The deployment of the Firefox Customization File(s) allows to extensively and holistically modify the behaviour of the Mozilla Firefox browser. The settings listed below are mainly centered on reinforcing privacy with a few touches on security, too. For a full list of available settings, please, for example, see a fairly comprehensive list of Firefox privacy and security settings managed by Martin Brinkmann.

This code is partially based on the advice "Browser Security Guidance: Mozilla Firefox" released by the UK government's National Technical Authority for Information Assurance (CESG), which is part of the Government Communications Headquarters (in UK).

To use this code with Mozilla Firefox, for instance:

1. Step 1: Recommended configuration

   Firefox is configured by using two configuration files (a system-wide installation):

   A system-wide installation

   Windows:

   OS	Original name	Path and file name
   Windows	prefs.js	%programfiles(x86)%\Mozilla Firefox\defaults\pref\prefs.js
   Windows	firefox.cfg	%programfiles(x86)%\Mozilla Firefox\firefox.cfg
   Windows	prefs.js	C:\Program Files (x86)\Mozilla Firefox\defaults\pref\prefs.js
   Windows	firefox.cfg	C:\Program Files (x86)\Mozilla Firefox\firefox.cfg

   Linux:

   OS	Original name	Path and file name
   Linux	prefs.js	Either this file is not required or is copied to ~/.mozilla/firefox/*.default/prefs.js
   Linux	firefox.cfg	/etc/firefox/firefox.js
   Linux (Debian)	firefox.cfg	/etc/firefox-esr/firefox-esr.js
   Linux (CentOS 6.3)	firefox.cfg	/usr/l/usr/lib64/firefox/defaults/preferencesib64/firefox/defaults/preferences/your_site.js

   OS X:

   OS	Original name	Path and file name
   OS X	prefs.js	/Applications/Firefox.app/Contents/Resources/defaults/pref/prefs.js
   OS X	firefox.cfg	/Applications/Firefox.app/Contents/Resources/firefox.cfg

   Build a lock file with computer wide settings (prefs.js) containing only two rows of actual data (in addition to the comments, listed below starting with "pref(") and a configuration file (firefox.cfg) containing all the many configuration settings in accordance with the settings listed further down below starting with "lockPref(". These files should contain the settings which the organisation wishes to configure and enforce. The files are then deployed to the EUDs in %programfiles(x86)%\Mozilla Firefox\firefox.cfg and %programfiles(x86)%\Mozilla Firefox\defaults\pref\prefs.js in Windows – for the file locations and file names in other platforms, please see the tables above. Please note, that a prefs.js file inside a Mozilla Firefox user profile directory (the path to a user profile directory is mentioned in the optional Step 2) shouldn't be altered, since that file with the same name (which resides inside a Mozilla Firefox user profile directory) is generated automatically by the program itself. The main difference between these files, which have a common name (prefs.js) is that the other resides inside the program installation folder (target) and the other is found under user profiles (not to be changed).

   prefs.js (lock file) content:

   pref('general.config.filename', 'firefox.cfg');
pref('general.config.obscure_value', 0);

2. Step 2: Optional configuration (concerning a single Firefox user profile)

   Alternatively, if a computer-wide installation is not preferred, Firefox can be configured with a single configuration file, where the installation will concern only a single Firefox user profile.

   N.B.	Please read A brief guide to Mozilla preferences
   N.B.	In this option before doing any modifications that concern an existing Firefox user profile (for instance in Windows %APPDATA%\Roaming\Mozilla\Firefox\Profiles\[a_profile_name]\), it is highly recommended to backup the whole existing Firefox user profile directory before anything is copied to or otherwise altered inside the Firefox user profile directory, since the settings listed below may alter the browser behaviour quite a bit.
   N.B.	In this option it is highly recommended to create a completely new user profile to use with the custom configuration settings.
   N.B.	Please note, that a prefs.js file inside a Mozilla Firefox user profile directory shouldn't be altered, since that file (which resides inside a Mozilla Firefox user profile directory) is generated automatically by the program itself.
   N.B.	In this option it is mandatory to follow option 3 below.

