Skip to content
Log In

Guide to the Secure Configuration of Firefox

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disable JavaScript's Moving Or Resizing Windows Capability

    JavaScript can configure and make changes to the web browser's appearance by specifically moving and resizing browser windows. This can be disabled by setting <code>dom.disable_window_move_resize</...
    Rule Medium Severity
    Show

  • Disable Firefox network prediction

    Firefox has a feature where it predicts and caches DNS requests. This can be disabled by setting NetworkPrediction to true in the policy file.
    Rule Medium Severity
    Show

  • The Default Firefox Home Page

    The default home page for Firefox users.
    Value
    Show

  • Firefox must be configured to disable the installation of extensions.

    Addon installation may be disabled in an administrative policy by setting the InstallAddonsPermission key under policies to false.
    Rule Medium Severity
    Show

  • Firefox autoplay must be disabled.

    Audio/Video autoplay may be disabled in an administrative policy by setting the Default key under Permissions, Autoplay to "block-audio-video".
    Rule Medium Severity
    Show

  • Ensure the Content Blocker uBlock Origin is Installed

    The uBlock Origin will be installed automatically by configuring Firefox policy, and updates will be enabled. It can also be installed through the Mozilla Add-Ons store at https://addons.mozilla.or...
    Rule Medium Severity
    Show

  • Enabled Firefox Cryptomining protection

    Cryptomining protection may be enabled by setting privacy.trackingprotection.cryptomining.enabled to true.
    Rule Medium Severity
    Show

  • Disable Firefox Development Tools

    Firefox provides development tools which identify detailed information about the browser and its configuration. These details are often also recorded into a log file, giving an attacker the abili...
    Rule Low Severity
    Show

  • Disable Firefox deprecated ciphers

    Pocket may be disabled by setting TLS_RSA_WITH_3DES_EDE_CBC_SHA to true under DisabledCiphers in the policies file.
    Rule Medium Severity
    Show

  • Firefox must be configured to disable form fill assistance.

    The update check may be disabled in an administrative policy by setting the DisableFormHistory key under policies to true.
    Rule Medium Severity
    Show

  • Disable Firefox Pocket

    Pocket may be disabled by setting DisablePocket to true in the policies file.
    Rule Medium Severity
    Show

  • Disable Firefox Studies

    Pocket may be disabled by setting DisableFirefoxStudies to true in the policies file.
    Rule Medium Severity
    Show

  • Firefox must be configured to not delete data upon shutdown.

    The default certificate to present may be configured by setting multiple options under SanitizeOnShutdown key.
    • Cache = false
    Rule Medium Severity
    Show

  • Firefox must be configured so that DNS over HTTPS is disabled.

    DNS over HTTPS feature may be disabled via administrative policy by setting Enabled under DNSOverHTTPS to false.
    Rule Medium Severity
    Show

  • Enabled Firefox Enhanced Tracking Protection

    Enhanced Tracking Protection may be enabled by setting browser.contentblocking.category to strict.
    Rule Medium Severity
    Show

  • Disabled Firefox Extension Recommendations

    Extension recommendations may be disabled by setting extensions.htmlaboutaddons.recommendations.enabled to false in the policy file.
    Rule Medium Severity
    Show

  • Firefox must be configured to not automatically update installed add-ons and plugins.

    Firefox has a feature to permit installed add-ons and plugins to automatically update. The check may be disabled in an administrative policy by setting the <code>ExtensionUpdate</code> key under <c...
    Rule Medium Severity
    Show

  • Firefox feedback reporting must be disabled.

    Feedback reporting feature may be disabled via administrative policy by setting DisableFeedbackCommands under policies to true.
    Rule Medium Severity
    Show

  • Enabled Firefox Fingerprinting Protection

    Fingerprinting protection may be enabled by setting Fingerprinting to true under EnableTrackingProtection in the policies file.
    Rule Medium Severity
    Show

  • Firefox must prevent the user from quickly deleting data.

