Brave Browser Hardening by CHEF-KOCH
Important - Please read this first
The new website is here (code-cktn.org), please do not link my outdated Bear Blog in public since I moved to my own websites and services.
I would like to thank Bear Blog and the community for hosting my content over the years. Bear Blog is a fine website and service, but I simply decided to host my own websites, projects and services instead, as it gives me more control over my own content.
Project updates
I'll try to keep this hardening guidance updated as much as I can. The flag configurations/changes and tips listed below are only tested against Windows/Linux & Android, I do not plan to test them against macOS/iOS!
See statement above.
Introduction
Hardening does not start at choosing the right tools or networks, hardening begins with gathering information to inform yourself and others in order to stay up-to-date so that you can deal with current and upcoming threats. Tools, extensions and Co. are just a workaround until someone builds the right system, that starts by voting and supporting the right politicians and organizations. – Statement CHEF-KOCH, 1997
The main purpose of this guidance is to inform people about possibilities to enhance Brave Browser without depending on other tools or the Brave Team, and without relying on guides on the Internet that are usually quickly outdated.
In case you have some questions, you can ask them directly on my official Matrix Server or use the issue ticket feature to open relevant tickets so that we can address new stuff.
Important notice: READ this before you start changing some random Browser flags!
Just because a flag promises X does not necessarily mean you should enable or change it; there are possible drawbacks!
- Browser flags are in general beta features and can decrease performance/privacy or even corrupt your entire browser profile. However, all flags mentioned here are carefully tested and reviewed before they are listed.
- In case you report bugs in the official Brave Browser GitHub repository, make sure that you use a fresh browser profile, not an "optimized" one.
- Some flags (changes) depend on server-side configuration and platform updates, which means that some security-related flags in particular only fully work when the server/domain actually supports them.
- Some flags are OS and platform specific. On older Android, Linux or Windows builds or versions they are probably listed under Unavailable; in this case you cannot, of course, use that flag on your platform.
- QUIC is disabled due to privacy and fingerprinting concerns - This concern is fixed with Brave, based on Chromium 91.1.27.8 (nightly), and the original proposal got approved as RFC 9000. See here for a security overview. Remaining trackability is covered by Brave Shields. HTTP/3 and QUIC are generally faster than TCP and TLS. If you want an in-depth explainer for every byte, read this.
- Use KeePass (or a fork) instead of the internal password manager. I personally prefer not to work with browser-based password managers/integrations. For more information, read here.
- Voice (Android) search input is disabled due to multiple privacy concerns.
- Browser based PDF is not changed because I prefer Sumatra PDF (aka offline reading) due to multiple privacy/malware concerns.
- Omnibox functionality is limited due to multiple privacy concerns. See here for more info.
- Google's Safe Browsing and other security checks and connections are NOT wanted. The OS has its own protection mechanism (OS security model + hardening).
- FLoC is disabled by default in Brave. Chrome users can use uBlock or change it manually via flags.
- How we compare the network behavior of popular browsers on first-run.
- All credential checks are disabled since we do not store passwords within the Brave Browser, instead we use sophisticated tools like KeePass or in general other password managers of your choice.
- Animations might be slower or entirely fail to load properly due to isolation flags, which means the Reward System might be affected and you may need several attempts to complete the Reward challenge in order to claim your BATs.
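The flag notice above warns that flags expire and that changed flags can damage a profile. As an added example (not code from this guide or from the Brave project), the following sketch audits the flags stored in a profile's Local State file against decisions recorded in this guide's changelog and reports mismatches and leftover entries for flags the changelog lists as obsolete. It assumes the Chromium convention of storing flags under browser.enabled_labs_experiments as name@index, with 1 = Enabled and 2 = Disabled for plain two-state flags; the baseline subset, function names and sample data are constructed for illustration.

```python
import json

# Flag decisions recorded in this guide's changelog (subset), written without
# the leading "#". The value is the state the guide enforces.
# Assumption: these are plain Default/Enabled/Disabled flags.
BASELINE = {
    "enable-webview-tag-site-isolation": "enabled",
    "restrict-websockets-pool": "enabled",
    "brave-adblock-cosmetic-filtering-child-frame": "enabled",
    "enable-webusb-device-detection": "disabled",
    "edit-context": "disabled",
    "brave-federated": "disabled",
}

# Subset of the flags the changelog lists as obsolete since 1.35.101.
OBSOLETE = {
    "intensive-wake-up-throttling",
    "https-only-mode-setting",
    "http-cache-partitioning",
    "sms-receiver-cross-device",
    "restrict-gamepad-access",
    "webid",
}

# Assumption: option index as stored by Chromium for two-state flags.
# Multi-option flags use other indexes and are reported as "option-N".
STATE_BY_INDEX = {0: "default", 1: "enabled", 2: "disabled"}

# Constructed sample of the relevant part of a Local State file.
SAMPLE_LOCAL_STATE = json.dumps({
    "browser": {
        "enabled_labs_experiments": [
            "enable-webview-tag-site-isolation@1",
            "enable-webusb-device-detection@1",   # contradicts the baseline
            "edit-context@2",
            "http-cache-partitioning@1",          # obsolete leftover
            "webid@2",                            # obsolete leftover
            "example-unreviewed-flag@1",          # hypothetical flag name
        ]
    }
})


def parse_entry(entry):
    """Split one stored entry such as 'edit-context@2' into (name, state)."""
    name, sep, index = entry.rpartition("@")
    if not sep:
        # Assumption: single-value flags are stored by name only when set.
        return entry, "enabled"
    if not index.isdigit():
        return name, "unknown"
    return name, STATE_BY_INDEX.get(int(index), "option-" + index)


def audit_flags(local_state_text, baseline=BASELINE, obsolete=OBSOLETE):
    """Compare the flags set in a Local State document with the baseline."""
    data = json.loads(local_state_text)
    entries = data.get("browser", {}).get("enabled_labs_experiments", [])
    if not isinstance(entries, list):
        entries = []
    actual = dict(parse_entry(e) for e in entries if isinstance(e, str))

    report = {"ok": [], "mismatch": [], "unset": [], "stale": [], "unreviewed": []}
    for name, wanted in sorted(baseline.items()):
        have = actual.get(name)
        if have is None:
            report["unset"].append(name)          # still at browser default
        elif have == wanted:
            report["ok"].append(name)
        else:
            report["mismatch"].append((name, wanted, have))
    for name in sorted(actual):
        if name in obsolete:
            report["stale"].append(name)          # flag no longer exists
        elif name not in baseline:
            report["unreviewed"].append(name)     # set, but not in the baseline
    return report


if __name__ == "__main__":
    print(json.dumps(audit_flags(SAMPLE_LOCAL_STATE), indent=2))
```

Run it against a copy of the Local State file taken while the browser is closed, so that a reported mismatch reflects the profile on disk rather than a half-written state.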
Unresolved Issues with the biggest privacy/security impact
You find an overview of all opened privacy related and reported issues directly on the issue tracker (github.com).
☑ indicates that the mentioned issue was fully resolved and ☒ that this is something that will not be fixed because it is by design.
Additional Info:
- Working with Flags and background info when they expire (chromium.googlesource.com)
- List of all Flags (source.chromium.org)
- List of all Flags that never expire (source.chromium.org)
Please keep in mind that an open issue ticket does not necessarily mean the problem is actively abused in the real world. In lots of cases it is hard to find evidence that theoretical problems are used to directly compromise your security or privacy. Also, some of the mentioned issues might be very hard to fix because trying to work around them can result in unwanted side effects, such as Browser crashes, website breakage etc.
- ☐ Letterboxing (window size)
- ☐ Crooked Style Sheets Tracking Attacks
- ☐ Cross-device tracking via ultrasonics
- ☐ DRAWN APART - A Device Identification Technique based on Remote GPU Fingerprinting (orenlab.sise.bgu.ac.il), pretty much every Browser is affected by the new attack. For additional details please see getSupportedExtensions in WebGL
- ☐ IPTC meta data in images
- ☐ Intel iGPU sandboxing in Linux does not exist, fixed with latest Chromium commit
- ☐ Resource Timing
- ☐ Retrieving your browsing history through CAPTCHAs, see here. On Firefox this can be prevented by toggling layout.css.visited_links_enabled, while on Chrome you need to manually clear your browsing history after the session ended. Mozilla has an article regarding such protection mechanisms over here.
- ☐ TCP Fast Open (TFO)
- ☐ TLS session resumption tracking
- ☐ There is currently no master password available for saved passwords, which can lead to security and privacy related issues.
- ☐ Trackability of QUIC connections, Brave AdBlock covers some parts except the server configuration part which needs to be implemented into the Browser. Keep in mind that mentioned papers are outdated and do not reflect current final QUIC implementation.
- ☐ WebGL Extension farbling
- ☐ Window dimension based fingerprinting
- ☐ Zoom Levels tracking
- ☐ window.Intl.DateTimeFormat() API
- ☒ One Bad Apple Can Spoil Your IPv6 Privacy - IPv6 privacy extension bypass to track users via prefix rotation on ISP end.
- ☒ Some AV products using and inspecting your camera and your lock screen - This is a wont-fix because this is how AVs and their security features work. You manually need to allow Brave to use the camera permission or block/allow the AV to use/not use it.
Project History
- 15.08.2022
- 07.08.2022
- Desktop Usability: #extensions-menu-access-control, startup glitch fixed so we can enforce it.
- Info Privacy: IPv6 privacy extension bypass to track users via prefix rotation on ISP end added to the biggest known security and privacy impact section. This is something only the ISP and potentially your router can address, which means it is labeled as wont-fix.
- Info: eTag cached script concern is fixed, see here (github.com).
- Release: Brave Browser 1.42.88 for Desktop (github.com)
- 05.08.2022
- 03.08.2022
- 31.07.2022
- Desktop Performance: #subframe-shutdown-delay, flag will be removed in 106/107+.
- Desktop/Mobile Security: #clear-cross-site-cross-browsing-context-group-window-name is stable enough.
- Desktop/Mobile Privacy: #reduce-user-agent-minor-version is stable enough to be used.
- 30.07.2022
- Desktop Performance: #brave-rewards-webui-panel, even if you do not use Rewards it is worth getting rid of old leftovers loading during initial Browser startup. This will also replace the old extension, which is more insecure as well as overall heavier on resources.
- Desktop Security: #enable-webview-tag-site-isolation will be enforced, the flag was added in Brave Dev 1.44.8/104.0.5112.69.
- 28.07.2022
- Release: Brave Browser 1.42.81 for Desktop (github.com). Delayed for l10n (github.com), Google Chrome 104.0.5112.81 + Google Chrome 104.0.5112.79 Linux and MacOS.
- 26.07.2022
- Mobile Functionality: #google-mobile-services-passwords is no more
- Desktop Performance: #brave-federated disabled due to performance reasons as well as storage reasons
- 22.07.2022
- Article: Brave expands its Wallet Partner program with six additional leading DApps (brave.com)
- Article: STAR: Brave’s New System for Privacy-Preserving Data Collection (brave.com)
- Desktop/Mobile Privacy: #brave-adblock-cosmetic-filtering-child-frame enabled and enforced via flag.
- Release: Brave Browser 1.41.100 for Android via Google Play Store
- 21.07.2022
- Release: Brave Browser 1.41.100 for Desktop (github.com), crash-fix release
- 20.07.2022
- 15.07.2022
- 12.07.2022
- Article: Solana DApp support now available for Brave Wallet desktop, mobile coming soon (brave.com)
- Release: Brave Browser 1.41.96 for Desktop (github.com). This release solves the window.name and HSTS issues.
- 10.07.2022
- Desktop/Mobile Performance: #quick-intensive-throttling-after-loading throttles intensive background work, but it decreases performance in exchange for overall better battery life. I see more negative effects so far, which is the reason why this is not added to the list. The main issue with constantly throttling intensive work is that it usually ends up eating more battery life, not less, because the Browser is constantly awake trying to limit processes, which triggers more CPU cycles - that is what people call battery drain. In my tests the promise of longer battery life could not be kept, and this is why it is not getting added. The new flag was introduced in the 105.x Dev build.
- 05.07.2022
- Release: Brave Browser 1.40.113 for Desktop (github.com), minor bugfix release, no relevant flag changes that would matter for us
- Release: Brave Browser 1.40.113 for Android (github.com), minor bugfix release, no relevant flag changes that would matter for us
- 02.07.2022
- Article: Brave partners with Guardian to bring a paid VPN and Firewall to Brave for Android (brave.com)
- Release: Brave Browser 1.40.111 for Android (github.com), minor bugfix release, no relevant flag changes that would matter for us
- 28.06.2022
- Release: Brave Browser 1.40.109 for Desktop (github.com), bugfix release, no relevant flag changes that would matter for us
- 24.06.2022
- Release: Brave Browser 1.40.107 for Desktop (github.com), bugfix release, no relevant flag changes that would matter for us
- Release: Brave Browser 1.40.106 for Android (github.com), minor bugfix release, no relevant flag changes that would matter for us
- 23.06.2022
- Release: Brave Browser 1.40.106 for Desktop (github.com), bugfix release, no relevant flag changes that would matter for us
- Release: Brave Browser 1.40.105 for Android (github.com), no relevant flag changes that would matter for us
- 22.06.2022
- 21.06.2022
- Release: Brave Browser 1.40.105 for Desktop (github.com), no relevant flag changes that would matter for us
- Article: Brave announces Filecoin integration and more preloaded EVM chains in Brave Wallet (brave.com)
- 16.06.2022
- 14.06.2022
- Release: Brave Browser 1.39.123 for Android (github.com), no relevant flag changes
- 10.06.2022
- News: NEAR Foundation and Brave announce partnership to integrate Aurora, an Ethereum Virtual Machine (EVM) on the NEAR protocol, into Brave Wallet (brave.com)
- Release: Brave Browser 1.39.122 for Desktop (github.com), no relevant flag changes, replaces 120, bugfix + Chromium update
- 08.06.2022
- News: Brave Welcomes 6 Leading DApps to its new Wallet Partner Program (brave.com)
- Release: Brave Browser 1.39.120 for Android (github.com), no relevant flag changes
- Release: Brave Browser 1.39.120 for Desktop (github.com), no relevant flag changes
- 03.06.2022
- News: Brave Hardener for Windows (github.com), basically a Python script that utilizes the Brave Hardening project and applies the settings, based on 3 profiles (Security, Privacy or Performance), to your Windows Brave Browser. The download provides an easy to use executable that you download from the repository and then execute; it guides you through the 3 profiles from which you can select.
- Release: Brave Browser 1.39.115 for Android (github.com)
- 02.06.2022
- Alefvanoon's Repository seems gone, does not load or provides outdated builds.
- 29.05.2022
- Font based fingerprinting (github.com) is fixed with 1.39.111 (brave.com). The method described in this paper (blues.cs.berkeley.edu) was solved by reporting different fonts to different sites each time with a new browser instance.
- 25.05.2022
- Release: Brave Browser 1.39.111 for Android (github.com)
- News: AfrofutureDAO announces partnership with Brave browser to amplify and support indigenous African creators (brave.com)
- News: Brave Browser now Integrates with Solana Blockchain to Expand Web3 Access (brave.com)
- News: Brave and Guardian Team Up Again to Integrate the Brave Android Browser with Guardian Firewall + VPN (brave.com)
- 23.05.2022
- Release: Brave Browser 1.39.111 for Desktop (github.com)
- Info: translate.brave.com is possibly in the works and might use the same API as Vivaldi translation, Lingvanex.
- Info: Added Translation FAQ section about the things we know so far.
- 21.05.2022
- 20.05.2022
- Desktop/Mobile Privacy: #origin-agent-cluster-default, see here for more details (github.com).
- 19.05.2022
- 17.05.2022
- 14.05.2022
- 10.05.2022
- Release: Brave Browser 1.38.115 for Desktop (github.com)
- Release: Brave Browser 1.38.113 for Android (github.com)
- 03.05.2022
- Info: Difference between DDG and Brave de-AMP - Brave avoids rendering AMP pages and minimizes fetching from GOOGLE servers, whereas DDG's AMP bypass feature over-fetches and renders AMP content.
- Outdated: TLS Post-Quantum Confidentiality integrated into Chrome 101+, flag removed.
- Release: Brave Browser 1.38.111 for Desktop (github.com)
- 28.04.2022
- Info: de-AMP flag enforcement is not needed as the Settings override the flags preferences.
- Info: Starting with 1.38.109>= Shields v2 is enabled by default, if you prefer the old Shield version you can enable #brave-shields-v1 in the flags and disable #brave-shields-v2. Usually just disabling the v2 flag is enough, however the problem is that it might break some sync features. So this is the recommended way to do it.
- Workaround: In order to get the Hardware Media Key Handling option back that disappeared in latest Stable, Beta and Nightly you need to enable #temporary-unexpire-flags-m100, restart Brave Browser and then you see the #hardware-media-key-handling flag again.
- 27.04.2022
- News: Verifying Brave Rewards with Gemini on Android has been released! (Version 1.38.x of Brave app on Android — keep an eye out on the app store for when the update becomes available for you!) (brave.com)
- Release: Brave Browser 1.38.109 for Android (github.com)
- Release: Brave Browser 1.38.109 for Desktop (github.com)
- 23.04.2022
- 22.04.2022
- Article: In a 2021 study of popular web browsers, Brave is the only "out-of-the-box" web browser that does not share IP address or details of web pages visited with their backend (ieeexplore.ieee.org)
- Mobile Privacy: #feed-stamp, added since Android 1.36.116+. The flag is somewhat optional: if you have not enabled Feeds it is irrelevant, but if you have enabled Feeds, StAMP based Cards are fetched - but tunneled - by default. We take no risk and disable it regardless of whether it is tunneled or not.
- Desktop Usability: #quick-commands, added since Brave Beta 1.39.78+.
- Desktop/Mobile Privacy: #brave-reduce-language, added since Brave Beta 1.39.78+.
- 21.04.2022
- 20.04.2022
- Info: Brave Search removed the Beta tag in the Search Settings. The Website itself remains beta.
- Article: Brave Search no longer requires you to append ‘Reddit’ to your searches (theverge.com)
- Article: Goggles: Democracy dies in darkness, and so does the We [pdf] (brave.com), this was published a while back but I forgot to add it.
- Article: Discussions in Brave Search: real human answers in search results (brave.com)
- 19.04.2022
- Article: De-AMP: Cutting out Google and enhancing privacy (brave.com)
- Article: Brave’s De-AMP feature bypasses ‘harmful’ Google AMP pages (theverge.com)
- Desktop/Mobile Privacy: #autofill-enable-sending-bcn-in-get-upload-details disabled because we use #private-network-access-respect-preflight-results and #private-network-access-send-preflights.
- 14.04.2022
- Add a new indicator Default flag state in the chart to quickly see what the Browser uses as default settings, the ones that you see if you did not touch anything at all.
- Release: Brave Browser 1.37.116 for Desktop + Android (github.com), link points to the Android version as the Desktop version only got a Chromium upgrade
- 12.04.2022
- 06.04.2022
- Article: Use Brave Browser For Passive Income and Better Privacy - The complete guide to using Brave and BAT (medium.com)
- Article: Google's Topics API: Rebranding FLoC Without Addressing Key Privacy Issues (brave.com)
- Article: Google’s Third-Party Cookie Replacement Is Flawed, Experts Say (lifewire.com)
- 05.04.2022
- 01.04.2022
- Release: Brave Browser 1.37.110 for Android (github.com)
- Desktop/Mobile Performance: Back-forward cache still causes some problems so we disable it, same as #durable-client-hints-cache. In general we try to avoid any cache, not only because of performance and lags but also for fingerprinting reasons. Keep in mind that in general prefetch requests will not follow redirects, not send a Referer header, not send credentials for cross-origin requests, and do not pass through service workers. However, they can still be abused for fingerprinting coming from extensions and PWAs.
- Desktop Privacy: #enable-webusb-device-detection enforced to disabled.
- Desktop Security: #enable-isolated-sandboxed-iframes will be enforced to enabled.
- Desktop/Mobile Privacy: #edit-context enforced to disabled.
- 31.03.2022
- 30.03.2022
- 26.03.2022
- 24.03.2022
- News: Brave gets De-AMP feature (github.com) on Android it is by default off until the problems are resolved.
- 23.03.2022
- Desktop Privacy: #disable-process-reuse + #subframe-shutdown-delay
- News: Naomi Brockwell, known privacy advocate, recommends Brave Browser in her presentation (19:25) (youtube.com).
- 22.03.2022
- 21.03.2022
- 17.03.2022
- Release: Brave Browser 1.36.116 Android
- 15.03.2022
- Release: Google Chrome 99.0.4844.74 (chromerelease.googleblog.com.com)
- Release: Brave Browser 1.36.116 Desktop (github.com)
- Release: Brave Browser 1.36.112 Android (github.com)
- Desktop/Mobile Privacy: #font-access
- Desktop/Mobile Energy: #throttle-foreground-timers + #enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes
- Mobile Usability: #google-lens-sdk-intent, #context-menu-translate-with-google-lens, #context-menu-shop-with-google-lens, #context-menu-search-with-google-lens, #context-menu-google-lens-chip
- 10.03.2022
- News: DuckDuckGo under fire for the ranking scandal (twitter.com). It is relevant because DDG is - for now - the default choice for most countries, until Brave Search becomes fully stable.
- Mobile Performance: #enable-drdc, + #canvas-oop-rasterization and #enable-gpu-rasterization do not cause tabs to crash anymore. Debugging on Android remains a PITA because of the missing DEV-UI extension.
- Linux Tip: #enable-skia-renderer gets rid of Intel iGPU log spam under brave://gpu/. You can also enable it on AMD systems without any problem, there are no drawbacks. However, this is a Linux specific tip since Windows handles OpenGL differently and there is no skia composition as renderer, so Chromium will ignore it anyway.
- Desktop Performance: Enforce Vulkan via Flag instead of cmdline toggle. On Android it is too unstable and causes some additional problems, such as battery drain as well as graphic glitches. On newer Android versions this is less of a problem but on older ones like Android 8+ it causes some issues. This was reported already and it might finally get fixed in v101.
- Bugfix Release: Brave Browser 1.36.112 (github.com)
- 09.03.2022
- Desktop/Mobile Privacy: We are going to disable #autofill-parse-merchant-promo-code-fields and #autofill-fill-merchant-promo-code-fields to avoid endpoint connections.
- 08.03.2022
- News: "Unlinkable Bouncing" for more protection against bounce tracking (brave.com) + Brave Bounce Tracking (theregister.com) + Brave Browser's Unlinkable Bouncing protection improves bounce tracking protection further (ghacks.net) + Brave takes on the creepy websites that override your privacy settings (arstechnica.com)
- 07.03.2022
- News: Android Brave Version 1.35.103+ (alias Chromium 98.0.4758.102+) from Google Play Store now fully supports and works with U2F, this means hardware like Yubikey Security Key through NFC is fully supported. Brave for Android is the only working mobile Browser that fully supports U2F that actually works. Keep in mind that U2F will soon be deprecated (developer.chrome.com) and replaced with WebAuthn (en.wikipedia.org). Chromiums implementation for WebAuthn will support FIDO2 and FIDO keys but not U2F based keys. It only supports FIDO based keys.
- Release: Brave Browser 1.36.111 (github.com)
- News: Announcing Brave Swap-stakes: Use Brave Wallet for a chance to win up to $500K in daily prizes, including a Bored Ape NFT (brave.com)
- 06.03.2022
- Changed: Browseraudit.com removed, the source code (github.com) is from 2015 and is heavily outdated, there is practically no activity anymore.
- Ad Block: #brave-adblock-redirect-url
- Mobile Security: #biometric-reauth-password-filling, this depends on whether you use biometric auth or not, keep in mind that we disable all autofill forms in general. The flag is not mentioned below as this is a personal decision and use-case scenario.
- Mobile PWA: #messages-for-android-pwa-install
- Desktop Usability: #page-info-about-this-site
- Desktop Privacy: #enable-payment-request-basic-card, #enable-generic-sensor-extra-classes, #device-posture, #partitioned-cookies, #brave-dark-mode-block, #brave-domain-block-1pes
- Mobile Usability: #voice-button-in-top-toolbar, the flag finally works as intended. #android-picture-in-picture-api, #shopping-list, #darken-websites-checkbox-in-themes-setting, #photo-picker-video-support, #page-info-about-this-site, #messages-for-android-ads-blocked, #messages-for-android-permission-update, #messages-for-android-reader-mode
- Mobile Privacy: #related-searches-in-bar, #enable-payment-request-basic-card, #enable-generic-sensor-extra-classes, #enable-commerce-price-tracking, #device-posture, #google-mobile-services-passwords, #partitioned-cookies, #large-favicon-from-google, #brave-dark-mode-block, #brave-domain-block-1pes
- 05.03.2022
- Info: The guide is so big that I decided to put it on GitLab. However, I try to maintain this page as much as I can but things are already so big that one single page is too much for beginners to comprehend, not everyone likes to spend 1+ hour reading all this and the page loading times are also getting slower and slower with each new line and update. Bear Blog is not designed the way I use it.
- Changed: Lots of new flags added for Android. I try to release some updates tomorrow, the thing with Android and fragmentation is pretty huge. For example, there are lots of Browser crashes when enabling specific flags, especially on older Android versions. Mobile Browser versions were always problematic due to the fact that it is pretty rough to test all variables: we have different OS builds and different use-cases, e.g. MicroG users, AOSP users, LOS users etc., and this can influence performance as well as how things actually respond in the real world. Some flags work perfectly fine, others are Android P+ specific; finding out which flags make most sense and provide an actual benefit is pretty hard and time intensive.
- 04.03.2022
- Desktop/Usability: History Journeys, History Journeys Omnibox Action and Page info history enabled, which makes it easier to work with search and tab history. The journeys are not collected in private browser mode and nothing is submitted. I see it as useful to use those flags since it makes it easier to search and use history without opening dozens of new tabs.
- Desktop/Mobile Performance: Enable #restrict-websockets-pool by default, which limits the connections to 6, which is enough for most websites. There are some intense websites that possibly require more but I never found websites that entirely break because of this. This also has a security benefit, which is the reason why I want to enforce it.
- 03.03.2002
- Fixed: Starting with Chrome 99.0.4844.51+ you can again delete default search engine providers. This was actually by design: the story is that people started to remove all entries and had no visible option to restore the default list. The workaround of messing with profile settings and configuration files often ended up in profile corruption and it was very hard for beginners to deal with it. In the future Chrome will get a visible option and button to restore the default list.
- News: Brave announces Brave Talk extension, bringing one-click scheduling to Google Calendar (brave.com)
- 02.03.2022
- Release: Brave Browser 1.36.109 (github.com)
- Changed: Some minor improvements in the Readme, small updates nothing important.
- Release: Google Chrome 99.0.4844.51 (developer.chrome.com)
- Docs: Added small instructions how to work with Delta updates and debugging.
- 23.02.2022
- 21.02.2022
- 20.02.2022
- Research: Percival: Making In-Browser Perceptual Ad Blocking Practical With Deep Learning (brave.com)
- Research: Who Filters the Filters: Understanding the Growth, Usefulness and Efficiency of Crowdsourced Ad Blocking (brave.com)
- Research: AdGraph: A Machine Learning Approach to Automatic and Effective Adblocking (arxiv.org)
- Research: SugarCoat: Programmatically Generating Privacy-Preserving, Web-Compatible Resource Replacements for Content Blocking (brave.com)
- 19.02.2022
- 18.02.2022
- Release: Brave 1.35.103 Mobile (github.com)
- 17.02.2022
- Release: Brave 1.35.103 Desktop (github.com)
- 16.02.2022
- Obsolete since 1.35.101 Desktop: #intensive-wake-up-throttling, #https-only-mode-setting, #http-cache-partitioning, #sms-receiver-cross-device, #restrict-gamepad-access, #cross-origin-embedder-policy-credentialless, #omnibox-keyword-search-button, #webid, #omnibox-drive-suggestions, #enable-accessibility-live-caption-soda, #tab-hover-card-images, #debug-history-intervention-no-user-activation, #tab-groups-collapse-freezing, #installed-apps-in-cbd, #calculate-native-win-occlusion, #enable-desktop-pwas-app-icon-shortcuts-menu-ui, #speedreader-legacy-backend
- Obsolete since 1.35.101 Mobile: #intensive-wake-up-throttling, #https-only-mode-setting, #http-cache-partitioning, #sms-receiver-cross-device, #restrict-gamepad-access, #cross-origin-embedder-policy-credentialless, #webid, #chrome-sharing--hub-v1-5, #omnibox-most-visited-tiles, #debug-history-intervention-no-user-activation, #download-auto-resumption-native, #enable-table-ng, #enable-lite-video, #webnotes-stylize, #page-info-discoverability, #page-info-version-2
- 14.02.2022
- Crash: #enable-fenced-frames (bugs.chromium.org) with DOM enabled causes Browser crashes whenever you close a tab, on Android versions prior to 9. A workaround is to set it to only Enabled; this is an OS specific limitation with older Android versions. The fenced frames design docs are here (docs.google.com).
- News: How to Set Brave as Default Browser on iPhone or iPad (osxdaily.com)
- 13.02.2022
- Test: Official Brave QA Test Pages (dev-pages.brave.com)
- Privacy: How does Brave handles Cookies section added.
- 10.02.2022
- Release: Brave 1.35.101 Desktop (github.com)
- 09.02.2022
- 08.02.2022
- Privacy: #navigator-connection-attribute flag does not need to be manually disabled anymore starting with 1.35.100.
- Release: Brave 1.35.100 Mobile (github.com)
- 07.02.2022
- 02.01.2022
- 31.01.2022
- Privacy: Issue #4598 (github.com) resolved.
- Privacy: Issue #18062 (github.com) resolved.
- Privacy: Issue #3964 (github.com) resolved.
- Privacy: Issue #19685 (github.com) resolved.
- Privacy/Security: Add warning regarding the use of portable Browsers.
- Desktop/Mobile Privacy: DRAWN APART: A Device Identification Technique based on Remote GPU Fingerprinting (orenlab.site.bgu.ac.il) affects basically every Browser.
- 27.01.2022
- 25.01.2022
- 22.01.2022
- Release: Brave Browser Mobile 1.34.81 (github.com) released. The original internal name was 1.34.84. That said it can differ across other stores.
- News: I am still trying to solve some issues caused by Chrome x97 release, there might not be any updates until Chrome 98 because I need tremendous amount of time testing things, my apologies here.
- 21.01.2022
- Release: Brave Browser Desktop 1.34.81 (github.com) released.
- 19.01.2022
- Desktop Performance: Explainer why synthetic benchmarks are practically useless and why a comparison based on this factor alone is not enough to come to a conclusion.
- 18.01.2022
- Mention Block outside intruders breaking into LAN filter-list.
- Brave Search: Mention Premium Search, added new picture, the old one was removed.
- 17.01.2022
- Extensions: Updated the section a little bit.
- Extensions: Mention Demodal extension, currently in early development.
- 13.01.2022
- iOS only: According to Brave's GitHub repository, the Canvas Fingerprinting Protection is temporarily (github.com) going to be removed (github.com) because of the following - "Currently, the canvas fingerprinting protection is breaking captchas for iOS users. Remove the canvas fingerprint protection for now and improve the fingerprint protection implementation with farbling etc later on."
- 07.01.2022
- Brave 1.34.80 Mobile released (github.com)
- GrabBag 3: Fixing PoolParty, Improving Fingerprinting Protections, More Debouncing, and Less Chromium Article released (brave.com)
- Former Mozilla Firefox employee: "Why I switched from Firefox to Brave as my main browser after 21 years" (twitter.com), the entire Blog post can be found here (flailingmonkey.com)
- 06.01.2022
- New flags and changes for Chromium 97.x will be released this weekend. Need some more time for the mobile version and to test the new changes.
- Brave 1.34.80 Desktop released (github.com)
- Firefox 95 vs. Chrome 97 Browser Performance On Linux (phoronix.com)
- 05.01.2022
- 31.12.2021
- 22.12.2021
- Partitioning Network-State for Privacy (brave.com) article released.
- 16.12.2021
- Brave Shields UI update via --enable-features=BraveShieldsPanelV2 in Nightly 1.35.44+ (twitter.com)
- Brave Browser Mobile v1.33.106 (github.com) released
- Brave Wallet now available on Android (beta), and soon on iOS! Users can store, manage, grow, & swap their crypto portfolio from a crypto wallet built natively into the Brave mobile browser (brave.com).
- 15.12.2021
- Brave Browser Desktop v1.33.106 (github.com) released
- Brave: Preventing Pool-Party Attacks (brave.com) article released
- 11.12.2021
- Brave is not affected by CVE-2021-44228 Apache Log4j Remote Code Execution Vulnerability (security.googleblog.com), like every other Chromium based browser.
- Microsoft steals Brave's Ads idea and calls it Transparent Ads (techcommunity.microsoft.com) without even mentioning Brave Browser, after that they take over Xandr (wsj.com), an ad platform.
- CSS-Exfil-Protection (github.com) will be declared obsolete with Chromium 102+.
- The attack on uBlock is fixed, as per discussion (github.com). It will be integrated in the next stable bugfix release. Rust fixed it with v0.4.2+.
- 08.12.2021
- Next flags update will be for the major 97x Chromium version.
- Brave 1.32.115 (github.com) released
- 03.12.2021
- 02.12.2021
- Brave Browser lands in an unofficial F-Droid Repository.
- XSinator – XS-Leak Browser Test Suite test (github.com) added into Parcourstest
- Desktop Privacy: #extensions-menu-access-control added, upcoming in the next stable version.
- Desktop/Mobile: #brave-news is a new flag which controls if you can entirely enable or disable Brave News, even on Android. This is not security or privacy relevant. Upcoming in the next stable version.
- Desktop/Mobile: #brave-ads-allowed-to-fallback-to-custom-push-notification-ads is an individual flag which normally does not need to be enabled. In the future this flag will become redundant and self-regulated.
- Desktop/Mobile Ad-Block: #brave-adblock-cookie-list-default makes manually enabling "Easylist-Cookie List - Filter Obtrusive Cookie Notices" obsolete. I prefer the flag because it is more reliable and overrides AdBlock settings. I put it under performance because I do not intend to create a section just for ad-blocking related flags; we already have an explainer below on how to utilize Brave's AdBlock mechanism the right way. The flag gets introduced for everyone in the upcoming stable release.
- 29.11.2021
- Brave News for Android, Nightly only for now added to the Browser FAQ. The flag currently is not listed because there are multiple reasons not to use it.
- 25.11.2021
- Brave Browser 1.32.113 (github.com) Desktop released
- 24.11.2021
- Brave Browser 1.32.112 (github.com) Mobile released
- 23.11.2021
- Mention Brave Search censorship.
- 18.11.2021
- Brave Search requires you to solve a Captcha behind a VPN or Tor
- Brave and UC San Diego Announce SugarCoat, A New Solution to Strengthen the Protection of Web Users’ Privacy While Not Breaking Websites (brave.com)
- 16.11.2021
- 11.11.2021
- Microsoft has blocked third parties from changing the default browser in Windows 11 #19402 (github.com)
- Brave VPN FAQ added
- Desktop/Mobile privacy: Set force-major-version-to-100 to disabled until this is resolved in Brave. Introduced into 96.0.4664.35+ BETA.
- 10.11.2021
- Chromium added the ability for website owners to block the view source option (chromium-review.googlesource.com). It works (textsplashplain.com) on machine level and is highly controversial.
- Syncv2 fixed with 1.33.74 Beta+
- Sandbox workaround for Linux is to set MESA_GLSL_CACHE_DISABLE=true in the environment variables until above mentioned Intel iGPU bug is adopted in Brave. AMD and nVidia users are NOT affected.
- 09.11.2021
- Brave Browser 1.31.91 (github.com) released
- 07.11.2021
- Desktop/Mobile security: #intensive-wake-up-throttling added to limit possible cryptojacking.
- 05.11.2021
- Desktop/Mobile privacy: #enable-fenced-frames (github.com) added
- 04.11.2021
- "Backup chrome flags to json and restore the backup on another machine" script no longer works with 95.x and higher. I contacted the author.
- Listed extension Hackertab.dev now got greedy and integrated ads and gets removed.
- "Clickbait on behalf of Brave in the Media" section added
- "DNS Info" section added, not visible yet
- Mobile privacy: #omnibox-native-voice-suggestions-provider is now obsolete, credit to Legend for finding this.
- 02.11.2021
- "Mobile PWA" section added, optional.
- "Desktop PWA" section added, same like the scrolling section this is optional.
- Brave search FAQ updated: New privacy concerns added.
- The brave://flags#freeze-user-agent flag was renamed to brave://flags/#reduce-user-agent in Chrome 93+ and the values were updated to align with the plan below (also testable via --enable-features=ReduceUserAgent). We enforce the flag.
- New parcourstest entry added: is-chrome-100-yet.glitch.me that must return NO.
- 01.11.2021
- Force Chrome major version to 100 in the User-Agent string (developer-chrome.com) with flag #force-major-version-to-100 in Chrome 96+. We do not want to use it (bleepingcomputer.com) since it is controversial (github.com), see here (androidpolice.com).
- No one noticed it for months, but the listed Brave flags should not have started with brave://flags#, the correct form is brave://flags/#. Flags now work if you copy the URL and open it in another tab. Opening them via right-click and "open in new tab" is automatically blocked; you need to copy the link and open it in another tab, then it jumps to the flag and highlights it. However, I replaced it now with brave:// to make it compatible with other Chromium based browsers. Brave internally uses chrome anyway.
- 31.10.2021
- Why does fingerprinting matters less than you think added.
- Utilizing Brave Ad Block, the right-way section added.
- 30.10.2021
- Improved Brave RAM section.
- Added Tabs Session Manager under considerable essential extensions. The reason is that the extension is suggested in AMO as well as in Google Store, it is FOSS + has independent Sync option + the options page renders nicely even on tablets.
- Added JS-Restrictor extension settings. This is optional.
- Removed since 95+ Desktop: #dns-httpssvc, #omnibox-default-typed-navigations-to-https, #brave-first-party-ephemeral-storage, enable-unsafe-webgpu-service, #quiet-notification-prompts got implemented into the settings UI, #privacy-sandbox-settings, #safety-check-chrome-cleaner-child
- Removed since 95+ Mobile: #u2f-security-key-api, #cookies-without-same-site-must-be-secure, #legacy-tls-enforced, #omnibox-default-typed-navigations-to-https, #treat-unsafe-downloads-as-active-content, #brave-first-party-ephemeral-storage, #safe-browsing-client-side-detection-android, #omnibox-drive-suggestions, #omnibox-local-zero-suggest-frcency-ranking, #share-by-default-in-cct, #enable-accessibility-live-caption, #enable-accessibility-live-caption-soda, #system-keyboard-lock, #privacy-sandbox-settings, #chrome-share-highlights-android, #cookie-deprecation-messages, #enable-android-dark-search, #enable-ephemeral-tab-bottom-sheet, #quiet-notification-prompts, #read-later, #share-button-in-top-toolbar, #toolbar-iph-android, #sharing-hub-desktop-app-menu, #sharing-hub-desktop-omnibox
- 29.10.2021
- 28.10.2021
- #brave-vpn flag got removed but it will return, once it is final, I have no exact date or when the official beta starts.
- Added Zoom Levels tracing as privacy concern.
- Added cross-device tracking via ultrasonics as privacy concern.
- Added TLS session resumption tracking as privacy concern.
- Added trackability of QUIC connections as privacy concern.
- Added tracking via Progressive Web Application Manifests as privacy concern.
- Added SpeechSynthesis API as privacy concern.
- Marked Alt-Svc header tracking as fixed, see above.
- End-of-Life: #https-only-mode-setting does not need to be enforced anymore starting with Chrome 96+. This listed flag will be changed once Brave comes with 96+ stable. #brave-dark-mode-block gets removed as a flag on Desktop at some point, there is no specific date given. Brave Shields settings will handle it if you set it to aggressive (which we do, see below).
- Outdated with Chrome 95+ Desktop: #brave-speedreader now has its own menu point under Settings, therefore we do not need any flag anymore. #brave-decentralized-dns removed as suggestion, the option under Settings now fully works, so we do not need to list the flag. #brave-adblock-cname-uncloaking no longer needs to be enforced; starting with 95.x this depends on the Shields settings, on mobile it still needs to be enforced until 96.x.
- Added new section for Browser Desktop Defaults (chef-koch.bearblog.dev) with pictures.
- Starting working on Chrome 96 and 97 flags. There are bigger changes to come which will take some time to test.
- 27.10.2021
- 21.10.2021
- Brave Wallet FAQ added, needs 1.33.24+. Brave native Wallet is estimated to be available in Release channel in version 1.32.x around November 16, 2021.
- 20.10.2021
- IDLE detection marked as solved (github.com).
- Brave 1.31.87 (github.com) Stable + Google Chrome 95.0.4638.54 Stable Released
- Desktop/Mobile Privacy: #cross-origin-embedder-policy-credentialless enabled, it becomes enabled by default in Chrome 96 (chromestatus.com).
- 14.10.2021
- Fix Internal linking for headings.
- Info about try.bravesoftware.com: This is not a malware URL, it is or was a referral website. They earn commission when somebody downloads and uses Brave Rewards, which is no longer applicable to newer Brave accounts because the referral program is stopped now.
- Desktop/Mobile Privacy: #brave-debounce added, see here (brave.com) what it is
- Brave released #5: Encrypting DNS Zone Transfers (brave.com) article.
- Desktop/Mobile Privacy: #brave-first-party-ephemeral-storage enabled, same like this (github.com) but for session cookies only (github.com). We do not need to touch #enable-autofill-account-wallet-storage because we use a third-party password manager for passwords (tomsguide.com) and we disabled auto fill entirely for password fields.
- Desktop/Mobile usability: #brave-cosmetic-filtering-sync-load enabled (Chrome 95+) which ensures that the custom filters are regularly synced and updated.
- #brave-rewards-bitflyer flag moved to outdated.
- Rewards on Arch based Distros are borked because of Wayland.
- Preparations for Chrome 96, we are going to wait until Google fixes the quieter permission notifications and tab group options. Right now it puts extra pressure on the CPU under Android and Linux, which gets fixed in Chrome 96.
- Mention Privacytests.org, which provides an overview chart. At the time of writing it is still beta.
- Desktop/Mobile Security: #u2f-security-key-api disabled
- Chrome 95 does not introduce any GUI improvements (androidpolice.com).
- 08.10.2021
- Desktop/Mobile Security: #https-only-mode-setting enforced (beebom.com). This makes Brave Shields HTTPS mode obsolete (twitter.com). After you have enabled the mentioned option you must go to the Settings page and enable the HTTPS first mode manually, it is not enough to just toggle the flag and restart Brave Browser. The Brave Shields HTTPS upgrade option might get removed and replaced with this option, once it is enabled by default.
- 06.10.2021
- Default fonts section added
- 02.10.2021
- Extension list updated to reflect latest extension trends.
- Preparations for Chrome 95.
- 29.09.2021
- Manually added filter-lists updating every 7 days (twitter.com), it is planned to reduce the update time.
- enumerateDevices fingerprinting is resolved
- IDLE detection (brave://settings/content/idleDetection) topic is covered (see above under "Unresolved Issues")
- 25.09.2021
- Brave Talk FAQ added
- ClearURLs extension is not needed anymore since 1.30.84+ (github.com) or higher. For cosmetic based parameters (github.com) e.g. hiding additional references, you must manually subscribe an ad-block list (brave://adblock/).
- 17.09.2021
- Logo updated + Reference updated & some markdown gimmicks added
- 15.09.2021
- Chrome 94+ removes --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure command line option.
- 31.08.2021
- Desktop/Mobile: Enable Native Wallet removed, it is redundant now since v1.29.76 (gemini.com), you can toggle it now without enforcing the flag.
- Added Reference for the Brave vs. Browser X discussion (rentry.co) section
- Obsolete flags removed: #enable-ftp, #sync-compromised-credentials, #brave-adblock-default-1p-blocking, #brave-dark-mode-block, #omnibox-short-bookmark-suggestions, #omnibox-tab-switch-suggestions, #omnibox-pedal-suggestions, #schemeful-same-site, #brave-permission-lifetime, #safe-browsing-real-time-url-lookup-enterprise-ga-endpoint, #clear-cross-browsing-context-group-main-frame-name, #passwords-account-storage, #brave-ads-custom-notifications, #window-naming
- Brave release schedule link (github.com) added.
- Mention some useful command line parameters, they are listed under "Other Useful Brave Browser Tips (rentry.co)"
- 29.08.2021
- Desktop privacy: #enable-lens-region-search disabled
- Desktop privacy: #privacy-review enabled
- Desktop usability: #extension-workflow-justification enabled
- Desktop/Mobile usability: #media-session-webrtc enabled
- 27.08.2021
- Desktop privacy: Unsafe WebGPU Service (blog.chromium.org) disabled, the upper layer flag #enable-unsafe-webgpu is by default disabled
- 25.08.2021
- Mobile privacy: Safe Browsing Client Side Detection on Android disabled
- Mobile performance: #enable-instant-start enabled
- Mobile security: #enable-tls13-early-data is EOL, on Desktop - we keep it until v100.x.
- Linux performance: Enable Mojo Shared Memory Channel mentioned (this depends on your Distro).
- Desktop usability: Enable experimental Brave native wallet enabled. DO NOT enable it on mobile, it will crash some websites because Wallet services require Google Play Store and are NOT bypassable via MicroG. If you have Google Play Services preinstalled (Stock ROMs) you can enable it.
- 22.08.2021
- Desktop usability: brave://whats-new page disabled (Chrome 93+)
- Desktop/Mobile security: Enable sync trusted vault passphrase with improved recovery will be enforced to disabled
- Desktop/Mobile performance: Debug flag for history intervention on no user activation disabled
- Desktop/Mobile usability: Playback Speed Button enabled
- Mobile usability: Lite videos enabled
- Desktop performance: Chrome Cleanup Tool in safety check disabled
- Desktop/Mobile security: TLS 1.3 Early Data (now usable since Chrome 92+)
- Desktop privacy: Omnibox keyword search button disabled
- Desktop usability: Omnibox Keyword Space Triggering Setting enabled (digitalinformationworld.com) (Chrome 92.0.4505.0+)
- 20.08.2021
- Desktop/mobile privacy: Disabled WebXR Incubations (chromestatus.com)
- Mobile usability: #enable-quick-action-search-widget-android added, needs (Chrome 93+)
- Mobile usability: #webnotes-stylize added, needs (Chrome 93+)
- 19.08.2021
- Ask me anything (AMA) section (rentry.co) added
- Desktop/Mobile Privacy: Added WebID (github.com)
- Desktop/Mobile Security: Added WebOTP Cross Device (chromestatus.com)
- Desktop/Mobile Privacy + Security: Added HTTP Cache Partitioning (developers.google.com)
- Desktop usability: #scrollable-tabstrip set to "enabled - tabs shrink to a medium width" to workaround this (community.brave.com).
- Deprecated: #turn-off-streaming-media-caching-on-battery
- Deprecated: #turn-off-streaming-media-caching-always
- 18.08.2021
- Desktop/Mobile Privacy: Added Enable dark mode blocking fingerprinting protection & Shields first-party network blocking enforced
- Desktop usability: Added Enable Brave Ads custom notifications. This allows to see media content within the ads notification which triggers showing more ads. Even if you do not use Brave to gain some BATs, you can set it to enabled (in case you change your mind).
- Desktop/Mobile Security: Added Enforce the use of Braves VPN (there will be an GUI option given at some point, but for now we enforce it)
- Desktop usability: Added Brave Talk enabled which is a secure alternative to Microsoft Teams. You find it in the sidebar once enabled (first entry, the webcam symbol).
- Desktop/Mobile Security: Enable Ephemeral Storage (threatpost.com)
- 24.07.2021
- Desktop/Mobile usability: Changed Dark mode setting from "invert everything" to "increase text contrast". It lands in the next Brave stable version.
- SameSite 🍪 sandbox (samesite-sandbox.glitch.me) test added
- 18.07.2021
- Desktop/Security: Added Strict Extension Isolation (chromestory.com)
- Desktop/usability: Added COLRv1 Color Gradient Vector Fonts flag (chromestatus.com)
- 20.06.2021
- No more 5 BAT payout minimum for creators, increased to 10.
- 14.06.2021
- TablesNG test added
- 13.06.2021
- Linux: No video hardware acceleration available on some pages
- 11.06.2021
- Workaround: (Linux) SIGSEGV & SIGTRAP error codes (bbs.archlinux.org) in Brave added
- Google killed #omnibox-context-menu-show-full-urls & omnibox ui (therecord.media). If users wanted to view the full link, they could click or hover the Chrome address bar to reveal the rest of the page URL. You find the native settings under View menu-bar item... Always Show Full URLs as option since v1.25.70+.
- 10.06.2021
- Brave FAQ section added to address concerns from random people (old.reddit.com)
- 05.06.2021
- Ad-blocking/Speedreader: (Desktop) #speedreader-legacy-backend added. Uses AdBlock (ctrl.blog) rules to determine if pages are readable and distills using CSS selector rules.
- 03.06.2021
- AdBlocking/usability: (Mobile/Desktop) #brave-adblock-cname-uncloaking added which takes DNS CNAME records (cloudflare.com) into account when making network request blocking decisions.
- Brave Search FAQ: Explained what "bangs" are.
- 31.05.2021
- Privacy: Enforce #privacy-sandbox-settings, currently only works for Australia, Brasil, Canada, India, Indonesia, Japan, Mexico, New Zealand and Philippines. It is part of disabling FLoC (Federated Learning of Cohorts). We enforce it because in the future this flag will be expanded to trigger other privacy related mechanisms.
- 29.05.2021
- Privacy: #enable-autofill-credit-card-authentication (Mobile/Desktop) - Avoid Google Endpoint connections/leakage.
- Privacy: #passwords-account-storage (Mobile/Desktop) - Avoid Google Endpoint connections/leakage.
- Test: Parcourstest (rentry.co) section added
- Removed: #heavy-ad-privacy-mitigations only needed for developers (developers.google.com) basically overthinking the process and they send reports about blocked ADs.
- 28.05.2021
- Privacy: #system-keyboard-lock (Mobile/Desktop) disabled due to privacy (fingerprinting) concerns.
- usability: #installed-apps-in-cbd (Desktop) added
- Added Brave Search FAQ to warn about fakes & give some additional guidance.
- usability: #calculate-native-win-occlusion (Disabled, Windows only)
- 27.05.2021
- Added: #sharing-hub-desktop-app-menu (Mobile/Desktop - usability)
- Added: #sharing-hub-desktop-omnibox (Mobile/Desktop - usability) Both flags are needed for the new "Send to Device/Desktop" feature.
- Added: thisisunsafe trick under the Tips section (this allows to unlock "dangerous content")
- Removed: #brave-adblock-csp-rules - It is enabled by default (Desktop).
- Disabled: #brave-rewards-verbose-logging it is enabled by default to debug Rewards (Desktop).
- 26.05.2021
- Changed: Flags have clickable links brave://flags which makes it easier to follow, debug and edit stuff in the editor (+ easier to find typos).
- 25.05.2021
- Added: #enable-jxl (Mobile/Desktop) (will become enabled by default in Chrome 95+).
- Added: #clear-cross-browsing-context-group-main-frame-name which needs more investigation
- Added Contextual Search Debug (Mobile)
- Disabled: Live Caption (Mobile/Desktop) due to privacy concerns (downloads & depends on third-party closed source Google stuff, will be addressed by Brave Team)
- Added: #shared-highlighting-v2 Shared Highlighting 2.0 (Mobile/Desktop) to improve usability
- Added: #enable-prerender2 Prerender2 (Mobile/Desktop) enabled to increase performance
- Added: Linux specific Tips (rentry.co) section
- Corrected: Typos & all user based feedback reports addressed
- 24.05.2021
- Disabled: #safe-browsing-real-time-url-lookup-enterprise-ga-endpoint (Desktop) It connects to some Google Endpoints.
- Added: Rewards FAQ added to solve some community based questions/problems
- Added: Extensions list
- 23.05.2021
- Changed: Merged from Ruqqus to rentry.co (this website)
- Removed: Obsolete "lazy loading" options (Chrome 91.1.27.8+) it will be merged with "Lite Videos" (once stable)
- 25.03.2021
- Added: Security: #sync-compromised-credentials
- 24.03.2021
- Added: Privacy #omnibox-drive-suggestions (Desktop/Android)
- Added/Changed: "Critical" (outdated) section to point finger of critical opened issues
- 23.03.2021
- Added: Enable decentralized DNS flag for Brave 1.22.66+.
- 21.03.2021
- Added: pdf-viewer-update Semi-needed and only mentioned for the ones who insist on using the browser based PDF reader.
- Added/Changed: reader mode Reader mode is end of life and will be replaced.
- 16.03.2021
- Removed: Outdated Chrome 89 flags
- Added: Scrolling only section
- Added: Window Naming, for now only useful in Chrome OS & Desktop
- Duplicates removed
- 15.03.2021
- Reworked: Android section
- 14.03.2021
- Added: Android section
- 12.03.2021
- Added: Tab Hover Card Images (Desktop)
- Added: Tab Groups Collapse Freezing (Desktop)
- 05.03.2021
- Initial release: First public version
- Brave was originally built on Gecko (Mozilla) but due to some issues/limitations they decided to move to Chromium (brianbondy.com).
Hardening is not a selling argument
The mass media and some privacy communities wrongly echo the claim that hardening and applying best practices equal security and privacy; this claim is unproven. It is unproven because the vast majority does not use hardened profiles on a daily basis, and there are cases showing that even hardened setups can be compromised; it is a matter of effort. In other words, there is no proof that hardening is enough. What it does is potentially reduce the attack surface, but that is all. It does not mean you are untouchable or cannot be exploited. Even if you manage to harden everything, you still need to take the human factor into consideration: social engineering works really well and can bypass every firewall and every OS or browser hardening in a matter of time. The browser acts like a gateway; it is not meant to be a firewall that monitors every data packet that goes through.
I am entirely against selling privacy and security as a product, and the goal of this project is not to fool people into thinking that hardening is either one or zero. Privacy and security are not products you install, nor scripts or tools you use. They are a relationship between developers and the community for dealing with existing as well as new threats. Giving up control by depending on an unknown third party who promises you xyz is not what I want to represent here. The overall goal is to show the mentioned issues in order to warn users about potential risks that can be addressed on a theoretical level; they should be shown so that such problems get fixed, not to make a profit out of them.
Claiming that hardening makes you more secure because 0,1% of all users do or use it is working with statistics. Such statistics are often flawed because, depending on the data, point of view and experience, they can vary a lot. Even assuming everything gets fixed one day, hackers will still try to bypass everything, break it or invent new techniques. This is a cat-and-mouse game without a winner, because the web evolves as well as the browser itself, and hardening will always be a part of adapting to those changes by working around potential issues.
I am not a fan of mass advertising that hardening or applying best practices is enough. What makes more sense is to make people aware of problems, provide some workarounds until they are fixed, and then test to verify whether they actually work as intended, because even workarounds and fixes can cause additional problems or even new holes.
Energy consumption is not a big priority
As much as I would love to give this point more consideration, I need to say clearly that I cannot do many tests regarding energy consumption in general, especially not with individual flags and then also as independent tests across multiple OS and browser builds. This would require me to work on and research this subject full-time.
There are lots of variables which can and will influence the energy aspect, and this is a huge topic which I am not willing to take on by myself.
The only big focus regarding overall energy consumption is when a flag dramatically decreases battery life or puts extra pressure on the CPU and/or GPU in a way that is directly debuggable through internal tools.
Enforced settings as new defaults
We change the mentioned default settings to improve the default behavior and reduce possible risks. You can manually unlock what you need, which seems like more work but is worth it, and you only have to do this once per domain. This basically acts like a firewall for specific things: they are disabled by default and you need to manually unlock them first (see the last screenshot to understand what I mean).
Normally we do not need to enable the Always use HTTPS option because under Security we enable and enforce always connecting to HTTPS first. However, in some cases the option to always connect to HTTPS is hidden unless you enable the option.
On mobile we can theoretically do the same but there are some downsides. As you can see on the last screenshot, if your screen resolution is below x or you are on a smartphone with limited screen size, you cannot see all options, which makes it impossible for you to change or reveal some settings or information. Brave as well as Chrome is aware that this modal dialogue is currently not optimal. That said, for now I only suggest doing this on Desktop, and on Mobile only enforcing the stronger Shields defaults (see the first screenshot).
Brave will not sync those newly set permission defaults. You need to back up your profile manually; this is still the best way to deal with profile corruption or to copy your settings to another profile or PC. Permission sync is a planned feature.
Why we enforce some settings that depend on your global Shields settings
We enforce some settings as defaults for various reasons. However, some flags and features depend on your global Brave Shields settings; for example, by default Unlinkable Bouncing is only enabled when you set your global Shields setting to aggressive. We override this behavior so that, in case of website breakage, you can temporarily lower the Shields setting for a specific website without losing some protection mechanisms.
In a nutshell
- GPU information is removed in strict mode. In general, fingerprint protection depends on several factors, which is the reason why we enforce the strongest settings as new defaults.
- Canvas and WebAudio are randomized
- Shields turned off means no protection at all
- The Tor approach of making every user look the same has some issues, which is the reason why we fight website breakages with randomization instead. The approach is explained in-depth over here
- Other browsers promise a lot but have weak protections against known fingerprinting attacks
- Per-site Shields settings always override the global settings page, please keep that in mind in case you make exceptions for cookies etc.
Using JS-Restrictor with Brave
The JavaScript Restrictor extension, now called JShelter, is normally not needed with Brave Browser. However, you can use it for fine-grained control over some specific settings if you want to. Changing those options can make you more unique, which is why this is not suggested unless you know exactly what you are dealing with.
Depending on the profile you select or create, JShelter uses twice as much CPU power as uBlock Origin or other solutions, which you can check with the integrated Task Manager and internal debugging tools. This is the main reason why I do not suggest using it on a daily basis. It is better to wait until Brave addresses all above listed privacy risks.
Importing the configuration file is quickly done. Just import the configuration and click override. After that, reload the website and check the configuration to ensure that the settings are fully working. I included some example pages for reference.
Privacy and Security related impact of changed Flags
The impact is normally negligible because we often disable controversial APIs or features that are designed by Google. Some other flags are not fingerprintable under normal circumstances because API design evolves, and developers are more aware of privacy and security and advocate for them much more than 20 years ago.
Changing flags can make you stand out more, but the tested flags are carefully chosen so that the difference is not dramatically noticeable, except that some fingerprinting test pages might not return an accurate result. You should not rely only on such pages to measure how private our Brave Browser is. They give you a small indication, but that is all, because some unknown fingerprinting mechanisms might exist that are not covered in such tests or even seen in the wild.
Brave on its own already does a good job, but we want to take it a step further and enhance specific behaviors. These are usually explained or linked, or a reference was provided in this guide where possible.
Utilizing Brave Ad Block, the right-way
The overall number of trackers is limited. The majority of websites use Google's tracking systems, among some others. Most popular and even unpopular websites trust the big tracking players, which means it makes no sense to load filter-lists with 2 trillion entries when 80 percent of the world uses the same tracking system. You can skip this section if you already block ads system-wide in your network via a DNS blocker such as AdGuard Home or Pi-Hole, and continue with the manual filter-lists we could use, depending on your needs.
Finding lists is pretty easy, you can search for them manually or use aggregators that list filter-lists.
The following filters are already used and enabled by default.
- Block Origin Filters
- Brave Android-Specific Rules
- Brave Social
- Brave Social Unbreak
- Brave Specific
- Brave Unbreak
- EasyList
- EasyPrivacy
- Peter Lowe's Ad and tracking server list
- SugarCoat Rules
- URLhaus Malicious URL Blocklist
- uBlock Origin 2020 Filters
- uBlock Origin 2021 Filters
- uBlock Origin filters - Badware risks
- uBlock Origin filters - Unbreak
- uBlock Origin filters – Privacy
- uBlock Origin filters – Resource abuse
General rules
- By default, without selecting, enabling or subscribing to third-party lists, Brave already blocks most stuff. If you are comfy enough with this then you can stop reading this entire section.
- Less is more. Everything counts, because everything that needs to be loaded ends up in your RAM or causes the CPU to consume more cycles, which can end up eating more energy and more battery. Good quality filter lists shouldn't have a perceptible effect on browsing performance. The first worry with too many filter lists is undue website breakage.
- Just because X filter-list has more entries does not mean it is more efficient.
- Only use lists which are regularly updated and well maintained.
The following steps are the same on Desktop and Mobile platforms, so I do not mention them separately.
Go to brave://settings/shields/filters, just type it in the URL bar and it will display the ad-block interface with some options. By default nothing is selected and you have to choose which filters you want to enable or even manually add. Custom filters are updated every 7 days, which might change in the future. Syncing filter-lists and your custom rules is possible - the flag is #brave-cosmetic-filtering-sync-load, it will get removed in the future and directly integrated and enabled by default once it is reliable enough.
Additional lists you can enable from the integrated Brave Ad Block page
- YousList - To block various cosmetic stuff, aka annoyances, in addition to the above-mentioned annoyances list. If you think this list is not enough, use Dandelion Sprout's Annoying Banners and Overlays List instead.
- ONE single language-based list for your own country.
Now we can improve specific things, i.e. manually subscribe to additional lists, but which ones make the most sense? The answer is easy: we want to get rid of additional extensions, and hopefully we can achieve this by using an additional list that supports the things we need, such as anti-coinmining, URL shorteners etc.
Optional filter-lists you could add
Additional filter-lists can be useful, for example to get rid of the ClearURLs extension, or when we already block ads via DNS on our entire network, in which case we might want to use something that only blocks cosmetic stuff. It should be noted that uBlock as well as the Brave Ad Block solution only remove query parameters from the original URL and leave the rest untouched; this means they cannot rewrite parts or the original path of a clicked URL.
- AdGuard DNS filter - https://filters.adtidy.org/windows/filters/15.txt
- Actually Legitimate URL Shortener Tool - https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt
- First-party trackers host list - https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt - You do not need it if you use DNS based network blocking.
- EU_US+most_used_ad_and_tracking_networks - https://raw.githubusercontent.com/Kees1958/W3C_annual_most_used_survey_blocklist/master/EU_US%2Bmost_used_ad_and_tracking_networks
- Social Media Filters, this is totally up to you.
- You do not need any anti-coinminers, it is normally covered by the language-based list you choose. Adding another one makes no sense because by default we block or optionally restrict JavaScript anyway via extension.
- Block outside intruders breaking into LAN - https://github.com/gwarser/filter-lists/blob/master/lan-block.txt - The list will become irrelevant at some point because Brave will block all LAN requests by default starting with Chromium v101+. JS-Restrictor can do exactly the same; the benefit of using the JS-Restrictor extension is that it is enabled by default and you can create exceptions for a domain with only two clicks.
This is all, you do not need 10+ lists. Well maintained lists are worth much more than huge lists that die within the first 6-12 months or that cause additional problems.
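The limit of query-parameter stripping noted above, as an added example (not code from this guide, Brave or uBlock): it models a simplified subset of `$removeparam`-style rules and shows which tracking shapes survive. The rule subset, host names and URLs are constructed assumptions.

```javascript
// Constructed rules in a simplified `$removeparam` style: an optional
// `||host^` scope followed by one literal parameter name.
const RULES = [
  "! constructed sample rules",
  "$removeparam=utm_source",
  "$removeparam=fbclid",
  "||shop.example^$removeparam=tag",
  "$removeparam=/^mc_/", // regex value: outside this simplified subset, skipped
];

// Parse the supported subset; comments and unsupported rules are dropped.
function parseRules(lines) {
  const out = [];
  for (const line of lines) {
    const text = line.trim();
    if (text === "" || text.startsWith("!")) continue;
    const m = /^(?:\|\|([a-z0-9.-]+)\^)?\$removeparam=([^,/]+)$/i.exec(text);
    if (m) out.push({ host: m[1] || null, param: m[2] });
  }
  return out;
}

// A host-scoped rule applies to the host itself and to its subdomains.
function hostMatches(hostname, ruleHost) {
  return !ruleHost || hostname === ruleHost || hostname.endsWith("." + ruleHost);
}

// Remove matching query parameters. Scheme, host, path and fragment are
// never rewritten, which is exactly the limitation described above.
function cleanUrl(raw, rules) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { url: raw, removed: [] }; // not a parseable URL, leave as-is
  }
  const removed = [];
  for (const rule of rules) {
    if (hostMatches(url.hostname, rule.host) && url.searchParams.has(rule.param)) {
      url.searchParams.delete(rule.param);
      removed.push(rule.param);
    }
  }
  return { url: url.toString(), removed };
}

// Constructed sample URLs, one per tracking shape.
const SAMPLES = {
  queryTracker: "https://news.example/story?id=7&utm_source=newsletter&fbclid=abc",
  scopedParam: "https://shop.example/p?tag=aff-21&sku=9",
  sameParamOtherHost: "https://other.example/p?tag=news",
  pathTracker: "https://shop.example/item/123/ref=sr_1_1",
  redirectWrapper: "https://out.example/redirect?to=https%3A%2F%2Fnews.example%2Fstory",
};

const parsedRules = parseRules(RULES);
for (const [name, raw] of Object.entries(SAMPLES)) {
  const result = cleanUrl(raw, parsedRules);
  console.log(name.padEnd(20), result.url, "removed:", result.removed.join(",") || "-");
}
```

The path-embedded identifier and the redirect wrapper come out unchanged, so a list that only strips parameters does not cover them.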
Why fingerprinting matters less than you think
Fingerprinting per se is not an intrinsic problem; it only becomes a problem when it makes it possible to render you entirely traceable, particularly across sessions. The main point is to become less traceable - or traceable only with adjustable levels of difficulty - whatever your "fingerprintability" might be.
There are 2 ways to try to reach this goal:
- The static way
- The dynamic way
In the static (often called low entropy) way, you try to display the same fingerprint as many other people. In that sense, being seen as unique is bad. The best way to achieve this "low entropy" goal is to use the Tor Browser on the Tor network. No Brave hardening, no Firefox hardening with thousands of configuration changes, simply and purely Tor Browser, because it provides much more than configuration changes, and the best case is that each and every user uses the exact same fingerprint.
In the dynamic (or high entropy) way, you try to become "someone else" for each browser session, i.e. for each browsing session you (ideally) try to change all of your browser's displayed characteristics. In this case, being seen as unique is not a problem. On the contrary, it is desirable: if a test site manages to correlate you across sessions, and so sees you as not unique, it simply means that your attempts to become "someone else" for each session failed miserably and that you are traceable across sessions (at least by this particular test site, and by any other site using the same tracking techniques). This is the path that e.g. Brave developers are trying to take, and it is also what you do if you harden other Browsers like Firefox, Edge etc.
In the real world there is a limited number of possibilities to fingerprint users, and most of it heavily relies on JavaScript, CSS and so on. Developing counter-measures for this is possible, but since we enforce disabling JavaScript by default, which already lowers attacks by around 98%, the rest are some small tricks that abuse weaknesses which are more or less easily fixable. There might be a considerable amount of small stuff which cannot be fixed, but that never leads to leaks that can identify you, your browsing habits or connect other dots.
The most important stuff is listed above and is on the to-do list regarding fingerprinting. None of the open issues are enough to truly expose you, even if someone gets all of the remaining entropy that is currently not covered by Brave's Shield. Most people just use the fingerprinting argument to bypass restrictions.
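The static and dynamic strategies described above, compared the way a test site would see them, as an added example (a simplified model, not Brave's or Tor Browser's implementation). The device traits, site names and the per-session, per-site noise derivation are constructed assumptions.

```javascript
const crypto = require("crypto");

// Constructed traits of two different machines (not real measurements).
const DEVICE_A = { screen: "2560x1440", hardwareConcurrency: 12, canvas: [17, 203, 88, 140, 9, 251, 64, 33] };
const DEVICE_B = { screen: "1366x768", hardwareConcurrency: 4, canvas: [90, 12, 77, 201, 45, 3, 180, 66] };

// What a tracking script does: hash everything it can read into one identifier.
function fingerprint(traits) {
  return crypto.createHash("sha256").update(JSON.stringify(traits)).digest("hex").slice(0, 16);
}

// Static (low entropy) strategy: every client reports the same fixed profile.
function staticView() {
  return { screen: "1000x1000", hardwareConcurrency: 2, canvas: "blocked" };
}

// Dynamic (high entropy) strategy: noise derived from a random per-session key
// and the site name, so values are stable during one visit but differ between
// sessions and between sites. (Assumed derivation, for illustration only.)
function dynamicView(device, sessionKey, site) {
  const seed = crypto.createHmac("sha256", sessionKey).update(site).digest();
  return {
    screen: device.screen, // left untouched: residual, non-randomised entropy
    hardwareConcurrency: 1 + (seed[0] % device.hardwareConcurrency),
    canvas: device.canvas.map((v, i) => v ^ (seed[1 + i] & 1)), // flip low bits
    audioNoise: seed.readUInt32BE(16), // stands in for per-sample audio noise
  };
}

function observe(strategy, device, sessionKey, site) {
  if (strategy === "static") return fingerprint(staticView());
  if (strategy === "dynamic") return fingerprint(dynamicView(device, sessionKey, site));
  return fingerprint(device); // "none": the raw traits are exposed
}

// Two sessions of user A on two sites, plus one session of another user B.
function evaluate(strategy, keys = [crypto.randomBytes(32), crypto.randomBytes(32)]) {
  const [k1, k2] = keys;
  const first = observe(strategy, DEVICE_A, k1, "news.example");
  return {
    stableWithinSession: first === observe(strategy, DEVICE_A, k1, "news.example"),
    linkableAcrossSessions: first === observe(strategy, DEVICE_A, k2, "news.example"),
    linkableAcrossSites: first === observe(strategy, DEVICE_A, k1, "shop.example"),
    distinctFromOtherUser: first !== observe(strategy, DEVICE_B, k2, "news.example"),
  };
}

for (const strategy of ["none", "static", "dynamic"]) {
  console.log(strategy.padEnd(8), JSON.stringify(evaluate(strategy)));
}
```

With the static profile the identifier repeats across sessions but is shared by every user, so it identifies nobody; with the dynamic one it is unique but does not repeat. The untouched `screen` value shows why a trait that is not randomised remains linkable on its own.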
Unofficial Brave Browser Build on F-Droid
Passwords and Credentials
- Do not store credentials in your Browser, ever. The reason (security.stackexchange.com) is that Chromium stores the database password insecurely and the database is considerably easy to decrypt with e.g. freeware tools from Nirsoft (nirsoft.net).
- Assuming you use Sync, do not enable password sync.
- Use a Password Manager such as KeePass or BitWarden that is more resilient against GPU brute-forcing attacks, RAM hijacking and clipboard exfiltration attacks.
- Forcing an expiration date for passwords is no longer recommended (ncsc.gov.uk); instead use a strong password, which can also be generated through Password Managers.
- Check your passwords and databases against Have I Been Pwned? and other services. Some Password Managers have integrated mechanisms or plugins to do so and warn you automatically.
Do not use portable Browsers
Using portable Browsers has lots of security and privacy implications.
- In most cases the official Browser developer(s) do not provide any official build, so people tend to use unofficial portable Browser repacks. Often those repacks are made by fans, not experts, and can possibly contain tracking ads, Trojans, IP-grabbers etc.
- There is no verification. Since you use unofficial repacked Browser versions you cannot verify anything yourself. Even if you use repacks that are open source, you cannot verify anything because the installer or the browser itself might be signed with different signatures that do not match the ones from the original manufacturer.
- No support. Unofficial repack versions might not be approved or directly supported by the official site. This means they can be outdated after a short while, you may already download an outdated version, or the integrated update mechanism will fail because the updater depends on a service that checks for and delivers the actual update. Epic, MS etc. Stores will also not update any portable versions.
- Running your Browser and profile on an unprotected drive that everyone can freely access is a privacy and security nightmare. There exist tools to quickly read out your Cookies, passwords and more. Usually those tools need admin rights to access protected folders, but if the profile folder is unprotected, the database or the entire profile can be read out or stolen even without admin rights. The internal protection of database passwords is weak and easy to crack in seconds, and the Browser typically has neither a master password for the database nor a Browser startup password check.
- You can work around some of the mentioned problems with a RamDrive or third-party Sandbox, but the underlying issue is that it is overall, by default, easier for an attacker to extract, infect or compromise your Browser profile. Keep in mind that sandboxing through external third-party apps can also be critical because the sandbox tool can be vulnerable or cause the Browser to crash, since the Browser typically updates much more frequently than the sandbox tool, which has to keep up in order to secure your Browser profile effectively. Another problem is that such workarounds might also require that such software is installed on the host, which needs admin rights. I am not aware of a sandbox solution that protects at low-level without admin rights, because this is what the OS requests to access inner rings.
How Brave handles Cookies
Brave Browser is very well documented. Besides the source code and the wiki entries we have several good articles for beginners on how Brave actually handles the Cookie part.
- Ephemeral Storage (brave.com) + Test (dev-pages.brave.software). This is the equivalent of the Firefox Dynamic First-Party Isolation (bugzilla.mozilla.org) (dFPI) and Total Cookie Protection (blog.mozilla.org) mechanisms.
- Insight about how cookies are handled (github.com)
- Cookies behavior in Chrome vs. Firefox (iframe involved) (gracefulunfitlinkedlist.ciprianamariei.repl.co)
Desktop Flags
The official Brave release schedule can be found over here, the archive is here.
- There is currently no plan to release a Brave Browser version for SmartTV, which means there is nothing to change or optimize on such platforms.
- The enabled / disabled recommendations below mean that, if you would like to harden Brave Browser further, you should follow the advice and change the default flag state.
Desktop Security
Flag | Flag Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#block-insecure-private-network-requests | Block insecure private network requests | ✔️ | unknown |
#brave-domain-block | Enable domain blocking | ✔️ | unknown |
#brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | unknown |
#clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
#disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | unknown |
#enable-isolated-sandboxed-iframes | Isolated sandboxed iframes | ✔️ | unknown |
#enable-webview-tag-site-isolation | Site isolation for <webview> tags | ✔️ | Default, which is disabled. Added in 1.44.8/104.0.5112.69. |
#origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
#strict-origin-isolation | Strict-Origin-Isolation | ❌ | unknown |
#sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery. | ❌ | unknown |
#u2f-security-key-api | Enable the U2F Security Key API | ❌ | unknown |
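A read-only way to check a profile against the Desktop Security table above, as an added example (not part of this guide or of Brave's code). It assumes the Chromium convention of recording changed flags in the profile's `Local State` JSON under `browser.enabled_labs_experiments`, with `@1` meaning Enabled and `@2` Disabled for three-state flags; the sample profile data is constructed.

```javascript
// Recommended states copied from the "Desktop Security" table above.
const RECOMMENDED = {
  "block-insecure-private-network-requests": "enabled",
  "brave-domain-block": "enabled",
  "brave-ephemeral-storage": "enabled",
  "clear-cross-site-cross-browsing-context-group-window-name": "enabled",
  "disallow-doc-written-script-loads": "enabled",
  "enable-isolated-sandboxed-iframes": "enabled",
  "enable-webview-tag-site-isolation": "enabled",
  "origin-agent-cluster-default": "enabled",
  "strict-origin-isolation": "disabled",
  "sync-trusted-vault-passphrase-recovery": "disabled",
  "u2f-security-key-api": "disabled",
};

// Constructed sample of a "Local State" file (not taken from a real profile).
const SAMPLE_LOCAL_STATE = JSON.stringify({
  browser: {
    enabled_labs_experiments: [
      "brave-ephemeral-storage@1",
      "disallow-doc-written-script-loads@1",
      "strict-origin-isolation@1", // enabled here, the table recommends disabled
      "u2f-security-key-api@2",
      "enable-quic@1", // changed flag that is not in the security table
    ],
  },
});

// Assumption: "name@1" = Enabled, "name@2" = Disabled, bare "name" = switched on.
// Flags with more than three choices use other indices; those are reported as
// "option-N" instead of being guessed.
function parseEntry(entry) {
  const at = entry.lastIndexOf("@");
  if (at === -1) return { name: entry, state: "enabled" };
  const idx = entry.slice(at + 1);
  const state = idx === "1" ? "enabled" : idx === "2" ? "disabled" : `option-${idx}`;
  return { name: entry.slice(0, at), state };
}

// Return a Map of flag name -> state for every flag changed in the profile.
function readFlags(localStateJson) {
  let doc;
  try {
    doc = JSON.parse(localStateJson);
  } catch (e) {
    throw new Error("Local State is not valid JSON: " + e.message);
  }
  const list = doc && doc.browser && doc.browser.enabled_labs_experiments;
  const flags = new Map();
  if (!Array.isArray(list)) return flags; // no flag was ever changed
  for (const entry of list) {
    if (typeof entry !== "string") continue;
    const { name, state } = parseEntry(entry);
    flags.set(name, state);
  }
  return flags;
}

// Compare the profile with the recommendations without modifying anything.
function auditFlags(localStateJson, recommended) {
  const flags = readFlags(localStateJson);
  const findings = [];
  for (const [name, want] of Object.entries(recommended)) {
    const have = flags.get(name) || "default";
    const verdict = have === "default" ? "not-set" : have === want ? "ok" : "mismatch";
    findings.push({ flag: "#" + name, want, have, verdict });
  }
  const untracked = [...flags.keys()]
    .filter((n) => !Object.prototype.hasOwnProperty.call(recommended, n))
    .map((n) => "#" + n);
  return { findings, untracked };
}

// Count findings per verdict for a quick overview.
function summarize(report) {
  const counts = { ok: 0, mismatch: 0, "not-set": 0 };
  for (const f of report.findings) counts[f.verdict] += 1;
  return counts;
}

const report = auditFlags(SAMPLE_LOCAL_STATE, RECOMMENDED);
console.log(summarize(report), "untracked:", report.untracked);
```

A `not-set` verdict means the browser's own default applies, which for several rows above is listed as unknown, so treat it as something to check in brave://flags rather than as a failure.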
Desktop Privacy
Flag | Flag Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#autofill-enable-sending-bcn-in-get-upload-details | Enable sending billing customer number in GetUploadDetails | ❌ | Enabled if preflights are enabled. |
#autofill-fill-merchant-promo-code-fields | Enable Autofill of promo code fields in forms | ❌ | unknown |
#autofill-parse-merchant-promo-code-fields | Parse promo code fields in forms | ❌ | unknown |
#brave-adblock-cosmetic-filtering-child-frames | Apply cosmetic filtering to frames other than the main frame of a page | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | 103.1.42.74/1.42.74 |
#brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | unknown |
#brave-debounce | Enable debouncing (94.x+) | ✔️ we enforce it | unknown |
#brave-domain-block-1pes | Enable domain blocking using First Party Ephemeral Storage | ✔️ | unknown |
#brave-extension-network-blocking | Enable extension network blocking | ✔️ (91+) | unknown |
#device-posture | Device Posture API | ❌ | enabled |
#disable-process-reuse | Disable subframe process reuse | ✔️ | unknown |
#edit-context | EditContext API | ❌ (100.0+) | unknown |
#enable-accessibility-live-caption | Live Caption | ❌ (90.x+) ⚠️borked | unknown |
#enable-autofill-credit-card-authentication | Allow using platform authenticators to retrieve server cards | ❌ (87.x+) | unknown |
#enable-fenced-frames | Enable the <fencedframe> element. | ✔️ with ShadowDOM | unknown |
#enable-generic-sensor-extra-classes | Generic Sensor Extra Classes | ❌ | unknown |
#enable-quic | Experimental QUIC protocol | ✔️ Needed for HTTP3/DoQ, now known as RFC 9000 | unknown |
#enable-webusb-device-detection | Automatic detection of WebUSB-compatible devices | ❌ we already disable WebUSB but the detection still sends a beacon | unknown |
#extensions-menu-access-control | Extensions Menu Access Control | ✔️ | unknown |
#font-access | Font Access APIs | ❌ | unknown |
#omnibox-dynamic-max-autocomplete | Omnibox Dynamic Max Autocomplete | ❌ (can cause lags if enabled / 5+) | unknown |
#omnibox-rich-autocompletion-promising | Omnibox Rich Autocompletion Promising | ❌ | unknown |
#partitioned-cookies | Partitioned Cookies | ✔️ | unknown |
#reduce-user-agent | Reduce User-Agent request header | ✔️ | unknown |
#reduce-user-agent-minor-version | Reduce the minor version in the User-Agent string | ✔️ | unknown |
#system-keyboard-lock | Experimental system keyboard lock | ❌ (89.x+) | unknown |
#webxr-incubations | WebXR Incubations | ❌ (92.0+) | unknown |
Desktop Performance
Benchmarks against Edge and Firefox are pretty much useless. There are multiple reasons why, please read further below:
- Synthetic benchmarks might not reflect real-world performance because a normal website is not a benchmark suite, and other factors can influence the individual and subjective Browser performance.
- Brave's blocking and privacy protections require a fixed amount of additional work per page and frame. This means that Brave will do worse in synthetic benchmarks than other browsers (since Brave's privacy protections won't be useful in benchmark tests), but will do better on real world sites.
- Firefox and Edge do not have any integrated ad-blocker; they use safe-browsing, which is also included in all Chromium based Browsers and enabled by default. Brave uses SafeBrowsing and the Shields integrated blocking mechanism by default, which is much heavier to handle, benchmark wise.
- Firefox and Edge do not include any crypto wallets, IPFS and other optional features that you might have enabled and use. Enabling additional features and then doing benchmarks is useless.
- Brave reduces the page load performance cost of its ad-blocker.
- Benchmarks are often outdated pretty fast. At best this is a snapshot of the current state, but every Browser evolves, fixes stuff etc., and this happens pretty fast and pretty often.
You can however compare features, but not directly benchmark the whole browser to come to a final conclusion about how efficiently it works.
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#brave-federated | Enables local data collection for notification ad timing (brave-federated) | ❌ | 1.43.50/104.1.43.50 Beta (default which is enabled) |
#back-forward-cache | Back and forward Cache | ❌ | unknown |
#brave-adblock-cookie-list-default | Treat 'Easylist-Cookie List' as a default list source | ✔️ | unknown |
#brave-rewards-verbose-logging | Enable Brave Rewards verbose logging | ❌ enabled by default since 1.25.68+ | unknown |
#brave-rewards-webui-panel | Use WebUI Rewards Panel | ✔️ | 1.43.53/104.0.5112.69 |
#durable-client-hints-cache | Persistent client hints | ❌ | unknown |
#enable-parallel-downloading | Parallel downloading | ✔️ | unknown |
#enable-prerender2 | Prerender2 | ✔️ (90.x+) | unknown |
#enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes | Throttle non-visible cross-origin iframes | ✔️ | unknown |
#enable-vulkan | Use Vulkan as the graphics backend. | ✔️ On Linux either Vulkan or raw draw, if you enable both it will prefer raw draw to avoid compatibility issues. | unknown |
#restrict-websockets-pool | Restrict WebSockets pool | ✔️ (97.x+) | unknown |
#subframe-shutdown-delay | Add delay to subframe renderer process shutdown | ❌ | unknown |
Desktop Functionality / Usability
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) | unknown |
#brave-cosmetic-filtering-sync-load | Enable sync loading of cosmetic filter rules | ✔️ | unknown |
#chrome-whats-new-ui | Show Chrome What's New page at brave://whats-new (93.x+) | ❌ | unknown |
#enable-force-dark | Force Dark Mode for Web Contents | ✔️ increase text contrast | unknown |
#enable-jxl | Enable JXL image format | ✔️ (Chrome 91.1.x+) | unknown |
#extensions-menu-access-control | Extensions Menu Access Control | ❌ disabled, we enforce it to enabled | |
#extension-workflow-justification | Extension request justification (93.x+) | ✔️ | unknown |
#force-color-profile | Force color profile | ✔️ scRGB or HDR (if your Monitor supports HDR enable the HDR option) | unknown |
#forced-colors | Forced Colors | ✔️ | unknown |
#history-journeys-omnibox-action | History Journeys Omnibox Action | ✔️ (Chrome 97+) | unknown |
#history-journeys | History Journeys | ✔️ (Chrome 98+) | unknown |
#page-info-history-desktop | Page info history | ✔️ (Chrome 97+) | unknown |
#quick-commands | Quick Commands | ✔️ | Default (Disabled) |
#scrollable-tabstrip | Tab Scrolling | ✔️ (tabs shrink to a medium width) | unknown |
Desktop Scrolling
Flag | Name | Enabled (✔️) / Disabled (❌) or/and comment | Default flag state |
---|---|---|---|
#smooth-scrolling | Smooth Scrolling | ✔️ | Depends on the platform, disabled |
Desktop PWA
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#enable-desktop-pwas-launch-handler | Desktop PWA launch handler | ✔️ | unknown |
#enable-desktop-pwas-sub-apps | Desktop PWA Sub Apps | ✔️ | unknown |
#enable-desktop-pwas-tab-strip-settings | Desktop PWA tab strips settings | ✔️ | unknown |
#enable-desktop-pwas-web-bundles | Desktop PWAs Web Bundles | ✔️ | unknown |
#enable-desktop-pwas-window-controls-overlay | Desktop PWA Window Controls Overlay | ✔️ | unknown |
Desktop Brave Reader Mode / Speedreader
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#enable-reader-mode | Enable Reader Mode | ✔️ Enabled available in settings (we enforce it, optional) | Will be changeable in Brave Settings, disabled by default |
Desktop outdated, removed or integrated/replaced
Flag | Name | Disabled since or/and Comment | |
---|---|---|---|
#pwa-update-dialog-for-name-and-icon | Enable PWA install update dialog for name/icon changes | ✔️ | 1.38.x |
#enable-desktop-pwas-remove-status-bar | Desktop PWAs remove status bar | ✔️ | 1.38.x |
#enable-desktop-pwas-prefix-app-name-in-window-title | Desktop PWAs prefix window title with app name. | ✔️ | 1.38.x |
#enable-desktop-pwas-notification-icon-and-title | Desktop PWAs improvements in notification icon and title | ✔️ | 1.38.x |
#enable-desktop-pwas-elided-extensions-menu | Desktop PWAs elided extensions menu | ✔️ | 1.39.x |
#percent-based-scrolling | Percent-based Scrolling | ✔️ | 1.38.x |
#sharing-hub-desktop-omnibox | Desktop Sharing Hub in Omnibox | ✔️ (Chrome 91+) | 1.38.x |
#sharing-hub-desktop-app-menu | Desktop Sharing Hub in App Menu | ✔️ (Chrome 91+) | 1.40.x |
#shared-highlighting-v2 | Shared Highlighting 2.0 | ✔️ (Chrome 90.x+) | 1.39.x |
#playback-speed-button | Playback Speed Button | ✔️ | 1.40.x |
#page-info-about-this-site | About this Site in Page Info | ✔️ | 1.40.x |
#omnibox-keyword-space-triggering-setting | Omnibox Keyword Space Triggering Setting | ✔️ | 1.39.x |
#media-session-webrtc | Enable WebRTC actions in Media Session (93.x+) | ✔️ | 1.40.x |
#colr-v1-fonts | COLR v1 Fonts | ✔️ | 1.39.x |
#brave-talk | Enable Brave Talk | ✔️ | 1.40.x |
#brave-adblock-redirect-url | Enable support for $redirect-url filter option for adblock rules | ✔️ | 1.41.96+ |
#throttle-foreground-timers | Throttle Foreground Timers to 30 Hz | ✔️ | 1.41.96+ |
#subframe-shutdown-delay | Add delay to subframe renderer process shutdown | ❌ | 1.41.96+ |
#privacy-review | Privacy Review (93.1.31.39+) | ✔️ | 1.41.96+ |
#omnibox-pedals-batch2 | Omnibox Pedals batch 2 | ❌ | 1.41.96+ |
#ntp-cache-one-google-bar | Cache OneGoogleBar | ❌ | 1.41.96+ |
#force-major-version-to-100 | #force-major-version-to-100 | ❌ | 1.41.96+ |
#enable-payment-request-basic-card | PaymentRequest API 'basic-card' method | ❌ | 1.41.96+ |
#strict-extension-isolation | Strict Extension Isolation | ✔️ | 1.41.96+ |
#enable-tls13-early-data | TLS 1.3 Early Data | ✔️ | 1.41.96+ |
#post-quantum-cecpq2 | TLS Post-Quantum Confidentiality | ✔️ integrated and merged into Chrome 101+. | |
#brave-speedreader | Enable SpeedReader | ✔️ This is now a settings point under Browser Settings since v95+ which you can easily switch. | |
N/A | Enable Tab Search (the little arrow down icon to search through tabs) | Chrome 90, to disable it you can use -disable-features=TabSearch , an option to disable it is planned. | |
#enable-experimental-fling-animation | Enable experimental fling animation (enabled) | Chrome 91+ | |
#vertical-tabs | Vertical tabs (enabled) | Implemented in Brave 91+ - Menu allows multiple states, hide on click, on/off etc. | |
#pdf-viewer-update | PDF Viewer Update (enabled) | Chrome 91+ | |
N/A | Cookies without SameSite must be secure (enabled) | Chrome 91+ | |
N/A | SameSite by default cookies (enabled) | Chrome 91+ | |
N/A | Anonymize local IPs exposed by WebRTC (enabled) | Chrome 91+ | |
N/A | Show enhanced protection message in security interstitials (enabled) | Chrome 90+ | |
#storage-access-api | Storage Access API | Chrome 90+ | |
N/A | Treat risky downloads over insecure connections as active mixed content (enabled) | Chrome 90+, default in 91+ (no visible option) | |
Multiple flags | Every image lazy loading flag | Enabled, but caused too much problems | |
N/A | Load media router component (disabled) | Chrome 89+ | |
N/A | Force empty CORB and CORS allowlist (enabled) | Chrome 89+ | |
N/A | Load media router component (disabled) | By default removed by Brave (Chrome 89+) | |
N/A | Background Push Notifications (disabled) | Push replaced/tunneled (Chrome 89+) | |
N/A | Enable On-Demand Media Router Extension (disabled) | Chrome 89+ | |
N/A | Toast Notification Background Task Event Handlers (disabled) | Chrome 89+ | |
N/A | Enable Share Targets (disabled) | Chrome 89+ | |
#use-sync-sandbox | Use Chrome Sync Sandbox (disabled) | Brave enforces disabled as default state (metadata). | |
#global-media-controls-for-chromeos | Global Media Controls for ChromeOS | ChromeOS 90 (default) | |
N/A | screen-capture (disabled) | Default with Chrome 89+ | |
#scanning-ui | Scanning UI | Enabled by default in Chrome 90+ | |
#app-service-adaptive-icons | Adaptive Icons | Replaced in Chrome 90+ | |
#enable-holding-space | Holding Space API | Replaced with Chrome 90+ | |
#holding-space-previews | Space Previews | Disabled by default in Chrome 90+ | |
#enhanced_clipboard | Enhanced Clipboard | Removed with Chrome 89+ | |
#ash-limit-alt-tab-to-active-desk | Activate Tab limit | Removed with Chrome 88+ | |
#ash-limit-shelf-items-to-active-desk | N/A | Default in Chrome 90+ (removed, no visible option) | |
#enable-auto-select | Enable Auto Select | Default integrated since Chrome 89+ | |
#force-preferred-interval-for-video | Force preferred Internal Video | Default in Chrome 89+ (removed, no visible option) | |
#files-filters-in-recents | Filter files in Recents | Obsolete with Chrome 89+ | |
#copy-link-to-text | Copy link to Text | Disabled with Brave 1.31.87 | |
#enable-accessibility-live-caption | Enable Accessibility Live Caption (disabled) | Broken in Chrome 89, pulls data from Google | |
N/A | Allow all sites to initiate mirroring (disabled) | Removed with Chrome 88+ | |
N/A | Enable Share Targets (disabled) | Disabled in Chrome 89+ | |
#turn-off-streaming-media-caching-always | Turn off caching of streaming media to disk (Chrome 92+) | ✔️ | |
#turn-off-streaming-media-caching-on-battery | Turn off caching of streaming media to disk while on battery power. (Chrome 91+) | ✔️ | |
#enable-new-contacts-picker | Enables the new contacts picker | ✔️ | |
#enable-new-photo-picker | Enables the new photo picker | ✔️ | |
#enable-ftp | Enable FTP | FTP support was removed in Chrome 95+. | |
#sync-compromised-credentials | Syncing of Security Issues | ❌ | |
#brave-adblock-default-1p-blocking | Shields first-party network blocking (1.30.27+) | ✔️ | |
#brave-dark-mode-block | Enable dark mode blocking fingerprinting protection (1.30.27+), the settings depends now on Shield settings | ✔️ | |
#omnibox-short-bookmark-suggestions | Omnibox short bookmark suggestions | ❌ | |
#omnibox-tab-switch-suggestions | Omnibox switch to tab suggestions | ❌ (Omnibox calls to Google Backend for Beacon, Statistics etc.) | |
#omnibox-pedal-suggestions | Omnibox Pedal suggestions | ❌ | |
#schemeful-same-site | Schemeful Same-Site | ✔️ | |
#brave-permission-lifetime | Permission Lifetime | ✔️ (91+) | |
#safe-browsing-real-time-url-lookup-enterprise-ga-endpoint | Use the new GA endpoint to perform enterprise real time URL check. | ❌ | |
#clear-cross-browsing-context-group-main-frame-name | Clear window name in top-level cross-browsing-context-group navigation | ✔️ (91.1+) ⚠️ needs further investigation, since the impact is unclear. | |
#passwords-account-storage | Enable the account data storage for passwords | ❌ (88.x+) | |
#brave-ads-custom-notifications | Enable Brave Ads custom notifications | ✔️ | |
#window-naming | Window Naming | ✔️ Setting under More tools - Name Window | |
#brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) | |
#dns-httpssvc | Support for HTTPSSVC records in DNS | ✔️ (needs further investigation) | |
#omnibox-default-typed-navigations-to-https | Omnibox - Use HTTPS as the default protocol for navigations | ✔️ | |
#brave-first-party-ephemeral-storage | First Party Ephemeral Storage (95.0.4638.40+) | ✔️ | |
#enable-unsafe-webgpu-service | Unsafe WebGPU Service | ❌ | |
#quiet-notification-prompts | Quieter notification permission prompts | ✔️ | |
#privacy-sandbox-settings | Privacy Sandbox Settings | ✔️ (90.1+) | |
#safety-check-chrome-cleaner-child | Enables the Chrome Cleanup Tool child in safety check. | ❌ (91.x+) |
Android (mobile) Flags
Mobile Security
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#block-insecure-private-network-requests | Block insecure private network requests. | ✔️ | unknown |
#brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | unknown |
#clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
#disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | unknown |
#enable-site-isolation-for-password-sites | Enable site Isolation for Password Sites | ✔️ | unknown |
#enable-site-per-process | Part of Site isolation | ✔️ | unknown |
#origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
#strict-origin-isolation | Strict-Origin-Isolation | ❌ | unknown |
#sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery | ❌ | unknown |
Mobile Privacy
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#autofill-enable-sending-bcn-in-get-upload-details | Enable sending billing customer number in GetUploadDetails | ❌ | Enabled if preflights are enabled. |
#autofill-fill-merchant-promo-code-fields | Enable Autofill of promo code fields in forms | ❌ | unknown |
#autofill-parse-merchant-promo-code-fields | Parse promo code fields in forms | ❌ | unknown |
#brave-adblock-cosmetic-filtering-child-frames | Apply cosmetic filtering to frames other than the main frame of a page | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | 103.1.42.74/1.42.74 |
#brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | unknown |
#brave-debounce | Enable debouncing (94.x+) | ✔️ | unknown |
#brave-domain-block-1pes | Enable domain blocking using First Party Ephemeral Storage | ✔️ | unknown |
#continuous-search | Continuous Search | ❌ | unknown |
#device-posture | Device Posture API | ❌ | unknown |
#edit-context | EditContext API | ❌ (100.0+) | unknown |
#enable-autofill-credit-card-authentication | Allow using platform authenticators to retrieve server cards | ❌ (87.x+) | unknown |
#enable-commerce-price-tracking | Price Tracking | ❌ Connections to Google and partners + market influence and manipulation. It is better and more privacy-friendly to trust independent retailers and engine-crawlers such as Geizhals, Mindfactory etc. | unknown |
#enable-fenced-frames | Enable the <fencedframe> element. | ✔️ with ShadowDOM, on older Android versions prior 9 set this to Enabled otherwise you might get Browser crashes. | unknown |
#enable-generic-sensor-extra-classes | Generic Sensor Extra Classes | ❌ | unknown |
#enable-payment-request-basic-card | PaymentRequest API 'basic-card' method | ❌ | unknown |
#enable-quic | Enable QUIC Protocol | ✔️ (Brave filters controversial APIs) | unknown |
#feed-stamp | Enable StAMP cards in the Feed | ❌ | Default, depends on if you use Feeds or not. |
#font-access | Font Access APIs | ❌ | unknown |
#force-major-version-to-100 | #force-major-version-to-100 | ❌ | unknown |
#incognito-screenshot | Allow Incognito Screenshots | ❌ | unknown |
#large-favicon-from-google | Large favicons from Google | ❌ | unknown |
#omnibox-assistant-voice-search | Omnibox Voice Search Assistant | ❌ | unknown |
#partitioned-cookies | Partitioned Cookies | ✔️ | unknown |
#reduce-user-agent | Reduce User-Agent request header | ✔️ | unknown |
#reduce-user-agent-minor-version | Reduce the minor version in the User-Agent string | ✔️ | unknown |
#related-searches-in-bar | Enables showing Related Searches in the peeking bar. | ❌ disabled to avoid search engine ping backs | unknown |
#wallet-service-use-sandbox | Wallet Services uses Google's Sandbox | ❌ Connects to some Google Endpoints. | unknown |
#webxr-incubations | WebXR Incubations | ❌ (92.0+) | unknown |
Mobile PWA
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#messages-for-android-pwa-install | PWA Installation Messages UI | ✔️ | disabled |
#pwa-update-dialog-for-name-and-icon | Enable PWA install update dialog for name/icon changes | ✔️ | disabled |
Mobile Performance
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#back-forward-cache | Back and forward Cache | ❌ | disabled |
#brave-adblock-cookie-list-default | Treat 'Easylist-Cookie List' as a default list source | ✔️ | disabled |
#canvas-oop-rasterization | Out-of-process 2D canvas rasterization. | ✔️ enable it on Android 10+ | disabled |
#chrome-share-long-screenshot | Long press share screenshot | ❌ | unknown |
#contextual-search-debug | Contextual Search Debug | ❌ | unknown |
#contextual-search-longpress-resolve | N/A | ❌ | unknown |
#contextual-search-translation | N/A | ❌ | unknown |
#durable-client-hints-cache | Persistent client hints | ❌ | unknown |
#enable-drdc | Enables Display Compositor to use a new gpu thread. | ✔️ enable Android 10+ | unknown |
#enable-gpu-rasterization | GPU rasterization | ✔️ enable Android 10+ | unknown |
#enable-instant-start | Instant start | ✔️ | unknown |
#enable-parallel-downloading | Parallel downloading | ✔️ | unknown |
#enable-prerender2 | Prerender2 | ✔️ (90.x+) | unknown |
#enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes | Throttle non-visible cross-origin iframes | ✔️ | unknown |
#restrict-websockets-pool | Restrict WebSockets pool | ✔️ (97.x+) | unknown |
#smooth-scrolling | Smooth Scrolling | ✔️ | unknown |
#throttle-foreground-timers | Throttle Foreground Timers to 30 Hz | ✔️ | unknown |
Mobile Functionality / Usability
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#android-picture-in-picture-api | Picture in Picture Web API for Android | ✔️ | unknown |
#brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) | unknown |
#brave-adblock-redirect-url | Enable support for $redirect-url filter option for adblock rules | ✔️ | unknown |
#brave-cosmetic-filtering-sync-load | Enable sync loading of cosmetic filter rules | ✔️ | unknown |
#context-menu-google-lens-chip | Google Lens powered image search for surfaced as a chip below the context menu. | ❌ | unknown |
#context-menu-search-with-google-lens | Google Lens powered image search in the context menu. | ❌ | unknown |
#context-menu-shop-with-google-lens | Google Lens powered image search for shoppable images in the context menu. | ❌ | unknown |
#context-menu-translate-with-google-lens | Google Lens powered image search for translatable images surfaced as a chip under the context menu. | ❌ | unknown |
#continuous-search | Continuous Search | ✔️ | unknown |
#darken-websites-checkbox-in-themes-setting | Darken Websites checkbox in Theme settings | ✔️ | unknown |
#enable-force-dark | Force Dark Mode for Web Contents | ✔️ increase text contrast | unknown |
#enable-jxl | Enable JXL image format | ✔️ (Chrome 91.1.x+) | unknown |
#enable-quick-action-search-widget-android | Quick Search Widget | ✔️ | unknown |
#google-lens-sdk-intent | Enable the use of the Lens SDK when starting intent into Lens. | ❌ | unknown |
#media-session-webrtc | Enable WebRTC actions in Media Session (93.x+) | ✔️ | unknown |
#messages-for-android-ads-blocked | Ads Blocked Messages UI | ✔️ | unknown |
#messages-for-android-permission-update | Permission Update Messages UI | ✔️ | unknown |
#messages-for-android-reader-mode | Reader Mode Messages UI | ✔️ | unknown |
#page-info-about-this-site | About this Site in Page Info | ✔️ | unknown |
#photo-picker-video-support | Photo Picker Video Support | ✔️ (with animated thumbnails), the option only works on Android 9+ | unknown |
#playback-speed-button | Playback Speed Button | ✔️ | unknown |
#shared-highlighting-v2 | Shared Highlighting 2.0 | ✔️ (Chrome 90.x+) | unknown |
#shopping-list | Shopping List | ❌ can create problems with Sync and working with Bookmarks is a PITA in Chrome in general, hopefully Brave gets a Widget for this one day. | unknown |
#voice-button-in-top-toolbar | Voice Button in Top Toolbar | ❌ The reason why Voice function will never work is that Google prevents using alternative services, so we disable it. | unknown |
Mobile outdated, removed or integrated/replaced
Flag | Name | Disabled since or/and Comment | |
---|---|---|---|
#google-mobile-services-passwords | Google Mobile Services for Passwords | ❌ | unknown |
#post-quantum-cecpq2 | TLS Post-Quantum Confidentiality | ✔️ integrated and merged into Chrome 101+. | |
#enable-tab-grid-layout | Tab Grid Layout | This flag is a leftover, the function was removed from the source code. If you want Grid you need to use 1.35.104 | |
#brave-sync-v2 | Enable Brave Sync v2 | Depends on user choice (opt-in), you can set it manually under Settings. | |
#global-media-controls-for-chromeos | Global Media Controls for ChromeOS | Depends on your platform, only available in ChromeOS | |
#enable-sharing-page-via-qr-code | Enable sharing page via QR Code | Merged into the Browser (stable). | |
#enable-tls13-early-data | TLS 1.3 Early Data | ✔️ | |
#enable-ftp | Enable FTP | Removed from the source code | |
#brave-adblock-default-1p-blocking | Shields first-party network blocking (1.30.27+) | ✔️ | |
#brave-dark-mode-block | Enable dark mode blocking fingerprinting protection (1.30.27+), the settings depends now on Shield settings | ✔️ | |
#clear-cross-browsing-context-group-main-frame-name | Clear window name in top-level cross-browsing-context-group navigation | ✔️ (91.1+) ⚠️ needs further investigation, since the impact is unclear. | |
#passwords-account-storage | Enable the account data storage for passwords | ❌ (88.x+) | |
#brave-rewards-bitflyer | Enable bitFlyer for Brave Rewards (default) | Will be detected by keyboard/OS language | |
#u2f-security-key-api | Enable the U2F Security Key API | ❌ | |
#cookies-without-same-site-must-be-secure | N/A | ✔️ | |
#legacy-tls-enforced | N/A | ❌ (might break some pages who use "outdated TLS configurations") | |
#omnibox-default-typed-navigations-to-https | N/A | ✔️ | |
#treat-unsafe-downloads-as-active-content | N/A | ✔️ | |
#brave-first-party-ephemeral-storage | First Party Ephemeral Storage (95.0.4638.40+) | ✔️ | |
#safe-browsing-client-side-detection-android | Safe Browsing Client Side Detection on Android | ❌ | |
#omnibox-local-zero-suggest-frcency-ranking | Omnibox Local Zero Suggest Frequency Ranking | ❌ | |
#share-by-default-in-cct | Share by Default | ❌ | |
#enable-accessibility-live-caption | Live Caption | ❌ (90.x+) ⚠️borked | |
#system-keyboard-lock | Experimental system keyboard lock | ❌ (89.x+) | |
#privacy-sandbox-settings | Privacy Sandbox Settings | ✔️ (90.1+) | |
#chrome-share-highlights-android | N/A | ❌ | |
#cookie-deprecation-messages | N/A | ❌ | |
#enable-android-dark-search | Enable Android Dark Search | ✔️ | |
#enable-ephemeral-tab-bottom-sheet | Enable Ephemeral Tab Bottom Sheet | ✔️ Open at half state | |
#quiet-notification-prompts | Quiet Notification Prompts | ✔️ adaptive activation | |
#read-later | Read Later (Reading List) | ✔️ | |
#share-button-in-top-toolbar | Share Button in Top Toolbar | ❌ | |
#toolbar-iph-android | Toolbar IPH in Android | ❌ | |
#sharing-hub-desktop-app-menu | Desktop Sharing Hub in App Menu | ✔️ (Chrome 91+) | |
#sharing-hub-desktop-omnibox | Desktop Sharing Hub in Omnibox | ✔️ (Chrome 91+) | |
#omnibox-native-voice-suggestions-provider | Omnibox Native Voice Suggestions Provider | ❌ | |
Brave only specific flags (not needed to be enforced)
Flag | Name | Info Comment | Default flag state |
---|---|---|---|
#brave-adblock-cosmetic-filtering | Enable cosmetic filtering | Enabled by default even if it only shows "default" | enabled |
#brave-adblock-csp-rules | Enable support for CSP rules | Not need to be enforced (since 1.25.68+) | unknown |
#brave-ads-allowed-to-fallback-to-custom-push-notification-ads | Allow Brave Ads to fallback from native to custom push notifications | This is OS specific and in the future will be obsolete since Brave will detect the OS and then automatically fallback to the legacy system. | unknown |
#brave-decentralized-dns | Enable Decentralized DNS | ✔️ This is now a settings point under Browser Settings since v95+ which you can easily switch. | unknown |
#brave-news | Enable Brave News | Your own decision to enable it or not, it is a global switch. | unknown |
#enable-lens-region-search | Search your screen with Google Lens (93.1.31.39+), since 1.36.112 it is disabled by default. | ❌ | unknown |
#enable-webrtc-hide-local-ips-with-mdns | This is not Brave only specific but there are two ways how Brave handles it, via Shields or Setting | Do not enforce it via flag | unknown |
Other Useful Brave Browser Tips
- Add shortcuts to instantly use a website's search bar directly from Brave's search bar, e.g. youtube, amazon, etc.
- DO NOT use nightly builds. The logic of using nightly builds to get "things first" is flawed. Often you run into MORE fingerprinting due to bugs and unreviewed changes than with stable builds. Critical vulnerabilities get fixed immediately in stable builds anyway.
- Brave is well documented and their Wiki helps a lot.
- Export / import Chrome flags (mobile/desktop) via script, see here.
- Go to `brave://adblock` (URI also works in Mobile!) and enable only the following filters to maintain the best filtering performance: `CJX's Annoyance List`, `Easylist-Cookie List - Filter Obtrusive Cookie Notices`, `Fanboy Annoyances List`, `Fanboy Social List` (optional), `uBlock Annoyances List (used with Fanboy Annoyances List)` + one OPTIONAL language based Easylist (depends on your Region). DO NOT enable more filters, more is not (always) better.
- Starting with Chrome 90/91+ Sandboxie Technologies (SBIE Open source) has some issues with Chrome/Chromium/Brave, I do not suggest using it. If you want another isolation layer use a RAM Disk and move all temp data onto that drive. It has a much better performance than Sandboxie.
- You still can change the User-Agent on mobile with root, it is not advised to change the UA because Brave addressed all UA based concerns.
- How-To start Brave in Incognito Mode, see also here for a more in-depth guidance.
- You can start Brave directly in Tor Mode via `onion` e.g. `"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe" onion`, further modes and implementations are being discussed over here.
- If Brave Browser blocks your download turn off "Safe Browsing" in the settings. There is also a secret cheat code built into warnings like "This is not a safe connection" etc.: if you type `thisisunsafe` on your keyboard in all lower case, you can bypass any security warnings.
- "Zero-copy rasterizer" and "Disable site isolation" shall never be touched, they cause crashes.
- Some useful start parameters are `--silent-launch`, `--tor` and `--incognito`, those cmdline params work since 1.29.48 (or higher).
Linux specific Tips
You can create a file called `chrome-flags.conf` and put it into `$HOME/.config/chrome-flags.conf`, this makes it easier to work with flags without opening the Browser.
Example `chrome-flags.conf` shown below.
```
--disable-features=UseChromeOSDirectVideoDecoder
--disable-gpu-driver-bug-workarounds
--enable-accelerated-2d-canvas
--enable-accelerated-video-decode
--enable-features=VaapiVideoDecoder
--enable-gpu-rasterization
--enable-oop-rasterization
--enable-zero-copy
--ignore-gpu-blocklist
# Borked until Chrome 96
# https://chromiumdash.appspot.com/commit/a4de986102a45e29c3ef596f22704bdca244c26c
# ... and Chrome 98
# https://bugs.chromium.org/p/chromium/issues/detail?id=1236697
#
# Up to you and your preference and device.
# --gpu-testing-vendor-id=0x8086
# --gpu-testing-device-id=0x5917
# --force-device-scale-factor=1.00
# --enable-features=WebUIDarkMode
# --force-dark-mode
```
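An added example (not part of the original guide): a small Python linter for the `chrome-flags.conf` shown above. Chromium keeps only the last value of a repeated switch, so activating the commented-out `--enable-features=WebUIDarkMode` line would silently replace `--enable-features=VaapiVideoDecoder`; the script merges such lines and warns about switches this guide calls unstable. The sample file content is constructed from the guide's example, and the one-switch-per-line format with `#` comments is assumed from it.

```python
"""Lint a chrome-flags.conf before the launcher hands it to the browser."""

# Switches whose value is a comma-separated feature list.
LIST_SWITCHES = ("--enable-features", "--disable-features")

# Switches this guide describes as unstable depending on OS/distro.
UNSTABLE = {"--enable-zero-copy", "--enable-gpu-rasterization"}

# Constructed sample: the guide's example with two of its commented-out
# lines activated, which creates a second --enable-features switch.
SAMPLE_CONF = """\
--disable-features=UseChromeOSDirectVideoDecoder
--enable-features=VaapiVideoDecoder
--enable-gpu-rasterization
--enable-zero-copy
--ignore-gpu-blocklist
# Up to you and your preference and device.
# --force-device-scale-factor=1.00
--enable-features=WebUIDarkMode
--force-dark-mode
"""


def parse_flags(text):
    """Return the active switches, skipping blank lines and # comments.

    Assumption: one switch per line, as in the guide's example file.
    """
    flags = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            flags.append(line)
    return flags


def lint(flags):
    """Merge repeated feature lists and collect warnings.

    Returns (merged_flags, warnings). A merged list switch keeps the
    position of its first occurrence.
    """
    merged = []      # output switches, in order
    features = {}    # list switch -> ordered, de-duplicated feature names
    seen = set()     # plain switches already emitted
    warnings = []

    for flag in flags:
        name, _, value = flag.partition("=")
        if name in LIST_SWITCHES:
            if name in features:
                warnings.append(f"{name} repeated: only the last one would apply")
            else:
                features[name] = []
                merged.append(name)  # placeholder, expanded after the loop
            for feat in value.split(","):
                feat = feat.strip()
                if feat and feat not in features[name]:
                    features[name].append(feat)
            continue
        if flag in seen:
            warnings.append(f"duplicate switch: {flag}")
            continue
        seen.add(flag)
        if name in UNSTABLE:
            warnings.append(f"{name} is noted as unstable on some distros")
        merged.append(flag)

    # A feature listed on both sides is a contradiction worth reporting.
    both = set(features.get("--enable-features", [])) & set(
        features.get("--disable-features", []))
    for feat in sorted(both):
        warnings.append(f"{feat} is both enabled and disabled")

    merged = [f"{m}={','.join(features[m])}" if m in features else m
              for m in merged]
    return merged, warnings


if __name__ == "__main__":
    merged_flags, notes = lint(parse_flags(SAMPLE_CONF))
    print("\n".join(merged_flags))
    for note in notes:
        print("warning:", note)
```

Write the merged output back to the file only after reviewing the warnings.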
- You can enforce the usage of vaapi by default via `brave --enable-oop-rasterization --enable-accelerated-video-decode`.
- To enforce Wayland support (Chromium 87+) you can use `brave --enable-features=UseOzonePlatform --ozone-platform=wayland`. In case you get crashes on some Distros, you need to use it together with `--disable-gpu` to avoid hard crashes.
- SIGSEGV & SIGTRAP error codes in Brave
- No video hardware acceleration available on some pages: Some videos on e.g. YouTube are encoded using AV1 and Brave will use the dav1d software decoder for that. But for ones encoded differently, Brave will indeed use the GPU for it if you turned on `--enable-features=VaapiVideoDecoder`.
- The `Override software rendering list` flag can be used to enforce that your GPU will be used (which might be blacklisted otherwise).
- The `Enable Mojo Shared Memory Channel` flag can be used to share messages from the GPU buffer, which might increase performance a bit.
- On Ubuntu based Distros I personally use the following combination for passthrough: `--ignore-gpu-blocklist`, `--enable-gpu-rasterization`, `--enable-zero-copy`, `--disable-gpu-driver-bug-workarounds` and `--use-gl=desktop`. Keep in mind that rasterization and zero-copy are highly unstable (depends on the OS/distro).
- Font rendering can be a PITA, Settings --> Advanced --> System --> Hardware Acceleration is your first starter here.
- `#enable-gpu-rasterization` + `#enable-zero-copy` + `#canvas-oop-rasterization` combined can boost the performance on Linux by a solid 10 percent, do not enable those flags on other platforms.
- `#enable-skia-renderer` gets rid of log spam on Intel iGPUs.
Default Fonts
By default Brave Browser uses `Poppins` and `Muli` for the content you see around the web, those mentioned fonts are not the default fonts to render the actual content.
The actual fonts are
- Standard font: Liberation Serif / Times New Roman 16
- Serif font: Liberation Serif / Times New Roman 16
- Sans-serif font: Liberation Sans / Arial 16
- Fixed-width font: Monospace / Consolas 13
Keep in mind that the list can be different because some Distros do not include mentioned fonts by default. In this case other fonts are the default ones. Font rendering and issues are actually a thing.
My own suggestion is
- Poppins 16
- Poppins 16
- Open Sans 16
- Muli 12
- Set the minimum font size to 6 and not 0 which is a borked default.
There is currently no way to disable font anti-aliasing/font smoothing.
Browser Extensions
In general less is more: fewer extensions mean less memory usage and less attack surface, and they also help in terms of speed and fingerprinting.
Extension | Comment |
---|---|
Behave! | Monitors and warns if a web page performs DNS Rebinding attacks to Private IPs, accesses Private IPs and allows Port Scans (among other features). |
Bypass Paywalls alternative Bypass Paywalls for Chrome Clean | Bypass annoying article PayWalls. |
CSS Exfil Protection | Guard your browser against CSS Exfil attacks (will be obsolete with Chrome 102+). |
Demodal | A browser extension that blocks modals and overlays. It can be used in addition to uBlock or Brave's Ad-Block to bypass e.g. Paywalls and other modals which are hard to block via uBO or heavily rely on static filterlists. |
Extension source viewer | View source code of Chrome extensions, Firefox addons or Opera extensions (crx/nex/xpi) from the Chrome web store and elsewhere. |
JShelter alias JS-Restrictor | Extension for increasing security and privacy level of the user. |
Keyboard Privacy | Prevents behavioral profiling by randomizing the rate at which characters reach the DOM (will be obsolete with Chrome 92+!). |
Old Reddit Redirect | Alternative via script, I prefer the script! Or you use Redirector 👇. |
Redirector | The add-on lets you create redirects for specific webpages, e.g. always redirect http://bing.com to http://startpage.com |
Session Buddy | Manage Browser Tabs and Bookmarks easily. |
Tabs Session Manager | WebExtensions for restoring and saving window / tab states. |
Terms of Service; Didn’t Read | Ranks website terms & privacy policies from very good Class A to very bad Class E. |
uBlacklist | Blocks specific sites from appearing in Google search results. |
zwBlocker | An extension that helps spot zero-width characters. |
Optional Browser Extensions (some suggestions for specific needs)
Extension | Comment |
---|---|
Acid Tabs | Auto-Grouping your Tabs easily. |
Old Brave Dark Theme | Workaround some dark mode issues. |
CheaperThan. Amazon | Snipe Amazon deals. |
ClearURLs | Until merged with Brave adblock (needs syntax changes in Braves AdBlock). Merged in 1.30.84. |
Consent-O-Matic | Automatic handling of GDPR consent forms. |
Copy Guard | A browser extension to prevent copy hijacking. It can be useful if you want feedback. |
Enhancer for YouTube | Improve some YouTube features. |
Export links of all extensions | Export your list of extensions. |
External Application Button | Useful if you want to add YouTube-DL to right-click menu. |
Fake news debunker by InVID & WeVerify | AI to detect fake news. |
FastForward | Don't waste your time with compliance. FastForward automatically skips annoying link shortener. |
Grammar and Spell Checker — LanguageTool | Spellchecking is integrated into the Brave Browser (might not work on all websites). |
Header Editor | An extension which can modify the request, include request headers, response headers, redirect requests, and cancel requests. |
JShelter | Browser extension to mitigate potential threats from JavaScript. |
Kee - Password Manager | Helper extension for KeePass. |
Metamask | The MetaMask browser extension enables browsing Ethereum blockchain enabled websites. |
MyJDownloader Browser Extension | Only relevant if you use/work with JDownloader2. |
Reddit Enhancement Suite | Some Reddit tweaks. |
Search by Image | reverse Image Search utility. |
Shodan alternative (Open Source) Country Flag & Website Info | IP info, Whois and more for visited domain (website). |
SponsorBlock for YouTube | Skip sponsor ads on YouTube. |
Tampermonkey | Make sure to opt-out of telemetry! There are alternatives but they do not work as well as TM. TM needs #enable-javascript-harmony & #enable-experimental-web-platform-features for some features (default disabled in Brave), only activate it if absolutely necessary. |
The Commenter | Check for comments on the web. |
Tomato Clock | Egg timer for your Browser. |
VectorDraw - Paint on Tab | Paint on tabs, useful if you do some videos and want to show something. |
Web Scrobbler | Web Scrobbler helps online music listeners to scrobble their playback history. |
WebWormhole | WebWormhole lets you send files from one place to another. |
YouTube Dislike Count which doesn't need external API call | Userscript solution which works without any external API, an extension but with external calls is available here. |
papers-with-video | Add a video icon to the paper title on arxiv.org if a conference video exists for the paper. |
vidIQ Vision for YouTube | YouTube statistics (needs login for advanced functions!) |
Browser Extensions you do NOT need
Extension | Comment |
---|---|
Barrier | Already integrated into Brave Shields. |
Canvas Blocker | Brave randomizes the fingerprint, depending on your Shield settings (brave.com). |
Canvas Fingerprint Defender | ↑ |
CanvasFingerprintBlock | ↑ |
ChromeGalvanizer | Harden your browser against extension backdoors and exploits. Brave includes hardening already by default. |
Cookie-AutoDelete | Set shield defaults to never allow Cookies and only unlock Cookies when needed, ensure "clear browser data on exit" and cookies are enabled in Brave's settings. |
Decentraleyes | Decentraleyes is practically abandonware with little to no impact and outdated resources. The benefit cannot be proven in the real-world because CDNs update very often, due to security fixes, performance etc. using hardcoded and old libraries can make you more vulnerable. |
Disconnect | Useless, integrated into Braves filter-lists. |
Ghostery (ghostery.com) | Brave Ad Block does the same. ↑ |
HTTPS Everywhere | Integrated into Brave Shields (support.brave.com). |
LAN-port-scan forbidder | Browser extension to protect the private network. You can achieve the same with a LAN blocking filterlist, and the Browser already restricts specific ports by default. |
LocalCDN | Integrated into Brave Shields, lots of CDNs and Endpoints getting tunneled. |
NoScript | Not needed, you achieve the same with Brave shield or uBlock (if you know how to work with custom filters). |
Privacy Badger | Privacy Badger does same as uBO/Brave Adblock, the "AI" based function (learning) got disabled by default due to metadata (privacy) concerns. It can also easily be detected (adtechmadness.wordpress.com). |
Privacy Possum | Integrated into Brave Shields. |
Trace | Partially integrated into Shields, not all features. |
uBlock Origin | Only needed if you are an advanced user because Brave Adblock constantly evolves together with uBlock and new features get adopted and integrated. |
Parcourstest
Here are the tests the Browser (Desktop/Mobile) needs to pass. This needs to be done so that we know the flags/changes we made do not influence (negatively) the Browser in a way we do not want. Privacytests.org provides a solid but not perfect overview of what is currently covered with the DEFAULT Brave Browser settings and shield settings. Test results vary a lot with changed shield settings as well as changed flags and settings.
This is my own test ground. You can verify studies that are always opt-in only via Griffin, the website Brave Variations basically checks and verifies given flags and studies and you can examine what is currently activated or what is inactive. Griffin is not spyware, it is designed to review the current staging process as well as to quickly review stuff like upcoming feature tests and the roll-out process.
- All: `brave://interstitials/` must pass (contains all sub-resources to test security, privacy etc.), however there are a bunch of tests that you can ignore based on our recommendations e.g. Safe Browsing.
- Performance: Input lag test (basro.github.io), needs to pass 90+ Hz check (your monitor/device needs to support it). On some Android ROMs you need to enforce the refresh rate manually (androidcentral.com) (or use an app (forum.xda-developers.com) and unlock fps (forum.xda-developers.com))
- Privacy: Browser IP leak (browserleaks.com), needs to pass in Tor + Incognito mode
- Privacy: Cloaked CNAMEs check against a real world website e.g. https://publicwww.com/websites/EA_data/ Brave shields must block `https://seomon.com/piwik/matomo.js`.
- Browser platform test: Web Platform Tests (web-platform-tests.org), needs to pass
- Privacy: FLoC (github.com), needs to pass (check against a website which supports it e.g. https://web.archive.org/)
- Security: Schemeflood (schemeflood.com), needs to fully pass.
- Privacy: Font Fingerprinting test (amiunique.org), see here (github.com)
- Privacy: window.Intl.DateTimeFormat() API (developer.mozilla.org), see here (github.com)
- Privacy: Dark Mode detection (github.com), needs to pass
- Privacy: `Clear Data on Exit` must be enabled and enforced by default
- Privacy: HSTS fingerprinting (github.com), needs to pass, read how it works (usenix.org) and how to protect yourself (webkit.org) - Shields set to "aggressive" & cookies blocked (by default must be enabled)
- Privacy: Do Not Track must be disabled (default), it's useless (boingboing.net) and enabling it results in more fingerprinting (w3.org)
- Privacy: Cover your Tracks (coveryourtracks.eff.org), needs to pass (fonts and GL / canvas fingerprints randomized) - The site is misleading, because it can only detect a unique fingerprint within your session. You can test this if you try running the test and making note of the actual fingerprint ID, after that, restart your browser and run the test again. Compare the two fingerprint IDs. If they're the same, your fingerprint is persisting across sessions, which is problematic. The website doesn't show you your actual fingerprint ID, so you have to go to browserleaks.com/canvas (browserleaks.com) and scroll down to the "Your Fingerprint" section, and you'll see your fingerprint ID (signature).
- Privacy: 3rd party cookie bypass (xsid-demo.glitch.me), needs to pass ("Block third-party cookies" must be enabled [default]).
- Privacy: Does your browser have TablesNG? (tablesng.com), does not need to pass because the fingerprint vector for this is non-existent. But it indicates if your flag with TablesNG worked or not (only interesting for nightly users).
- Privacy: SameSite 🍪 sandbox (samesite-sandbox.glitch.me), needs to pass
- Privacy: is-chrome-100-yet.glitch.me (is-chrome-100-yet.glitch.me) must return: NO which is always the case because we never use nor enforce `#force-major-version-to-100`.
- Functionality: webcamtests (webcamtests.com), Webcam Test Web Utility must show a picture in case you use and plugged in your webcam. Since we blocked the webcam permission by default, you need to unlock that permission first for the website. Do not add a general exclusion to the permission page. This then also tests if it really blocks the cam permission or not each time we revisit the page.
- Security: XSinator – XS-Leak Browser Test Suite (xsinator.com), needs to pass, this will not happen this year but this is a long-time goal.
- Security (optional): To check if the HTTPS-Upgrade option is functional you can visit http://https-everywhere.badssl.com. But we do not need it since we use the "Always use HTTPS" option. However, on Android you can only, for whatever reason, enable "Always use HTTPS" if the upgrade option is checked.
- Query filter test for debouncing (fmarier.org). Instructions are given on the website, the debouncing redirection blocks HTTPS Everywhere but I do not suggest using it since it is EOL.
- Social widgets and logins must work (fmarier.github.io), the results depend on the default settings and on whether you, on top of that, enabled all disabled embeds and logins for services that are disabled.
- WebRTC canvas test (jsfiddle.net) must show at least 3 blocked elements.
- Optional: SafeBrowsing test must work (testsafebrowsing.appspot.com/), make sure that Safe Browsing (via Brave Proxy) works for all the listed items. The test is irrelevant for us and only listed for those who are interested because we disable Safe Browsing entirely.
- The audio fingerprint page (audiofingerprint.openwpm.com) must block all trackers because we enforce aggressive blocking of trackers & ads, otherwise the page should let fingerprints through to avoid website breakages.
- Debouncing rules should run without any problem (dev-pages.brave.software), assuming you have some own defined via regex.
- ETag on Page2 (hinternesch.com), must be random but not the same across Browser restarts.
Official Test:
The official Brave QA Test Pages are here (dev-pages.brave.software).
Obsolete test pages:
- https://mixed-script.badssl.com/
- https://https-everywhere.badssl.com/
Brave Browser FAQ
- The official onion URL is `https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion/`.
- Brave Team answered to wrong accusations (reddit.com), see here (reddit.com) for more details. Especially Firefox fanboys cannot accept the competition (ebin.city) even after they got proven wrong (news.ycombinator.com) they do not even edit their article.
- Brave forces rival browser 'Braver' to change its name (decrypt.co), the Browser was always behind Chromium (un-googled, Brave,... and is now "dead")
- Brave has its own alternative to Firefox's Total Cookie Protection with Ephemeral Site Storage (brave.com)
- Brave: Opt-In Data Collection (support.brave.com) & Brave Telemetry Explained (brave.com)
- IPFS Support in Brave (brave.com)
- Uphold Privacy Policy (used by Brave Rewards) (uphold.com)
Brave VPN FAQ
- The minimum required Android version is 8.
- Brave and Guardian Team Up Again to Integrate the Brave Android Browser with Guardian Firewall + VPN (brave.com).
- Guide on how to unlock the VPN (github.com) - Does not work on Linux, as those flags are platform depending.
- Brave VPN (guardianapp.com) is based on The Guardian VPN - 9,99 per month.
- Brave wants 4,99 Dollars per month but with fewer servers to choose from compared to what Guardian offers, and limited to 100Mbps.
- Turning VPN on automatically triggers DoH to avoid DNS leaks (github.com).
Brave Talk FAQ
- Brave Talk for Google Calendar (chrome.google.com), see the official announcement.
- Differences between Jitsi and Brave Talk (reddit.com).
- You can access Brave Talk (brave.com) via sidebar (needs to be enabled) or via official URL directly: talk.brave.com.
- Why do I need to enable Rewards to use Brave Talk? For the no-cost option, enabling Brave Rewards helps Brave to cover the costs of video infrastructure. There is an alternative option available, you can subscribe to Brave Premium for a cost ($7 USD/month).
- Bmeet – Command line to create Brave talk meetings (npmjs.com).
Brave Rewards FAQ
- What personal information can users discover through one of my creator channels? (bravefaq.com)
- Brave Rewards, depending on your country simply counts as income, which means it is NOT tax free (koinly.io).
- Claiming Rewards on Mobile requires SafetyNet to pass (ruqqus.com) and depends on Google Play Services. If you never pass SafetyNet you will not be able to claim your BAT and you might be flagged by the system which means you will never see any ads.
- I got some BAT and cannot verify my wallet (country not supported etc.). Create a publisher's account and connect your YouTube, Reddit or a website. Then tip yourself. You'll lose 10% of your BAT in the process, but it's better than losing everything.
- The previous device limit of 4 devices (community.brave.com) will be removed starting with Brave 1.38.x. A workaround to bypass the limits seems to be linking your Brave Desktop to Gemini and your phone's Brave browser to Uphold. However, this requires that you work with both services.
- Brave Rewards linking limits are going to be removed after the May payout (github.com).
- If you format your PC/Smartphone you lose your BAT because they are temporarily stored on the local machine until sync grabs them.
- If you see 0.00 BAT (while you actually have some BATs) wait, the sync might be confused, no need to panic! Waiting or restarting your Browser can help in this case.
- In case you see no Ads at all while you actually enabled it, make sure you check this article (community.brave.com) first.
- Most Rewards settings in the Browser require a Browser restart, Brave currently has no warning or info popup implemented for this. But if you switch for example the `Default cryptocurrency wallet` option you need to restart your Brave Browser. Most problems can be solved by just restarting the Browser.
- Rewards are borked on Arch Linux based Distros, which seems to be a Wayland problem (github.com).
- The lack of Brave Rewards on iOS is thanks to Apple's App Store rules, see here (brave.com) why.
- Verifying your (Uphold/Gemini) Wallet requires minimum 15 BAT (reduced from previously 25).
- You can change the ads window position, just click and hold on the window while it appears and then you can drag it to another position.
- You can obtain growth statistics for BAT here (basicattentiontoken.org), monthly growth statistics are disclosed here (bravebat.info).
- At the End of Every Month Your Bat Rewards Stats Reset (github.com)
- BAT is a cryptocurrency you get from Brave Rewards (basicattentiontoken.org)
- Custom tipping amount (reddit.com) can be freely adjusted (for now) on Desktop only.
- Gemini Now Provides an Integrated Crypto Experience for Brave Users (gemini.com)
- How can I add my other Crypto Wallets to Brave? (support.brave.com)
- No more 5 BAT payout minimum for Creators (ruqqus.com).
- The browser Brave pays its 42 million users 70% of the revenue it generates from ads they see. Brave compensates them in its own “Basic Attention Tokens,” which they can redeem for currency or use to tip their favorite sites. Users report earning $5 to $10 monthly, according to a Brave spokeswoman (wsj.com).
- The new Gemini User Wallet in Brave Rewards lets users seamlessly redeem and move their BAT. (video) (vimeo.com), for the text-only announcement, check this out (brave.com).
I can't claim my BAT!?
Try disabling any VPN/Proxy/SOCKS. In case you're on Android you need SafetyNet to pass, you can try to bypass it via Magisk (android.gadgethacks.com). If you cannot claim your reward disable your VPN/Proxy and restart (relaunch) your Browser. Keep in mind that toggling VPN, Proxies, Tor, Shadowsocks etc. might result in your account getting flagged automatically by the system, which means you do not see any ads anymore once this is done. You can ask in the forum to remove the flag from your account but if they notice you constantly toggle such systems you might even get banned. The flagging system is in place to avoid fraud and not to censor someone.
Brave News FAQ
- Brave News basically acts like an RSS-Feed gateway in which you can choose from existing news feeds or add your own. Unlike other services there are no trackers involved.
- News feature is enabled by default with build 1.36.105 and higher.
Brave Wallet FAQ
You can see the Wallet implementation progress here (github.com).
- Brave Wallet’s source code (github.com) is available under an Open Source license, unlike other popular web 3.0 extensions.
- Default currency and crypto conversion display settings. (planned)
- Full native NFT support, including owned NFT discovery, an NFT catalog, and the addition of NFT asset values in your portfolio. (planned)
- If you install MetaMask, then the default wallet will actively change to MetaMask. If you’re a user of the old Crypto Wallets extension in Brave (a fork of MetaMask), then the first thing to know is that you can switch back to the old wallet in brave://settings/wallet by changing your default wallet back to Crypto Wallets.
- Live Market data for most assets (including non-EVM-based assets) (planned)
- Support for more blockchains (planned)
Brave Search FAQ
Brave needs to fix the mentioned points, otherwise I cannot suggest using it as a private alternative. Until then you could use Qwant, Presearch or other listed alternatives (https://chef-koch.bearblog.dev/privacy-tools-list-by-chef-koch/#metasearch-engines).
- Brave Search removed the Beta tag in the Search Settings. The Website itself remains beta for now.
- FAKE URL: h̷t̷t̷p̷s̷:̷/̷/̷b̷r̷a̷v̷e̷s̷e̷a̷r̷c̷h̷.̷c̷o̷m̷/̷ and the real URL is: https://search.brave.com.
- Amazon is used as their Certificate Authority.
- Brave Search is currently not displaying any ads in their Beta period, but the free version of Brave Search will soon be ad-supported. Brave Search will offer an ad-free premium version in the near future, it is unclear if you can, similar like with Talk, use your Rewards to unlock the premium version or not.
- Brave accesses your IP address upon your visit to determine your location and better serve you ads. While they claim to not store IP addresses, unlike DDG and Startpage, they do read your full IP address which is not private.
- Brave uses Amazon Cloudfront as their CDN, meaning all traffic passes through Amazon servers. CDNs themselves are controversial and violate GDPR according to the Munich State Court, but this does not mean that CDNs in general are illegal (news.ycombinator.com).
- Starting with Brave Browser v1.26.67+ you can set the search engine to Brave Search. Since 1.34.x Brave was added officially in the list.
- You get locally based search results if you change the location settings on search.brave.com and save cookies under brave://settings/cookies, you must check that "Sites that can always use cookies" is selected for the website. This is a web limitation and not Brave's fault, without cookies no new content can be indexed to show the actual results.
- Brave !bangs (support.brave.com)
- Brave Removes Google as its Default Search Engine (brave.com). Brave's own search engine region selection depends on your location (github.com).
- Brave Search Premium is $3 a month (account.brave.com), Brave intends to implement Brave Rewards into Brave Search sometime in mid-2022. If you pay premium you "Get a cleaner view on all results pages", which means those that don't won't get cleaner page results.
- Brave Search Uses Click Data in Search Ranking Algorithm (seroundtable.com)
- Brave Search censorship (web.archive.org) - original source (imgur.com) - is even worse than Google Search censorship (wikipedia.org). Months later Brendan Eich says that they do not censor (twitter.com). It should be noted that Brave Search is still in the Beta stage at the time of writing this.
- Brave Search requires you to solve a Captcha behind a VPN or Tor (imgur.com)
- Brave Search (brave.com) is still beta. Since October 2021, Brave Search has been the default search engine for Brave browser users in the US, Canada, UK (replacing Google Search), France (replacing Qwant) and Germany (replacing DuckDuckGo and Ecosia).
- Brave Search uses other search engine providers as a fallback if not enough results are found (search.brave.com).
- Hyperweb for iOS lets you choose the default search engine provider (apps.apple.com).
- You can customize the Brave Search engine and disable the real human results view in the Search Engine Settings.
- The search engine itself is not open source (old.reddit.com).
- Brave Search Results Independence (search.brave.com).
Brave Translation FAQ
- Brave currently has no translation engine and they cannot use Google's without violating their terms of service, which results in placeholders and incompatibility with the Google Translate extension. Same goes for Voice btw.
- Official website will be translate.brave.com.
- The API might be the same as Vivaldi, Lingvanex (lingvanex.com).
Brave - Ask me anything (AMA) (sorted from newest to oldest)
- AMA with Annie Lee, Brave CMO, on Brave Talk (Mar. 22, 2022) (talk.brave.com)
- Upcoming Brave Wallet AMA with Brian Bondy (CTO & Co-founder), Douglas Daniel (Front-End Engineer), James Mudgett (Sr. Director, Wallet), & Luke Mulks (VP, BizDev) from Brave - November 18, 2021 (reddit.com)
- I'm Peter Snyder, Senior Privacy Researcher and Director of Privacy at Brave. (reddit.com)
- Brave CTO, and IPFS Lead: AMA about IPFS in Brave and the Decentralized Web (reddit.com)
- Reddit AMA with Brendan Eich on Brave Browser (reddit.com)
- Transcript of AMA with Brendan Eich, CEO of Brave, BAT, Creator of JavaScript (reddit.com)
Brave Stories explained
Brave Referral Story
The whole story got a lot of attention, however it was always misleading and spread to gain clicks. The matter was resolved after 7-8 hours and pushed within 12 hours as a commit. The actual update got released within 24 hours. Some users had to wait 48 hours because this is how the distribution system handles and delivers updates, to avoid huge pressure on the server or hitting GitHub limitations.
“That being said, I think there was a lot of misunderstanding of the situation. There was no privacy harm to users, and what was being done is similar to how most, if not all, browsers interact with search engines, to receive referral cash. Using DDG in Firefox, to give one example, tells DDG the query came from Firefox the "FFAB", or, guessing, "Firefox Address Bar"…”
“…The user was never able to be tracked, the site wasn't able to learn anything additional about you, etc.”
Later in 2020 the referral program was shut down (brave.com).
Reference for the Brave vs. Browser X discussion
- Browser Startup Comparison (netmeister.org) and Braves own inspection (brave.com)
- Browser privacy analyzed (tcd.ie) [pdf]
- Firefox and Chromium (madaidans-insecurities.github.io)
- Goggles: Democracy dies in darkness, and so does the Web (brave.com) [pdf]
- How to find the most secure browsers (onlinesecurityworld.com)
- Mozilla's position on specific web standards (mozilla.github.io)
- The Security Architecture of the Chromium Browser (seclab.stanford.edu)
- Update on Brave’s Ongoing Direct Mail Marketing Campaign (reddit.com)
Why does Brave consume more RAM than Chrome
- Brave currently contains over 250k code changes compared to Chrome, which adds a lot more features such as ad-blocking, Rewards, Wallet integration and more. Brave is not just yet another Chromium fork; it adds a lot of unique features.
- You can reduce the overall memory footprint by disabling hardware acceleration and by not letting Brave run in the background. Both options are enabled by default. You find the options under brave://settings/system. Disabling Brave News also reduces the memory usage.
- The Brave Team as well as the Chrome team are constantly working on lowering the overall memory footprint, however while adding more and more features and dependencies this is a challenging task.
- On some systems Brave comes preinstalled with an extension called Plasma Integration, it is enabled by default. If you do not use the GTK+ theme + search for e.g. Kwin or KRunner you can disable or uninstall it.
Aggressive trolling because Brave uses the word ”Privacy”
Especially some Firefox people, or shall I say loyal fans, have been trolling (wikipedia.org) Brave Browser and their Developer Team since practically day one because of the marketing slogan - ”privacy browser”. This is harsh as well as biased because no Browser ever will be perfect in this regard. Privacy is not an on or off switch and needs continuous inspection, maintenance and changes to adapt and respond to new problems. Those smear campaigns often come from uneducated people that are not even developers themselves, such people tend to cherry pick some leaks or open issue tickets and claim the Browser is not as private as advertised to make the Browser look worse than others. This is a pointless effort because you find on every single Browser some open issue tickets, Tor Browser, Firefox, all of them always have some open issue tickets regarding privacy. This is not how FOSS works and this is no measurement instrument as "privacy index". The Brave Team puts a lot of time and research into privacy related problems, same like Firefox and the Tor Browser Project.
Another strategy is to spread fake forks to smear Brave (aur.archlinux.com), even after I reported it to Brave and the Arch Team via Tweet, such disrespectful forks continue to stay online. Not only is this defamation, it also exposes how biased people are against any competition.
Brave Browser is de facto privacy respecting and does by default more than any other Browser on the market, this is done by including a lot of ideas and privacy respecting changes directly into the Brave Browser. In every other Browser you need to work with extensions or configuration changes to come even remotely close to Brave Browser. I do not see how the troll argumentation holds that Brave fails regarding privacy, it is offering a solid ground with the arguably best default out-of-the-box configuration.
If your goal is to become nearly anonymous then use Tor Browser, the Brave Team clearly communicated this since day one on their website.
Story about Dissenter
A fake story with false background information, see Brave legally threatens Brave fork trying to remove adds (bitgrum.com).
In April 2019, Dissenter was removed from the Firefox Add-ons website and the Chrome Web Store for violating their policies, which led to the creation of the Dissenter web browser.
Source (discourse.mozilla.org)
Why it was actually removed:
- Alt-Right ‘parasites’ fork Brave Browser, replace BAT with BTC (micky.com.au)
- Dissenter (web browser) (everipedia.org)
- Gab Network and Dissenter (en.wikipedia.org)
- No one disputes the fact that Gab’s founder has the right to fork Brave. We just don’t think nazis add value to anything, including code bases (customerservant.com)
- What happened to Dissenter (reddit.com)
Using Brave's “Private Window with Tor” could get you fired
There are several stories that you can get fired if you use Tor. The problem is that there are industries where compliance requires all work-related communications to be logged and monitored.
This is a general problem and not related to Tor or Brave Browser, it is about what you agreed to in your employment contract. Make sure you check this before you attempt using Tor in general.
Story about Braver Fork
The story was mainly about a Trademark (trademarks.justia.com) violation and not about replacing ads, the Team never contacted Brave to ask for permission to begin with. Also, you need to go through some legal proceedings because GitHub does not take content offline without a court order or trademark confirmation.
Contradiction regarding Privacy Communities
Brave contradicts themselves with weird statements regarding supporting privacy related communities or not. This is neither positive nor negative, just weird.
"Brave doesn't want to be associated with privacy focused groups" (web.archive.org) while Peter Snyder (brave.com) is backing GPC (brave.com) along with DuckDuckGo (spreadprivacy.com), Mozilla (blog.mozilla.org), Disconnect (blog.disconnect.me), Abine (abine.com) and the EFF (eff.org).
Personal Note
I do not work for Brave nor do I get paid for writing any of this. The intention/motivation behind this guide is to harden Brave Browser for maximum performance, security, privacy and make it even more awesome than it already is.