   File (user.js) location

   OS	Original name	Path and file name
   Windows	firefox.cfg	%APPDATA%\Roaming\Mozilla\Firefox\Profiles\[a_profile_name]\user.js
   Linux	firefox.cfg	~/.mozilla/firefox/[a_profile_name]/user.js
   OS X	firefox.cfg	~/Library/Application Support/Firefox/Profiles/[a_profile_name]/user.js
   Android	firefox.cfg	/data/data/org.mozilla.firefox/files/mozilla/[a_profile_name]/user.js
   Sailfish OS + Alien Dalvik	firefox.cfg	/opt/alien/data/data/org.mozilla.firefox/files/mozilla/[a_profile_name]/user.js
   Windows (portable)	firefox.cfg	[firefox_directory]\Data\[a_profile_name]\user.js

   Build a configuration file called user.js containing all the many configuration settings in accordance with the settings listed further down below starting with "lockPref(". The file should contain the settings which the organisation wishes to configure and enforce. Please notice that since lockPref() may be called only in the configuration file (firefox.cfg), and user.js can only contain pref(), user_pref() and sticky_pref() calls, it is mandatory to follow the Step 3 below before deployment. The file is then deployed to the EUDs in %APPDATA%\Roaming\Mozilla\Firefox\Profiles\[a_profile_name]\user.js in Windows – for the file locations and file names in other platforms, please see the table above. Please note, that a prefs.js file inside a Mozilla Firefox user profile directory shouldn't be altered, since that file which resides inside a Mozilla Firefox user profile directory is generated automatically by the program itself.

3. Step 3: Tweaking the settings: Setting the settings settable rather than in a locked state

   In the firefox.cfg file, if the settings are preferred to be controllable (not locked) on the about:config -page, please change every

   
   lockPref("
   
   to
   
   pref("
   
   
   Please notice that lockPref() may be called only in the configuration file (firefox.cfg), and user.js can only contain pref(), user_pref() and sticky_pref() calls.

4. Step 4: Additional notes

   For disabling the Pocket integration, please start by removing the "pocket" icon from the toolbar.

Disable telemetry and health reporting

Firefox Health Report
Telemetry (usage statistics)
Preferences

lockPref("breakpad.reportURL", "");
lockPref("browser.tabs.crashReporting.sendReport", false);
lockPref("datareporting.healthreport.documentServerURI", "");
lockPref("datareporting.healthreport.service.enabled", false);
lockPref("datareporting.healthreport.uploadEnabled", false);
lockPref("datareporting.policy.dataSubmissionEnabled", false);
lockPref("datareporting.policy.dataSubmissionEnabled.v2", false);
lockPref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
lockPref("dom.ipc.plugins.reportCrashURL", false);
lockPref("toolkit.telemetry.archive.enabled", false);
lockPref("toolkit.telemetry.cachedClientID", "");
lockPref("toolkit.telemetry.enabled", false);
lockPref("toolkit.telemetry.prompted", 2);
lockPref("toolkit.telemetry.rejected", true);
lockPref("toolkit.telemetry.server", "");
lockPref("toolkit.telemetry.unified", false);
lockPref("toolkit.telemetry.unifiedIsOptIn", true);
lockPref("toolkit.telemetry.optoutSample", false);

Disable sync

lockPref("identity.fxaccounts.auth.uri", "");
lockPref("identity.fxaccounts.remote.force_auth.uri", "");
lockPref("identity.fxaccounts.remote.signin.uri", "");
lockPref("identity.fxaccounts.remote.signup.uri", "");
lockPref("identity.fxaccounts.settings.uri", "");
lockPref("services.sync.autoconnect", false);
lockPref("services.sync.engine.addons", false);
lockPref("services.sync.engine.bookmarks", false);
lockPref("services.sync.engine.history", false);
lockPref("services.sync.engine.passwords", false);
lockPref("services.sync.engine.prefs", false);
lockPref("services.sync.engine.tabs", false);
lockPref("services.sync.serverURL", "");

Turn on Do not Track

lockPref("privacy.donottrackheader.enabled", true);
lockPref("privacy.donottrackheader.value", 1);

Disable features that have an impact on privacy

Location-Aware Browsing

lockPref("accessibility.typeaheadfind", false);
lockPref("geo.enabled", false);
lockPref("geo.wifi.logging.enabled", false);
lockPref("geo.wifi.uri", "");
lockPref("layout.spellcheckDefault", 0);

Disable certificate warning bypass

lockPref("browser.xul.error_pages.enabled", false);

Enable support for Content Security Policy

lockPref("security.csp.enable", true);

Disable Safe Browsing anti-malware

Safe Browsing communicates with a third party and leaks the browsing history and also sends metadata about the downloads made.
How does built-in Phishing and Malware Protection work?

lockPref("browser.safebrowsing.enabled", false);
lockPref("browser.safebrowsing.downloads.enabled", false);
lockPref("browser.safebrowsing.malware.enabled", false);

Turn on XSS Filter

lockPref("browser.urlbar.filter.javascript", true);

Restrict third party cookies

lockPref("network.cookie.cookieBehavior", 1);

Enable Flash as it's in a sandbox

lockPref("plugin.state.flash", 2);

Disable Java unless required

lockPref("plugin.state.java", 0);
lockPref("plugin.state.npdeployjava1", 0);

