Initial Privacy Settings for Qutebrowser

28 Mar 2021

With some of the recent decisions from Mozilla regarding the supression of free speech, the signing of the petition for Richard Stallman to be exiled from the Free Software Foundation, and the support of mass censorship by "big tech", I've decided to start moving away from Mozilla and look for an alternative browser. This has led me down a path of trying numerous minimal browsers and from those, the most promising one I have come across so far is Qutebrowser. Unfortunately it requires a lot of dependencies since it uses the qt framework, but I can live with that for the low memory footprint, the perceived snappiness I'm not used to with bloated web browsers, and the vim like key bindings. There doesn't seem to be much out there in terms of tutorials or privacy recommendations, so I've decided to list some of my own settings here.

This short guide is just my recommendations for an initial setup of Qutebrowser. If I've missed anything that you may feel is important, please feel free to contact me and let me know.

The settings for Qutebrowser can be modified by typing the commands below, or they can accessed all at once just by typing :set then hitting enter.

Disable Media Autoplay

:set content.autoplay false

This will disable the pesky autoplay feature that most browsers seem to enable by default for some reason. Who actually wants video ads to autoplay?

Disable Location Tracking

:set content.geolocation false

This will obviously disable the ability for the browser to reveal your location to websites. Keep in mind that your location can still be roughly determined by your IP address unless you use a VPN.

Disable Third Party Cookies

:set content.cookies.accept no-3rdparty

Why are third party cookies still enabled by default? I have no idea, but this will disable them. Third party cookies are one of the primary ways websites can track your browsing habits across multiple sites.

Custom User-Agent

:set content.headers.user_agent (custom string)

Many people might disagree with this one since having the most generic user-agent possible (Chrome Browser on Windows 10) is likely the best option for blending in with the masses, however I'm super picky when it comes to the statistics I provide. I'll take the hit on privacy to not artifically boost the popularity of proprietary software and instead promote the true operating system and browser that I'm using. The default user-agent advertised that I was using "Chrome" on "linux", neither of which are true. This has been corrected on my copy.

Disable Javascript

:set content.javascript.enabled false

Most likely the worst offender for the collection of personal data is javascript. On most true content based websites you can still view the content with javascript disabled. In the event it's required for specific sites, it can be temporaily enabled via the command tsh or permanently enabled for the site with tSh. Not only does disabling javascript help for privacy, but it can also greatly boost the performance of websites by removing most of the unnecessary bloat.

Enable Darkmode

:set colors.webpage.prefers_color_scheme_dark true

This one personal preference however it's often done incorrectly. I've seen others complain the dark mode is broken on Qutebrowser, however that's because they've used colors.webpage.darkmode.enabled instead, which seems to use a custom set of CSS for all websites which can look pretty bad. The setting above just tells the website that if they have a dark theme available that you'd prefer to use that one instead.

Private Browsing

:set content.private_browsing true

This is the equivalent of incognito tabs in other browsers and does not save browsing history or cookies. There are drawbacks for general browsing such as not being able to save and restore tabs the next time you open qutebrowser, so this is optional depending on your use case.

Browser History

:set completion.open_categories ["searchengines", "quickmarks", "bookmarks"]

By default, this list also includes browsing history and your local file system. I don't like either of them being displayed on my screen, so I've removed those two.

Disable Canvas Fingerprinting

:set content.canvas_reading false

Browser canvasing provides a very detailed fingerprint that can be used to identify you across the web.

Well, that's all I have for now. If you have any suggestions that could improve this list, please let me know.