    The update check may be disabled in an administrative policy by setting the DisableForgetButton key under policies to true.
    Rule Medium Severity
    Show

  • Disable JavaScript's Raise Or Lower Windows Capability

    JavaScript can configure and make changes to the web browser's appearance by specifically raising and lowering windows. This can be disabled by setting <code>dom.disable_window_flip</code> to <code...
    Rule Medium Severity
    Show

  • Firefox must be configured to not use a password store with or without a master password.

    The update check may be disabled in an administrative policy by setting the PasswordManager key under policies to false.
    Rule Medium Severity
    Show

  • Enable Firefox Pop-up Blocker

    The pop-up blocker can be enabled by setting <code>Default</code> key under <code>PopupBlocking</code> to <code>true</code> in <code>policies.json</code>. <code>Allowed</code> may be set to a list ...
    Rule Medium Severity
    Show

  • Firefox private browsing must be disabled.

    Private browsing may be disabled in an administrative policy by setting the DisablePrivateBrowsing key under policies to true.
    Rule Medium Severity
    Show

  • Firefox search suggestions must be disabled.

    Search Suggestions may be disabled in an administrative policy by setting the SearchSuggestEnabled key under policies to false.
    Rule Medium Severity
    Show

  • Disable Installed Search Plugins Update Checking

    Firefox automatically checks for updated versions of search plugins. To disable the automatic updates of plugins, set value of <code>browser.search.update</code> to <code>false</code> via policies....
    Rule Medium Severity
    Show

  • Firefox must be configured to allow only TLS 1.2 or above.

    Firefox may be configured via administrative policy to allow TLS 1.2 at minimum by setting SSLVersionMin to tls1.2.
    Rule Medium Severity
    Show

  • Firefox accounts must be disabled.

    Firefox accounts feature may be disabled via administrative policy by setting DisableFirefoxAccounts under policies to true.
    Rule Medium Severity
    Show

  • Disable Firefox Telemetry

    Telemetry can be disabled by setting toolkit.telemetry.enabled to false.
    Rule Medium Severity
    Show

  • Firefox must not recommend extensions as the user is using the browser.

    The extension recommendation messages may be disabled in an administrative policy by setting the ExtensionRecommendations key under UserMessaging to false.
    Rule Medium Severity
    Show

  • Enable Certificate Verification

    Firefox can be configured to prompt the user to choose a certificate to present to a website when asked. To enable certificate verification, set <code>security.default_personal_cert</code> to <code...
    Rule Medium Severity
    Show

  • Disable auto-download for proscribed MIME types.

    Firefox must be configured to not automatically execute or download MIME types that are not authorized for auto-download.
    Rule Medium Severity
    Show

  • Supported Version of Firefox Installed

    If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: <pre>$ sudo yum update</pre> If the system is not configur...
    Rule High Severity
    Show

  • The DoD Root Certificate Is Required

    The Shared System Certificates store contains certificates that applications can access for a single certificate repository. If enabled, Firefox can access that single system certificate repository...
    Group
    Show

  • The DoD Root Certificate Exists

    The DoD root certificate should be installed in the Shared System Certificates store for Firefox to be able to access the DoD certificate. To install the root certificated into the Shared System Ce...
    Rule Medium Severity
    Show

  • Enable Shared System Certificates

    The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share a default source for retrieving system certificate anchors and blacklist information. Firefox has the capability of u...
    Rule Medium Severity
    Show

  • Firefox

    Firefox is an open-source web browser and developed by Mozilla. Web browsers such as Firefox are used for a number of reasons. This section provides settings for configuring Firefox policies to mee...
    Group
    Show

  • Firefox encrypted media extensions must be disabled.

    Firefox's Encrypted Media Extensions support playback of media content that is subject to Digital Right Management. These extensions may be disabled completely by setting <ul> <li> <code>Enabled</c...
    Rule Medium Severity
    Show

  • The Firefox New Tab page must not show Top Sites, Sponsored Top sites, Pocket Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets.

    Display of top sites may be disabled in an administrative policy by setting the following items under <code>FirefoxHome</code> to <code>false</code> and by setting the <code>locked</code> key to <c...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules