default?
I really like the Zen Browser. It's the first Firefox fork in a long time that actually feels modern without being bloated or meh like LibreWolf. The tiling... the vertical tabs... the shortcuts... And the performance is so snappy. Where Zen shines: if you search for some specific settings in about:config, you might notice that some of them have a little lock icon next to them. This means the Zen developers have locked these settings to false. They've essentially welded the door shut so telemetry can't be turned back on. However, being based on Firefox means it still inherits some of Mozilla's questionable defaults. Here is how I clean it up.
The Easy Settings
Before diving into everything else, go to the standard settings page. Under Privacy & Security, set Enhanced Tracking Protection to 'Strict'. This is the most basic thing you can do.
Then scroll down and do the rest of the obvious things, such as enabling DNS over HTTPS. Zen is better than vanilla Firefox about this, but it's good to make sure the doors are locked.
Deep Dive Into about:config
Type about:config in your URL bar. You’ll get a warning. Click 'Accept the Risk and
Continue'.
Search for these specifically. Some might be set already, but double-checking is free.
privacy.resistFingerprinting -> true
This is the core of Firefox hardening. It forces your browser to report a generic version, generic time zone, and generic hardware specs. Note: This will force your browser into Light Mode on some sites to prevent them from knowing your OS theme.

privacy.resistFingerprinting.letterboxing -> true
If you don't see this in the list, you'll need to add it. Select Boolean, click the + button, and set it to true. Have you used the Tor Browser before? This is what adds the gray bars (letterboxing) around your window. It prevents websites from knowing your exact monitor resolution or window size. It looks weird for five minutes, then you stop noticing.

privacy.resistFingerprinting.block_mozAddonManager -> true
Prevents websites from seeing what extensions you have installed. There's no reason for a random site to know you're running uBlock.

privacy.firstparty.isolate -> true
This keeps cookies and data "siloed" to the site you're actually visiting. It stops a site like Facebook from seeing you're also looking at cat pictures on another tab.

network.http.referer.XOriginPolicy -> 2
Only send the "Referer" header when the hostname matches. This stops your browser from telling site-b.com exactly which page on site-a.com you just came from.

webgl.disabled -> true
WebGL is a massive fingerprinting vector. Unless you're playing 3D games in your browser (why?), just kill it.

dom.event.clipboardevents.enabled -> false
Stops websites from knowing when you copy, cut, or paste something from their pages. Useful for those annoying sites that try to block you from pasting passwords or copying text. But be aware it may break complex clipboard tasks like pasting screenshots in web apps like Google Docs (which I hope you aren't using), Discord, or photo editors like Photopea.

media.navigator.enabled -> false
Stops websites from querying the names of your microphone and webcam hardware.

browser.cache.disk.enable -> false
Forces the browser to only use RAM for caching. This ensures that when you close the browser, no trace of your session remains on the physical drive.

privacy.partition.service_workers -> true
If this isn't in your list, add it as a Boolean. Click the + button, and set it to true. Service workers are background scripts used for push notifications and offline features. This partitions them so a script from site-a.com can't be used to identify you when you visit site-b.com.

browser.search.serpEventTelemetryCategorization.enabled -> false
Stops the browser from analyzing how you interact with search results. Your search habits should stay between you and the search engine (or better yet, just you).

nimbus.telemetry.targetingContextEnabled -> false
Stops the browser from snooping on how you click through search engine results.

browser.urlbar.suggest.searches -> false
services.sync.prefs.sync.browser.urlbar.suggest.searches -> false
Stops the browser from blabbing every keystroke to your search engine before you even hit enter. If I wanted to share my typos and half-baked thoughts with a server, I'd post them on social media.

network.captive-portal-service.enabled -> false
Stops the browser from constantly pinging Mozilla just to see if you're trapped behind a hotel or airport login page.

beacon.enabled -> false
This stops websites from sending pings to their servers the second you close a tab or leave a page. It's the digital equivalent of a stalker watching you walk away from a conversation just to see where you go next.

browser.safebrowsing.malware.enabled -> false
services.sync.prefs.sync.browser.safebrowsing.malware.enabled -> false
This stops the browser from constantly pinging Google's servers to check "malicious" URLs. If you aren't clicking on free-ram-download.exe, you don't need this.

network.prefetch-next -> false
Stops the browser from pre-loading links it thinks you might click. This prevents your IP from hitting servers you never actually intended to visit.

network.dns.disablePrefetch -> true
Same as above, but for DNS lookups.

media.eme.enabled -> false
services.sync.prefs.sync.media.eme.enabled -> false
This disables Digital Rights Management (DRM). Turning this off means Netflix or Spotify Web won't work, but it keeps proprietary blobs out of your browser. Why would you care about using services like those anyways?

network.IDN_show_punycode -> true
This prevents "homograph" attacks where a malicious site uses look-alike characters (like a Cyrillic 'а' instead of a Latin 'a') to trick you into thinking you're on a real site. It makes the URL look ugly, but I'd rather see the truth than a pretty lie.
Preventing IP Leaks
WebRTC is great for video calls, but it's notorious for leaking your real IP address even if you're using a VPN. If you don't use your browser for Discord calls or something, disable this:
media.peerconnection.enabled-> false
If you absolutely need WebRTC but want to stay safe, toggle
media.peerconnection.ice.default_address_only to true instead.
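To check a profile against the list above without clicking through about:config entry by entry, here is an added Python example (mine, not the Zen project's) that parses a prefs.js or user.js and reports every setting from the Deep Dive and WebRTC sections that is missing or set differently. The sample prefs.js text is constructed, and the services.sync.prefs.sync.* toggles are left out of the table.

```python
import re

# Target values from this guide (a constructed table of the about:config entries listed above).
WANT_TRUE = ("privacy.resistFingerprinting", "privacy.resistFingerprinting.letterboxing",
             "privacy.resistFingerprinting.block_mozAddonManager", "privacy.firstparty.isolate",
             "webgl.disabled", "privacy.partition.service_workers", "network.dns.disablePrefetch",
             "network.IDN_show_punycode")
WANT_FALSE = ("dom.event.clipboardevents.enabled", "media.navigator.enabled", "browser.cache.disk.enable",
              "browser.search.serpEventTelemetryCategorization.enabled", "beacon.enabled",
              "nimbus.telemetry.targetingContextEnabled", "browser.urlbar.suggest.searches",
              "network.captive-portal-service.enabled", "browser.safebrowsing.malware.enabled",
              "network.prefetch-next", "media.eme.enabled", "media.peerconnection.enabled")
EXPECTED = {**dict.fromkeys(WANT_TRUE, True), **dict.fromkeys(WANT_FALSE, False),
            "network.http.referer.XOriginPolicy": 2}

# One user_pref("name", value); statement per line, the form Firefox writes to prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js / user.js text into {name: value} with bool, int or str values."""
    prefs = {}
    for line in text.splitlines():
        if m := PREF_RE.match(line):
            name, raw = m.groups()
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            elif raw.startswith('"'):
                prefs[name] = raw.strip('"')
            else:
                prefs[name] = int(raw)
    return prefs


def audit(text):
    """List every guide setting that is absent, or present with a different value or type."""
    have = parse_prefs(text)
    findings = []
    for name, want in sorted(EXPECTED.items()):
        if name not in have:
            findings.append(f"MISSING {name} (want {want})")
        elif have[name] != want or type(have[name]) is not type(want):
            findings.append(f"WRONG   {name} = {have[name]} (want {want})")
    return findings


# Constructed sample of a profile's prefs.js; not a dump of any real profile.
SAMPLE_PREFS_JS = """\
user_pref("privacy.resistFingerprinting", true);
user_pref("network.http.referer.XOriginPolicy", 0);
user_pref("media.peerconnection.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
"""
```

Point audit() at the text of your profile's prefs.js (or the user.js you maintain) and an empty result means every setting in this guide is in place.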
Extension Minimalism
One of the biggest mistakes people make when "hardening" a browser is installing twenty different privacy
extensions. This actually makes you more unique because your specific combination of
extensions creates a unique fingerprint. If you've actually been learning along with this guide, you'll
know we enabled privacy.resistFingerprinting.block_mozAddonManager, which blocks the most
direct way a website can "poll" your browser to see exactly what is installed. However, there is a
concept called Extension Fingerprinting via Behavior. Even if a site can't see the list
of your extensions, it can see what they do to the page.
uBlock Origin: This is non-negotiable. It's not just for ads; the rest of what this extension can do is so overlooked. It treats trackers, malware-distributing domains, and "pop-under" scripts with the same hostility. You can also disable JavaScript (Satan) globally or for individual sites, and unlike other blockers, it's highly optimized. It can also automatically clean up those ugly tracking strings at the end of URLs. AND, it's open source. Get it, go over to the settings dashboard, enable "I am an advanced user", and start configuring it. Because you definitely are an advanced user.
Note about user.js templates
I hope some Arkenfox chud has not thought to themselves that this is stupid and people should just use Arkenfox. Arkenfox is bound to break websites beyond usability and can actually interfere with Zen's unique interface and features. And because of that, using Arkenfox may actually make you more unique, not less. Zen already integrates Betterfox into the engine.
After all of this, some sites will break. Bank portals and "modern" corporate sites hate when they can't fingerprint you. When that happens, don't lower your security. Find a better way to access the service, or don't use it at all.
Close the tab, restart the browser, and you're good to go.