Guide: Hardened Tor Browser, Advanced OPSEC for Maximum Anonymity : OpSec | Torhoo darknet markets
If you’re reading this, you already know that staying anonymous online isn’t about just following a checklist or relying on Tor’s defaults. Over the last few years, it’s become more important than ever to reduce your fingerprint in every way possible, especially now that true OS spoofing is gone from Tor Browser and every detail about your system, from fonts to hardware quirks, can become a unique tracking point. Law enforcement, researchers, and commercial fingerprinting companies are always advancing, and relying on the same out-of-the-box Tor profile as everyone else is no longer enough. The smallest configuration detail or browser feature left open can stick out and connect your activity, even across different identities and sessions. Hardening your browser isn’t just an extra step, it’s a requirement if you care about staying anonymous, whether you’re using Tor for markets, privacy, activism, or just basic safety. This guide is about taking back control and closing every fingerprinting hole that’s left open by default, so you look as close as possible to the “default” Tor user without leaking anything unique.
You probably already know the biggest OPSEC fails don’t happen because you “slip up” with PGP or forget to double-encrypt files. The real leaks happen in your browser: metadata, unique fingerprints, storage, and side-channels all get weaponized by LE and deanonymization researchers. Tor Browser is good out of the box, but if you really want to keep your activity, identity, and even hardware off the record (whether you’re a vendor, buyer, or privacy freak), you need to harden it yourself.
I was active as a large-scale street reseller and wholesale buyer from 2017 to 2021 using these exact settings, and the mindset to nuke traces. Here’s a comprehensive list of advanced Tor Browser about:config tweaks, with a short explanation for each so you understand why they’re set, not just what they do. None of these settings will break any DNM site, Dread, Pitch, or anything onion-related. As I said, I’ve used this configuration for a while now.
Before you start, you’ll need to access Tor Browser’s advanced settings. Open Tor Browser, type about:config in the address bar, and press Enter. You’ll see a warning; click “Accept the Risk and Continue.” Now you can use the search bar to find any setting in this guide. If a setting already exists, double-click to toggle true/false values, or click the pencil icon to enter numbers or text. If a feature doesn’t exist (mostly all these already exist), you can always create it: click the plus (+) button, then pick “Boolean” for true/false, “Number” for numbers, or “String” for words (rare). Every change takes effect immediately, and you don’t need to restart the browser unless otherwise noted. This will also work to harden Firefox and Mullvad Browser. Also, remember to save these settings to a config file so you don’t have to repeat everything if you are using a disposable system.
How to Instantly Apply and Save All Tor Browser About:Config Settings on Tails
If you use Tails, Whonix, or any disposable Linux and want to apply your custom Tor Browser or Firefox settings in seconds (instead of clicking through about:config every time), do this:
1. Make Your user.js File

Open a plain text editor, and paste all your settings in this format (one per line):

```
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("javascript.enabled", false);
user_pref("network.cookie.lifetimePolicy", 2);
```

For every setting you want, follow this structure:

For true/false: `user_pref("setting.name", true);`
For numbers: `user_pref("setting.name", 2);`
For words: `user_pref("setting.name", "string");`

Then save the file as user.js (not .txt).

2. Save user.js in Persistent Storage

Start Tor Browser at least once so it makes its profile folder. Open your home folder, go to:
/home/amnesia/.tor-browser/profile.default/ (On some systems it’s /home/amnesia/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/)
If you don’t see the folder, click the three lines at the top of the file manager and enable “Show Hidden Files.”
Copy your user.js file from Persistent into this folder. Overwrite if it already exists.

4. Start Tor Browser

Start (or restart) Tor Browser, all your settings from user.js will be loaded automatically. You do not need to use about:config.

5. Any Time You Update Your Settings

Just edit your user.js in Persistent, save it, and copy it again after you reboot.
This works for Tails, Whonix, and any Linux running Firefox, Tor Browser, or Mullvad Browser. You can use the same method to keep all your tweaks, no matter how often your OS wipes itself.
For everyone else, I typed this up so you can just copy and paste it into a text editor and save it as user.js for yourself. Edit: Fixed the last line, thx /u/jake0126 <3
Thank you so much! If it was just the three entries it would almost be faster to just open about:config and do it manually, but with the list /u/BlazinTits put together it's very much worth the time it takes to navigate to the correct folders (on my system it wouldn't show amnesia from the Home folder, had to go to Other Locations>Tails>Home>amnesia).
You don’t put the user.js file in the Tor Browser program files, you put it in your profile folder, which is where your browser stores personal settings and data. On most Linux setups and on Tails, the profile folder is usually here: /home/amnesia/.tor-browser/profile.default/
I'm using Whonix.
I did this:
"Open your home folder, go to:
/home/amnesia/.tor-browser/profile.default/ (On some systems it’s /home/amnesia/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/)
If you don’t see the folder, click the three lines at the top of the file manager and enable “Show Hidden Files.”"
And nothing. But it's fine, changed all the settings manually already lol
Open the Files app (your file manager). In your home folder, press Ctrl+H on your keyboard or click the menu and choose “Show Hidden Files.” This will show folders that start with a dot, like .tor-browser. Now open the .tor-browser folder, then go into profile.default.
Just drag and drop your user.js file into that folder. If you already have a file with that name there, overwrite it.
Once you’ve done that, close everything and restart Tor Browser. Your custom settings will load automatically.
If you get stuck at any step, let me know exactly where and I’ll help you out!
Thanks a lot for that! But if we reboot tails we have to move the file again to the torbrowser profile default folder, because it is in amnesia, right?
I was just following the DNM bible and thought setting the security settings to safest was adequate. When I double checked in about:config it was a shock to see javascript.enabled was still set to true.
Everything under the bullet points is an explanation of what that setting does. So setting javascript.enabled = false disables all JavaScript, blocking most modern browser exploits and fingerprinting scripts.
So only javascript.enabled set to false; that completely turns off JavaScript.
You can save your custom Tor Browser or Firefox settings by creating a file called user.js with all your tweaks inside, then placing it in your browser’s profile folder. This lets the browser automatically apply your preferred settings every time it starts, so you don’t have to redo them manually. On Tails or any live system, you’ll want to keep your user.js on persistent storage and copy it into the Tor Browser profile folder each time you boot up. This method works for Tor Browser, Firefox, and Mullvad Browser, and is the easiest way to keep your privacy setup consistent across reboots.
This is something I'd like to know as well. I don't understand it. I think I might could create a file, but I don't understand how to add this stuff into the file. Should I just copy/paste your post into a blank text file or something?
I'm making a guide just for that now, I'll post it when I'm done. I'm busy right now and need to get offline, so won't be until a few hours. I'll post it in the comments here when I'm done.
Guess I should have read the entire thread before replying =\. I'm definitely interested in this conf file as my persistent tor folder only has the things I've downloaded.
If they don't exist, you make them, so if it calls for true/false then pick boolean and set it to true/false. If it's a number click number, then click the add/+ button on the far right and add it. Once you add it you can then change it from true/false, or change the number if you picked number before you pressed add.
I said it in my post at the top in the last paragraph, right before "MOST IMPORTANT!!!"
Would there be any way to create a batch file (not sure what linux based uses) to set these all at once? Since I only log in for a few minutes every day or other day, it would definitely take a while to go through all of these each time I boot up on tails. /u/jake0126
I'm just wondering, you spelled referrer two different ways. Does spelling matter? Also I also would like to learn more about creating a batch file to use with Tails.
I double checked everything to make sure they are spelled right before I posted.
Referer isn't the real way to spell it but that's how the setting spells it lol. And I'm posting a guide in the comments here about that tomorrow. I'll tag everyone who asked about it.
I haven't been online much today besides this post and a few replies.
Looks like it is disabled in the stable branch. Works in the alpha branch. Hard to decide if I can use that or if I should just move to Tails full-time.
Yeah, that’s right. This guide is similar to arkenfox.js, but it’s focused specifically on hardening Tor Browser for anonymity and darknet use. arkenfox is great for regular Firefox privacy, but Tor Browser has different defaults and needs, so these settings are tailored for Tor’s threat model. Both use the same user.js method for customizing browser privacy and security, so you can use all these configs for arkenfox.js if you want to harden Firefox the same way.
Really solid post. Stuff like this is rare and super underrated. More people in the scene need to take OPSEC this seriously, especially with how things are evolving lately.
I'm struggling to see why this would be shown as false. Should it not be true?
If you swap to false would your .onion sites possibly be leaked to DNS (domain name server: which is what Google etc. use to change .com etc. to an IP so your computer can connect),
exposing what you're doing as not running through Tor, defeating the purpose of the whole opsecs you just posted???
That’s a good question, and I get why it looks confusing. In Tor Browser, network.dns.blockDotOnion = false does NOT mean your .onion addresses get sent to your regular DNS server. By default, Tor Browser is already set up to handle all .onion addresses through the Tor network only, never your normal DNS.
This setting just tells Firefox/Tor Browser whether to block .onion addresses entirely or allow them to work. Setting it to false allows .onion sites to resolve through Tor, which is what you want. If you set it to true, the browser will block all access to .onion domains completely.
This helps a ton and lots of upvotes one of the annoying things when downloading the browser.
Would you be interested in helping rewrite the vendor guide? I really like your knowledge. Only thing I'll say is maybe too much text, but I plan to have a contents section and drop-downs for extra information. Still in the early stages figuring out what, but would be great.
Is it normal for my Tor browser to say "Your custom browser preferences have resulted in unusual security setting, We recommend you choose one of the default security levels" after I have made the user.js file and pasted it in the profile.default?
Yes, that’s completely normal. Tor Browser shows that message whenever it detects you’ve changed its default security settings with a user.js file or by making manual tweaks in about:config. All it means is that your browser is now using “Custom” settings instead of one of the built-in security levels like Standard, Safer, or Safest.
Your changes are working, and you can safely ignore that warning as long as you know which settings you changed and why. If you want to use your own hardening tweaks, just leave it on Custom, there’s no problem.
If you change it back to Safest, Tor Browser will remove all the custom configs you added from this post. If you had Safest turned on before you added your own tweaks, those Safest settings will stay active. Only the settings you changed yourself will be affected by switching between Safest and Custom.
I kinda have some questions here, maybe someone can help me, or you jake, that would be perfect.
I created that file user.js, put it in persistent, and now when I boot Tails I have every time to put it from persistent into profile default, right? Is there a way I don't have to put it manually into profile default or not?
And one more question: after I put it into default profile and then I start Tor Browser it says like I run custom settings and I should change it to more private one.
When I put this file into default profile am I on the safest site? If yes could you tell me why?
Of course I read the lines and it makes sense to me, but why isn't it safe to only run the browser on "safest" mode?
Admins are Retarded/Compromised: Ignore The Glowing Guide.
One common setting is `privacy.trackingprotection.enabled`, which sets your DNT header to true. Tor browser's default is false. Since few people check `about:config` and change this, it really makes you unique.
That's probably just scratching the surface. There are tons of other settings that make your browser unique, some hiding in standard fingerprint tests. Here's an example:
`privacy.trackingprotection.fingerprinting.enabled = true`
This activates anti-fingerprinting filter lists and blocks known fingerprinting sites. But first, you gotta download the filter lists somewhere, probably from a mozilla source. And yeah, if a site tries to redirect you to a domain that gets blocked by the list, it might look like you're getting fingerprinted, which is a good vector for detection.
The surface level stuff is easy to spot if you just test your fingerprinting before and after changing these settings. But likely, there are many other sneaky settings affecting things. Shit like "pref('media.gmp-gmpopenh264.enabled', false);" - how the fuck do you know it's not secretly activating a backdoor planted by NSA? You don't!
Seriously, it's not hard to notice. Just do a fingerprint test before and after adding these settings. Zero people in the comments noticed. Remember, 55 people liked it, and an admin pinned it to the main page? Bullshit.
Conclusion: admins are either dumb or compromised. Users are either dumb or get banned for calling out this.
I strongly recommend ignoring all that glowing shit and just set `javascript.enabled` to false. Only that. Critiques are welcome below.
Thanks for sharing your perspective. You’re right that changing Tor Browser’s default settings can potentially make you more unique if you go overboard or don’t know exactly what each setting does.
It’s true that settings like privacy.trackingprotection.enabled and others can change your fingerprint, and the goal is to avoid creating a “rare” browser fingerprint while still closing real privacy holes. That’s why the best approach is to stick close to default Tor Browser behavior, only disabling things that really leak info or open you up to known attacks, and not to apply every Firefox privacy setting blindly.
No browser can guarantee zero fingerprint, and yes, there’s always risk when trusting big projects. But not hardening at all, or only disabling JavaScript, leaves you open to a ton of other fingerprinting vectors and exploits. The key is understanding your threat model and using OPSEC that matches it, not just following any guide or default.
Anyone who’s serious about privacy should test their own setup, stay current, and know exactly what each config tweak does. Blanket statements like “admins are dumb or compromised” don’t really move the conversation forward. Constructive critiques and actual fingerprint test results help everyone, though. If you have more info or see a setting that causes real issues, it’s good to share your findings and let others test and discuss.
The guide I posted isn’t about blindly flipping every switch, but about making informed decisions to reduce real-world leaks and attacks that have actually been seen in the wild. Every setting is there for a reason, with an explanation of what it does and how it impacts both privacy and usability. I always recommend testing your own fingerprint before and after any changes and adjusting based on your own threat model. No OPSEC setup is one-size-fits-all, but simply sticking to defaults or disabling JavaScript only gives a false sense of security for most users. A smart balance of hardening and blending in with other Tor users is the best approach, and that’s exactly what this guide is meant to help people achieve.
Nice write up, very thorough. I assume it's for computers only and not mobile bc as far as I know on mobile version the best you can do is put it on "Safest" lol
I assume it's all crunched in that section of Security in Settings. But I don't care much bc all I do is buy a zip of pot these days and at least 1/12 jurors will nullify that if it even makes it to prosecution bc I'll politely but sternly tell any D.A. if they want to embarrass themselves, catch an L and waste everyone's time and money then go for it.
6th Amendment is Right To A Fair And Speedy Trial so you can bound over anything to a jury, even stealing some gum from the store. Fuk em is why I've used mobile for 5 years exclusively bc I'm not a fish they want to fry and they know resources will be wasted to lose a hook or have to throw it back in the water.
But I know laptops and Tails is ESSENTIAL for bigger fish than I and all Vendors.
I wonder if you hook your mobile up to a laptop via USB, if you can somehow go into the folders themselves of TOR. Maybe then you could. I haven't used anything but mobile for over 5 years for anything but I used to get down on a computers. I'd clone games, hack Psps and have the potential for so much with computers but they cut my school funding long ago so never decided to learn too much after that. Life is too interactive to focus on that shit rn, WW3 coming to a city near you soon so fuck studying lol no lol
For everyone else, I typed this up so you can just copy and paste it into a text editor and save it as user.js for yourself. Edit: Fixed the last line, thx /u/jake0126 <3
```
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("javascript.enabled", false);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("dom.storage_access.enabled", false);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("geo.enabled", false);
user_pref("privacy.firstparty.isolate.block_post_message", true);
user_pref("privacy.resistFingerprinting.letterboxing", true);
user_pref("webgl.disabled", true);
user_pref("webgl.enable-webgl2", false);
user_pref("media.peerconnection.enabled", false);
user_pref("dom.enable_performance", false);
user_pref("gfx.webrender.all", false);
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.cookie.thirdparty.sessionOnly", true);
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("network.http.referer.spoofSource", true);
user_pref("network.http.sendSecureXSiteReferrer", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.predictor.enabled", false);
user_pref("network.http.referer.hideOnionSource", true);
user_pref("gfx.font_rendering.graphite.enabled", false);
user_pref("layout.css.font-visibility.level", 3);
user_pref("network.http.referer.trimmingPolicy", 2);
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
user_pref("privacy.resistFingerprinting.reduceTimerPrecision", true);
user_pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 10000);
user_pref("fission.autostart", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
user_pref("privacy.trackingprotection.cryptomining.enabled", true);
user_pref("dom.webaudio.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("media.video_stats.enabled", false);
user_pref("browser.startup.blankWindow", true);
user_pref("browser.download.start_downloads_in_tmp_dir", true);
user_pref("browser.helperApps.deleteTempFileOnExit", true);
user_pref("network.dns.blockDotOnion", false);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.http.http3.enabled", false);
user_pref("dom.push.enabled", false);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.socialtracking.enabled", true);
user_pref("privacy.annotate_channels.strict_list.enabled", true);
user_pref("browser.send_pings", false);
user_pref("browser.display.use_document_fonts", 0);
user_pref("pdfjs.enabled", true);
user_pref("extensions.pocket.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("webgl.enable-debug-renderer-info", false);
user_pref("media.navigator.enabled", false);
user_pref("dom.battery.enabled", false);
user_pref("device.sensors.enabled", false);
user_pref("accessibility.force_disabled", 1);
user_pref("browser.cache.offline.enable", false);
user_pref("beacon.enabled", false);
user_pref("clipboard.plainTextOnly", true);
user_pref("extensions.torbutton.use_nontor_proxy", false);
user_pref("extensions.torbutton.block_disk", true);
user_pref("dom.security.https_only_mode", true);
user_pref("dom.security.https_only_mode.upgrade_local", true);
user_pref("security.mixed_content.block_active_content", true);
user_pref("webspeech.recognition.enable", false);
user_pref("webspeech.synth.enabled", false);
user_pref("media.hardwaremediakeys.enabled", false);
user_pref("device.sensors.motion.enabled", false);
user_pref("device.sensors.orientation.enabled", false);
user_pref("dom.gamepad.enabled", false);
user_pref("browser.urlbar.suggest.searches", false);
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-widevinecdm.enabled", false);
user_pref("browser.helperApps.neverAsk.saveToDisk", "application/pdf,application/octet-stream,application/zip");
```
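An added example, not part of the original posts: a Python check to run over a user.js before copying it into the profile folder. It reports repeated prefs (the list above sets `network.cookie.lifetimePolicy` twice), conflicting values, curly quotes picked up when copying from a formatted page, and lines that do not follow the `user_pref("name", value);` format. The function names and the sample input are constructed for illustration, and it assumes one statement per line with `//` comments only.

```python
import re

# The format the guide gives: user_pref("name", value); where value is
# true/false, an integer, or a double-quoted string. One statement per line
# is an assumption of this example.
PREF_RE = re.compile(
    r'^user_pref\(\s*"(?P<name>[^"\\]+)"\s*,\s*'
    r'(?P<value>true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;\s*(?://.*)?$'
)
# Curly quotes that formatted pages and word processors substitute for " and '
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample: pref names are taken from the list above, the defects
# on lines 5 to 8 are introduced on purpose.
SAMPLE = '''\
// constructed test input
user_pref("javascript.enabled", false);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("webgl.disabled", true);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref(\u201cgeo.enabled\u201d, false);
user_pref("browser.display.use_document_fonts", 0)
user_pref("webgl.disabled", false);
'''


def parse_value(raw):
    """Convert the textual value of a user_pref statement to bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"'):
        return raw[1:-1]
    return int(raw)


def lint_user_js(text):
    """Return (prefs, findings).

    prefs maps each pref name to the value of its last well-formed statement.
    findings is a list of (line_number, kind, detail) with kind one of
    "smart-quote", "syntax", "duplicate", "conflict".
    """
    prefs, first_seen, findings = {}, {}, []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        if any(q in stripped for q in SMART_QUOTES):
            findings.append((no, "smart-quote", stripped))
            continue
        match = PREF_RE.match(stripped)
        if match is None:
            findings.append((no, "syntax", stripped))
            continue
        name, value = match["name"], parse_value(match["value"])
        if name in prefs:
            # bool is a subclass of int in Python, so compare the types too
            same = type(prefs[name]) is type(value) and prefs[name] == value
            kind = "duplicate" if same else "conflict"
            findings.append((no, kind, f"{name} first set on line {first_seen[name]}"))
        else:
            first_seen[name] = no
        prefs[name] = value  # a later statement replaces the earlier one
    return prefs, findings


if __name__ == "__main__":
    parsed, problems = lint_user_js(SAMPLE)
    for line_no, kind, detail in problems:
        print(f"line {line_no}: {kind}: {detail}")
    print(f"{len(parsed)} distinct prefs parsed")
```
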
The browser only recognizes the file if it’s named user.js and put in your profile folder. If you use any other name, it won’t work.
In the program files for tor?
I did this:
"Open your home folder, go to:
/home/amnesia/.tor-browser/profile.default/ (On some systems it’s /home/amnesia/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/)
If you don’t see the folder, click the three lines at the top of the file manager and enable “Show Hidden Files.”"
And nothing. But it's fine, changed all the settings manually already lol
unless you changed them all and it saves on shutdown, then you're good.
I've saved the user.js file, I'm just having trouble with what I do with it from here lol
Just drag and drop your user.js file into that folder. If you already have a file with that name there, overwrite it.
Once you’ve done that, close everything and restart Tor Browser. Your custom settings will load automatically.
If you get stuck at any step, let me know exactly where and I’ll help you out!
You can make it easier by writing a simple script that automatically copies your user.js file to the Tor Browser profile folder when you start up.
Let me know if you want me to make the script and I’ll send it over.