Guide to the Secure Configuration of Firefox
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable JavaScript's Moving Or Resizing Windows Capability
JavaScript can configure and make changes to the web browser's appearance by specifically moving and resizing browser windows. This can be disabled...Rule Medium Severity -
Disable Firefox network prediction
Firefox has a feature where it predicts and caches DNS requests. This can be disabled by setting <code>NetworkPrediction</code> to <code>true</code...Rule Medium Severity -
Firefox
Firefox is an open-source web browser and developed by Mozilla. Web browsers such as Firefox are used for a number of reasons. This section provide...Group -
The Default Firefox Home Page
The default home page for Firefox users.Value -
The Default Required Firefox File Types
The default required file types that need to request usage confirmation in Firefox.Value -
Firefox must be configured to disable the installation of extensions.
Addon installation may be disabled in an administrative policy by setting the <code>InstallAddonsPermission</code> key under <code>policies</code> ...Rule Medium Severity -
Firefox autoplay must be disabled.
Audio/Video autoplay may be disabled in an administrative policy by setting the <code>Default</code> key under <code>Permissions</code>, <code>Auto...Rule Medium Severity -
Ensure the Content Blocker uBlock Origin is Installed
The uBlock Origin will be installed automatically by configuring Firefox policy, and updates will be enabled. It can also be installed through the ...Rule Medium Severity -
Enabled Firefox Cryptomining protection
Cryptomining protection may be enabled by settingprivacy.trackingprotection.cryptomining.enabledtotrue.Rule Medium Severity -
Disable Firefox Development Tools
Firefox provides development tools which identify detailed information about the browser and its configuration. These details are often also reco...Rule Low Severity -
Disable Firefox deprecated ciphers
Pocket may be disabled by setting <code>TLS_RSA_WITH_3DES_EDE_CBC_SHA</code> to <code>true</code> under <code>DisabledCiphers</code> in the policie...Rule Medium Severity -
Firefox must be configured to disable form fill assistance.
The update check may be disabled in an administrative policy by setting the <code>DisableFormHistory</code> key under <code>policies</code> to <cod...Rule Medium Severity -
Disable Firefox Pocket
Pocket may be disabled by settingDisablePockettotruein the policies file.Rule Medium Severity -
Disable Firefox Studies
Pocket may be disabled by settingDisableFirefoxStudiestotruein the policies file.Rule Medium Severity -
Firefox must be configured to not delete data upon shutdown.
The default certificate to present may be configured by setting multiple options under <code>SanitizeOnShutdown</code> key. <ul><li> <code>Cache</c...Rule Medium Severity -
Firefox must be configured so that DNS over HTTPS is disabled.
DNS over HTTPS feature may be disabled via administrative policy by setting <code>Enabled</code> under <code>DNSOverHTTPS</code> to <code>false</co...Rule Medium Severity -
Firefox encrypted media extensions must be disabled.
Firefox's Encrypted Media Extensions support playback of media content that is subject to Digital Right Management. These extensions may be disable...Rule Medium Severity -
Enabled Firefox Enhanced Tracking Protection
Enhanced Tracking Protection may be enabled by settingbrowser.contentblocking.categorytostrict.Rule Medium Severity -
Disabled Firefox Extension Recommendations
Extension recommendations may be disabled by setting <code>extensions.htmlaboutaddons.recommendations.enabled</code> to <code>false</code> in the p...Rule Medium Severity -
Firefox must be configured to not automatically update installed add-ons and plugins.
Firefox has a feature to permit installed add-ons and plugins to automatically update. The check may be disabled in an administrative policy by set...Rule Medium Severity -
Firefox feedback reporting must be disabled.
Feedback reporting feature may be disabled via administrative policy by setting <code>DisableFeedbackCommands</code> under <code>policies</code> to...Rule Medium Severity -
Enabled Firefox Fingerprinting Protection
Fingerprinting protection may be enabled by setting <code>Fingerprinting</code> to <code>true</code> under <code>EnableTrackingProtection</code> in...Rule Medium Severity -
Firefox must prevent the user from quickly deleting data.
The update check may be disabled in an administrative policy by setting the <code>DisableForgetButton</code> key under <code>policies</code> to <co...Rule Medium Severity -
Disable JavaScript's Raise Or Lower Windows Capability
JavaScript can configure and make changes to the web browser's appearance by specifically raising and lowering windows. This can be disabled by set...Rule Medium Severity -
The Firefox New Tab page must not show Top Sites, Sponsored Top sites, Pocket Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets.
Display of top sites may be disabled in an administrative policy by setting the following items under <code>FirefoxHome</code> to <code>false</code...Rule Medium Severity -
Firefox must be configured to not use a password store with or without a master password.
The update check may be disabled in an administrative policy by setting the <code>PasswordManager</code> key under <code>policies</code> to <code>f...Rule Medium Severity -
Enable Firefox Pop-up Blocker
The pop-up blocker can be enabled by setting <code>Default</code> key under <code>PopupBlocking</code> to <code>true</code> in <code>policies.json<...Rule Medium Severity -
Firefox private browsing must be disabled.
Private browsing may be disabled in an administrative policy by setting the <code>DisablePrivateBrowsing</code> key under <code>policies</code> to ...Rule Medium Severity -
Firefox search suggestions must be disabled.
Search Suggestions may be disabled in an administrative policy by setting the <code>SearchSuggestEnabled</code> key under <code>policies</code> to ...Rule Medium Severity -
Disable Installed Search Plugins Update Checking
Firefox automatically checks for updated versions of search plugins. To disable the automatic updates of plugins, set value of <code>browser.search...Rule Medium Severity -
Firefox must be configured to allow only TLS 1.2 or above.
Firefox may be configured via administrative policy to allow TLS 1.2 at minimum by settingSSLVersionMintotls1.2.Rule Medium Severity -
Firefox accounts must be disabled.
Firefox accounts feature may be disabled via administrative policy by setting <code>DisableFirefoxAccounts</code> under <code>policies</code> to <c...Rule Medium Severity -
Disable Firefox Telemetry
Telemetry can be disabled by settingtoolkit.telemetry.enabledtofalse.Rule Medium Severity -
Firefox must not recommend extensions as the user is using the browser.
The extension recommendation messages may be disabled in an administrative policy by setting the <code>ExtensionRecommendations</code> key under <c...Rule Medium Severity -
Enable Certificate Verification
Firefox can be configured to prompt the user to choose a certificate to present to a website when asked. To enable certificate verification, set <c...Rule Medium Severity -
Disable auto-download for proscribed MIME types.
Firefox must be configured to not automatically execute or download MIME types that are not authorized for auto-download.Rule Medium Severity -
Supported Version of Firefox Installed
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: <pre>$ s...Rule High Severity -
The DoD Root Certificate Is Required
The Shared System Certificates store contains certificates that applications can access for a single certificate repository. If enabled, Firefox ca...Group -
The DoD Root Certificate Exists
The DoD root certificate should be installed in the Shared System Certificates store for Firefox to be able to access the DoD certificate. To insta...Rule Medium Severity -
Enable Shared System Certificates
The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share a default source for retrieving system certificate anchors and blac...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.