The Arkenfox user.js project (formerly known as ghacks-user.js) is a community-maintained set of Firefox configuration overrides designed to harden the browser against tracking, fingerprinting, and various other privacy attacks. The project has been maintained for years, has a clear philosophy, and produces a Firefox install that is meaningfully more private than the default.
The friction with Arkenfox is that the configuration is documented in dense detail aimed at users who already understand what each Firefox preference does. The README runs to several thousand lines. The wiki adds more. For a user who wants better privacy without becoming a Firefox internals expert, the project is intimidating.
This guide walks through a practical Arkenfox setup that gets most of the privacy benefit without requiring you to read the full documentation. By the end you will have a Firefox install that resists fingerprinting, blocks trackers, clears state aggressively, and remains usable for daily browsing.
What Arkenfox is and is not
Arkenfox is a user.js file. user.js is Firefox’s mechanism for overriding default preferences at startup. When Firefox launches, it reads user.js and applies the preferences listed there. The Arkenfox project maintains a curated user.js with hundreds of preference overrides, each chosen and explained for a privacy purpose.
Arkenfox is not a Firefox fork. You install Firefox from Mozilla like usual, then drop the user.js file into your profile directory. You can revert to defaults by deleting the file.
Arkenfox is not a privacy magic wand. It hardens Firefox’s behavior in specific, documented ways. It does not make you invisible to ISPs (use a VPN for that), to your DNS provider (use encrypted DNS), or to anyone running active surveillance against you. It does make passive web tracking significantly harder.
Arkenfox is opinionated. The defaults assume you want privacy first and are willing to accept some breakage as a result. Some sites will behave oddly. Some convenience features will be disabled. The project explicitly tells you which preferences will cause which issues, so you can selectively re-enable them.
What you need before starting
Firefox installed on any platform. The current ESR or release version both work; Arkenfox tracks both.
About 30 minutes for the initial setup, plus time over the following days to tune individual preferences as you discover specific things that broke.
A willingness to read short explanations of preferences. The Arkenfox project’s commenting style is clear and concise; you do not need to understand every preference, but you should understand the categories.
Step 1, locate your Firefox profile directory
Open Firefox. Type about:profiles in the URL bar. Find the profile that is currently in use (it has a “default” or “default-release” label). Note the Root Directory path.
The path is roughly:
- Windows: C:\Users\YourName\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default-release
- macOS: /Users/YourName/Library/Application Support/Firefox/Profiles/xxxxxxxx.default-release
- Linux: /home/yourname/.mozilla/firefox/xxxxxxxx.default-release
Open this directory in your file manager.
Step 2, download the Arkenfox user.js
Visit GitHub - arkenfox/user.js: Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening · GitHub. Click on user.js in the file list, then click the “Raw” button to view the raw file. Save it to your profile directory (right-click, Save As, name it user.js exactly).
The current file is roughly 2400 lines, mostly comments explaining each preference. The actual preference declarations are spread throughout.
While you are on the GitHub page, also download:
- updater.sh (Linux/macOS) or updater.bat (Windows) for future updates
- prefsCleaner.sh / prefsCleaner.bat for removing obsolete preferences
Put these in your profile directory too.
Step 3, the override file
Arkenfox is designed to be modified through a separate file called user-overrides.js, which contains your personal customizations. This file is preserved when you update user.js to a newer version.
Create user-overrides.js in your profile directory. Add the customizations from the next step into this file.
Step 4, the practical override list
The default Arkenfox configuration is too aggressive for most users in a few specific ways. The following overrides re-enable convenience features that most people will want, while keeping the bulk of the privacy benefits.
Add these to user-overrides.js:
// Allow autofill (default Arkenfox disables form autofill)
user_pref("signon.autofillForms", true);
// Allow saved logins (default Arkenfox disables this)
user_pref("signon.rememberSignons", true);
// Allow Firefox Sync (you may want this if you sync between devices)
// Comment out if you do not use Firefox Sync
user_pref("identity.fxaccounts.enabled", true);
// Allow some level of session restore (default disables)
user_pref("browser.sessionstore.privacy_level", 1);
// Allow third-party cookies for sites you specifically allow
// (Default Arkenfox uses strict cookie partitioning; this is fine, leave it)
// Allow cache (default Arkenfox disables disk cache for some scenarios)
// Caching makes a noticeable speed difference; trade-off is disk-resident data
user_pref("browser.cache.disk.enable", true);
// Allow automatic search engine updates
user_pref("browser.search.update", true);
// Allow Picture-in-Picture mode (default disables)
user_pref("media.videocontrols.picture-in-picture.video-toggle.enabled", true);
// Allow geolocation prompts on a per-site basis
// Default disables entirely; per-site is more usable
user_pref("permissions.default.geo", 0);
// Allow notifications prompts on a per-site basis
user_pref("permissions.default.desktop-notification", 0);
// Allow camera/mic prompts on a per-site basis
user_pref("permissions.default.camera", 0);
user_pref("permissions.default.microphone", 0);
// Enable letterboxing only when needed (manual)
// Letterboxing prevents window-size fingerprinting but adds black bars
// If you find the bars annoying, set to false; you give up some fingerprint protection
user_pref("privacy.resistFingerprinting.letterboxing", true);
These overrides bring Firefox back to a usable daily-driver state while keeping the Arkenfox tracker-blocking, JavaScript-restriction, and fingerprinting-resistance defaults active.
