CHEF-KOCH's Microblog ✨

Brave Browser Hardening by CHEF-KOCH

Logo Banner - Credit: ledger.com

Important - Please read this first

The new website is here (code-cktn.org). Please do not link my outdated Bear Blog in public, since I have moved to my own websites and services.

I would like to thank Bear Blog and the community for hosting my content over the years. Bear Blog is a fine website and service, but I simply decided to host my own websites, projects and services instead, as it gives me more control over my own content.

Project updates

I'll try to keep this hardening guidance as up to date as I can. The flag configuration changes and tips listed below are only tested on Windows, Linux and Android; I do not plan to test them on macOS/iOS!

See statement above.

Introduction

Hardening does not start with choosing the right tools or networks; hardening begins with gathering information to inform yourself and others, in order to stay up to date so that you can deal with current and upcoming threats. Tools, extensions and co. are just a workaround until someone builds the right system, and that starts with voting for and supporting the right politicians and organizations. – Statement CHEF-KOCH, 1997

The main purpose of this guide is to inform people about ways to harden Brave Browser without depending on other tools, on the Brave team, or on the usually quickly outdated guides found on the Internet.

If you have questions, you can ask them directly on my official Matrix server or use the issue tracker to open a ticket so that we can address new things.

Important notice: READ this before you start changing random browser flags!

Just because some flag promises X does not necessarily mean you should enable or change it; there are possible drawbacks!

  • Browser flags are in general beta features and can decrease performance or privacy, or even corrupt your entire browser profile. All flags mentioned here are, however, carefully tested and reviewed before they are listed.
  • If you report bugs in the official Brave Browser GitHub repository, make sure you use a fresh browser profile, not an "optimized" one.
  • Some flags depend on server-side configuration and platform updates, which means that some security-related flags in particular only fully work when the server/domain actually supports them.
  • Some flags are OS and platform specific; on older Android, Linux or Windows builds or versions they are probably listed under Unavailable, in which case you of course cannot use that flag on your platform.
  • QUIC used to be disabled due to privacy and fingerprinting concerns. This concern is addressed with Brave based on Chromium 91.1.27.8 (nightly), and the original proposal has been approved as RFC 9000, so QUIC is now enabled (see #enable-quic in the Desktop Privacy table). See here for a security overview. Remaining trackability is covered by Brave Shields. HTTP/3 over QUIC is generally faster than HTTP over TCP and TLS. If you want an in-depth explainer for every byte, read this.
  • Use KeePass (or a fork) instead of the internal password manager. I personally prefer not to work with browser-based password managers/integration. For more information, read here.
  • Voice search input (Android) is disabled due to multiple privacy concerns.
  • The browser-based PDF viewer is left unchanged because I prefer Sumatra PDF (i.e. offline reading) due to multiple privacy/malware concerns.
  • Omnibox functionality is limited due to multiple privacy concerns. See here for more info.
  • Google's Safe Browsing and other security checks and connections are NOT wanted. The OS has its own protection mechanisms (OS security model + hardening).
  • FLoC is disabled by default in Brave. Chrome users can use uBlock Origin or change it manually via flags.
  • How we compare the network behavior of popular browsers on first run.
  • All credential checks are disabled since we do not store passwords in Brave Browser; instead we use dedicated tools such as KeePass or, in general, any other password manager of your choice.
  • Animations might be slower or fail to load properly due to isolation flags, which means the Rewards system might be affected, causing you to need several attempts to complete the Rewards challenge before you can claim your BAT.

Unresolved Issues with the biggest privacy/security impact

You can find an overview of all open privacy-related and reported issues directly on the issue tracker (github.com).

☑ indicates that the mentioned issue was fully resolved, and ☒ that it will not be fixed because it is by design.

Additional Info:

Please keep in mind that just because there are open issue tickets, this does not necessarily mean the issue is actively abused in the real world. In many cases it is hard to find evidence that theoretical problems are used to directly compromise your security or privacy. Some of the mentioned issues might also be very hard to fix, because trying to work around them can result in unwanted side effects such as browser crashes, website breakage, etc.


Project History

10.05.2022 - Release: Brave Browser 1.38.115 for Desktop (github.com) - Release: Brave Browser 1.38.113 for Android (github.com)


Hardening is not a selling argument

The mass media and some privacy communities wrongly echo the claim that hardening and applying best practices equal security and privacy; this is an unproven claim. It is unproven because the vast majority of people do not use hardened profiles on a daily basis, and there are cases showing that even hardened setups can be compromised; it is a matter of effort. In other words, there is no proof that hardening is enough. What it does is potentially reduce the attack surface, but that is all. It does not mean you are untouchable or cannot be exploited. Even if you manage to harden everything, you still need to take the human factor into consideration: social engineering works really well and can bypass every firewall and every OS or browser hardening given enough time. The browser acts like a gateway; it is not meant to be a firewall that monitors every data packet that goes through.

I am entirely against selling privacy and security as a product, and the goal of this project is not to fool people into thinking that hardening is something that is either one or zero. Privacy and security are not products you install or scripts or tools you run. They are a relationship between developers and the community to deal with existing as well as new threats. Giving up control by depending on some unknown third party that promises you xyz is not what I want to represent here. The overall goal is to show the mentioned issues in order to warn users that there are potential risks involved which can be addressed, at least on a theoretical level; they are shown so that such problems get fixed, not to make a profit out of them.

Claiming that hardening makes you more secure because 0.1% of all users do it is working with statistics. Such statistics are often flawed, because depending on the data, point of view and experience they can vary a lot. Even assuming everything gets fixed one day, attackers will still try to bypass everything, break it or invent new techniques. This is a cat-and-mouse game without a winner, because the web evolves as does the browser itself, and hardening will always be part of adapting to those changes by working around potential issues.

I am not a fan of mass advertising that hardening or applying best practices is enough. What makes more sense is to make people aware of problems, provide some workarounds until they are fixed, and then test to verify whether the workaround actually works as intended, because even workarounds and fixes can cause additional problems or even new holes.


Energy consumption is not a big priority

As much as I would love to give this point more consideration, I need to clearly say that I cannot do many tests regarding energy consumption in general, especially not for individual flags, let alone independent tests across multiple OS and browser builds. This would require me to work and research on this subject full-time.

There are lots of variables which can and will influence the energy aspect, and this is a huge topic which I am not willing to take on on my own.

The only case where overall energy consumption is a big focus is when a flag dramatically decreases battery life or puts extra pressure on the CPU and/or GPU in a way that is directly debuggable through internal tools.


Enforced settings as new defaults

We change the mentioned default settings to improve the default behavior and reduce possible risks. You can manually unlock what you need, which seems like more work, but it is worth it, and you only have to do it once per domain. This basically acts like a firewall for specific things: they are disabled by default and you need to manually unlock them first (see the last screenshot to understand what I mean).

Shield Defaults Settings Hardened

Shield Defaults

Normally we do not need to enable the Always use HTTPS option, because under Security we enable and enforce connecting to HTTPS first. However, in some cases the option to always connect to HTTPS is hidden unless you enable the option.

Secure Connections

Example Page

Permission Defaults

Shield Defaults

On mobile we can theoretically do the same, but there are some downsides. As you can see on the last screenshot, if your screen resolution is below a certain size or you are on a smartphone with a small screen, you cannot see all options, which makes it impossible to change or reveal some settings or information. Brave as well as Chrome is aware that this modal dialog is currently not optimal. That said, for now I only suggest doing this on desktop; on mobile, only enforce the stronger Shield defaults (see the first screenshot).

Brave will not sync those newly set permission defaults. You need to back up your profile manually; this is still the best way to deal with profile corruption or to copy your settings to another profile or PC. Permission sync is a planned feature.

Why we enforce some settings that depend on your global Shields settings

We enforce some settings as defaults for various reasons. However, some flags and features depend on your global Brave Shields setting; for example, by default Unlinkable Bouncing is only enabled when you set your global Shields setting to aggressive. We override this behavior so that, in case of website breakage, you can temporarily lower the Shields setting for a specific website without losing that protection mechanism.

In a nutshell


Using JS-Restrictor with Brave

JavaScript Restrictor, now called JShelter, is normally not needed with Brave Browser; however, you can use it to fine-tune some specific settings if you want to. Changing those options can make you more unique, which is why this is not suggested unless you know exactly what you are dealing with.

Depending on the selected or self-created profile, JShelter uses about twice as much CPU as uBlock Origin or other solutions, which you can check with the integrated Task Manager and the internal debugging tools. This is the main reason why I do not suggest using it on a daily basis. It is better to wait until Brave addresses all the privacy risks listed above.

Import the configuration file.

Importing the configuration file is quickly done: just import the configuration and click Override. After that, reload the website and check the configuration to ensure the settings are fully working. I include some example pages for reference.


The impact is normally negligible because we mostly disable controversial APIs or features that are designed by Google. Some other flags are not fingerprintable under normal circumstances, because API design evolves and developers are more aware of, and advocate for, privacy and security much more than 20 years ago.

Changing flags can make you stand out more, but the tested flags are carefully chosen so that the difference is not dramatically noticeable, except that some fingerprinting test pages might not return an accurate result. You should not rely only on such pages to measure how private your Brave Browser is; they give you a small indication, but that is all, because unknown fingerprinting mechanisms might exist that are not covered by such tests, or not yet seen in the wild.

Brave on its own already does a good job, but we want to take it a step further and enhance specific behaviors. Where possible, such changes are explained, linked or given a reference in this guide.

Utilizing Brave Ad Block the right way

The overall number of trackers is limited. This means that the majority of websites use Google's tracking systems, among a few others. Most popular and even unpopular websites trust the big tracking players, so it makes no sense to load gigantic filter lists when 80 percent of the web uses the same tracking systems. You can skip this section if you already block ads via a DNS blocker system-wide in your network with AdGuard Home or Pi-hole, and continue with the manual filter lists we could use depending on your needs.

Finding lists is pretty easy; you can search for them manually or use one of the aggregators that list filter lists.

The following filters are already used and enabled by default:

  • Block Origin Filters
  • Brave Android-Specific Rules
  • Brave Social
  • Brave Social Unbreak
  • Brave Specific
  • Brave Unbreak
  • EasyList
  • EasyPrivacy
  • Peter Lowe's Ad and tracking server list
  • SugarCoat Rules
  • URLhaus Malicious URL Blocklist
  • uBlock Origin 2020 Filters
  • uBlock Origin 2021 Filters
  • uBlock Origin filters - Badware risks
  • uBlock Origin filters - Unbreak
  • uBlock Origin filters - Privacy
  • uBlock Origin filters - Resource abuse

General rules

  • Without selecting, enabling or subscribing to third-party lists, Brave already blocks most things; if you are comfortable with that, you can stop reading this section.
  • Less is more; everything counts, because everything that needs to be loaded ends up in your RAM or causes the CPU to burn more cycles, which can end up consuming more energy and battery. Good-quality filter lists shouldn't have a perceptible effect on browsing performance; the first worry with too many filter lists is undue website breakage.
  • Just because filter list X has more entries does not mean it is more effective.
  • Only use lists which are regularly updated and well maintained.

The following steps are the same on desktop and mobile, so I do not mention the platforms explicitly.

Go to brave://settings/shields/filters (just type it into the URL bar) and it will display the ad-block interface with some options. By default none of the additional lists is selected; you have to choose which filters you want to enable, or even add them manually. Custom filters are currently updated every 7 days, which might change in the future. Syncing filter lists and your custom rules is possible; the flag is #brave-cosmetic-filtering-sync-load. It will be removed in the future and directly integrated and enabled by default once it is reliable enough.

Shields AdBlock.

Additional lists you can enable from the integrated Brave Ad Block page

  • YousList - to block various cosmetic annoyances in addition to the annoyance lists mentioned above. If you think this list is not enough, use Dandelion Sprout's Annoying Banners and Overlays List instead.
  • ONE single language-based list for your own country.

Now we can improve specific things, i.e. manually subscribe to additional lists, but which ones make the most sense? The answer is easy: we want to get rid of additional extensions, and hopefully we can achieve that by using an additional list that covers the things we need: anti-coin-mining, URL shorteners, etc.

Optional filter-lists you could add

Additional filter lists can be useful, for example to get rid of the ClearURLs extension, or, if we already block DNS-based ads on our entire network, to use a list which only blocks cosmetic stuff. It should be noted that uBlock Origin as well as Brave's ad blocker can only strip query parameters from the original URL; they cannot rewrite parts of the path of a clicked URL.

  • AdGuard DNS filter - https://filters.adtidy.org/windows/filters/15.txt
  • Actually Legitimate URL Shortener Tool - https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt
  • First-party trackers host list - https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt - You do not need it if you use DNS-based network blocking.
  • EU_US+most_used_ad_and_tracking_networks - https://raw.githubusercontent.com/Kees1958/W3C_annual_most_used_survey_blocklist/master/EU_US%2Bmost_used_ad_and_tracking_networks
  • Social media filters: this is totally up to you.
  • You do not need any anti-coin-miner list; this is normally covered by the language-based list you chose. Adding another one makes no sense because by default we block, or optionally restrict, JavaScript anyway via extension.
  • Block outside intruders breaking into LAN - https://github.com/gwarser/filter-lists/blob/master/lan-block.txt - This list will become irrelevant at some point because Brave will block all LAN requests by default starting with Chromium v101+. JS-Restrictor can do exactly the same; the benefit of the JS-Restrictor extension is that it is enabled by default and you can create an exception for a domain with only two clicks.

That is all; you do not need 10+ lists. Well-maintained lists are worth much more than huge lists that die within the first 6-12 months or cause additional problems.


Why fingerprinting matters less than you think

Fingerprinting per se is not an intrinsic problem; it only becomes a problem when it makes it possible to render you entirely traceable, particularly across sessions. The main point is to become less traceable, or traceable only with adjustable levels of difficulty, whatever your "fingerprintability" may be.

There are two ways to try to reach this goal:

  • The static way
  • The dynamic way

In the static (often called low-entropy) way, you try to display the same fingerprint as many other people. In that sense, being seen as unique is bad. The best way to achieve this "low entropy" goal is to use the Tor Browser on the Tor network: no Brave hardening, no Firefox hardening with thousands of configuration changes, simply the pure Tor Browser, because it provides much more than configuration changes, and the best case is that each and every user shows the exact same fingerprint.

In the dynamic (high-entropy) way, you try to become "someone else" for each browser session, i.e. for each browsing session you (ideally) try to change all of your browser's displayed characteristics. In this case, being seen as unique is not a problem. On the contrary, it is desirable: if a test site manages to correlate you across sessions, and so sees you as not unique, that simply means your attempts to become "someone else" for each session failed miserably and that you are traceable across sessions (at least by this particular test site, and by any other site using the same tracking techniques). This is the path the Brave developers are taking, and it is also what you do when you harden other browsers like Firefox, Edge, etc.

In the real world there is a limited number of ways to fingerprint users; most of them rely heavily on JavaScript, CSS and so on. Developing countermeasures for this is possible, and since we disable JavaScript by default, which already lowers attacks by around 98%, the rest are small tricks abusing weaknesses that are more or less easily fixable. There might be some small things that cannot be fixed, but those never lead to leaks that can identify you or your browsing habits, or connect other dots.

The most important items are listed above and are on the to-do list regarding fingerprinting. None of the open issues is enough to truly expose you, even if someone collects all of the remaining entropy that is currently not covered by Brave's Shields. Most people just use the fingerprinting argument to bypass restrictions.


Unofficial Brave Browser Build on F-Droid


Passwords and Credentials

  • Do not store credentials in your browser, ever. The reason (security.stackexchange.com) is that Chromium protects the password database only with the OS user's own secrets (DPAPI on Windows), so under that user account the database is quite easy to decrypt, e.g. with freeware tools from Nirsoft (nirsoft.net).
  • If you use Sync, do not enable password sync.
  • Use a password manager such as KeePass or Bitwarden, which are more resilient against GPU brute-forcing, RAM scraping and clipboard exfiltration attacks.
  • Forcing an expiration date for passwords is no longer recommended (ncsc.gov.uk); instead use a strong password, which can also be generated through a password manager.
  • Check your passwords and databases against Have I Been Pwned? and similar services; some password managers have an integrated mechanism or plugins to do so and warn you automatically.

Do not use portable Browsers

Using portable browsers has many security and privacy implications.

  • In most cases the official browser developer(s) do not provide an official portable build, so people tend to use unofficial portable repacks. Often those repacks are done by fans rather than experts and can possibly contain tracking, ads, Trojans, IP grabbers, etc.
  • There is no verification: since you use an unofficial repacked version, you cannot verify anything yourself. Even if the repack is open source, you cannot verify it, because the installer or the browser itself might be signed with signatures that do not match those of the original vendor.
  • No support: unofficial repacks might not be approved or directly supported by the official site. This means they can be outdated after a short while, you may already be downloading an outdated version, or the integrated update mechanism will fail because the updater depends on a service that checks for and delivers the actual update. The Epic, Microsoft and other stores will also not update any portable versions.
  • Running your browser and profile on an unprotected drive that everyone can freely access is a privacy and security nightmare. There are tools to quickly read out your cookies, passwords and more; usually those tools need admin rights to access protected folders, but if the profile folder is unprotected you can read out or steal the database or the entire profile without admin rights. The internal protection of database passwords is weak and can be cracked in seconds, and the browser typically has neither a master password for the database nor a startup password check.
  • You can work around some of the mentioned problems with a RAM drive or a third-party sandbox, but the underlying issue is that overall it is easier for an attacker to extract, infect or compromise your browser profile. Keep in mind that sandboxing through external third-party apps can also be critical, because the sandbox tool itself can be vulnerable or cause the browser to crash, since the browser typically updates much more frequently than the sandbox tool can keep up with in order to protect your browser profile effectively. Another problem is that such workarounds might require software to be installed on the host, which needs admin rights. I am not aware of a sandbox solution that protects at a low level without admin rights, because this is what the OS requires to access the inner rings.

How Brave handles Cookies

Brave Browser is very well documented. Besides the source code and the wiki entries, there are several good articles for beginners on how Brave actually handles cookies.


Desktop Flags

The official Brave release schedule can be found over here, the archive is here.

  • There is currently no plan to release a Brave Browser version for smart TVs, which means there is nothing to change or optimize on such platforms.
  • An enabled/disabled recommendation below means that, if you want to harden Brave Browser further, you should change the default flag state as advised.

Desktop Security

| Flag | Flag Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #block-insecure-private-network-requests | Block insecure private network requests | ✔️ | unknown |
| #brave-domain-block | Enable domain blocking | ✔️ | unknown |
| #brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | unknown |
| #clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
| #disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | unknown |
| #enable-isolated-sandboxed-iframes | Isolated sandboxed iframes | ✔️ | unknown |
| #enable-webview-tag-site-isolation | Site isolation for `<webview>` tags | ✔️ | Disabled by default; added in 1.44.8/104.0.5112.69 |
| #origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
| #strict-origin-isolation | Strict-Origin-Isolation | ❌ | unknown |
| #sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery | ❌ | unknown |
| #u2f-security-key-api | Enable the U2F Security Key API | ❌ | unknown |

πŸ” Back to top πŸ”

Desktop Privacy

| Flag | Flag Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #autofill-enable-sending-bcn-in-get-upload-details | Enable sending billing customer number in GetUploadDetails | ❌ | Enabled if preflights are enabled |
| #autofill-fill-merchant-promo-code-fields | Enable Autofill of promo code fields in forms | ❌ | unknown |
| #autofill-parse-merchant-promo-code-fields | Parse promo code fields in forms | ❌ | unknown |
| #brave-adblock-cosmetic-filtering-child-frames | Apply cosmetic filtering to frames other than the main frame of a page | ✔️ We enforce it for all Shields modes; otherwise it is only active in aggressive mode | 103.1.42.74/1.42.74 |
| #brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | ✔️ We enforce it for all Shields modes; otherwise it is only active in aggressive mode | unknown |
| #brave-debounce | Enable debouncing (94.x+) | ✔️ We enforce it | unknown |
| #brave-domain-block-1pes | Enable domain blocking using First Party Ephemeral Storage | ✔️ | unknown |
| #brave-extension-network-blocking | Enable extension network blocking | ✔️ (91+) | unknown |
| #device-posture | Device Posture API | ❌ | enabled |
| #disable-process-reuse | Disable subframe process reuse | ✔️ | unknown |
| #edit-context | EditContext API | ❌ (100.0+) | unknown |
| #enable-accessibility-live-caption | Live Caption | ❌ (90.x+) ⚠️ borked | unknown |
| #enable-autofill-credit-card-authentication | Allow using platform authenticators to retrieve server cards | ❌ (87.x+) | unknown |
| #enable-fenced-frames | Enable the `<fencedframe>` element | ✔️ with ShadowDOM | unknown |
| #enable-generic-sensor-extra-classes | Generic Sensor Extra Classes | ❌ | unknown |
| #enable-quic | Experimental QUIC protocol | ✔️ Needed for HTTP/3 and DoQ; QUIC is now standardized as RFC 9000 | unknown |
| #enable-webusb-device-detection | Automatic detection of WebUSB-compatible devices | ❌ We already disable WebUSB, but the detection still sends a beacon | unknown |
| #extensions-menu-access-control | Extensions Menu Access Control | ✔️ | unknown |
| #font-access | Font Access APIs | ❌ | unknown |
| #omnibox-dynamic-max-autocomplete | Omnibox Dynamic Max Autocomplete | ❌ (can cause lag if enabled / 5+) | unknown |
| #omnibox-rich-autocompletion-promisin | Omnibox Rich Autocompletion Promising | ❌ | unknown |
| #partitioned-cookies | Partitioned Cookies | ✔️ | unknown |
| #reduce-user-agent | Reduce User-Agent request header | ✔️ | unknown |
| #reduce-user-agent-minor-version | Reduce the minor version in the User-Agent string | ✔️ | unknown |
| #system-keyboard-lock | Experimental system keyboard lock | ❌ (89.x+) | unknown |
| #webxr-incubations | WebXR Incubations | ❌ (92.0+) | unknown |

πŸ” Back to top πŸ”

Desktop Performance

Benchmarks against Edge and Firefox are pretty much useless. There are multiple reasons why; please read below:

  • Synthetic benchmarks might not reflect real-world performance, because a normal website is not a benchmark suite, and other factors influence the individual and subjective browser performance.
  • Brave's blocking and privacy protections require a fixed amount of additional work per page and frame. This means that Brave will do worse in synthetic benchmarks than other browsers (since Brave's privacy protections are of no use in benchmark tests), but will do better on real-world sites.
  • Firefox and Edge do not have a comparable integrated ad blocker; they rely on Safe Browsing, which is also included in all Chromium-based browsers and enabled by default. Brave by default uses Safe Browsing plus the Shields blocking mechanism, which is much heavier, benchmark-wise.
  • Firefox and Edge do not include crypto wallets, IPFS and other optional features that you might have enabled and use. Enabling additional features and then running benchmarks is useless.
  • Brave reduces the page-load performance cost of its ad blocker.
  • Benchmarks are often outdated pretty fast. At best they are a snapshot of the current state, but every browser evolves and fixes things, and it does so fast and often.

You can, however, compare features, but not directly benchmark the whole browser to come to a final conclusion about how efficiently it works.

| Flag | Flag Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #brave-federated | Enables local data collection for notification ad timing (brave-federated) | ❌ (1.43.50/104.1.43.50 Beta) | enabled |
| #back-forward-cache | Back and forward Cache | ❌ | unknown |
| #brave-adblock-cookie-list-default | Treat 'Easylist-Cookie List' as a default list source | ✔️ | unknown |
| #brave-rewards-verbose-logging | Enable Brave Rewards verbose logging | ❌ (enabled by default since 1.25.68+) | unknown |
| #brave-rewards-webui-panel | Use WebUI Rewards Panel | ✔️ | 1.43.53/104.0.5112.69 |
| #durable-client-hints-cache | Persistent client hints | ❌ | unknown |
| #enable-parallel-downloading | Parallel downloading | ✔️ | unknown |
| #enable-prerender2 | Prerender2 | ✔️ (90.x+) | unknown |
| #enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes | Throttle non-visible cross-origin iframes | ✔️ | unknown |
| #enable-vulkan | Use Vulkan as the graphics backend | ✔️ On Linux use either Vulkan or raw draw; if you enable both, raw draw is preferred to avoid compatibility issues | unknown |
| #restrict-websockets-pool | Restrict WebSockets pool | ✔️ (97.x+) | unknown |
| #subframe-shutdown-delay | Add delay to subframe renderer process shutdown | ❌ | unknown |

πŸ” Back to top πŸ”

Desktop Functionality / Usability

| Flag | Flag Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (this will become obsolete and enabled by default once fully stable and merged into Shields directly) | unknown |
| #brave-cosmetic-filtering-sync-load | Enable sync loading of cosmetic filter rules | ✔️ | unknown |
| #chrome-whats-new-ui | Show Chrome What's New page at brave://whats-new (93.x+) | ❌ | unknown |
| #enable-force-dark | Force Dark Mode for Web Contents | ✔️ increases text contrast | unknown |
| #enable-jxl | Enable JXL image format | ✔️ (Chrome 91.1.x+) | unknown |
| #extensions-menu-access-control | Extensions Menu Access Control | ✔️ We enforce it | disabled |
| #extension-workflow-justification | Extension request justification (93.x+) | ✔️ | unknown |
| #force-color-profile | Force color profile | ✔️ scRGB or HDR (if your monitor supports HDR, enable the HDR option) | unknown |
| #forced-colors | Forced Colors | ✔️ | unknown |
| #history-journeys-omnibox-action | History Journeys Omnibox Action | ✔️ (Chrome 97+) | unknown |
| #history-journeys | History Journeys | ✔️ (Chrome 98+) | unknown |
| #page-info-history-desktop | Page info history | ✔️ (Chrome 97+) | unknown |
| #quick-commands | Quick Commands | ✔️ | disabled |
| #scrollable-tabstrip | Tab Scrolling | ✔️ (tabs shrink to a medium width) | unknown |

πŸ” Back to top πŸ”

Desktop Scrolling

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#smooth-scrolling Smooth Scrolling ✔️ Depends on the platform, disabled

πŸ” Back to top πŸ”

Desktop PWA

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#enable-desktop-pwas-launch-handler Desktop PWA launch handler ✔️ unknown
#enable-desktop-pwas-sub-apps Desktop PWA Sub Apps ✔️ unknown
#enable-desktop-pwas-tab-strip-settings Desktop PWA tab strip settings ✔️ unknown
#enable-desktop-pwas-web-bundles Desktop PWAs Web Bundles ✔️ unknown
#enable-desktop-pwas-window-controls-overlay Desktop PWA Window Controls Overlay ✔️ unknown

πŸ” Back to top πŸ”

Desktop Brave Reader Mode / Speedreader

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#enable-reader-mode Enable Reader Mode ✔️ Enabled, available in settings (we enforce it, optional) Will be changeable in Brave Settings, disabled by default

πŸ” Back to top πŸ”

Desktop outdated, removed or integrated/replaced

Flag Name Disabled since or/and Comment
#pwa-update-dialog-for-name-and-icon Enable PWA install update dialog for name/icon changes ✔️ 1.38.x
#enable-desktop-pwas-remove-status-bar Desktop PWAs remove status bar ✔️ 1.38.x
#enable-desktop-pwas-prefix-app-name-in-window-title Desktop PWAs prefix window title with app name. ✔️ 1.38.x
#enable-desktop-pwas-notification-icon-and-title Desktop PWAs improvements in notification icon and title ✔️ 1.38.x
#enable-desktop-pwas-elided-extensions-menu Desktop PWAs elided extensions menu ✔️ 1.39.x
#percent-based-scrolling Percent-based Scrolling ✔️ 1.38.x
#sharing-hub-desktop-omnibox Desktop Sharing Hub in Omnibox ✔️ (Chrome 91+) 1.38.x
#sharing-hub-desktop-app-menu Desktop Sharing Hub in App Menu ✔️ (Chrome 91+) 1.40.x
#shared-highlighting-v2 Shared Highlighting 2.0 ✔️ (Chrome 90.x+) 1.39.x
#playback-speed-button Playback Speed Button ✔️ 1.40.x
#page-info-about-this-site About this Site in Page Info ✔️ 1.40.x
#omnibox-keyword-space-triggering-setting Omnibox Keyword Space Triggering Setting ✔️ 1.39.x
#media-session-webrtc Enable WebRTC actions in Media Session (93.x+) ✔️ 1.40.x
#colr-v1-fonts COLR v1 Fonts ✔️ 1.39.x
#brave-talk Enable Brave Talk ✔️ 1.40.x
#brave-adblock-redirect-url Enable support for $redirect-url filter option for adblock rules ✔️ 1.41.96+
#throttle-foreground-timers Throttle Foreground Timers to 30 Hz ✔️ 1.41.96+
#subframe-shutdown-delay Add delay to subframe renderer process shutdown ❌ 1.41.96+
#privacy-review Privacy Review (93.1.31.39+) ✔️ 1.41.96+
#omnibox-pedals-batch2 Omnibox Pedals batch 2 ❌ 1.41.96+
#ntp-cache-one-google-bar Cache OneGoogleBar ❌ 1.41.96+
#force-major-version-to-100 #force-major-version-to-100 ❌ 1.41.96+
#enable-payment-request-basic-card PaymentRequest API 'basic-card' method ❌ 1.41.96+
#strict-extension-isolation Strict Extension Isolation ✔️ 1.41.96+
#enable-tls13-early-data TLS 1.3 Early Data ✔️ 1.41.96+
#post-quantum-cecpq2 TLS Post-Quantum Confidentiality ✔️ integrated and merged into Chrome 101+.
#brave-speedreader Enable SpeedReader ✔️ This is now a settings point under Browser Settings since v95+ which you can easily switch.
N/A Enable Tab Search (the little arrow-down icon to search through tabs) Chrome 90, to disable it you can use --disable-features=TabSearch, an option to disable it is planned.
#enable-experimental-fling-animation Enable experimental fling animation (enabled) Chrome 91+
#vertical-tabs Vertical tabs (enabled) Implemented in Brave 91+ - Menu allows multiple states, hide on click, on/off etc.
#pdf-viewer-update PDF Viewer Update (enabled) Chrome 91+
N/A Cookies without SameSite must be secure (enabled) Chrome 91+
N/A SameSite by default cookies (enabled) Chrome 91+
N/A Anonymize local IPs exposed by WebRTC (enabled) Chrome 91+
N/A Show enhanced protection message in security interstitials (enabled) Chrome 90+
#storage-access-api Storage Access API Chrome 90+
N/A Treat risky downloads over insecure connections as active mixed content (enabled) Chrome 90+, default in 91+ (no visible option)
Multiple flags Every image lazy loading flag Enabled, but caused too many problems
N/A Load media router component (disabled) Chrome 89+
N/A Force empty CORB and CORS allowlist (enabled) Chrome 89+
N/A Load media router component (disabled) By default removed by Brave (Chrome 89+)
N/A Background Push Notifications (disabled) Push replaced/tunneled (Chrome 89+)
N/A Enable On-Demand Media Router Extension (disabled) Chrome 89+
N/A Toast Notification Background Task Event Handlers (disabled) Chrome 89+
N/A Enable Share Targets (disabled) Chrome 89+
#use-sync-sandbox Use Chrome Sync Sandbox (disabled) Brave enforces disabled as default state (metadata).
#global-media-controls-for-chromeos Global Media Controls for ChromeOS ChromeOS 90 (default)
N/A screen-capture (disabled) Default with Chrome 89+
#scanning-ui Scanning UI Enabled by default in Chrome 90+
#app-service-adaptive-icons Adaptive Icons Replaced in Chrome 90+
#enable-holding-space Holding Space API Replaced with Chrome 90+
#holding-space-previews Space Previews Disabled by default in Chrome 90+
#enhanced_clipboard Enhanced Clipboard Removed with Chrome 89+
#ash-limit-alt-tab-to-active-desk Activate Tab limit Removed with Chrome 88+
#ash-limit-shelf-items-to-active-desk N/A Default in Chrome 90+ (removed, no visible option)
#enable-auto-select Enable Auto Select Default integrated since Chrome 89+
#force-preferred-interval-for-video Force preferred interval for video Default in Chrome 89+ (removed, no visible option)
#files-filters-in-recents Filter files in Recents Obsolete with Chrome 89+
#copy-link-to-text Copy link to Text Disabled with Brave 1.31.87
#enable-accessibility-live-caption Enable Accessibility Live Caption (disabled) Broken in Chrome 89, pulls data from Google
N/A Allow all sites to initiate mirroring (disabled) Removed with Chrome 88+
N/A Enable Share Targets (disabled) Disabled in Chrome 89+
#turn-off-streaming-media-caching-always Turn off caching of streaming media to disk (Chrome 92+) ✔️
#turn-off-streaming-media-caching-on-battery Turn off caching of streaming media to disk while on battery power. (Chrome 91+) ✔️
#enable-new-contacts-picker Enables the new contacts picker ✔️
#enable-new-photo-picker Enables the new photo picker ✔️
#enable-ftp Enable FTP FTP support was removed in Chrome 95+.
#sync-compromised-credentials Syncing of Security Issues ❌
#brave-adblock-default-1p-blocking Shields first-party network blocking (1.30.27+) ✔️
#brave-dark-mode-block Enable dark mode blocking fingerprinting protection (1.30.27+), the setting now depends on Shield settings ✔️
#omnibox-short-bookmark-suggestions Omnibox short bookmark suggestions ❌
#omnibox-tab-switch-suggestions Omnibox switch to tab suggestions ❌ (Omnibox calls to Google Backend for Beacon, Statistics etc.)
#omnibox-pedal-suggestions Omnibox Pedal suggestions ❌
#schemeful-same-site Schemeful Same-Site ✔️
#brave-permission-lifetime Permission Lifetime ✔️ (91+)
#safe-browsing-real-time-url-lookup-enterprise-ga-endpoint Use the new GA endpoint to perform enterprise real time URL check. ❌
#clear-cross-browsing-context-group-main-frame-name Clear window name in top-level cross-browsing-context-group navigation ✔️ (91.1+) ⚠️ needs further investigation, since the impact is unclear.
#passwords-account-storage Enable the account data storage for passwords ❌ (88.x+)
#brave-ads-custom-notifications Enable Brave Ads custom notifications ✔️
#window-naming Window Naming ✔️ Setting under More tools - Name Window
#brave-adblock-cname-uncloaking Enable CNAME uncloaking ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly)
#dns-httpssvc Support for HTTPSSVC records in DNS ✔️ (needs further investigation)
#omnibox-default-typed-navigations-to-https Omnibox - Use HTTPS as the default protocol for navigations ✔️
#brave-first-party-ephemeral-storage First Party Ephemeral Storage (95.0.4638.40+) ✔️
#enable-unsafe-webgpu-service Unsafe WebGPU Service ❌
#quiet-notification-prompts Quieter notification permission prompts ✔️
#privacy-sandbox-settings Privacy Sandbox Settings ✔️ (90.1+)
#safety-check-chrome-cleaner-child Enables the Chrome Cleanup Tool child in safety check. ❌ (91.x+)

πŸ” Back to top πŸ”

Android (mobile) Flags

Mobile Security

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#block-insecure-private-network-requests Block insecure private network requests. ✔️ unknown
#brave-ephemeral-storage Enable Ephemeral Storage ✔️ unknown
#clear-cross-site-cross-browsing-context-group-window-name Clear window name in top-level cross-site cross-browsing-context-group navigation ✔️ unknown
#disallow-doc-written-script-loads Block scripts loaded via document.write ✔️ unknown
#enable-site-isolation-for-password-sites Enable Site Isolation for Password Sites ✔️ unknown
#enable-site-per-process Part of Site Isolation ✔️ unknown
#origin-agent-cluster-default Origin-keyed Agent Clusters by default ✔️ 102.x
#strict-origin-isolation Strict-Origin-Isolation ❌ unknown
#sync-trusted-vault-passphrase-recovery Enable sync trusted vault passphrase with improved recovery ❌ unknown

πŸ” Back to top πŸ”

Mobile Privacy

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#autofill-enable-sending-bcn-in-get-upload-details Enable sending billing customer number in GetUploadDetails ❌ Enabled if preflights are enabled.
#autofill-fill-merchant-promo-code-fields Enable Autofill of promo code fields in forms ❌ unknown
#autofill-parse-merchant-promo-code-fields Parse promo code fields in forms ❌ unknown
#brave-adblock-cosmetic-filtering-child-frames Apply cosmetic filtering to frames other than the main frame of a page ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. 103.1.42.74/1.42.74
#brave-dark-mode-block Enable dark mode blocking fingerprinting protection ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. unknown
#brave-debounce Enable debouncing (94.x+) ✔️ unknown
#brave-domain-block-1pes Enable domain blocking using First Party Ephemeral Storage ✔️ unknown
#continuous-search Continuous Search ❌ unknown
#device-posture Device Posture API ❌ unknown
#edit-context EditContext API ❌ (100.0+) unknown
#enable-autofill-credit-card-authentication Allow using platform authenticators to retrieve server cards ❌ (87.x+) unknown
#enable-commerce-price-tracking Price Tracking ❌ Connections to Google and partners + market influence and manipulation. It is better and more privacy-friendly to trust independent retailers and price comparison engines such as Geizhals, Mindfactory etc. unknown
#enable-fenced-frames Enable the <fencedframe> element. ✔️ with ShadowDOM; on Android versions prior to 9 set this to Enabled, otherwise you might get browser crashes. unknown
#enable-generic-sensor-extra-classes Generic Sensor Extra Classes ❌ unknown
#enable-payment-request-basic-card PaymentRequest API 'basic-card' method ❌ unknown
#enable-quic Enable QUIC Protocol ✔️ (Brave filters controversial APIs) unknown
#feed-stamp Enable StAMP cards in the Feed ❌ Default, depends on whether you use Feeds or not.
#font-access Font Access APIs ❌ unknown
#force-major-version-to-100 #force-major-version-to-100 ❌ unknown
#incognito-screenshot Allow Incognito Screenshots ❌ unknown
#large-favicon-from-google Large favicons from Google ❌ unknown
#omnibox-assistant-voice-search Omnibox Voice Search Assistant ❌ unknown
#partitioned-cookies Partitioned Cookies ✔️ unknown
#reduce-user-agent Reduce User-Agent request header ✔️ unknown
#reduce-user-agent-minor-version Reduce the minor version in the User-Agent string ✔️ unknown
#related-searches-in-bar Enables showing Related Searches in the peeking bar. ❌ disabled to avoid search engine ping-backs unknown
#wallet-service-use-sandbox Wallet Services uses Google's Sandbox ❌ Connects to some Google endpoints. unknown
#webxr-incubations WebXR Incubations ❌ (92.0+) unknown

πŸ” Back to top πŸ”

Mobile PWA

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#messages-for-android-pwa-install PWA Installation Messages UI ✔️ disabled
#pwa-update-dialog-for-name-and-icon Enable PWA install update dialog for name/icon changes ✔️ disabled

πŸ” Back to top πŸ”

Mobile Performance

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#back-forward-cache Back and forward Cache ❌ disabled
#brave-adblock-cookie-list-default Treat 'Easylist-Cookie List' as a default list source ✔️ disabled
#canvas-oop-rasterization Out-of-process 2D canvas rasterization. ✔️ enable it on Android 10+ disabled
#chrome-share-long-screenshot Long press share screenshot ❌ unknown
#contextual-search-debug Contextual Search Debug ❌ unknown
#contextual-search-longpress-resolve N/A ❌ unknown
#contextual-search-translation N/A ❌ unknown
#durable-client-hints-cache Persistent client hints ❌ unknown
#enable-drdc Enables Display Compositor to use a new gpu thread. ✔️ enable on Android 10+ unknown
#enable-gpu-rasterization GPU rasterization ✔️ enable on Android 10+ unknown
#enable-instant-start Instant start ✔️ unknown
#enable-parallel-downloading Parallel downloading ✔️ unknown
#enable-prerender2 Prerender2 ✔️ (90.x+) unknown
#enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes Throttle non-visible cross-origin iframes ✔️ unknown
#restrict-websockets-pool Restrict WebSockets pool ✔️ (97.x+) unknown
#smooth-scrolling Smooth Scrolling ✔️ unknown
#throttle-foreground-timers Throttle Foreground Timers to 30 Hz ✔️ unknown

πŸ” Back to top πŸ”

Mobile Functionality / Usability

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#android-picture-in-picture-api Picture in Picture Web API for Android ✔️ unknown
#brave-adblock-cname-uncloaking Enable CNAME uncloaking ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) unknown
#brave-adblock-redirect-url Enable support for $redirect-url filter option for adblock rules ✔️ unknown
#brave-cosmetic-filtering-sync-load Enable sync loading of cosmetic filter rules ✔️ unknown
#context-menu-google-lens-chip Google Lens powered image search surfaced as a chip below the context menu. ❌ unknown
#context-menu-search-with-google-lens Google Lens powered image search in the context menu. ❌ unknown
#context-menu-shop-with-google-lens Google Lens powered image search for shoppable images in the context menu. ❌ unknown
#context-menu-translate-with-google-lens Google Lens powered image search for translatable images surfaced as a chip under the context menu. ❌ unknown
#continuous-search Continuous Search ✔️ unknown
#darken-websites-checkbox-in-themes-setting Darken Websites checkbox in Theme settings ✔️ unknown
#enable-force-dark Force Dark Mode for Web Contents ✔️ increases text contrast unknown
#enable-jxl Enable JXL image format ✔️ (Chrome 91.1.x+) unknown
#enable-quick-action-search-widget-android Quick Search Widget ✔️ unknown
#google-lens-sdk-intent Enable the use of the Lens SDK when starting intent into Lens. ❌ unknown
#media-session-webrtc Enable WebRTC actions in Media Session (93.x+) ✔️ unknown
#messages-for-android-ads-blocked Ads Blocked Messages UI ✔️ unknown
#messages-for-android-permission-update Permission Update Messages UI ✔️ unknown
#messages-for-android-reader-mode Reader Mode Messages UI ✔️ unknown
#page-info-about-this-site About this Site in Page Info ✔️ unknown
#photo-picker-video-support Photo Picker Video Support ✔️ (with animated thumbnails), the option only works on Android 9+ unknown
#playback-speed-button Playback Speed Button ✔️ unknown
#shared-highlighting-v2 Shared Highlighting 2.0 ✔️ (Chrome 90.x+) unknown
#shopping-list Shopping List ❌ can create problems with Sync, and working with Bookmarks is a PITA in Chrome in general; hopefully Brave gets a Widget for this one day. unknown
#voice-button-in-top-toolbar Voice Button in Top Toolbar ❌ The reason why the Voice function will never work is that Google prevents using alternative services, so we disable it. unknown

πŸ” Back to top πŸ”

Mobile outdated, removed or integrated/replaced

Flag Name Disabled since or/and Comment
#google-mobile-services-passwords Google Mobile Services for Passwords ❌ unknown
#post-quantum-cecpq2 TLS Post-Quantum Confidentiality ✔️ integrated and merged into Chrome 101+.
#enable-tab-grid-layout Tab Grid Layout This flag is a leftover, the function was removed from the source code. If you want Grid you need to use 1.35.104
#brave-sync-v2 Enable Brave Sync v2 Depends on user choice (opt-in), you can set it manually under Settings.
#global-media-controls-for-chromeos Global Media Controls for ChromeOS Depends on your platform, only available in ChromeOS
#enable-sharing-page-via-qr-code Enable sharing page via QR Code Merged into the Browser (stable).
#enable-tls13-early-data TLS 1.3 Early Data ✔️
#enable-ftp Enable FTP Removed from the source code
#brave-adblock-default-1p-blocking Shields first-party network blocking (1.30.27+) ✔️
#brave-dark-mode-block Enable dark mode blocking fingerprinting protection (1.30.27+), the setting now depends on Shield settings ✔️
#clear-cross-browsing-context-group-main-frame-name Clear window name in top-level cross-browsing-context-group navigation ✔️ (91.1+) ⚠️ needs further investigation, since the impact is unclear.
#passwords-account-storage Enable the account data storage for passwords ❌ (88.x+)
#brave-rewards-bitflyer Enable bitFlyer for Brave Rewards (default) Will be detected by keyboard/OS language
#u2f-security-key-api Enable the U2F Security Key API ❌
#cookies-without-same-site-must-be-secure N/A ✔️
#legacy-tls-enforced N/A ❌ (might break some pages that use "outdated TLS configurations")
#omnibox-default-typed-navigations-to-https N/A ✔️
#treat-unsafe-downloads-as-active-content N/A ✔️
#brave-first-party-ephemeral-storage First Party Ephemeral Storage (95.0.4638.40+) ✔️
#safe-browsing-client-side-detection-android Safe Browsing Client Side Detection on Android ❌
#omnibox-local-zero-suggest-frcency-ranking Omnibox Local Zero Suggest Frequency Ranking ❌
#share-by-default-in-cct Share by Default ❌
#enable-accessibility-live-caption Live Caption ❌ (90.x+) ⚠️ borked
#system-keyboard-lock Experimental system keyboard lock ❌ (89.x+)
#privacy-sandbox-settings Privacy Sandbox Settings ✔️ (90.1+)
#chrome-share-highlights-android N/A ❌
#cookie-deprecation-messages N/A ❌
#enable-android-dark-search Enable Android Dark Search ✔️
#enable-ephemeral-tab-bottom-sheet Enable Ephemeral Tab Bottom Sheet ✔️ Open at half state
#quiet-notification-prompts Quieter Notification Prompts ✔️ adaptive activation
#read-later Read Later (Reading List) ✔️
#share-button-in-top-toolbar Share Button in Top Toolbar ❌
#toolbar-iph-android Toolbar IPH in Android ❌
#sharing-hub-desktop-app-menu Desktop Sharing Hub in App Menu ✔️ (Chrome 91+)
#sharing-hub-desktop-omnibox Desktop Sharing Hub in Omnibox ✔️ (Chrome 91+)
#omnibox-native-voice-suggestions-provider Omnibox Native Voice Suggestions Provider ❌

πŸ” Back to top πŸ”

Brave only specific flags (not needed to be enforced)

Flag Name Info Comment Default flag state
#brave-adblock-cosmetic-filtering Enable cosmetic filtering Enabled by default even if it only shows "default" enabled
#brave-adblock-csp-rules Enable support for CSP rules Does not need to be enforced (since 1.25.68+) unknown
#brave-ads-allowed-to-fallback-to-custom-push-notification-ads Allow Brave Ads to fallback from native to custom push notifications This is OS specific and will be obsolete in the future, since Brave will detect the OS and then automatically fall back to the legacy system. unknown
#brave-decentralized-dns Enable Decentralized DNS ✔️ This is now a settings point under Browser Settings since v95+ which you can easily switch. unknown
#brave-news Enable Brave News Your own decision to enable it or not, it is a global switch. unknown
#enable-lens-region-search Search your screen with Google Lens (93.1.31.39+), since 1.36.112 it is disabled by default. ❌ unknown
#enable-webrtc-hide-local-ips-with-mdns This is not Brave specific, but there are two ways Brave handles it, via Shields or via Settings Do not enforce it via flag unknown
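
The tables above say which flags to set to Enabled or Disabled, but the browser offers no way to compare a running profile against such a list. As an added example (it is not part of this guide and not Brave's code), the following Python script reads the choices persisted from brave://flags out of the profile's Local State file and reports, for a chosen subset of the Security table flags, which ones match, which differ and which are still at their default (listed as "unknown" above for most flags, so worth a look). Chromium stores a boolean feature flag toggled under brave://flags as <flag>@1 (Enabled) or <flag>@2 (Disabled) in browser.enabled_labs_experiments and stores nothing for a flag left at Default. The Linux Local State path is an assumption for the default install location, and the sample JSON is constructed for the example.

```python
"""Audit the brave://flags choices persisted in a profile's Local State.

Added example, not from the guide or from Brave. A boolean feature flag is
stored as "<flag>@1" (Enabled) or "<flag>@2" (Disabled); a flag left at
Default is absent; a switch-style flag is stored without an @ suffix.
"""
import json
from pathlib import Path

# Desired states taken from the guide's Security tables (True = Enabled).
DESIRED = {
    "block-insecure-private-network-requests": True,
    "enable-site-per-process": True,
    "strict-origin-isolation": False,
    "sync-trusted-vault-passphrase-recovery": False,
    "enable-parallel-downloading": True,
}


def default_local_state_path():
    """Default Linux location of the file (assumption; adjust per OS/channel)."""
    return Path.home() / ".config" / "BraveSoftware" / "Brave-Browser" / "Local State"


def parse_local_state(text):
    """Return {flag: state} for every entry in browser.enabled_labs_experiments.

    state is True (Enabled), False (Disabled), None (bare switch-style flag)
    or the raw choice index as a string for multi-choice flags.
    """
    data = json.loads(text)
    entries = data.get("browser", {}).get("enabled_labs_experiments", [])
    states = {}
    for entry in entries:
        name, sep, choice = entry.partition("@")
        if not sep:
            states[name] = None
        elif choice == "1":
            states[name] = True
        elif choice == "2":
            states[name] = False
        else:
            states[name] = choice
    return states


def audit(states, desired):
    """Map each desired flag to "ok", "mismatch" or "default" (not set)."""
    report = {}
    for flag, wanted in desired.items():
        if flag not in states:
            report[flag] = "default"
        elif states[flag] == wanted:
            report[flag] = "ok"
        else:
            report[flag] = "mismatch"
    return report


# Constructed sample: three flags as the guide wants them, one inverted
# (strict-origin-isolation Enabled instead of Disabled), one never touched
# (enable-parallel-downloading), plus an unrelated switch-style entry.
SAMPLE_LOCAL_STATE = json.dumps({
    "browser": {
        "enabled_labs_experiments": [
            "block-insecure-private-network-requests@1",
            "enable-site-per-process@1",
            "strict-origin-isolation@1",
            "sync-trusted-vault-passphrase-recovery@2",
            "ignore-gpu-blocklist",
        ]
    }
})

if __name__ == "__main__":
    path = default_local_state_path()
    text = path.read_text() if path.exists() else SAMPLE_LOCAL_STATE
    for flag, verdict in audit(parse_local_state(text), DESIRED).items():
        print(f"{verdict:9} {flag}")
```

Run it with the browser closed so the file is not being rewritten; extend DESIRED with the rows from the tables above that matter to you. Multi-choice flags such as #force-color-profile store an option index rather than 1/2, which is why the parser hands those back as a raw string instead of a boolean.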

πŸ” Back to top πŸ”

Other Useful Brave Browser Tips

  • Add shortcuts to instantly use a website's search bar directly from Brave's search bar, e.g. youtube, amazon, etc.
  • DO NOT use nightly builds. The logic of using nightly builds to get "things first" is flawed. Often you run into MORE fingerprinting due to bugs and unreviewed code than with stable builds. Critical vulnerabilities get fixed immediately in stable builds anyway.
  • Brave is well documented and their Wiki helps a lot.
  • Export / import Chrome flags (mobile/desktop) via script, see here.
  • Go to brave://adblock (the URI also works on Mobile!) and enable only the following filters to maintain the best filtering performance: CJX's Annoyance List, Easylist-Cookie List - Filter Obtrusive Cookie Notices, Fanboy Annoyances List, Fanboy Social List (optional), uBlock Annoyances List (used with Fanboy Annoyances List) + one OPTIONAL language based Easylist (depends on your region). DO NOT enable more filters, more is not (always) better.
  • Starting with Chrome 90/91+ Sandboxie Technologies (SBIE Open source) has some issues with Chrome/Chromium/Brave, I do not suggest using it. If you want another isolation layer, use a RAM disk and move all temp data onto that drive. It has much better performance than Sandboxie.
  • You still can change the User-Agent on mobile with root; it is not advised to change the UA because Brave addressed all UA based concerns.
  • How-To start Brave in Incognito Mode, see also here for a more in-depth guidance.
  • You can start Brave directly in Tor Mode via onion, e.g. "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" onion; further modes and their implementation are being discussed over here.
  • If Brave Browser blocks your download, turn off "Safe Browsing" in the settings. There is also a secret cheat code built into these warnings ("This is not a safe connection" etc.): if you type thisisunsafe in all lower case on your keyboard, you can bypass any security warning.
  • "Zero-copy rasterizer" and "Disable site isolation" shall never be touched, they cause crashes.
  • Some useful start parameters are --silent-launch, --tor and --incognito; those cmdline params work since 1.29.48 (or higher).

πŸ” Back to top πŸ”

Linux specific Tips

You can create a file called chrome-flags.conf and put it at $HOME/.config/chrome-flags.conf; this makes it easier to work with flags without opening the Browser.

Example chrome-flags.conf shown below.

--disable-features=UseChromeOSDirectVideoDecoder
--disable-gpu-driver-bug-workarounds
--enable-accelerated-2d-canvas
--enable-accelerated-video-decode
--enable-features=VaapiVideoDecoder
--enable-gpu-rasterization
--enable-oop-rasterization
--enable-zero-copy
--ignore-gpu-blocklist
# Borked until Chrome 96
#  https://chromiumdash.appspot.com/commit/a4de986102a45e29c3ef596f22704bdca244c26c
# ... and Chrome 98
# https://bugs.chromium.org/p/chromium/issues/detail?id=1236697
#
# Up to you and your preference and device.
# --gpu-testing-vendor-id=0x8086
# --gpu-testing-device-id=0x5917
# --force-device-scale-factor=1.00
# --enable-features=WebUIDarkMode
# --force-dark-mode
  • You can enforce the usage of VA-API (vaapi) by default via brave --enable-oop-rasterization --enable-accelerated-video-decode.
  • To enforce Wayland support (Chromium 87+) you can use brave --enable-features=UseOzonePlatform --ozone-platform=wayland. In case you get crashes on some distros, you need to use it together with --disable-gpu to avoid hard crashes.
  • SIGSEGV & SIGTRAP error codes in Brave
  • No video hardware acceleration available on some pages: some videos on e.g. YouTube are encoded using AV1 and Brave will use the dav1d software decoder for those. For ones encoded differently, Brave will indeed use the GPU if you enabled --enable-features=VaapiVideoDecoder.
  • The Override software rendering list flag can be used to enforce that your GPU will be used (which might be blacklisted otherwise).
  • The Enable Mojo Shared Memory Channel flag can be used to share messages from the GPU buffer, which might increase performance a bit.
  • On Ubuntu based distros I personally use the following combination for passthrough: --ignore-gpu-blocklist, --enable-gpu-rasterization, --enable-zero-copy, --disable-gpu-driver-bug-workarounds and --use-gl=desktop. Keep in mind that rasterization and zero-copy are highly unstable (depends on the OS/distro).
  • Font rendering can be a PITA, Settings --> Advanced --> System --> Hardware Acceleration is your first starter here.
  • #enable-gpu-rasterization + #enable-zero-copy + #canvas-oop-rasterization combined can boost the performance on Linux by a solid 10 percent, do not enable those flags on other platforms.
  • #enable-skia-renderer gets rid of log spam on Intel iGPUs.
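
One pitfall with a chrome-flags.conf like the one above: Chromium's command-line parser keeps only the last value of a switch that is given more than once, so uncommenting the --enable-features=WebUIDarkMode line in the example would silently replace --enable-features=VaapiVideoDecoder instead of adding to it, and hardware video decoding would be gone without any error. The following Python check is an added example (not part of this guide) that parses such a file, reports repeated switches, shows what the browser would actually end up with, and prints a merged version in which the feature lists are joined with commas as Chromium expects. The sample configuration is constructed from the example above with that one commented-out line uncommented.

```python
"""Check a chrome-flags.conf for switches that silently override each other.

Added example, not part of the guide. Every non-comment line is one argument;
Chromium keeps only the LAST value of a repeated switch, so two
--enable-features=... lines do not add up. Feature lists belong in a single
switch with comma-separated values.
"""
import sys
from pathlib import Path

# Switches whose value is a comma-separated list that may be merged.
LIST_SWITCHES = {"--enable-features", "--disable-features"}


def parse_flags(text):
    """Yield (switch, value) for each non-empty, non-comment line.

    value is None for a bare switch such as --ignore-gpu-blocklist.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        switch, sep, value = line.partition("=")
        yield switch, (value if sep else None)


def duplicate_switches(text):
    """Switches that occur more than once, in order of first appearance."""
    seen, dupes = set(), []
    for switch, _ in parse_flags(text):
        if switch in seen and switch not in dupes:
            dupes.append(switch)
        seen.add(switch)
    return dupes


def _render(table):
    return [s if v is None else f"{s}={v}" for s, v in table.items()]


def effective_flags(text):
    """What the browser really sees: a repeated switch keeps its last value."""
    result = {}
    for switch, value in parse_flags(text):
        result[switch] = value
    return _render(result)


def merged_flags(text):
    """Corrected list: feature-list switches are joined, others keep the last value."""
    result = {}
    for switch, value in parse_flags(text):
        if switch in LIST_SWITCHES and result.get(switch) and value:
            features = [f for f in result[switch].split(",") if f]
            for feature in value.split(","):
                if feature and feature not in features:
                    features.append(feature)
            result[switch] = ",".join(features)
        else:
            result[switch] = value
    return _render(result)


# Constructed sample: the guide's file reduced to a few lines, with the
# WebUIDarkMode line uncommented so that --enable-features appears twice.
SAMPLE_CONF = """\
--disable-features=UseChromeOSDirectVideoDecoder
--enable-features=VaapiVideoDecoder
--ignore-gpu-blocklist
# Up to you and your preference and device.
--enable-features=WebUIDarkMode
--force-dark-mode
"""

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONF
    for switch in duplicate_switches(text):
        print(f"warning: {switch} appears more than once; only the last value survives")
    print("# effective (last value wins):")
    print("\n".join(effective_flags(text)))
    print("# merged:")
    print("\n".join(merged_flags(text)))
```

Run it as python3 check_flags.py ~/.config/chrome-flags.conf; the merged output can be pasted back into the file. The same rule applies to flags passed on the command line, so brave --enable-features=A --enable-features=B only enables B.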

πŸ” Back to top πŸ”

Default Fonts

By default Brave Browser ships with Poppins and Muli, which you see in its own UI, but those fonts are not the default fonts used to render actual web content.

The actual fonts are

  • Standard font: Liberation Serif / Times New Roman 16
  • Serif font: Liberation Serif / Times New Roman 16
  • Sans-serif font: Liberation Sans / Arial 16
  • Fixed-width font: Monospace / Consolas 13

Keep in mind that the list can differ because some distros do not include the mentioned fonts by default; in that case other fonts are the defaults. Font rendering issues are actually a thing.

My own suggestion is

  • Standard font: Poppins 16
  • Serif font: Poppins 16
  • Sans-serif font: Open Sans 16
  • Fixed-width font: Muli 12
  • Set the minimum font size to 6 and not 0, which is a borked default.

There is currently no way to disable font anti-aliasing/font smoothing.

πŸ” Back to top πŸ”

Browser Extensions

In general, less is more: fewer extensions mean less memory use and a smaller attack surface, and also help in terms of speed and fingerprinting.

Extension Comment
Behave! Monitors and warns if a web page performs DNS Rebinding attacks to Private IPs, accesses Private IPs and allows Port Scans (among other features).
Bypass Paywalls alternative Bypass Paywalls for Chrome Clean Bypass annoying article PayWalls.
CSS Exfil Protection Guard your browser against CSS Exfil attacks (will be obsolete with Chrome 102+).
Demodal A browser extension that blocks modals and overlays. It can be used in addition to uBlock or Brave's Ad-Block to bypass e.g. paywalls and other modals which are hard to block via uBO or heavily rely on static filter lists.
Extension source viewer View source code of Chrome extensions, Firefox addons or Opera extensions (crx/nex/xpi) from the Chrome web store and elsewhere.
JShelter alias JS-Restrictor Extension for increasing security and privacy level of the user.
Keyboard Privacy Prevents behavioral profiling by randomizing the rate at which characters reach the DOM (will be obsolete with Chrome 92+!).
Old Reddit Redirect Alternative via script, I prefer the script! Or you use Redirector 👇.
Redirector The add-on lets you create redirects for specific webpages, e.g. always redirect http://bing.com to http://startpage.com
Session Buddy Manage Browser Tabs and Bookmarks easily.
Tabs Session Manager WebExtensions for restoring and saving window / tab states.
Terms of Service; Didn’t Read Ranks website terms & privacy policies from very good Class A to very bad Class E.
uBlacklist Blocks specific sites from appearing in Google search results.
zwBlocker An extension that helps spot zero-width characters.

πŸ” Back to top πŸ”

Optional Browser Extensions (some suggestions for specific needs)

Extension Comment
Acid Tabs Auto-Grouping your Tabs easily.
Old Brave Dark Theme Workaround some dark mode issues.
CheaperThan. Amazon Snipe Amazon deals.
ClearURLs Until merged with Brave adblock (needs syntax changes in Braves AdBlock). Merged in 1.30.84.
Consent-O-Matic Automatic handling of GDPR consent forms.
Copy Guard A browser extension to prevent copy hijacking. It can be useful if you want a feedback.
Enhancer for YouTube Improve some YouTube features.
Export links of all extensions Export your list of extensions.
External Application Button Useful if you want to add YouTube-DL to right-click menu.
Fake news debunker by InVID & WeVerify AI to detect fake news.
FastForward Don't waste your time with compliance. FastForward automatically skips annoying link shortener.
Grammar and Spell Checker — LanguageTool Spellchecking is integrated into the Brave Browser (might not work on all websites).
Header Editor An extension which can modify the request, include request headers, response headers, redirect requests, and cancel requests.
JShelter Browser extension to mitigate potential threats from JavaScript.
Kee - Password Manager Helper extension for KeePass.
Metamask The MetaMask browser extension enables browsing Ethereum blockchain enabled websites.
MyJDownloader Browser Extension Only relevant if you use/work with JDownloader2.
Reddit Enhancement Suite Some Reddit tweaks.
Search by Image reverse Image Search utility.
Shodan alternative (Open Source) Country Flag & Website Info IP info, Whois and more for visited domain (website).
SponsorBlock for YouTube Skip sponsor ads on YouTube.
Tampermonkey Make sure to opt-out of telemetry! There are alternatives but they do not work as well as TM. TM needs #enable-javascript-harmony & #enable-experimental-web-platform-features for some features (default disabled in Brave), only activate it if absolutely necessary.
The Commenter Check for comments on the web.
Tomato Clock Egg timer for your Browser.
VectorDraw - Paint on Tab Paint on tabs, useful if you do some videos and want to show something.
Web Scrobbler Web Scrobbler helps online music listeners to scrobble their playback history.
WebWormhole WebWormhole lets you send files from one place to another.
YouTube Dislike Count which doesn't need external API call Userscript solution which works without any external API, an extension but with external calls is available here.
papers-with-video Add a video icon to the paper title on arxiv.org if a conference video exists for the paper.
vidIQ Vision for YouTube YouTube statistics (needs login for advanced functions!)

πŸ” Back to top πŸ”

Browser Extensions you do NOT need

Extension Comment
Barrier Already integrated into Brave Shields.
Canvas Blocker Brave randomizes the fingerprint, depending on your Shield settings (brave.com).
Canvas Fingerprint Defender ↑
CanvasFingerprintBlock ↑
ChromeGalvanizer Harden your browser against extension backdoors and exploits. Brave includes hardening already by default.
Cookie-AutoDelete Set shield defaults to never allow Cookies and only unlock Cookies when needed, ensure "clear browser data on exit" and cookies are enabled in Brave's settings.
Decentraleyes Decentraleyes is practically abandonware with little to no impact and outdated resources. The benefit cannot be proven in the real-world because CDNs update very often, due to security fixes, performance etc. using hardcoded and old libraries can make you more vulnerable.
Disconnect Useless, integrated into Braves filter-lists.
Ghostery (ghostery.com) Brave Ad Block does the same. ↑
HTTPS Everywhere Integrated into Brave Shields (support.brave.com).
LAN-port-scan forbidder Browser extension to protect private network. You can archive same with a Lan blocking filterlist + Browser restricts specific ports already by default.
LocalCDN Integrated into Brave Shields, lots of CDNs and Endpoints getting tunneled.
NoScript Not needed, you archive same with Brave shield or uBlock (if you know how to work with custom filters).
Privacy Badger Privacy Badger does same as uBO/Brave Adblock, the "AI" based function (learning) got disabled by default due to metadata (privacy) concerns. It can also easily be detected (adtechmadness.wordpress.com).
Privacy Possum Integrated into Brave Shields.
Trace Partially integrated into Shields, not all features.
uBlock Origin Only needed if you are an advance user because Brave Adblock constantly evolves together with uBlock and new features getting adopted and integrated.

🔝 Back to top 🔝

Parcourstest

Here are the tests the Browser (Desktop/Mobile) needs to pass. This is necessary so that we know the flags/changes we made do not negatively influence the Browser in a way we do not want. Privacytests.org provides a solid but not perfect overview of what is currently covered with the DEFAULT Brave Browser settings and Shields settings. Test results vary a lot with changed Shields settings as well as changed flags and settings.

This is my own test ground. You can verify studies, which are always opt-in only, via Griffin; the Brave Variations website basically checks and verifies the given flags and studies, and you can examine what is currently active and what is inactive. Griffin is not spyware, it is designed to review the current staging process as well as to quickly review things like upcoming feature tests and the roll-out process.

Official Test:

The official Brave QA Test Pages are here (dev-pages.brave.software).

Obsolete test pages:

  • https://mixed-script.badssl.com/
  • https://https-everywhere.badssl.com/

🔝 Back to top 🔝


Brave Browser FAQ

🔝 Back to top 🔝

Brave VPN FAQ

Brave VPN

🔝 Back to top 🔝

Brave Talk FAQ

🔝 Back to top 🔝

Brave Rewards FAQ

New and improved Brave Reward Popup to claim Rewards

Flagged Rewards Account

🔝 Back to top 🔝

Brave News FAQ

  • Brave News basically acts like an RSS feed gateway in which you can choose from existing news feeds or add your own. Unlike other services, there are no trackers involved.
  • News feature is enabled by default with build 1.36.105 and higher.

🔝 Back to top 🔝

Brave Wallet FAQ

You can see the Wallet implementation progress here (github.com).

  • Brave Wallet’s source code (github.com) is available under an Open Source license, unlike other popular web 3.0 extensions.
  • Default currency and crypto conversion display settings. (planned)
  • Full native NFT support, including owned NFT discovery, an NFT catalog, and the addition of NFT asset values in your portfolio. (planned)
  • If you install MetaMask, then the default wallet will actively change to MetaMask. If you’re a user of the old Crypto Wallets extension in Brave (a fork of MetaMask), then the first thing to know is that you can switch back to the old wallet in brave://settings/wallet by changing your default wallet back to Crypto Wallets.
  • Live market data for most assets (including non-EVM based assets) (planned)
  • Support for more blockchains (planned)

🔝 Back to top 🔝

Brave Search FAQ

Brave needs to fix the mentioned points, otherwise I cannot suggest using it as a private alternative. Until then you could use Qwant, Presearch or other listed alternatives (https://chef-koch.bearblog.dev/privacy-tools-list-by-chef-koch/#metasearch-engines).

Brave Premium Search

🔝 Back to top 🔝

Brave Translation FAQ

  • Brave currently has no translation engine and they cannot use Google's without violating its terms of service, which results in placeholders and incompatibility with the Google Translate extension. The same goes for Voice, by the way.
  • Official website will be translate.brave.com.
  • The API might be the same as Vivaldi, Lingvanex (lingvanex.com).

🔝 Back to top 🔝

Brave - Ask me anything (AMA) (sorted from newest to oldest)

🔝 Back to top 🔝

Brave Stories explained

Brave Referral Story

The whole story got a lot of attention, however it was always misleading and spread to gain clicks. The matter was resolved after 7-8 hours and pushed as a commit within 12 hours. The actual update got released within 24 hours. Some users had to wait 48 hours because this is how the distribution system handles and delivers updates, to avoid huge pressure on the server or hitting GitHub limitations.

“That being said, I think there was a lot of misunderstanding of the situation. There was no privacy harm to users, and what was being done is similar to how most, if not all, browsers interact with search engines, to receive referral cash. Using DDG in Firefox, to give one example, tells DDG the query came from Firefox the "FFAB", or, guessing, "Firefox Address Bar"…”

“…The user was never able to be tracked, the site wasn't able to learn anything additional about you, etc.”

Source (reddit.com)

Later in 2020 the referral program was shut down (brave.com).

Reference for the Brave vs. Browser X discussion

🔝 Back to top 🔝

Why does Brave consume more RAM than Chrome

  • Brave currently contains over 250k code changes compared to Chrome, which add a lot more features such as ad-blocking, Rewards, Wallet integration and more. Brave is not just another Chromium fork; it adds a lot of unique features.
  • You can reduce the overall memory footprint by disabling hardware acceleration and disabling the option that lets Brave keep running in the background. Both options are enabled by default. You find the options under brave://settings/system. Disabling Brave News also reduces the memory usage.
  • The Brave Team as well as the Chrome team are constantly working on lowering the overall memory footprint, however while adding more and more features and dependencies this is a challenging task.
  • On some systems Brave comes preinstalled with an extension called Plasma Integration, which is enabled by default. If you do not use the GTK+ theme and the search integration for e.g. KWin or KRunner, you can disable or uninstall it.

🔝 Back to top 🔝

Aggressive trolling because Brave uses the word “Privacy”

Especially some Firefox people, or shall I say loyal fans, have been trolling (wikipedia.org) Brave Browser and its Developer Team since practically day one because of the marketing slogan “privacy browser”. This is harsh as well as biased, because no Browser will ever be perfect in this regard. Privacy is not an on or off switch and needs continuous inspection, maintenance and changes to adapt and respond to new problems. Those smear campaigns often come from uneducated people who are not even developers themselves; such people tend to cherry-pick some leaks or open issue tickets and claim the Browser is not as private as advertised, to make the Browser look worse than others. This is a pointless effort because you find open issue tickets on every single Browser; Tor Browser, Firefox, all of them always have some open issue tickets regarding privacy. This is how FOSS works, and open tickets are no measurement instrument or "privacy index". The Brave Team puts a lot of time and research into privacy related problems, just like Firefox and the Tor Browser Project.

Another strategy is to spread fake forks to smear Brave (aur.archlinux.com); even after I reported it to Brave and the Arch Team via Tweet, such disrespectful forks stay online. Not only is this defamation, it also exposes how biased people are against any competition.

Brave Browser is de facto privacy respecting and does by default more than any other Browser on the market, this is done by including a lot of ideas and privacy respecting changes directly into the Brave Browser. In every other Browser you need to work with extensions or configuration changes to come even remotely close to Brave Browser. I do not see how the troll argumentation holds that Brave fails regarding privacy, it is offering a solid ground with the arguably best default out-of-the-box configuration.

If your goal is to become nearly anonymous then use Tor Browser; the Brave Team has clearly communicated this since day one on their website.

🔝 Back to top 🔝

Story about Dissenter

A fake story with false background information, see Brave legally threatens Brave fork trying to remove ads (bitgrum.com).

In April 2019, Dissenter was removed from the Firefox Add-ons website and the Chrome Web Store for violating their policies, which led to the creation of the Dissenter web browser.

Source (discourse.mozilla.org)

The actual reason why this was removed:

🔝 Back to top 🔝

Using Brave's “Private Window with Tor” could get you fired

There are several stories that you can get fired if you use Tor. The problem is that there are industries where compliance requires all work-related communications to be logged and monitored.

This is a general problem and not related to Tor or Brave Browser, it is about what you agreed with in your employment contract. Make sure you check this before you attempt using Tor in general.

🔝 Back to top 🔝

Story about Braver Fork

The story was mainly about a trademark (trademarks.justia.com) violation and not about replacing ads; the Team never asked or contacted Brave for permission to begin with. Also, legal proceedings are needed because GitHub does not take content offline without a court order or trademark confirmation.

🔝 Back to top 🔝

Contradiction regarding Privacy Communities

Brave contradicts themselves with weird statements regarding supporting privacy related communities or not. This is not positive nor negative, just weird.

"Brave doesn't want to be associated with privacy focused groups" (web.archive.org) while Peter Snyder (brave.com) is backing GPC (brave.com) along with DuckDuckGo (spreadprivacy.com), Mozilla (blog.mozilla.org), Disconnect (blog.disconnect.me), Abine (abine.com) and the EFF (eff.org).

Personal Note

I do not work for Brave nor do I get paid for writing any of this. The intention/motivation behind this guide is to harden Brave Browser for maximum performance, security, privacy and make it even more awesome than it already is.

🔝 Back to top 🔝

#chef-koch #hardening #chromium #brave-browser #browser-flags #chrome-hardening