- about:config
- dom.event.clipboardevents.enabled => false
- clipboard.plainTextOnly => true
- referer spoofSource => true
- media.peerconnection
- enabled => false
- identity => false
- video => false
- use document iceservers => false
- eme (DRM)
- disable media.eme, browser.eme
- disable chromium-api
- media.navigator.enabled => false (RTC)
- screensharing
- allowed domains => ""
- enabled => false
- camera.control.face detection.enabled => false
- dom.event.contextmenu.enabled => false
- dom.disable_window features
- all true (disable them)
- dom.gamepad.enabled => false
- dom.battery.enabled => false
- dom.enable user timing => false
- dom.enable resource timing => false
- disable dom.vr, dom.vibrator
- beacon.enabled => false (notifies a website when you navigate away)
- disable newtabpage (*)
- reader
- parse on load => false
- send pings require same host => true
- browser.urlbar.trimURLs => false
- ssl/tls
- tls.version.min => 2
- disable all sha1 (search for "sha")
- disable false start
- disable all rc4, md5 (if any)
- sha1 enforcement to 1 (Mozilla)
- treat unsafe negotiation as broken
- require safe negotiation
- security.cert pinning.enforcement level => 2
- geo
- enabled => false
- wifi.uri => "http://localhost"
- browser.search.geoip.url => ""
- javascript.options.strict => true
- slowStartup (*)
- maxSamples => 0
- notificationDisabled => true
- network.allow experiments => false
- extensions.pocket
- enabled => false
- api, site => ""
- Addons
- uBlock Origin
- HTTPS Everywhere
- Privacy Badger
- Settings
- open with blank page
- DuckDuckGo search
- Always Ask to open media
Note that settings denoted * are my preference and don't necessarily relate to security or privacy.