Browser Settings

Built-in configuration options to resist fingerprinting and improve privacy

How They Work

Many browsers offer built-in settings that improve privacy without needing extensions or additional software. These settings can resist fingerprinting, disable WebRTC, limit cookie access, and restrict JavaScript features. No installation needed — just change settings in about:config or browser preferences.

What They Can Protect

Timezone — forced to UTC with resistFingerprinting
Language — standardized to en-US
WebRTC — disabled to prevent IP leaks through VPNs
Cookies — third-party cookies blocked
JavaScript — can be disabled entirely
IPv6 leak — can be disabled at the browser level

Key Settings

Firefox `privacy.resistFingerprinting`

The most powerful single setting for fingerprint protection available in any browser. When enabled, Firefox automatically applies dozens of anti-fingerprinting measures at once:

Reports a generic user agent string (hides your real browser version and OS details)
Rounds screen resolution to common values (e.g. your 2560x1440 display reports as a rounded size)
Fixes timezone to UTC regardless of your actual location — whether you're in New York (EST) or Los Angeles (PST), websites see UTC+0
Standardizes installed fonts to a basic set, preventing font-based fingerprinting
Adds noise to canvas and WebGL readback, blocking two of the most effective fingerprinting techniques
Spoofs language to en-US for all users
Rounds window.devicePixelRatio to prevent display-based identification
Limits navigator.hardwareConcurrency (CPU cores) to 2

To enable: open about:config in Firefox, search for privacy.resistFingerprinting, and set it to true.

Note: This setting may cause minor usability issues — for example, websites that detect your timezone for scheduling (Google Calendar, airline booking sites) will show UTC instead of your local time. You can add per-site exceptions using privacy.resistFingerprinting.exemptedDomains in about:config.

Firefox `privacy.fingerprintingProtection`

A newer, more granular alternative to resistFingerprinting introduced in recent Firefox versions. Instead of applying all protections at once, it lets you choose which fingerprinting vectors to protect against individually.

This is useful if resistFingerprinting breaks too many websites for your use case — you can enable only the protections you need (e.g., canvas noise and font restrictions) without forcing your timezone to UTC.

To configure: set privacy.fingerprintingProtection to true in about:config, then use privacy.fingerprintingProtection.overrides to specify which protections to enable or disable.

Disable WebRTC

WebRTC (Web Real-Time Communication) is a browser technology used for video calls, voice chat, and peer-to-peer connections. The problem: it can bypass VPN tunnels and reveal your real IP address through STUN server requests — even when your VPN is working correctly.

This is one of the most common privacy leaks for VPN users in the US. Services like Google Meet, Zoom Web, Discord, and Facebook Messenger all use WebRTC.

Firefox: Set media.peerconnection.enabled to false in about:config. This completely disables WebRTC.
Chrome / Edge: Cannot fully disable WebRTC through settings alone — you need an extension like "WebRTC Leak Prevent" or "uBlock Origin" (which can block WebRTC in advanced settings).
Brave: Go to Settings > Privacy and Security > WebRTC IP Handling Policy and select "Disable non-proxied UDP". This prevents IP leaks while keeping some WebRTC functionality.
Safari: WebRTC is enabled but Apple restricts STUN requests in a way that reduces the leak risk. No manual configuration needed for most users.

Trade-off: Disabling WebRTC breaks video calls and real-time communication on websites that use it (Google Meet, Discord web, Zoom web client, etc.). If you need these services, use Brave's partial restriction instead of fully disabling it.

Third-party cookies are the primary mechanism for cross-site tracking. When you visit a website, cookies from advertising networks (Google, Meta, etc.) are loaded alongside the page, allowing those networks to follow you across millions of websites. Blocking third-party cookies is one of the most impactful privacy settings you can change.

Firefox: Settings > Privacy & Security > Enhanced Tracking Protection > select Strict. This blocks third-party cookies, tracking content, cryptominers, and fingerprinters. Firefox also offers "Total Cookie Protection" which isolates cookies per-site even when not blocked.
Chrome: Settings > Privacy and Security > Third-party cookies > select Block third-party cookies. Note that Chrome is transitioning to the "Privacy Sandbox" and "Topics API", which replaces cookies with Google's own tracking system — this is not the same as true privacy.
Brave: Blocks all third-party cookies by default. No configuration needed. Also blocks known tracking scripts and cookie consent banners.
Safari: Settings > Privacy > enable Prevent cross-site tracking (enabled by default). Safari's Intelligent Tracking Prevention (ITP) uses machine learning to identify and block tracking cookies. On iOS/iPadOS: Settings > Safari > toggle Prevent Cross-Site Tracking.
Microsoft Edge: Settings > Privacy, search, and services > Tracking prevention > select Strict. This blocks the majority of third-party trackers and cookies. The "Balanced" default mode blocks known harmful trackers but allows some advertising cookies.
Samsung Internet: Settings > Privacy and security > enable Smart Anti-Tracking. This blocks some cross-site tracking cookies. For stronger protection, also enable Block third-party cookies under Site settings > Cookies. Samsung Internet's protection is less comprehensive than Firefox or Brave.
Opera: Settings > Privacy & security > enable Block third-party cookies. Opera also offers a built-in "Tracker blocker" that can be enabled separately.

