CHEF-KOCH's Microblog ✨

Brave Browser Hardening by CHEF-KOCH


Important - Please read this first

The new website is here (code-cktn.org). Please do not link to my outdated Bear Blog in public, since I moved to my own websites and services.

I would like to thank Bear Blog and the community for hosting my content over the years. Bear Blog is a fine website and service, but I simply decided to host my own websites, projects and services instead, as it gives me more control over my own content.

Project updates

I'll try to keep this hardening guidance updated as much as I can. The flag configurations/changes and tips listed below are only tested against Windows/Linux and Android; I do not plan to test them against macOS/iOS!

See statement above.

Introduction

Hardening does not start with choosing the right tools or networks; hardening begins with gathering information to inform yourself and others in order to stay up to date, so that you can deal with current and upcoming threats. Tools, extensions and co. are just a workaround until someone builds the right system; that starts by voting for and supporting the right politicians and organizations. – Statement CHEF-KOCH, 1997

The main purpose of this guidance is to inform people about possibilities to enhance Brave Browser without depending on other tools or the Brave Team, and without relying on guides on the Internet that are usually quickly outdated.

In case you have some questions, you can ask them directly on my official Matrix Server or use the issue ticket feature to open relevant tickets so that we can address new stuff.

Important notice: READ this before you start changing some random Browser flags!

Just because some flags promise X does not necessarily mean you should enable or change them; there are possible drawbacks!


Unresolved Issues with the biggest privacy/security impact

You can find an overview of all open, reported privacy-related issues directly on the issue tracker (github.com).

☑ indicates that the mentioned issue was fully resolved and ☒ that this is something that will not be fixed because it is by design.

Additional Info:

Please keep in mind that just because there are open issue tickets, this does not necessarily mean they are actively abused in the real world. In lots of cases it is hard to find evidence that theoretical problems are used to directly compromise your security or privacy. Also, some of the mentioned issues might be very hard to fix, because trying to work around them can result in unwanted side effects, such as Browser crashes, website breakage etc.


Project History

10.05.2022 - Release: Brave Browser 1.38.115 for Desktop (github.com) - Release: Brave Browser 1.38.113 for Android (github.com)


Hardening is not a selling argument

The mass media and some privacy communities wrongly echo the claim that hardening and applying best practices represent security and privacy; this is an unproven claim. It is unproven because the vast majority do not use hardened profiles on a daily basis, and there are cases showing that even hardened setups can be compromised; it is a matter of effort. In other words, there is no proof that this is enough. What it does is potentially reduce the attack surface, but that is all. It does not mean you are untouchable or cannot be exploited. Even if you manage to harden everything, you still need to take the human factor into consideration: social engineering works really well and can bypass every firewall and every OS or Browser hardening in a matter of time. The Browser acts like a gateway; it is not meant to be a firewall that monitors every data packet that goes through.

I am entirely against selling privacy and security as a product, and the project goal here is not to fool people into thinking that hardening is something that is either one or zero. The factors for privacy and security are not products you install or scripts or tools you use. It is a relationship between developers and the community to deal with existing as well as new threats. Giving up control by depending on another unknown third party who promises you xyz is not what I like to represent here, because the overall goal is that the mentioned issues are shown to warn users that there are potential risks involved that you can address on a theoretical level. This means they should be shown in order to fix such problems, not to make a profit out of them.

Claiming hardening makes you more secure because 0,1% of all users are doing or using it is working with statistics. Statistics are often flawed because, depending on the data, point of view and experience, they can vary a lot. Assuming everything gets fixed one day, hackers will still try to bypass everything, break it or invent new techniques. This is a cat-and-mouse game without a winner, because the web evolves as well as the Browser itself, and hardening will always be a part of adapting to those changes by working around potential issues.

I am not a fan of mass advertising that hardening or applying best practices is enough. What makes more sense is to make people aware of problems, provide some workarounds until they are fixed, and then test to verify whether they are actually working as intended or not, because even workarounds and fixes can cause additional problems or even new holes.


Energy consumption is not a big priority

As much as I would love to give this point bigger consideration, I need to clearly say that I cannot do many tests regarding energy consumption in general, especially not with individual flags, and then even do independent tests across multiple OS and Browser builds. This would require me to work on and research this subject full-time.

There are lots of variables which can and will influence the energy aspect, and this is a huge topic which I am not willing to do on my own.

The only big focus regarding the overall energy consumption is when a flag dramatically decreases battery life or puts extra pressure on the CPU and/or GPU that is directly debuggable through internal tools.


Enforced settings as new defaults

We change the mentioned default settings to improve the default behavior in order to reduce possible risks. You can manually unlock the stuff you need, which seems like more work but is worth it, and you only have to do this once per domain. This basically acts like a firewall for specific things, which are then disabled by default and which you need to manually unlock first (see last screenshot to understand what I mean).

Shield Defaults Settings Hardened

Shield Defaults

Normally we do not need to enable the Always use HTTPS option, because under Security we enable and enforce always connecting to HTTPS first; however, in some cases the option to always connect to HTTPS is hidden unless you enable the option.

Secure Connections

Example Page

Permission Defaults

Shield Defaults

On mobile we can theoretically do the same, but there are some downsides. As you can see on the last screenshot, if your screen resolution is below x or you are on a smartphone with limited screen size, you cannot see all options, which makes it impossible for you to change or reveal some settings or information. Brave as well as Chrome are aware that this modal dialogue is currently not optimal. That said, I - for now - only suggest doing this on Desktop, and on Mobile only enforcing the stronger Shield defaults (see first screenshot).

Brave will not sync those newly set permission defaults. You need to back up your profile manually; this is still the best way to deal with profile corruption or in case you want to copy your settings to another profile or PC. Permission sync is a planned feature.

Why we enforce some settings that depend on your global Shields settings

We enforce some settings as defaults for various reasons. However, some flags and features depend on your global Brave Shield settings; for example, by default Unlinkable Bouncing is only enabled when you set your global Shield setting to aggressive. We override this behavior so that, in case there is some website breakage, you can temporarily lower the Shield setting for a specific website without losing some protection mechanisms.

In a nutshell


Using JS-Restrictor with Brave

The JavaScript Restrictor extension, now called JShelter, is normally not needed with Brave Browser; however, you can use it to finely control some specific settings if you want to. Changing those options can make you more unique, which is why this is not suggested unless you know exactly what you are dealing with.

JShelter uses, depending on your selected or self-created profile, twice as much CPU power as uBlock Origin or other solutions, which you can check with the integrated Task Manager and internal debugging tools. This is the main reason why I do not suggest using it on a daily basis. It is better to wait until Brave addresses all above listed privacy risks.

Import the configuration file.

Importing the configuration file is quickly done. Just import the configuration and click override. After that, release the website and check the configuration to ensure that the settings are fully working. I included some example pages for reference.


The impact is normally negligible because we often disable controversial APIs or features that are designed by Google. Some other flags are not fingerprintable under normal circumstances because API design evolves and developers are more aware and advocate privacy and security much more than 20 years ago.

Changing flags can make you stand out more, but the tested flags are carefully chosen so that the difference is not dramatically noticeable, except that some fingerprinting test pages might not return an accurate result. You should not rely only on such pages to measure how private our Brave Browser is; they simply give you a small indication, but that is all, because some unknown fingerprinting mechanisms might exist that are not covered in such tests or even in the wild.

Brave on its own already does a good job, but we want to take it a step further and enhance specific behaviors; these are usually explained, linked or - if possible - backed by a reference in this guide.

Utilizing Brave Ad Block, the right way

The overall number of trackers is limited. This means that the majority of websites use Google's - among some other - tracking systems. Most popular and even unpopular websites trust the big tracking players, which means it makes no sense to load filter-lists with 2 trillion entries when 80 percent of the world uses the same tracking system. You can skip this section if you already block ads system-wide in your network via a DNS blocker such as AdGuard Home or Pi-hole, and continue with the manual filter-lists we could use, depending on your needs.

Finding some lists is pretty easy; you can manually search for them or use some aggregators that list filter-lists.

Those filters are already used and enabled by default.

General rules

The following steps are the same on Desktop and Mobile platforms, so I do not explicitly mention them.

Go to brave://settings/shields/filters; just type it in the URL bar and it will display the ad-block interface with some options. By default nothing is selected and you have to choose which filters you want to enable or even manually add. Custom filters are updated every 7 days, which might change in the future. Syncing filter-lists and your custom rules is possible - the flag is #brave-cosmetic-filtering-sync-load; it will be removed in the future and directly integrated and enabled by default once it is reliable enough.

Shields AdBlock.

Additional lists you can enable from the integrated Brave Ad Block page

Now we can improve specific things by manually subscribing to additional lists, but which ones make the most sense? The answer is easy: we want to get rid of additional extensions, and hopefully we can achieve that by using an additional list that supports the things we need: anti-coinmining, URL shorteners etc.

Optional filter-lists you could add

Additional filter-lists can be useful, for example to get rid of the ClearURLs extension, or if we already block DNS-based ads on our entire network, in which case we might want to use something that only blocks cosmetic stuff. It should be noted that uBlock as well as Brave Ad Block only remove the untouched query parameter given by the original URL; this means they cannot rewrite parts or the original path of the clicked URL.

This is all, you do not need 10+ lists. Well-maintained lists are worth much more than huge lists that die within the first 6-12 months or that cause additional problems.
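
The limitation described above, as an added example that is not part of the original guide: a list-style rule can delete query parameters, but a tracking ID or redirect target carried in the path comes out unchanged. The rule set and all URLs are constructed for illustration and are not taken from any real filter list.

```javascript
// Hypothetical rule set: exact parameter names and name patterns to strip.
const STRIP_RULES = [/^utm_/, 'fbclid', 'gclid', 'mc_eid'];

// Remove every query parameter whose name matches a rule.
// Only the query string is edited; scheme, host, path and fragment are untouched.
function stripTrackingParams(rawUrl, rules = STRIP_RULES) {
  const url = new URL(rawUrl);
  const removed = [];
  // Copy the names first: deleting while iterating searchParams skips entries.
  for (const name of [...new Set(url.searchParams.keys())]) {
    const hit = rules.some((rule) =>
      typeof rule === 'string' ? rule === name : rule.test(name));
    if (hit) {
      url.searchParams.delete(name); // drops all values stored under this name
      removed.push(name);
    }
  }
  return { url: url.toString(), removed, changed: removed.length > 0 };
}

// Constructed sample URLs.
const SAMPLE_URLS = [
  // Tracking data in the query string: removable.
  'https://shop.example/item/42?color=red&utm_source=news&utm_medium=mail&fbclid=abc#reviews',
  'https://news.example/story?utm_campaign=spring&gclid=xyz',
  // Affiliate ID carried as a path segment: a parameter rule never sees it.
  'https://shop.example/ref/aff-12345/item/42',
  // Redirect wrapper with the destination encoded into the path: also untouched.
  'https://out.example/redirect/https%3A%2F%2Fshop.example%2Fitem%2F42',
];

for (const sample of SAMPLE_URLS) {
  const result = stripTrackingParams(sample);
  console.log(result.changed ? 'cleaned  ' : 'unchanged', result.url,
    result.removed.length ? '(removed: ' + result.removed.join(', ') + ')' : '');
}
```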


Why fingerprinting matters less than you think

Fingerprinting per se is not intrinsically a problem; it only becomes a problem when it makes it possible to render you entirely traceable, particularly across sessions. The main point is to become less traceable - or traceable only with adjustable levels of difficulty - whatever your "fingerprintability" could be.

And there are 2 ways to try to reach this goal:

In the static (often called low entropy) way, the user (you) can try to display the same fingerprint as many other people. In that sense, being seen as unique is bad. The best way to achieve this "low entropy" goal is to use the Tor Browser on the Tor network. No Brave hardening, no Firefox Browser hardening with thousands of configuration changes, simply and purely Tor Browser, because it provides much more than configuration changes and the best way is that each and every user uses the exact same fingerprint.

In the dynamic (or high entropy) way, you try to become "someone else" for each browser session, i.e. for each browsing session you (ideally) try to change all of your browser's displayed characteristics. In this case, being seen as unique is not a problem. On the contrary, it is something desirable: if a test site manages to correlate you across sessions, and so manages to see you as not unique, it simply means that your attempts to become "someone else" for each session failed miserably and that you are traceable across sessions (at least by this precise test site, and by any other site using the same tracking techniques). This is the path that e.g. the Brave developers are trying to take; it is also what you do if you harden other Browsers like Firefox, Edge etc.

In the real world we have a limited number of possibilities to fingerprint users, which means most stuff heavily relies on JavaScript, CSS and so on. Developing countermeasures for this is possible, but since we enforce disabling JavaScript by default, which already lowers attacks by around 98%, the rest are some small tricks that abuse some weaknesses which are fixable more or less easily. There might be considerable small stuff which cannot be fixed, but that never leads to leaks that can identify you, your browsing habits or connect other dots.

The most important stuff is listed above and is on the to-do list regarding fingerprinting. None of the open issues is enough to truly expose you, even if someone gets all of the remaining entropy that is currently not covered by Brave's Shield. Most people just use the fingerprinting argument to bypass restrictions.
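
The two strategies described above, modelled from the tracker's side, as an added example that is not part of the original guide. The device attributes, the `seed-…` session seeds and the toy FNV-1a hash are constructed for illustration (a real browser would draw a random seed per session); the `partial` strategy goes one step beyond the text to show a dynamic setup that leaves one attribute stable.

```javascript
// Toy 32-bit FNV-1a hash standing in for a tracker's fingerprint hash (not cryptographic).
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Constructed population: every device has a unique canvas and font readout.
function makeUsers(n) {
  return Array.from({ length: n }, (_, i) => ({
    canvas: 'canvas-render-' + i,
    fonts: 'font-set-' + i,
    cores: [2, 4, 8, 16][i % 4],
  }));
}

// What the browser reports to a page under each strategy.
const strategies = {
  // No protection: the real values are exposed.
  none: (real) => real,
  // Static / low entropy: every user reports the same values.
  static: () => ({ canvas: 'uniform', fonts: 'uniform', cores: 2 }),
  // Dynamic / high entropy: every value is re-derived from a per-session seed.
  dynamic: (real, seed) => ({
    canvas: fnv1a(real.canvas + seed),
    fonts: fnv1a(real.fonts + seed),
    cores: 2 + (parseInt(fnv1a('cores' + seed), 16) % 15),
  }),
  // Failed dynamic: canvas is randomized, but fonts and cores leak the real values.
  partial: (real, seed) => ({ ...real, canvas: fnv1a(real.canvas + seed) }),
};

// Tracker side: hash the chosen attributes into one identifier.
function fingerprint(reported, attrs) {
  return fnv1a(attrs.map((a) => a + '=' + reported[a]).join(';'));
}

// Two sessions per user. Returns:
//   distinct - number of different fingerprints seen in session 1
//              (1 means everybody hides in one crowd),
//   relinked - users whose session-2 fingerprint equals their own session-1
//              fingerprint AND that fingerprint belonged to nobody else.
function evaluate(strategyName, n, attrs = ['canvas', 'fonts', 'cores']) {
  const report = strategies[strategyName];
  const users = makeUsers(n);
  const session = (s) =>
    users.map((u, i) => fingerprint(report(u, 'seed-' + i + '-' + s), attrs));
  const first = session(1);
  const second = session(2);
  const seen = new Map();
  for (const fp of first) seen.set(fp, (seen.get(fp) || 0) + 1);
  let relinked = 0;
  second.forEach((fp, i) => {
    if (first[i] === fp && seen.get(fp) === 1) relinked++;
  });
  return { distinct: seen.size, relinked };
}

for (const name of Object.keys(strategies)) {
  console.log(name.padEnd(8), evaluate(name, 50));
}
// A tracker that ignores the noisy canvas value and hashes only the stable one.
console.log('partial, fonts only', evaluate('partial', 50, ['fonts']));
```

In the output, `static` gives one shared fingerprint and `dynamic` gives fifty that cannot be matched across sessions; `partial` looks like `dynamic` until the tracker restricts itself to the attribute that was left stable.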


Unofficial Brave Browser Build on F-Droid


Passwords and Credentials


Do not use portable Browsers

Using portable Browsers has lots of security and privacy implications.


How Brave handles Cookies

Brave Browser is very well documented. Besides the source code and the wiki entries we have several good articles for beginners on how Brave actually handles the Cookie part.


Desktop Flags

The official Brave release schedule can be found over here, the archive is here.

Desktop Security

| Flag | Flag Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #block-insecure-private-network-requests | Block insecure private network requests | ✔️ | unknown |
| #brave-domain-block | Enable domain blocking | ✔️ | unknown |
| #brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | unknown |
| #clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
| #disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | unknown |
| #enable-isolated-sandboxed-iframes | Isolated sandboxed iframes | ✔️ | unknown |
| #enable-webview-tag-site-isolation | Site isolation for tags | ✔️ | Default, which is disabled. Added in 1.44.8/104.0.5112.69. |
| #origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
| #strict-origin-isolation | Strict-Origin-Isolation | | unknown |
| #sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery. | | unknown |
| #u2f-security-key-api | Enable the U2F Security Key API | | unknown |
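
One way to check a profile against the Desktop Security table, as an added example that is not part of the original guide or of Brave. It assumes that choices made on brave://flags are persisted in the browser's `Local State` JSON file under `browser.enabled_labs_experiments` as `name@1` (Enabled), `name@2` (Disabled) or a bare `name`, and that flags left on Default are not listed; the sample input is constructed.

```javascript
// Flags marked ✔️ in the Desktop Security table above.
const RECOMMENDED_ENABLED = [
  'block-insecure-private-network-requests',
  'brave-domain-block',
  'brave-ephemeral-storage',
  'clear-cross-site-cross-browsing-context-group-window-name',
  'disallow-doc-written-script-loads',
  'enable-isolated-sandboxed-iframes',
  'enable-webview-tag-site-isolation',
  'origin-agent-cluster-default',
];

// Constructed sample, shaped like the assumed Local State layout.
const SAMPLE_LOCAL_STATE = JSON.stringify({
  browser: {
    enabled_labs_experiments: [
      'block-insecure-private-network-requests@1',
      'brave-ephemeral-storage@1',
      'brave-domain-block@2', // explicitly switched to Disabled
      'enable-isolated-sandboxed-iframes@1',
      'enable-parallel-downloading@1', // set, but not a security-table flag
    ],
  },
});

// Turn the stored "name@choice" strings into a Map of name -> choice index.
function parseExperiments(localStateText) {
  const state = JSON.parse(localStateText) || {};
  const entries = (state.browser && state.browser.enabled_labs_experiments) || [];
  const flags = new Map();
  for (const entry of entries) {
    if (typeof entry !== 'string') continue; // ignore malformed entries
    const at = entry.lastIndexOf('@');
    const name = at === -1 ? entry : entry.slice(0, at);
    // Assumption: a bare name means "on"; otherwise the number after "@" is the choice.
    const choice = at === -1 ? 1 : Number(entry.slice(at + 1));
    flags.set(name, choice);
  }
  return flags;
}

// Compare the stored choices with the recommended list.
//   enabled    - recommended flags explicitly set to Enabled
//   notEnabled - recommended flags explicitly set to something else
//   notSet     - recommended flags left on Default (the table lists most
//                default states as "unknown", so these need a manual look)
//   extra      - flags changed in the profile that this list does not cover
function auditFlags(localStateText, recommended = RECOMMENDED_ENABLED) {
  const flags = parseExperiments(localStateText);
  const report = { enabled: [], notEnabled: [], notSet: [], extra: [] };
  for (const name of recommended) {
    if (!flags.has(name)) report.notSet.push(name);
    else if (flags.get(name) === 1) report.enabled.push(name);
    else report.notEnabled.push(name);
  }
  for (const name of flags.keys()) {
    if (!recommended.includes(name)) report.extra.push(name);
  }
  return report;
}

const sampleReport = auditFlags(SAMPLE_LOCAL_STATE);
for (const [bucket, names] of Object.entries(sampleReport)) {
  console.log(bucket.padEnd(10), names.length ? names.join(', ') : '-');
}
```

To audit a real profile, pass the text of the `Local State` file from the Brave user-data directory to `auditFlags` in place of the sample; the other tables can be checked the same way by passing their ✔️ flags as the second argument.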


Desktop Privacy

| Flag | Flag Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #autofill-enable-sending-bcn-in-get-upload-details | Enable sending billing customer number in GetUploadDetails | | Enabled if preflights are enabled. |
| #autofill-fill-merchant-promo-code-fields | Enable Autofill of promo code fields in forms | | unknown |
| #autofill-parse-merchant-promo-code-fields | Parse promo code fields in forms | | unknown |
| #brave-adblock-cosmetic-filtering-child-frames | Apply cosmetic filtering to frames other than the main frame of a page | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | 103.1.42.74/1.42.74 |
| #brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | unknown |
| #brave-debounce | Enable debouncing | (94.x+) ✔️ we enforce it | unknown |
| #brave-domain-block-1pes | Enable domain blocking using First Party Ephemeral Storage | ✔️ | unknown |
| #brave-extension-network-blocking | Enable extension network blocking | ✔️ (91+) | unknown |
| #device-posture | Device Posture API | | enabled |
| #disable-process-reuse | Disable subframe process reuse | ✔️ | unknown |
| #edit-context | EditContext API | ❌ (100.0+) | unknown |
| #enable-accessibility-live-caption | Live Caption | ❌ (90.x+) ⚠️ borked | unknown |
| #enable-autofill-credit-card-authentication | Allow using platform authenticators to retrieve server cards | ❌ (87.x+) | unknown |
| #enable-fenced-frames | Enable the element. | ✔️ with ShadowDOM | unknown |
| #enable-generic-sensor-extra-classes | Generic Sensor Extra Classes | | unknown |
| #enable-quic | Experimental QUIC protocol | ✔️ Needed for HTTP3/DoQ, now known as RFC 9000 | unknown |
| #enable-webusb-device-detection | Automatic detection of WebUSB-compatible devices | ❌ we already disable WebUSB but the detection still sends a beacon | unknown |
| #extensions-menu-access-control | Extensions Menu Access Control | ✔️ | unknown |
| #font-access | Font Access APIs | | unknown |
| #omnibox-dynamic-max-autocomplete | Omnibox Dynamic Max Autocomplete | ❌ (can cause lags if enabled / 5+) | unknown |
| #omnibox-rich-autocompletion-promisin | Omnibox Rich Autocompletion Promising | | unknown |
| #partitioned-cookies | Partitioned Cookies | ✔️ | unknown |
| #reduce-user-agent | Reduce User-Agent request header | ✔️ | unknown |
| #reduce-user-agent-minor-version | Reduce the minor version in the User-Agent string | ✔️ | unknown |
| #system-keyboard-lock | Experimental system keyboard lock | ❌ (89.x+) | unknown |
| #webxr-incubations | WebXR Incubations | ❌ (92.0+) | unknown |


Desktop Performance

Benchmarks against Edge and Firefox are pretty much useless. There are multiple reasons why, please read further below:

You can, however, compare features, but not directly benchmark the whole browser to come to a final conclusion about how efficiently it works.

| Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #brave-federated | Enables local data collection for notification ad timing (brave-federated) | | 1.43.50/104.1.43.50 Beta (default which is enabled) |
| #back-forward-cache | Back and forward Cache | | unknown |
| #brave-adblock-cookie-list-default | Treat 'Easylist-Cookie List' as a default list source | ✔️ | unknown |
| #brave-rewards-verbose-logging | Enable Brave Rewards verbose logging | ❌ enabled by default since 1.25.68+ | unknown |
| #brave-rewards-webui-panel | Use WebUI Rewards Panel | ✔️ | 1.43.53/104.0.5112.69 |
| #durable-client-hints-cache | Persistent client hints | | unknown |
| #enable-parallel-downloading | Parallel downloading | ✔️ | unknown |
| #enable-prerender2 | Prerender2 | ✔️ (90.x+) | unknown |
| #enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes | Throttle non-visible cross-origin iframes | ✔️ | unknown |
| #enable-vulkan | Use Vulkan as the graphics backend. | ✔️ On Linux either Vulkan or raw draw, if you enable both it will prefer raw draw to avoid compatibility issues. | unknown |
| #restrict-websockets-pool | Restrict WebSockets pool | ✔️ (97.x+) | unknown |
| #subframe-shutdown-delay | Add delay to subframe renderer process shutdown | | unknown |


Desktop Functionality / Usability

| Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) | unknown |
| #brave-cosmetic-filtering-sync-load | Enable sync loading of cosmetic filter rules | ✔️ | unknown |
| #chrome-whats-new-ui | Show Chrome What's New page at brave://whats-new | (93.x+) | unknown |
| #enable-force-dark | Force Dark Mode for Web Contents | ✔️ increase text contrast | unknown |
| #enable-jxl | Enable JXL image format | ✔️ (Chrome 91.1.x+) | unknown |
| #extensions-menu-access-control | Extensions Menu Access Control | ❌ | disabled, we enforce it to enabled |
| #extension-workflow-justification | Extension request justification | (93.x+) ✔️ | unknown |
| #force-color-profile | Force color profile | ✔️ scRGB or HDR (if your Monitor supports HDR enable the HDR option) | unknown |
| #forced-colors | Forced Colors | ✔️ | unknown |
| #history-journeys-omnibox-action | History Journeys Omnibox Action | ✔️ (Chrome 97+) | unknown |
| #history-journeys | History Journeys | ✔️ (Chrome 98+) | unknown |
| #page-info-history-desktop | Page info history | ✔️ (Chrome 97+) | unknown |
| #quick-commands | Quick Commands | ✔️ | Default (Disabled) |
| #scrollable-tabstrip | Tab Scrolling | ✔️ (tabs shrink to a medium width) | unknown |


Desktop Scrolling

| Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #smooth-scrolling | Smooth Scrolling | ✔️ | Depends on the platform, disabled |


Desktop PWA

| Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #enable-desktop-pwas-launch-handler | Desktop PWA launch handler | ✔️ | unknown |
| #enable-desktop-pwas-sub-apps | Desktop PWA Sub Apps | ✔️ | unknown |
| #enable-desktop-pwas-tab-strip-settings | Desktop PWA tab strips settings | ✔️ | unknown |
| #enable-desktop-pwas-web-bundles | Desktop PWAs Web Bundles | ✔️ | unknown |
| #enable-desktop-pwas-window-controls-overlay | Desktop PWA Window Controls Overlay | ✔️ | unknown |


Desktop Brave Reader Mode / Speedreader

| Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #enable-reader-mode | Enable Reader Mode | ✔️ Enabled available in settings (we enforce it, optional) | Will be changeable in Brave Settings, disabled by default |


Desktop outdated, removed or integrated/replaced

| Flag | Name | Disabled since or/and Comment |
|---|---|---|
| #pwa-update-dialog-for-name-and-icon | Enable PWA install update dialog for name/icon changes | ✔️ 1.38.x |
| #enable-desktop-pwas-remove-status-bar | Desktop PWAs remove status bar | ✔️ 1.38.x |
| #enable-desktop-pwas-prefix-app-name-in-window-title | Desktop PWAs prefix window title with app name. | ✔️ 1.38.x |
| #enable-desktop-pwas-notification-icon-and-title | Desktop PWAs improvements in notification icon and title | ✔️ 1.38.x |
| #enable-desktop-pwas-elided-extensions-menu | Desktop PWAs elided extensions menu | ✔️ 1.39.x |
| #percent-based-scrolling | Percent-based Scrolling | ✔️ 1.38.x |
| #sharing-hub-desktop-omnibox | Desktop Sharing Hub in Omnibox | ✔️ (Chrome 91+) 1.38.x |
| #sharing-hub-desktop-app-menu | Desktop Sharing Hub in App Menu | ✔️ (Chrome 91+) 1.40.x |
| #shared-highlighting-v2 | Shared Highlighting 2.0 | ✔️ (Chrome 90.x+) 1.39.x |
| #playback-speed-button | Playback Speed Button | ✔️ 1.40.x |
| #page-info-about-this-site | About this Site in Page Info | ✔️ 1.40.x |
| #omnibox-keyword-space-triggering-setting | Omnibox Keyword Space Triggering Setting | ✔️ 1.39.x |
| #media-session-webrtc | Enable WebRTC actions in Media Session | (93.x+) ✔️ 1.40.x |
| #colr-v1-fonts | COLR v1 Fonts | ✔️ 1.39.x |
| #brave-talk | Enable Brave Talk | ✔️ 1.40.x |
| #brave-adblock-redirect-url | Enable support for $redirect-url filter option for adblock rules | ✔️ 1.41.96+ |
| #throttle-foreground-timers | Throttle Foreground Timers to 30 Hz | ✔️ 1.41.96+ |
| #subframe-shutdown-delay | Add delay to subframe renderer process shutdown | 1.41.96+ |
| #privacy-review | Privacy Review | (93.1.31.39+) ✔️ 1.41.96+ |
| #omnibox-pedals-batch2 | Omnibox Pedals batch 2 | 1.41.96+ |
| #ntp-cache-one-google-bar | Cache OneGoogleBar | 1.41.96+ |
| #force-major-version-to-100 | #force-major-version-to-100 | 1.41.96+ |
| #enable-payment-request-basic-card | PaymentRequest API 'basic-card' method | 1.41.96+ |
| #strict-extension-isolation | Strict Extension Isolation | ✔️ 1.41.96+ |
| #enable-tls13-early-data | TLS 1.3 Early Data | ✔️ 1.41.96+ |
| #post-quantum-cecpq2 | TLS Post-Quantum Confidentiality | ✔️ integrated and merged into Chrome 101+. |
| #brave-speedreader | Enable SpeedReader | ✔️ This is now a settings point under Browser Settings since v95+ which you can easily switch. |
| N/A | Enable Tab Search (the little arrow down icon to search through tabs) | Chrome 90, to disable it you can use --disable-features=TabSearch, an option to disable it is planned. |
| #enable-experimental-fling-animation | Enable experimental fling animation | (enabled) Chrome 91+ |
| #vertical-tabs | Vertical tabs | (enabled) Implemented in Brave 91+ - Menu allows multiple states, hide on click, on/off etc. |
| #pdf-viewer-update | PDF Viewer Update | (enabled) Chrome 91+ |
| N/A | Cookies without SameSite must be secure | (enabled) Chrome 91+ |
| N/A | SameSite by default cookies | (enabled) Chrome 91+ |
| N/A | Anonymize local IPs exposed by WebRTC | (enabled) Chrome 91+ |
| N/A | Show enhanced protection message in security interstitials | (enabled) Chrome 90+ |
| #storage-access-api | Storage Access API | Chrome 90+ |
| N/A | Treat risky downloads over insecure connections as active mixed content | (enabled) Chrome 90+, default in 91+ (no visible option) |
| Multiple flags | Every image lazy loading flag | Enabled, but caused too many problems |
| N/A | Load media router component | (disabled) Chrome 89+ |
| N/A | Force empty CORB and CORS allowlist | (enabled) Chrome 89+ |
| N/A | Load media router component | (disabled) By default removed by Brave (Chrome 89+) |
| N/A | Background Push Notifications | (disabled) Push replaced/tunneled (Chrome 89+) |
| N/A | Enable On-Demand Media Router Extension | (disabled) Chrome 89+ |
| N/A | Toast Notification Background Task Event Handlers | (disabled) Chrome 89+ |
| N/A | Enable Share Targets | (disabled) Chrome 89+ |
| #use-sync-sandbox | Use Chrome Sync Sandbox | (disabled) Brave enforces disabled as default state (metadata). |
| #global-media-controls-for-chromeos | Global Media Controls for ChromeOS | ChromeOS 90 (default) |
| N/A | screen-capture | (disabled) Default with Chrome 89+ |
| #scanning-ui | Scanning UI | Enabled by default in Chrome 90+ |
| #app-service-adaptive-icons | Adaptive Icons | Replaced in Chrome 90+ |
| #enable-holding-space | Holding Space API | Replaced with Chrome 90+ |
| #holding-space-previews | Space Previews | Disabled by default in Chrome 90+ |
| #enhanced_clipboard | Enhanced Clipboard | Removed with Chrome 89+ |
| #ash-limit-alt-tab-to-active-desk | Activate Tab limit | Removed with Chrome 88+ |
| #ash-limit-shelf-items-to-active-desk | N/A | Default in Chrome 90+ (removed, no visible option) |
| #enable-auto-select | Enable Auto Select | Default integrated since Chrome 89+ |
| #force-preferred-interval-for-video | Force preferred Internal Video | Default in Chrome 89+ (removed, no visible option) |
| #files-filters-in-recents | Filter files in Recents | Obsolete with Chrome 89+ |
| #copy-link-to-text | Copy link to Text | Disabled with Brave 1.31.87 |
| #enable-accessibility-live-caption | Enable Accessibility Live Caption | (disabled) Broken in Chrome 89, pulls data from Google |
| N/A | Allow all sites to initiate mirroring | (disabled) Removed with Chrome 88+ |
| N/A | Enable Share Targets | (disabled) Disabled in Chrome 89+ |
| #turn-off-streaming-media-caching-always | Turn off caching of streaming media to disk | (Chrome 92+) ✔️ |
| #turn-off-streaming-media-caching-on-battery | Turn off caching of streaming media to disk while on battery power. | (Chrome 91+) ✔️ |
| #enable-new-contacts-picker | Enables the new contacts picker | ✔️ |
| #enable-new-photo-picker | Enables the new photo picker | ✔️ |
| #enable-ftp | Enable FTP | FTP support was removed in Chrome 95+. |
| #sync-compromised-credentials | Syncing of Security Issues | |
| #brave-adblock-default-1p-blocking | Shields first-party network blocking | (1.30.27+) ✔️ |
| #brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | (1.30.27+), the setting now depends on Shield settings ✔️ |
| #omnibox-short-bookmark-suggestions | Omnibox short bookmark suggestions | |
| #omnibox-tab-switch-suggestions | Omnibox switch to tab suggestions | ❌ (Omnibox calls to Google Backend for Beacon, Statistics etc.) |
| #omnibox-pedal-suggestions | Omnibox Pedal suggestions | |
| #schemeful-same-site | Schemeful Same-Site | ✔️ |
| #brave-permission-lifetime | Permission Lifetime | ✔️ (91+) |
| #safe-browsing-real-time-url-lookup-enterprise-ga-endpoint | Use the new GA endpoint to perform enterprise real time URL check. | |
| #clear-cross-browsing-context-group-main-frame-name | Clear window name in top-level cross-browsing-context-group navigation | ✔️ (91.1+) ⚠️ needs further investigation, since the impact is unclear. |
| #passwords-account-storage | Enable the account data storage for passwords | ❌ (88.x+) |
| #brave-ads-custom-notifications | Enable Brave Ads custom notifications | ✔️ |
| #window-naming | Window Naming | ✔️ Setting under More tools - Name Window |
| #brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) |
| #dns-httpssvc | Support for HTTPSSVC records in DNS | ✔️ (needs further investigation) |
| #omnibox-default-typed-navigations-to-https | Omnibox - Use HTTPS as the default protocol for navigations | ✔️ |
| #brave-first-party-ephemeral-storage | First Party Ephemeral Storage | (95.0.4638.40+) ✔️ |
| #enable-unsafe-webgpu-service | Unsafe WebGPU Service | |
| #quiet-notification-prompts | Quieter notification permission prompts | ✔️ |
| #privacy-sandbox-settings | Privacy Sandbox Settings | ✔️ (90.1+) |
| #safety-check-chrome-cleaner-child | Enables the Chrome Cleanup Tool child in safety check. | ❌ (91.x+) |


Android (mobile) Flags

Mobile Security

| Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
|---|---|---|---|
| #block-insecure-private-network-requests | Block insecure private network requests. | ✔️ | unknown |
| #brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | unknown |
| #clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
| #disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | unknown |
| #enable-site-isolation-for-password-sites | Enable site Isolation for Password Sites | ✔️ | unknown |
| #enable-site-per-process | Part of Site isolation | ✔️ | unknown |
| #origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
| #strict-origin-isolation | Strict-Origin-Isolation | | unknown |
| #sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery | | unknown |


Mobile Privacy

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#autofill-enable-sending-bcn-in-get-upload-details Enable sending billing customer number in GetUploadDetails Enabled if preflights are enabled.
#autofill-fill-merchant-promo-code-fields Enable Autofill of promo code fields in forms unknown
#autofill-parse-merchant-promo-code-fields Parse promo code fields in forms unknown
#brave-adblock-cosmetic-filtering-child-frames Apply cosmetic filtering to frames other than the main frame of a pagn ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. 103.1.42.74/1.42.74
#brave-dark-mode-block Enable dark mode blocking fingerprinting protection ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. unknown
#brave-debounce Enable debouncing (94.x+) ✔️ unknown
#brave-domain-block-1pes Enable domain blocking using First Party Ephemeral Storage ✔️ unknown
#continuous-search Continuous Search unknown
#device-posture Device Posture API unknown
#edit-context EditContext API ❌ (100.0+) unknown
#enable-autofill-credit-card-authentication Allow using platform authenticators to retrieve server cards ❌ (87.x+) unknown
#enable-commerce-price-tracking Price Tracking ❌ Connections to Google and partners + market influence and manipulation. It is better and more privacy-friendly to trust independent retailers and engine-crawlers such as Geizhals, Mindfactory etc. unknown
#enable-fenced-frames Enable the <fencedframe> element. ✔️ with ShadowDOM; on older Android versions prior to 9 set this to Enabled, otherwise you might get Browser crashes. unknown
#enable-generic-sensor-extra-classes Generic Sensor Extra Classes unknown
#enable-payment-request-basic-card PaymentRequest API 'basic-card' method unknown
#enable-quic Enable QUIC Protocol ✔️ (Brave filters controversial APIs) unknown
#feed-stamp Enable StAMP cards in the Feed Default, depends on if you use Feeds or not.
#font-access Font Access APIs unknown
#force-major-version-to-100 #force-major-version-to-100 unknown
#incognito-screenshot Allow Incognito Screenshots unknown
#large-favicon-from-google Large favicons from Google unknown
#omnibox-assistant-voice-search Omnibox Voice Search Assistant unknown
#partitioned-cookies Partitioned Cookies ✔️ unknown
#reduce-user-agent Reduce User-Agent request header ✔️ unknown
#reduce-user-agent-minor-version Reduce the minor version in the User-Agent string ✔️ unknown
#related-searches-in-bar Enables showing Related Searches in the peeking bar. ❌ disabled to avoid search engine ping backs unknown
#wallet-service-use-sandbox Wallet Services uses Google's Sandbox ❌ Connects to some Google Endpoints. unknown
#webxr-incubations WebXR Incubations ❌ (92.0+) unknown

Mobile PWA

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#messages-for-android-pwa-install PWA Installation Messages UI ✔️ disabled
#pwa-update-dialog-for-name-and-icon Enable PWA install update dialog for name/icon changes ✔️ disabled

Mobile Performance

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#back-forward-cache Back and forward Cache disabled
#brave-adblock-cookie-list-default Treat 'Easylist-Cookie List' as a default list source ✔️ disabled
#canvas-oop-rasterization Out-of-process 2D canvas rasterization. ✔️ enable it on Android 10+ disabled
#chrome-share-long-screenshot Long press share screenshot unknown
#contextual-search-debug Contextual Search Debug unknown
#contextual-search-longpress-resolve N/A unknown
#contextual-search-translation N/A unknown
#durable-client-hints-cache Persistent client hints unknown
#enable-drdc Enables Display Compositor to use a new gpu thread. ✔️ enable Android 10+ unknown
#enable-gpu-rasterization GPU rasterization ✔️ enable Android 10+ unknown
#enable-instant-start Instant start ✔️ unknown
#enable-parallel-downloading Parallel downloading ✔️ unknown
#enable-prerender2 Prerender2 ✔️ (90.x+) unknown
#enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes Throttle non-visible cross-origin iframes ✔️ unknown
#restrict-websockets-pool Restrict WebSockets pool ✔️ (97.x+) unknown
#smooth-scrolling Smooth Scrolling ✔️ unknown
#throttle-foreground-timers Throttle Foreground Timers to 30 Hz ✔️ unknown

Mobile Functionality / Usability

Flag Name Enabled (✔️) / Disabled (❌) or/and Comment Default flag state
#android-picture-in-picture-api Picture in Picture Web API for Android ✔️ unknown
#brave-adblock-cname-uncloaking Enable CNAME uncloaking ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) unknown
#brave-adblock-redirect-url Enable support for $redirect-url filter option for adblock rules ✔️ unknown
#brave-cosmetic-filtering-sync-load Enable sync loading of cosmetic filter rules ✔️ unknown
#context-menu-google-lens-chip Google Lens powered image search surfaced as a chip below the context menu. unknown
#context-menu-search-with-google-lens Google Lens powered image search in the context menu. unknown
#context-menu-shop-with-google-lens Google Lens powered image search for shoppable images in the context menu. unknown
#context-menu-translate-with-google-lens Google Lens powered image search for translatable images surfaced as a chip under the context menu. unknown
#continuous-search Continuous Search ✔️ unknown
#darken-websites-checkbox-in-themes-setting Darken Websites checkbox in Theme settings ✔️ unknown
#enable-force-dark Force Dark Mode for Web Contents ✔️ increase text contrast unknown
#enable-jxl Enable JXL image format ✔️ (Chrome 91.1.x+) unknown
#enable-quick-action-search-widget-android Quick Search Widget ✔️ unknown
#google-lens-sdk-intent Enable the use of the Lens SDK when starting intent into Lens. unknown
#media-session-webrtc Enable WebRTC actions in Media Session (93.x+) ✔️ unknown
#messages-for-android-ads-blocked Ads Blocked Messages UI ✔️ unknown
#messages-for-android-permission-update Permission Update Messages UI ✔️ unknown
#messages-for-android-reader-mode Reader Mode Messages UI ✔️ unknown
#page-info-about-this-site About this Site in Page Info ✔️ unknown
#photo-picker-video-support Photo Picker Video Support ✔️ (with animated thumbnails), the option only works on Android 9+ unknown
#playback-speed-button Playback Speed Button ✔️ unknown
#shared-highlighting-v2 Shared Highlighting 2.0 ✔️ (Chrome 90.x+) unknown
#shopping-list Shopping List ❌ can create problems with Sync and working with Bookmarks is a PITA in Chrome in general, hopefully Brave gets a Widget for this one day. unknown
#voice-button-in-top-toolbar Voice Button in Top Toolbar ❌ The reason why Voice function will never work is that Google prevents using alternative services, so we disable it. unknown

Mobile outdated, removed or integrated/replaced

Flag Name Disabled since or/and Comment
#google-mobile-services-passwords Google Mobile Services for Passwords unknown
#post-quantum-cecpq2 TLS Post-Quantum Confidentiality ✔️ integrated and merged into Chrome 101+.
#enable-tab-grid-layout Tab Grid Layout This flag is a leftover, the function was removed from the source code. If you want Grid you need to use 1.35.104
#brave-sync-v2 Enable Brave Sync v2 Depends on user choice (opt-in) you manually can set under Settings.
#global-media-controls-for-chromeos Global Media Controls for ChromeOS Depends on your Platform, only available in ChromeOS
#enable-sharing-page-via-qr-code Enable sharing page via QR Code Merged into the Browser (stable).
#enable-tls13-early-data TLS 1.3 Early Data ✔️
#enable-ftp Enable FTP Removed from the source code
#brave-adblock-default-1p-blocking Shields first-party network blocking (1.30.27+) ✔️
#brave-dark-mode-block Enable dark mode blocking fingerprinting protection (1.30.27+), the settings depends now on Shield settings ✔️
#clear-cross-browsing-context-group-main-frame-name Clear window name in top-level cross-browsing-context-group navigation ✔️ (91.1+) ⚠️ needs further investigation, since the impact is unclear.
#passwords-account-storage Enable the account data storage for passwords ❌ (88.x+)
#brave-rewards-bitflyer Enable bitFlyer for Brave Rewards (default) Will be detected by keyboard/OS language
#u2f-security-key-api Enable the U2F Security Key API
#cookies-without-same-site-must-be-secure N/A ✔️
#legacy-tls-enforced N/A ❌ (might break some pages that use "outdated TLS configurations")
#omnibox-default-typed-navigations-to-https N/A ✔️
#treat-unsafe-downloads-as-active-content N/A ✔️
#brave-first-party-ephemeral-storage First Party Ephemeral Storage (95.0.4638.40+) ✔️
#safe-browsing-client-side-detection-android Safe Browsing Client Side Detection on Android
#omnibox-local-zero-suggest-frcency-ranking Omnibox Local Zero Suggest Frequency Ranking
#share-by-default-in-cct Share by Default
#enable-accessibility-live-caption Live Caption ❌ (90.x+) ⚠️ borked
#system-keyboard-lock Experimental system keyboard lock ❌ (89.x+)
#privacy-sandbox-settings Privacy Sandbox Settings ✔️ (90.1+)
#chrome-share-highlights-android N/A
#cookie-deprecation-messages N/A
#enable-android-dark-search Enable Android Dark Search ✔️
#enable-ephemeral-tab-bottom-sheet Enable Ephemeral Tab Bottom Sheet ✔️ Open at half state
#quiet-notification-prompts Quiet Notification Prompts ✔️ adaptive activation
#read-later Read Later (Reading List) ✔️
#share-button-in-top-toolbar Share Button in Top Toolbar
#toolbar-iph-android Toolbar IPH in Android
#sharing-hub-desktop-app-menu Desktop Sharing Hub in App Menu ✔️ (Chrome 91+)
#sharing-hub-desktop-omnibox Desktop Sharing Hub in Omnibox ✔️ (Chrome 91+)
#omnibox-native-voice-suggestions-provider Omnibox Native Voice Suggestions Provider

Brave only specific flags (not needed to be enforced)

Flag Name Info Comment Default flag state
#brave-adblock-cosmetic-filtering Enable cosmetic filtering Enabled by default even if it only shows "default" enabled
#brave-adblock-csp-rules Enable support for CSP rules Does not need to be enforced (since 1.25.68+) unknown
#brave-ads-allowed-to-fallback-to-custom-push-notification-ads Allow Brave Ads to fallback from native to custom push notifications This is OS specific and in the future will be obsolete since Brave will detect the OS and then automatically fallback to the legacy system. unknown
#brave-decentralized-dns Enable Decentralized DNS ✔️ This is now a settings point under Browser Settings since v95+ which you can easily switch. unknown
#brave-news Enable Brave News Your own decision to enable it or not, it is a global switch. unknown
#enable-lens-region-search Search your screen with Google Lens (93.1.31.39+), since 1.36.112 it is disabled by default. unknown
#enable-webrtc-hide-local-ips-with-mdns This is not Brave only specific but there are two ways how Brave handles it, via Shields or Settings. Do not enforce it via flag. unknown

Other Useful Brave Browser Tips

Linux specific Tips

You can create a file called chrome-flags.conf and place it at $HOME/.config/chrome-flags.conf. This makes it easier to work with flags without opening the Browser.

Example chrome-flags.conf shown below.

--disable-features=UseChromeOSDirectVideoDecoder
--disable-gpu-driver-bug-workarounds
--enable-accelerated-2d-canvas
--enable-accelerated-video-decode
--enable-features=VaapiVideoDecoder
--enable-gpu-rasterization
--enable-oop-rasterization
--enable-zero-copy
--ignore-gpu-blocklist
# Borked until Chrome 96
#  https://chromiumdash.appspot.com/commit/a4de986102a45e29c3ef596f22704bdca244c26c
# ... and Chrome 98
# https://bugs.chromium.org/p/chromium/issues/detail?id=1236697
#
# Up to you and your preference and device.
# --gpu-testing-vendor-id=0x8086
# --gpu-testing-device-id=0x5917
# --force-device-scale-factor=1.00
# --enable-features=WebUIDarkMode
# --force-dark-mode
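
To review a flags file like the one above before launching the browser, the following script lists the active switches, reports switches that appear more than once, and prints a version with repeated --enable-features/--disable-features lines merged. It is an added example, not part of the original guide or of Brave; the function names and sample content are constructed, and merging repeats into one line is an assumption about the intended form, not documented browser behaviour.

```shell
#!/bin/sh
# Added example (not from the guide): audit a chrome-flags.conf style file.

# Print the switches that are active: comment lines, blank lines and
# surrounding whitespace are dropped.
active_flags() {
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
         $0 != "" && $0 !~ /^#/ { print }' "$1"
}

# Print every switch name (text before "=") that occurs more than once.
duplicate_switches() {
    active_flags "$1" | awk '
        { name = $0; sub(/[=].*/, "", name); seen[name]++ }
        END { for (n in seen) if (seen[n] > 1) print n }' | sort
}

# Print the active switches with repeated --enable-features and
# --disable-features lines merged into one comma-separated list each
# (first-seen order, duplicate feature names and duplicate lines dropped).
merged_flags() {
    active_flags "$1" | awk '
        /^--(enable|disable)-features[=]/ {
            name = $0; sub(/[=].*/, "", name)
            list = $0; sub(/^[^=]*[=]/, "", list)
            if (!(name in merged)) { order[++n] = name; merged[name] = "" }
            count = split(list, parts, ",")
            for (i = 1; i <= count; i++) {
                key = name SUBSEP parts[i]
                if (parts[i] == "" || (key in have)) continue
                have[key] = 1
                sep = (merged[name] == "") ? "" : ","
                merged[name] = merged[name] sep parts[i]
            }
            next
        }
        !($0 in seen) { seen[$0] = 1; order[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                if (order[i] in merged) print order[i] "=" merged[order[i]]
                else print order[i]
            }
        }'
}

# Write a constructed sample (based on the example file above, with a second
# --enable-features line added) to the path given as $1.
write_sample() {
    printf '%s\n' \
        '--disable-features=UseChromeOSDirectVideoDecoder' \
        '--enable-features=VaapiVideoDecoder' \
        '--enable-gpu-rasterization' \
        '  --enable-zero-copy  ' \
        '# --force-dark-mode' \
        '--enable-features=WebUIDarkMode,VaapiVideoDecoder' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "Repeated switches:"; duplicate_switches "$sample"
echo "Merged flag list:";  merged_flags "$sample"
rm -f "$sample"
```

Run the three functions against your own file, for example `merged_flags "$HOME/.config/chrome-flags.conf"`, and compare the result with what the browser reports as its command line.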

Default Fonts

By default Brave Browser uses Poppins and Muli for the content you see around the web, those mentioned fonts are not the default fonts to render the actual content.

The actual fonts are

Keep in mind that the list can be different because some Distros do not include mentioned fonts by default. In this case other fonts are the default ones. Font rendering and issues are actually a thing.

My own suggestion is

There is currently no way to disable font anti-aliasing/font smoothing.

Browser Extensions

In general, less is more: fewer extensions mean less memory use and attack surface, and they help in terms of speed and fingerprinting.

Extension Comment
Behave! Monitors and warns if a web page performs DNS Rebinding attacks to Private IPs, accesses Private IPs and allows Port Scans (among other features).
Bypass Paywalls alternative Bypass Paywalls for Chrome Clean Bypass annoying article PayWalls.
CSS Exfil Protection Guard your browser against CSS Exfil attacks (will be obsolete with Chrome 102+).
Demodal A browser extension that blocks modals and overlays. It can be used in addition to uBlock or Brave's Ad-Block to bypass e.g. Paywalls and other modals which are hard to block via uBO or heavily rely on static filterlists.
Extension source viewer View source code of Chrome extensions, Firefox addons or Opera extensions (crx/nex/xpi) from the Chrome web store and elsewhere.
JShelter alias JS-Restrictor Extension for increasing security and privacy level of the user.
Keyboard Privacy Prevents behavioral profiling by randomizing the rate at which characters reach the DOM (will be obsolete with Chrome 92+!).
Old Reddit Redirect Alternative via script, I prefer the script! Or you use Redirector 👇.
Redirector The add-on lets you create redirects for specific webpages, e.g. always redirect http://bing.com to http://startpage.com
Session Buddy Manage Browser Tabs and Bookmarks easily.
Tabs Session Manager WebExtensions for restoring and saving window / tab states.
Terms of Service; Didn’t Read Ranks website terms & privacy policies from very good Class A to very bad Class E.
uBlacklist Blocks specific sites from appearing in Google search results.
zwBlocker An extension that helps spot zero-width characters.

Optional Browser Extensions (some suggestions for specific needs)

Extension Comment
Acid Tabs Auto-Grouping your Tabs easily.
Old Brave Dark Theme Workaround some dark mode issues.
CheaperThan. Amazon Snipe Amazon deals.
ClearURLs Until merged with Brave adblock (needs syntax changes in Brave's AdBlock). Merged in 1.30.84.
Consent-O-Matic Automatic handling of GDPR consent forms.
Copy Guard A browser extension to prevent copy hijacking. It can be useful if you want feedback.
Enhancer for YouTube Improve some YouTube features.
Export links of all extensions Export your list of extensions.
External Application Button Useful if you want to add YouTube-DL to right-click menu.
Fake news debunker by InVID & WeVerify AI to detect fake news.
FastForward Don't waste your time with compliance. FastForward automatically skips annoying link shorteners.
Grammar and Spell Checker — LanguageTool Spellchecking is integrated into the Brave Browser (might not work on all websites).
Header Editor An extension which can modify the request, include request headers, response headers, redirect requests, and cancel requests.
JShelter Browser extension to mitigate potential threats from JavaScript.
Kee - Password Manager Helper extension for KeePass.
Metamask The MetaMask browser extension enables browsing Ethereum blockchain enabled websites.
MyJDownloader Browser Extension Only relevant if you use/work with JDownloader2.
Reddit Enhancement Suite Some Reddit tweaks.
Search by Image Reverse image search utility.
Shodan alternative (Open Source) Country Flag & Website Info IP info, Whois and more for visited domain (website).
SponsorBlock for YouTube Skip sponsor ads on YouTube.
Tampermonkey Make sure to opt-out of telemetry! There are alternatives but they do not work as well as TM. TM needs #enable-javascript-harmony & #enable-experimental-web-platform-features for some features (default disabled in Brave), only activate it if absolutely necessary.
The Commenter Check for comments on the web.
Tomato Clock Egg timer for your Browser.
VectorDraw - Paint on Tab Paint on tabs, useful if you do some videos and want to show something.
Web Scrobbler Web Scrobbler helps online music listeners to scrobble their playback history.
WebWormhole WebWormhole lets you send files from one place to another.
YouTube Dislike Count which doesn't need external API call Userscript solution which works without any external API, an extension but with external calls is available here.
papers-with-video Add a video icon to the paper title on arxiv.org if a conference video exists for the paper.
vidIQ Vision for YouTube YouTube statistics (needs login for advanced functions!)

Browser Extensions you do NOT need

Extension Comment
Barrier Already integrated into Brave Shields.
Canvas Blocker Brave randomizes the fingerprint, depending on your Shield settings (brave.com).
Canvas Fingerprint Defender
CanvasFingerprintBlock
ChromeGalvanizer Harden your browser against extension backdoors and exploits. Brave includes hardening already by default.
Cookie-AutoDelete Set shield defaults to never allow Cookies and only unlock Cookies when needed, ensure "clear browser data on exit" and cookies are enabled in Brave's settings.
Decentraleyes Decentraleyes is practically abandonware with little to no impact and outdated resources. The benefit cannot be proven in the real-world because CDNs update very often, due to security fixes, performance etc. using hardcoded and old libraries can make you more vulnerable.
Disconnect Useless, integrated into Brave's filter lists.
Ghostery (ghostery.com) Brave Ad Block does the same. ↑
HTTPS Everywhere Integrated into Brave Shields (support.brave.com).
LAN-port-scan forbidder Browser extension to protect private network. You can achieve the same with a LAN blocking filterlist, and the Browser already restricts specific ports by default.
LocalCDN Integrated into Brave Shields, lots of CDNs and Endpoints getting tunneled.
NoScript Not needed, you achieve the same with Brave shield or uBlock (if you know how to work with custom filters).
Privacy Badger Privacy Badger does the same as uBO/Brave Adblock, the "AI" based function (learning) got disabled by default due to metadata (privacy) concerns. It can also easily be detected (adtechmadness.wordpress.com).
Privacy Possum Integrated into Brave Shields.
Trace Partially integrated into Shields, not all features.
uBlock Origin Only needed if you are an advanced user, because Brave Adblock constantly evolves together with uBlock and new features get adopted and integrated.

Parcourstest

Here are the tests the Browser (Desktop/Mobile) needs to pass. This needs to be done so that we know the flag changes we made do not negatively influence the Browser in a way we do not want. Privacytests.org provides a solid but not perfect overview of what is currently covered with the DEFAULT Brave Browser settings and shield settings. Test results vary a lot with changed shield settings as well as changed flags and settings.

This is my own test ground. You can verify studies, which are always opt-in only, via Griffin; the website Brave Variations basically checks and verifies given flags and studies, and you can examine what is currently activated or what is inactive. Griffin is not spyware; it is designed to review the current staging process as well as to quickly review things like upcoming feature tests and the roll-out process.

Official Test:

The official Brave QA Test Pages are here (dev-pages.brave.software).

Obsolete test pages:


Brave Browser FAQ

Brave VPN FAQ

Brave VPN

Brave Talk FAQ

Brave Rewards FAQ

New and improved Brave Reward Popup to claim Rewards

Flagged Rewards Account

Brave News FAQ

Brave Wallet FAQ

You can see the Wallet implementation progress here (github.com).

Brave Search FAQ

Brave needs to fix the mentioned points, otherwise I cannot suggest using it as a private alternative. Until then you could use Qwant, Presearch or other listed alternatives (https://chef-koch.bearblog.dev/privacy-tools-list-by-chef-koch/#metasearch-engines).

Brave Premium Search

Brave Translation FAQ

Brave - Ask me anything (AMA) (sorted from newest to oldest)

Brave Stories explained

Brave Referral Story

The whole story got a lot of attention; however, it was always misleading and was spread to gain clicks. The matter was resolved after 7-8 hours and pushed within 12 hours as a commit. The actual update got released within 24 hours. Some users had to wait 48 hours because this is how the distribution system handles and delivers updates to avoid huge pressure on the server or hitting GitHub limitations.

“That being said, I think there was a lot of misunderstanding of the situation. There was no privacy harm to users, and what was being done is similar to how most, if not all, browsers interact with search engines, to receive referral cash. Using DDG in Firefox, to give one example, tells DDG the query came from Firefox the "FFAB", or, guessing, "Firefox Address Bar"…”

“…The user was never able to be tracked, the site wasn't able to learn anything additional about you, etc.”

Source (reddit.com)

Later in 2020 the referral program was shut down (brave.com).

Reference for the Brave vs. Browser X discussion

Why does Brave consume more RAM than Chrome

Aggressive trolling because Brave uses the word ”Privacy”

Some Firefox people, or shall I say loyal fans, have been trolling (wikipedia.org) Brave Browser and its Developer Team since practically day one because of the marketing slogan ”privacy browser”. This is harsh as well as biased because no Browser will ever be perfect in this regard. Privacy is not an on or off switch and needs continuous inspection, maintenance and changes to adapt and respond to new problems. Those smear campaigns often come from uneducated people who are not even developers themselves; such people tend to cherry-pick some leaks or open issue tickets and claim the Browser is not as private as advertised to make the Browser look worse than others. This is a pointless effort because you find some open issue tickets on every single Browser: Tor Browser, Firefox, all of them always have some open issue tickets regarding privacy. This is not how FOSS works, and open tickets are not a measurement instrument such as a "privacy index". The Brave Team puts a lot of time and research into privacy-related problems, the same as Firefox and the Tor Browser Project.

Another strategy is to spread fake forks to smear Brave (aur.archlinux.com). Even after I reported it to Brave and the Arch Team via Tweet, such disrespectful forks continue to stay online. Not only is this defamation, it also exposes how biased people are against any competition.

Brave Browser is de facto privacy respecting and does by default more than any other Browser on the market, this is done by including a lot of ideas and privacy respecting changes directly into the Brave Browser. In every other Browser you need to work with extensions or configuration changes to come even remotely close to Brave Browser. I do not see how the troll argumentation holds that Brave fails regarding privacy, it is offering a solid ground with the arguably best default out-of-the-box configuration.

If your goal is to become nearly anonymous then use Tor Browser; the Brave Team has clearly communicated this since day one on their website.

Story about Dissenter

A fake story with false background information, see Brave legally threatens Brave fork trying to remove adds (bitgrum.com).

In April 2019, Dissenter was removed from the Firefox Add-ons website and the Chrome Web Store for violation of their policies that causes the creation of the Dissenter web browser.

Source (discourse.mozilla.org)

The actual reason why this was removed:

Using Brave's “Private Window with Tor” could get you fired

There are several stories that you can get fired if you use Tor. The problem is that there are industries where compliance requires all work-related communications to be logged and monitored.

This is a general problem and not related to Tor or Brave Browser; it is about what you agreed to in your employment contract. Make sure you check this before you attempt to use Tor in general.

Story about Braver Fork

The story was mainly about Trademark (trademarks.justia.com) violation and not about replacing ads, the Team never asked or contacted Brave to ask for permission to begin with. Also you need to do some legal proceeding because GitHub does not take content offline without any court order or trademark confirmation.

Contradiction regarding Privacy Communities

Brave contradicts itself with weird statements regarding supporting privacy related communities or not. This is neither positive nor negative, just weird.

"Brave doesn't want to be associated with privacy focused groups" (web.archive.org) while Peter Snyder (brave.com) is backing GPC (brave.com) along with DuckDuckGo (spreadprivacy.com), Mozilla (blog.mozilla.org), Disconnect (blog.disconnect.me), Abine (abine.com) and the EFF (eff.org).

Personal Note

I do not work for Brave nor do I get paid for writing any of this. The intention/motivation behind this guide is to harden Brave Browser for maximum performance, security, privacy and make it even more awesome than it already is.