Disable webcam and microphone unless necessary

lockPref("media.navigator.enabled", false);
lockPref("media.navigator.video.enabled", false);

Disable Firefox Hello

Firefox connects to third-party (Telefonica) servers without asking for permission.
Firefox Hello - video and voice conversations online

lockPref("loop.enabled", false);

Clear personal and temporary data on shutdown

lockPref("privacy.clearOnShutdown.cache", true);
lockPref("privacy.clearOnShutdown.cookies", true);
lockPref("privacy.clearOnShutdown.downloads", true);
lockPref("privacy.clearOnShutdown.formData", true);
lockPref("privacy.clearOnShutdown.history", true);
lockPref("privacy.clearOnShutdown.offlineApps", true);
lockPref("privacy.clearOnShutdown.openWindows", false);
lockPref("privacy.clearOnShutdown.passwords", true);
lockPref("privacy.clearOnShutdown.sessions", true);
lockPref("privacy.clearOnShutdown.siteprefs", true);
lockPref("privacy.clearOnShutdown.siteSettings", true);
lockPref("privacy.cpd.cache", true);
lockPref("privacy.cpd.cookies", true);
lockPref("privacy.cpd.downloads", true);
lockPref("privacy.cpd.formdata", true);
lockPref("privacy.cpd.history", true);
lockPref("privacy.cpd.offlineApps", true);
lockPref("privacy.cpd.openWindows", false);
lockPref("privacy.cpd.passwords", true);
lockPref("privacy.cpd.sessions", true);
lockPref("privacy.cpd.siteprefs", true);
lockPref("privacy.cpd.siteSettings", true);
lockPref("privacy.sanitize.sanitizeOnShutdown", true);

Prevent the use of SPDY, Websockets and WebRTC if not supported by the web proxy

Media/WebRTC

lockPref("media.http.spdy.enabled", false);
lockPref("media.peerconnection.enabled", false);
lockPref("media.websocket.enabled", false);
lockPref("network.websocket.enabled", false);

Disable automatic form filling

lockPref("signon.autofillForms", false);
lockPref("signon.prefillForms", false);
lockPref("signon.rememberSignons", false);

Disable Pocket integration

A third-party service (proprietary) for managing a reading list of articles.
For disabling the Pocket integration, please start by removing the "pocket" icon from the toolbar.
Save web pages for later with Pocket for Firefox
Pocket-Erweiterung in Firefox 57 deaktivieren

lockPref("browser.pocket.enabled", false);
lockPref("extensions.pocket.enabled", false);

Disable Firefox's new Screenshot tool (requires at least Firefox 55)

How to enable or disable Firefox's new Screenshot tool

lockPref("extensions.screenshots.disabled", true);

Expire master password

lockPref("signon.expireMasterPassword", true);

Disable the version updated page

lockPref("browser.startup.homepage_override.mstone", "ignore");

Disable default browser check

lockPref("browser.shell.checkDefaultBrowser", false);

Set disk cache to 1MB

lockPref("browser.cache.disk.capacity", 1024);
lockPref("browser.cache.disk.smart_size.enabled", false);
lockPref("browser.cache.disk.smart_size.first_run", false);
lockPref("browser.cache.disk.smart_size.use_old_max", false);

Disable updates and notifications

lockPref("app.update.auto", false);
lockPref("app.update.autoUpdateEnabled", false);
lockPref("app.update.enabled", false);
lockPref("app.update.mode", 1);
lockPref("app.update.service.enabled", false);
lockPref("app.update.silent", true);
lockPref("update_notifications.enabled", false);

Disable unnecessary protocols

This disables older protocols that are known to be weak or entirely broken (3DES, RC4 and MD5).

lockPref("security.ssl3.rsa_rc4_128_sha", false);
lockPref("security.ssl3.rsa_rc4_128_md5", false);
lockPref("security.ssl3.rsa_des_ede3_sha", false);
lockPref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
lockPref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
lockPref("app.update.auto", false);

Disable device sensors

lockPref("device.sensors.enabled", false);
lockPref("camera.control.face_detection.enabled", false);
lockPref("camera.control.autofocus_moving_callback.enabled", false);

Disable JavaScript fingerprinting and/or data collection

lockPref("dom.event.clipboardevents.enabled", false);
lockPref("dom.battery.enabled", false);
lockPref("browser.send_pings", false);
lockPref("webgl.disabled", false);

Disable search suggestions

By default everything that is typed in the search box is sent to the search engine.
If disabled, suggestions based on local history will still work.

lockPref("browser.search.suggest.enabled", false);

Turn on tracking protection

This makes Firefox block known tracking domains by default.

lockPref("privacy.trackingprotection.enabled", true);

For more ideas, please see A comprehensive list of Firefox privacy and security settings