Disable JavaScript

Nearly all browser fingerprinting relies on JavaScript APIs — canvas readback, WebGL rendering, font enumeration, screen size detection, and hardware queries all require JavaScript to execute. Disabling it eliminates the vast majority of fingerprinting techniques.

However, disabling JavaScript globally breaks almost every modern website. Online banking, social media, email clients, streaming services — nearly everything Americans use daily requires JavaScript to function.

Firefox: Set javascript.enabled to false in about:config (global disable)
Chrome / Edge: Settings > Privacy and Security > Site Settings > JavaScript > select "Don't allow sites to use JavaScript"
Safari: Preferences > Security > uncheck "Enable JavaScript"

Practical approach: Instead of disabling JavaScript globally, use uBlock Origin's per-site JavaScript blocking. Click the uBlock icon, then the </> button to disable scripts on the current site only. This lets you selectively block scripts on untrusted or suspicious sites while keeping your banking, email, and everyday sites functional.

Disable IPv6

If you use a VPN that only tunnels IPv4 traffic, your device may still connect to websites directly over IPv6 — exposing your real IPv6 address and bypassing the VPN entirely. This is a common leak, especially on US home networks where ISPs like Comcast, AT&T, and Verizon have widely deployed IPv6.

Firefox: Set network.dns.disableIPv6 to true in about:config
System-level (Windows): Open PowerShell as administrator and run Set-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6 -Enabled $false
System-level (macOS): System Preferences > Network > select your connection > Advanced > TCP/IP > set "Configure IPv6" to "Link-local only"

Note: Most reputable VPN providers (Mullvad, ProtonVPN, IVPN) already handle IPv6 correctly — either tunneling it or blocking it. Check your VPN's IPv6 leak test before disabling it manually.

Change Timezone

Websites can read your timezone offset through JavaScript (new Date().getTimezoneOffset()). If you're using a VPN server in Los Angeles (PST, UTC-8) but your device reports Eastern Time (EST, UTC-5), websites can detect the mismatch and flag your connection as suspicious.

To fix this, change your OS timezone to match your VPN server location:

Windows: Settings > Time & language > Date & time > turn off "Set time zone automatically" > select the matching timezone
macOS: System Preferences > Date & Time > Time Zone > uncheck "Set time zone automatically" > select the matching timezone
Linux: timedatectl set-timezone America/Los_Angeles

Simpler alternative: Enable privacy.resistFingerprinting in Firefox, which forces the timezone to UTC for all sites, eliminating the mismatch problem entirely.

Change Browser Language

Your browser's language setting is sent to every website through the Accept-Language HTTP header and is accessible via navigator.language. For US users, en-US is the most common value and provides the best anonymity. If your browser is set to a less common language (e.g., cs-CZ, ko-KR, or vi-VN), you become significantly easier to identify — even with other protections in place.

Firefox: Settings > General > Language > Set Alternatives > move English (United States) [en-US] to the top
Chrome: Settings > Languages > move English (United States) to the top of the list
Edge: Settings > Languages > move English (United States) to the top
Safari: Uses the macOS system language — set it in System Preferences > Language & Region > Preferred Languages

HTTPS-Only Mode

HTTPS encrypts the connection between your browser and the website, preventing your ISP, network administrators, and attackers from reading or modifying the data in transit. Enabling HTTPS-Only mode forces your browser to always use encrypted connections and warns you when a site only supports unencrypted HTTP.

Firefox: Settings > Privacy & Security > scroll to "HTTPS-Only Mode" > select "Enable HTTPS-Only Mode in all windows"
Chrome: Settings > Privacy and Security > Security > enable "Always use secure connections"
Edge: Navigate to edge://flags and enable "Automatic HTTPS"
Brave: Automatically upgrades connections to HTTPS by default. No configuration needed.
Safari: Automatically upgrades to HTTPS when available starting in recent versions. No manual toggle needed.

Tip: Start with privacy.resistFingerprinting in Firefox — it's the single most effective setting and handles many fingerprint vectors at once. If it breaks too many sites, try the newer privacy.fingerprintingProtection for granular control. Add cookie blocking, HTTPS-only mode, and WebRTC restrictions based on your specific needs.

Browser Compatibility Matrix

Not every setting is available in every browser. This matrix shows native support, workaround-only options, and settings that are simply not available.

Firefox stands out with the most comprehensive native privacy settings. Chrome and Edge lack built-in fingerprint resistance entirely, while Brave includes strong defaults out of the box. Timezone changes require OS-level adjustment in all browsers, and Safari's language setting is controlled through macOS system preferences.

Privacy vs. Usability Trade-off

Every privacy setting comes with a trade-off. Some are invisible to your daily browsing, while others will break websites you rely on. This scale shows where each setting falls.

Settings on the left side of the scale are safe to enable for everyone — they improve privacy with zero impact on daily browsing. As you move right, the privacy gains increase, but so does the likelihood of breaking websites you depend on. Most users should enable everything up to "Cookie Policies" and stop there unless they have specific privacy needs.

Quick Start Guide

Follow these four steps in order, starting with the easiest changes that provide the most benefit. You can stop at any step — each one adds meaningful protection on its own.

Each step builds on the previous one. Steps 1 and 2 are recommended for all users on any browser. Steps 3 and 4 are for Firefox users who want stronger protection and are willing to deal with occasional website issues.