Step 5, restart Firefox
Close Firefox completely. Reopen.
Firefox reads user.js and user-overrides.js at startup, applies the preferences. If you make changes later, you need to restart for them to take effect.
Step 6, install supporting add-ons
Arkenfox does most of its work through preference overrides, but a few add-ons complement it well.
uBlock Origin (essential). The best content blocker for Firefox. Install from Mozilla Addons. Default settings are fine; some users prefer to add additional blocklists in the dashboard.
Multi-Account Containers (optional but useful). Compartmentalizes cookies and session state per container. Useful for keeping work and personal accounts separated, or for isolating tracker-heavy sites.
LocalCDN or Decentraleyes (optional). Serves common JavaScript libraries (jQuery, Bootstrap, etc.) from local files instead of CDN URLs, blocking a tracking vector. Decentraleyes has been less actively maintained recently; LocalCDN is a fork that is more current.
Skip the long-tail privacy add-ons. Stacking many add-ons creates fingerprinting risks of its own (you become uniquely identifiable by your add-on combination). The four above are enough.
Step 7, deal with the inevitable broken sites
Some sites will not work correctly with Arkenfox defaults. The most common breakages:
Sites that require third-party cookies for SSO (single sign-on). The fix: allow third-party cookies for the specific site, in Firefox’s per-site settings.
Sites that fingerprint heavily for fraud detection (banks, some payment processors, ticketing sites). The fix: temporarily disable resistFingerprinting for the site by toggling privacy.resistFingerprinting in about:config, or use a separate browser profile that has Arkenfox disabled.
Sites that depend on WebRTC for legitimate purposes (Google Meet, Zoom web client, some collaborative apps). The fix: allow WebRTC for those sites in your privacy settings, or use the desktop apps for those services instead.
Sites that depend on fonts being measurable for layout (rare, but happens). The fix: set browser.display.use_document_fonts to 1.
Most breakages have a documented fix in the Arkenfox wiki. Search the wiki for the specific issue when you encounter it.
Step 8, ongoing maintenance
Arkenfox releases updates periodically as Firefox changes and as the project’s recommendations evolve. Run the updater script (updater.sh or updater.bat) every few months to pull the latest user.js. Your user-overrides.js is preserved.
After major Firefox updates, occasionally a previously-relevant preference becomes obsolete. Run prefsCleaner.sh / prefsCleaner.bat to remove preferences that no longer apply.
Re-test your customizations every few months. Arkenfox occasionally changes the defaults for individual preferences as the project’s thinking evolves. You may want to drop overrides that are no longer needed, or add new ones as new defaults conflict with your usage.
What this setup achieves
Tracker blocking via the combination of Firefox’s built-in Enhanced Tracking Protection (set to Strict by Arkenfox), uBlock Origin, and aggressive cookie partitioning.
Fingerprinting resistance via the resistFingerprinting suite of preferences. This makes your Firefox install harder to uniquely identify across sites.
Reduced telemetry. Arkenfox disables most of Mozilla’s telemetry collection. The amount of data Firefox sends back to Mozilla is significantly reduced.
Aggressive state clearing. Many caches and storage mechanisms are cleared at session end by default.
Disabled risky features. WebRTC IP leakage, geolocation by default, various legacy features that have privacy implications are disabled.
What this setup does not achieve
It does not hide your IP address. Use a VPN for that.
It does not encrypt your DNS queries. Configure encrypted DNS separately (the browser DoH option is sufficient).
It does not protect against logged-in account tracking. If you are signed into Google in Firefox, Google still knows it is you.
It does not protect against active malware or phishing. Use sensible browsing habits.
It does not make you anonymous. The closest free option for anonymity is the Tor Browser, not Arkenfox-Firefox.
When this is too much work
If maintaining a custom Firefox configuration sounds like more work than you want to do: install Mullvad Browser instead. It does most of what Arkenfox does, out of the box, with no maintenance burden. We have written about it separately.
For users who specifically want Firefox (because of extension ecosystem, profile portability, organizational requirements), Arkenfox is the right answer. For users who just want a hardened browser, Mullvad Browser is the easier path.
Arkenfox user.js GitHub | Arkenfox wiki
Related: Mullvad Browser long-term review, I recommended Brave for years, I’m not anymore