Despite its recent spate of security vulnerabilities, the Mozilla-based
Firefox browser appears to be as popular as ever. While the browser’s growth
has somewhat slowed, Firefox continues to gain on Microsoft’s Internet
Explorer.

Firefox’s default installation is actually pretty secure. However,
the number of Firefox users continues to increase, and such popularity often
spells more attention from attackers. With so many people using Firefox, it’s a
good idea to add a standard layer of security to better protect your organization’s
users.

Let’s walk through Firefox’s Options window (which you can
access by going to Tools | Options) and look at some tweaks you can make to
boost the security of the browser. Keep in mind that all of these suggested
settings assume that the user login is for a single user and not shared among
multiple users.

The Options window has five sections: General, Privacy, Web
Features, Downloads, and Advanced. Because the General section focuses more on
the browser’s look and feel, we’ll skip this one.

Privacy

  • History: This setting is self-explanatory.
    All you need to do is set it to a reasonable number of days. The default
    is nine days.
  • Saved Form Information: This is a handy
    feature for all single-user profiles; it lets the browser remember what
    you’ve typed in the past and automatically make suggestions. It’s safe to enable
    the feature.
  • Saved Passwords: This setting is more
    of a gray area. You tell users to remember passwords—should you allow
    their browsers to remember passwords as well? I recommend allowing this
    feature and setting the master password for workstations that don’t leave
    your company area. If the system is a laptop, deselect the Remember
    Passwords option. That way, if someone steals the machine and accesses the
    account, the thief won’t have access to every saved password a user has stored.
  • Download Manager History: There’s
    no need to keep track of all of your downloads, so I suggest setting it to
    Remove Files From The Download Manager When Firefox Exits.
  • Cookies: This is a hotly debated
    subject. I recommend selecting Allow Sites To Set Cookies and choosing For
    The Originating Web Site Only. In addition, select the Until I Close
    Firefox option for how long the browser should store the cookies. With
    this last option, cookies only help you browse while you’re using the
    machine, but they don’t provide endless browsing habit information to
    cookie vendors.
  • Cache: For this setting, decide on
    a reasonable amount of disk space.

Web Features

  • Block Popup Windows: I suggest
    selecting this check box—it’s a feature every browser should have.
  • Allow Web Sites To Install Software:
    Go ahead and select this check box. When you allow a site to install
    software, Firefox will add it to the Allowed Sites list.
  • Load Images: Select both this check
    box and the For The Originating Web Site Only check box. You can always go
    back and specifically allow or block individual sites.
  • Enable Java: Select this check box.
  • Enable JavaScript: Select this
    check box; clicking the Advanced button opens the Advanced JavaScript
    Options window.

Downloads

  • Download Folder: I suggest
    creating a Downloads folder for storing all of your downloads. This makes
    it easier to scan your downloads once you’re finished.
  • Download Manager: I recommend
    selecting both check boxes: Show Download Manager Window When A Download
    Begins and Close The Download Manager When All Downloads Are Complete.
  • File Types: I wouldn’t allow any
    Microsoft product to perform any action automatically—that’s likely one of
    the reasons you’re using the Firefox browser.

Advanced

  • Accessibility, Browsing, and Tabbed Browsing:
    All three areas are functional and involve no security issues.
  • Software Update: Select the
    Firefox check box, which allows the browser to update itself. I recommend
    leaving the My Extensions And Themes check box unselected, so that
    extensions and themes are not updated this way.
  • Security: To provide maximum cross-site
    functionality, I suggest selecting all three check boxes: Use SSL 2.0, Use
    SSL 3.0, and Use TLS 1.0.
  • Certificates: Under Client
    Certificate Selection, select the Ask Every Time check box, which focuses
    user attention on the start of a secure session.
  • Validation: Under OCSP (Online
    Certificate Status Protocol), select the Use OCSP To Validate Only Certificates
    That Specify An OCSP Service URL option.
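
To check that a deployed profile actually carries these choices, the added example below (not part of the original article) parses a Firefox prefs.js or user.js file and reports every setting that differs from the Privacy, Block Popup Windows, Certificates, and Validation recommendations above. The preference names are assumed about:config equivalents of the dialog labels, which the article does not give, and a preference missing from the file is reported as found `None`.

```python
import re

# Assumed about:config names for the dialog options above (not given in the article).
BASELINE = {
    "browser.formfill.enable": True,             # Saved Form Information enabled
    "browser.download.manager.retention": 1,     # remove entries when Firefox exits
    "network.cookie.cookieBehavior": 1,          # For The Originating Web Site Only
    "network.cookie.lifetimePolicy": 2,          # Until I Close Firefox
    "dom.disable_open_during_load": True,        # Block Popup Windows
    "security.default_personal_cert": "Ask Every Time",
    "security.OCSP.enabled": 1,                  # only certs that specify an OCSP URL
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, laptop=False):
    """List (pref, expected, found) for each setting that differs from the baseline."""
    expected = dict(BASELINE)
    # Saved Passwords: allowed on workstations that stay on site, off on laptops.
    expected["signon.rememberSignons"] = not laptop
    found = parse_prefs(text)
    return [(k, v, found.get(k)) for k, v in sorted(expected.items()) if found.get(k) != v]

# Constructed sample, not taken from a real profile.
SAMPLE = '''
# Mozilla User Preferences
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("dom.disable_open_during_load", true);
user_pref("signon.rememberSignons", true);
user_pref("security.default_personal_cert", "Ask Every Time");
'''
```

Calling `audit(SAMPLE, laptop=True)` flags the third-party cookie setting and the saved-password setting along with the three preferences the sample never sets.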

Final thoughts

After running through all of these various Firefox settings,
you might be wondering how to deal with security zones, browser helper objects
(BHOs), and ActiveX. Don’t worry: These are Microsoft inventions that support Microsoft
products. As long as you use Firefox, they won’t bother you anymore.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.