Hardens Brave Browser to reach its maximum potential. I am not affiliated with Brave Software, Inc.; I do this in my free time and on my own terms.
CHEF-KOCH 9b68040a2c Initial bumper
Welcome back from the dead.
2023-02-13 14:59:23 +01:00

Additional about:flags changes by CHEF-KOCH (CKTN) to harden Brave Browser

Logo Banner - Credit: ledger.com

Project updates

I'll try to keep this hardening guidance updated as much as I can. The flag configuration changes and tips listed below are only tested on Windows, Linux and Android; I do not plan to test them on macOS/iOS!

Introduction

Hardening does not start with choosing the right tools or networks; hardening begins with gathering information to inform yourself and others, in order to stay up to date so that you can deal with current and upcoming threats. Tools, extensions and co. are just a workaround until someone builds the right system, which starts by voting for and supporting the right politicians and organisations. Statement CHEF-KOCH, 1997

The main purpose of this guidance is to inform people about possibilities to enhance Brave Browser without depending on other tools or the Brave Team. You also do not need to rely on other, quickly outdated guides on the Internet, and hopefully you even get a learning effect.

In case you have some questions, you can ask them directly on my official Matrix Server or use the issue ticket feature to open relevant tickets so that we can address new stuff.


Table of contents

[[TOC]]


Important notice: READ this before you start changing some random Browser flags!

Just because a flag promises X does not necessarily mean you should enable or change it; there are possible drawbacks!

  • Browser flags are in general beta features and can decrease performance or privacy, or even corrupt your entire browser profile; however, all flags mentioned here are carefully tested and reviewed before they are listed.
  • In case you report bugs in the official Brave Browser GitHub repository, make sure that you use a fresh browser profile, not an "optimized" one.
  • Some flags (changes) depend on server-side configuration and platform updates, which means that some security-related flags in particular only fully work when the server/domain actually supports them.
  • Some flags are OS and platform specific; on older Android, Linux or Windows builds or versions they are probably listed under Unavailable, in which case you of course cannot use that flag on your platform.
  • QUIC was disabled due to privacy and fingerprinting concerns. This concern is fixed in Brave based on Chromium 91.1.27.8 (nightly), and the original proposal was approved as RFC 9000. See here for a security overview. Remaining trackability is covered by Brave AdBlock.
  • Use KeePass (or a fork) instead of the internal password manager. I personally prefer not to work with browser-based password managers/integrations. For more information, read here.
  • Voice (Android) search input is disabled due to multiple privacy concerns.
  • The browser-based PDF viewer is not changed because I prefer Sumatra PDF (aka offline reading) due to multiple privacy/malware concerns.
  • Omnibox functionality is limited due to multiple privacy concerns. See here for more info.
  • Google's Safe Browsing and other security checks and connections are NOT wanted. The OS has its own protection mechanism (OS security model + hardening).
  • FLoC is disabled by default in Brave. Chrome users can use uBlock or change it manually via flags.
  • All credential checks are disabled since we do not store passwords within the Brave Browser; instead we use sophisticated tools like KeePass or, in general, other password managers of your choice.
  • Animations can be slower or entirely fail to load properly due to isolation flags, which means the Reward system might be affected and you may need several attempts to complete the Reward challenge in order to claim your BATs.

Unresolved issues with the biggest privacy/security impact

You can find an overview of all open, reported privacy-related issues directly on the issue tracker (github.com).

☑ indicates that the mentioned issue was fully resolved and ☒ that it will not be fixed because the behaviour is by design.

Additional Info:

Please keep in mind that just because there are open issue tickets, this does not mean the problem is actively abused in the real world. In many cases it is hard to find evidence that theoretical problems are used to directly compromise your security or privacy. Also, some of the mentioned issues might be very hard to fix because trying to work around them can result in unwanted side effects, such as browser crashes, website breakage etc.


Hardening is not a selling argument

The mass media and some privacy communities wrongly echo the claim that hardening and applying best practices represent security and privacy; this is an unproven claim. The reason it is unproven is that the vast majority does not use hardened profiles on a daily basis, and there are cases showing that even hardened setups can be compromised; it is a matter of effort. In other words, there is no proof that this is enough: what it does is potentially reduce the attack surface, but that is all. It does not mean you are untouchable or cannot be exploited. Even if you manage to harden everything you still need to take the human factor into consideration; social engineering works really well and can bypass every firewall and every OS or browser hardening in a matter of time. The browser acts like a gateway; it is not meant to be a firewall that monitors every data packet that goes through.

I am entirely against selling privacy and security as a product, and the project goal here is not to fool people into thinking that hardening is something that is either one or zero. The factors for privacy and security are not products you install or scripts or tools you use. It is a relationship between developers and the community to deal with existing as well as new threats. Giving up control by depending on another unknown third party who promises you xyz is not what I like to represent here. The overall goal is to show the mentioned issues in order to warn users that there are potential risks involved which you can address on a theoretical level; they should be shown in order to fix such problems, not to make profit out of them.

Claiming that hardening makes you more secure because 0.1% of all users are doing or using it is working with statistics. Statistics are often flawed because, depending on the data, point of view and experience, they can vary a lot. Assuming everything one day gets fixed, hackers will still try to bypass everything, break it or invent new techniques. This is a cat and mouse game without a winner, because the web evolves, as does the browser itself, and hardening will always be a part of adapting to those changes by working around potential issues.

I am not a fan of mass advertising that hardening or applying best practices is enough. What makes more sense is to make people aware of problems, provide some workarounds until they are fixed, and then test whether the workaround actually works as intended, because even workarounds and fixes can cause additional problems or even new holes.


Energy consumption is not a big priority

As much as I would love to give this point bigger consideration, I need to clearly say that I cannot do many tests regarding energy consumption in general, and especially not with individual flags and then independent tests across multiple OS and browser builds. This would require me to work and research this subject full-time.

There are lots of variables which can and will influence the energy aspect, and this is a huge topic which I am not willing to take on on my own.

The only big focus regarding overall energy consumption is when a flag dramatically decreases battery life or puts extra pressure on the CPU and/or GPU that is directly debuggable through internal tools.


Enforced settings as new defaults

We change the mentioned default settings to improve the default behaviour in order to reduce possible risks. You can manually unlock the things you need, which seems like more work, but it is worth it, and you only have to do this once per domain. This basically acts like a firewall for specific things, which are then disabled by default and need to be manually unlocked first (see the last screenshot to understand what I mean).

Shield Defaults Settings Hardened

Shield Defaults

Normally we do not need to enable the "Always use HTTPS" option, because under Security we enable and enforce connecting to HTTPS first; however, in some cases the option to always connect to HTTPS is hidden unless you enable it.

Secure Connections

Example Page

Permission Defaults

Shield Defaults

On mobile we can theoretically do the same, but there are some downsides. As you can see on the last screenshot, if your screen resolution is below x or you are on a smartphone with limited screen size, you cannot see all options, which makes it impossible for you to change or reveal some settings or information. Brave, like Chrome, is aware that this modal dialogue is currently not optimal. That said, for now I only suggest doing this on Desktop; on Mobile, only enforce the stronger Shield defaults (see the first screenshot).

Brave will not sync those newly set permission defaults. You need to back up your profile manually; this is still the best way to deal with profile corruption or in case you want to copy your settings to another profile or PC. Permission sync is a planned feature.

Why enforce some settings that depend on your global Shields settings

We enforce some settings as defaults for various reasons; however, some flags and features depend on your global Brave Shields setting. For example, by default Unlinkable Bouncing is only enabled when you set your global Shields setting to aggressive. We override this behaviour so that, in case of website breakage, you can temporarily lower the Shields setting for a specific website without losing that protection mechanism.

In a nutshell


The impact is normally negligible because we often disable controversial APIs or features that were designed by Google. Some other flags are not fingerprintable under normal circumstances because API design evolves, and developers are more aware of and advocate privacy and security much more than 20 years ago.

Changing flags can make you stand out more, but the tested flags are carefully chosen so that the difference is not dramatically noticeable, except that some fingerprinting test pages might not return an accurate result. You should not rely only on such pages to measure how private your Brave Browser is; they give you a small indication, but that is all, because unknown fingerprinting mechanisms might exist that are not covered in such tests or even in the wild.

Brave on its own already does a good job, but we want to take it a step further and enhance specific behaviours; where possible, this guide explains, links or references the relevant material.

Utilizing Brave Ad Block, the right-way

The overall number of trackers is limited. This means that the majority of websites use Google's tracking system, among some others. Most popular and even unpopular websites trust the big tracking players, which means it makes no sense to load filter lists with 2 trillion entries when 80 percent of the world uses the same tracking system. You can skip this section if you already block ads via a DNS blocker system-wide in your network with AdGuard Home or Pi-hole and continue with the manual filter lists we could use, depending on your needs.

Finding some lists is pretty easy; you can manually search for them or use aggregators that list filter lists.

The following filters are already used and enabled by default.

  • Block Origin Filters
  • Brave Android-Specific Rules
  • Brave Social
  • Brave Social Unbreak
  • Brave Specific
  • Brave Unbreak
  • EasyList
  • EasyPrivacy
  • Peter Lowe's Ad and tracking server list
  • SugarCoat Rules
  • URLhaus Malicious URL Blocklist
  • uBlock Origin 2020 Filters
  • uBlock Origin 2021 Filters
  • uBlock Origin filters - Badware risks
  • uBlock Origin filters - Unbreak
  • uBlock Origin filters Privacy
  • uBlock Origin filters Resource abuse

General rules

  • By default, without selecting, enabling or subscribing to third-party lists, Brave already blocks some stuff; if you are comfortable enough with this, you can stop reading this section.
  • Less is more; everything counts, because everything that needs to be loaded ends up in your RAM or consumes more CPU cycles, which can end up eating more energy and battery. Good quality filter lists shouldn't have a perceptible effect on browsing performance. The first worry with too many filter lists is undue website breakage.
  • Just because filter list X has more entries does not mean it is more efficient.
  • Only use lists which are regularly updated and well maintained.

The following steps are the same on Desktop and Mobile, so I do not mention the platforms explicitly.

Go to brave://settings/shields/filters (just type it into the URL bar) and it will display the ad-block interface with some options. By default nothing is selected, and you have to choose which filters you want to enable or even add manually. Custom filters are updated every 7 days, which might change in the future. Syncing filter lists and your custom rules is possible: the flag is #brave-cosmetic-filtering-sync-load; it will be removed in the future and integrated directly, enabled by default, once it is reliable enough.

Shields AdBlock.

Additional lists you can enable from the integrated Brave Ad Block page

  • YousList: blocks various cosmetic stuff (annoyances) in addition to the annoyance lists mentioned above. If you think this list is not enough, use Dandelion Sprout's Annoying Banners and Overlays List instead.
  • ONE single language-based list for your own country.

Now we can improve specific things, i.e. manually subscribe to additional lists, but which ones make the most sense? The answer is easy: we want to get rid of additional extensions, and hopefully we can achieve that by using an additional list that supports the things we need, such as anti-coinmining, URL shorteners etc.

Optional filter-lists you could add

Additional filter lists can be useful, for example to get rid of the ClearURLs extension, or, in case we already block DNS-based ads on our entire network, to use a list that only blocks cosmetic stuff. It should be noted that uBlock as well as Brave Ad Block only remove query parameters from the original URL; they cannot rewrite parts of the original path of a clicked URL.

  • AdGuard DNS filter - https://filters.adtidy.org/windows/filters/15.txt
  • Actually Legitimate URL Shortener Tool - https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt
  • First-party trackers host list - https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt - You do not need it if you use DNS-based network blocking.
  • EU_US+most_used_ad_and_tracking_networks - https://raw.githubusercontent.com/Kees1958/W3C_annual_most_used_survey_blocklist/master/EU_US%2Bmost_used_ad_and_tracking_networks
  • Social media filters; this is totally up to you.
  • You do not need any anti-coinminer list; it is normally covered by the language-based list you choose. Adding another one makes no sense because by default we block, or optionally restrict, JavaScript anyway via an extension.
  • Block outside intruders breaking into LAN - https://github.com/gwarser/filter-lists/blob/master/lan-block.txt - This list will become irrelevant at some point because Brave will block all LAN requests by default starting with Chromium v101+. JS-Restrictor can do exactly the same; the benefit of the JS-Restrictor extension solution is that it is enabled by default and you can create exceptions for a domain with only two clicks.

This is all; you do not need 10+ lists. Well-maintained lists are worth much more than huge lists that die within the first 6-12 months.
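To make the query-parameter behaviour described above concrete, here is an added example (my own code, not part of this guide and not Brave's or uBlock Origin's ad-block engine): a minimal applier for adblock-style `$removeparam` rules. It handles only a small subset of the real syntax (a generic parameter name, a generic `/regex/`, and `||host^`-scoped rules), the sample list and URLs are constructed, and it shows that the path of the clicked URL is left untouched, so such lists can strip tracking parameters but cannot resolve a redirect path.

```javascript
// Added example: tiny applier for adblock-style $removeparam rules.
// Supported subset (anything else in a line is ignored):
//   $removeparam=name          generic, applies to every URL
//   $removeparam=/regex/       generic, parameter name matched by regex
//   ||host^$removeparam=name   only for that host and its subdomains

function parseRemoveParamRules(listText) {
  const rules = [];
  for (const raw of listText.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('!')) continue; // blank line or comment
    const idx = line.indexOf('$removeparam=');
    if (idx === -1) continue; // not a removeparam rule
    // Take the option value up to the next option separator (regexes with commas are not handled).
    const value = line.slice(idx + '$removeparam='.length).split(',')[0];
    const prefix = line.slice(0, idx);
    // ||example.com^ scopes the rule to that host and its subdomains; no prefix means generic.
    const host = prefix.startsWith('||') ? prefix.slice(2).replace(/\^$/, '').toLowerCase() : null;
    let matcher;
    if (value.length > 2 && value.startsWith('/') && value.endsWith('/')) {
      const re = new RegExp(value.slice(1, -1));
      matcher = (name) => re.test(name);
    } else {
      matcher = (name) => name === value;
    }
    rules.push({ host, matcher, source: line });
  }
  return rules;
}

function hostMatches(ruleHost, urlHost) {
  if (ruleHost === null) return true;
  return urlHost === ruleHost || urlHost.endsWith('.' + ruleHost);
}

// Returns the cleaned URL and the names of the parameters that were removed.
// Only the query string is touched; scheme, host and path are passed through unchanged.
function applyRemoveParam(rules, urlString) {
  const url = new URL(urlString);
  const removed = [];
  for (const name of new Set(url.searchParams.keys())) {
    const hit = rules.some((r) => hostMatches(r.host, url.hostname) && r.matcher(name));
    if (hit) {
      url.searchParams.delete(name); // removes every occurrence of that name
      removed.push(name);
    }
  }
  // Normalise "?" away when nothing is left (older URL implementations keep a dangling "?").
  if (url.searchParams.toString() === '') url.search = '';
  return { url: url.toString(), removed };
}

// Constructed sample list, loosely modelled on URL-shortener style lists.
const SAMPLE_LIST = `
! constructed sample rules
$removeparam=utm_source
$removeparam=utm_medium
$removeparam=/^utm_/
||example.com^$removeparam=ref
`;

const RULES = parseRemoveParamRules(SAMPLE_LIST);
// The redirect path /r/abc123 survives; only utm_* and the scoped "ref" are stripped.
console.log(applyRemoveParam(RULES, 'https://news.example.com/r/abc123?utm_source=x&utm_campaign=y&ref=tw&id=7'));
// "ref" stays here because the rule is scoped to example.com.
console.log(applyRemoveParam(RULES, 'https://other.org/?ref=tw&utm_source=x'));
```

The `host` scoping uses suffix matching on the hostname, which is why `news.example.com` is covered by a `||example.com^` rule while `other.org` is not; a real engine also evaluates the many other filter options on the same line, which this subset deliberately skips.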


Why fingerprinting matters less than you think

Fingerprinting per se is not intrinsically a problem; it only becomes a problem when it makes it possible to render you traceable, particularly across sessions. The main point is to become less traceable, or traceable only with adjustable levels of difficulty, whatever your "fingerprintability" could be.

There are two ways to try to reach this goal:

  • The static way
  • The dynamic way

In the static (often called low entropy) way, you try to display the same fingerprint as many other people. In that sense, being seen as unique is bad. The best way to achieve this "low entropy" goal is to use the Tor Browser on the Tor network. No Brave hardening, no Firefox hardening with thousands of configuration changes, simply the pure Tor Browser, because it provides much more than configuration changes, and the best part is that each and every user presents the exact same fingerprint.

In the dynamic (or high entropy) way, you try to become "someone else" for each browser session, i.e. for each browsing session you (ideally) try to change all of your browser's displayed characteristics. In this case, being seen as unique is not a problem. On the contrary, it is something desirable: if a test site manages to correlate you across sessions, and so manages to see you as not unique, it simply means that your attempts to become "someone else" for each session have miserably failed and that you are traceable across sessions (at least by this particular test site, and by any other site using the same tracking techniques). This is the path that e.g. the Brave developers are trying to take, and it is also what you do if you harden other browsers like Firefox, Edge etc.

In the real world there is a limited number of possibilities to fingerprint users, which means most of it heavily relies on JavaScript, CSS and so on. Developing countermeasures for this is possible, but since we disable JavaScript by default, which already lowers attacks by around 98%, the rest are some small tricks that abuse some weaknesses which are more or less easily fixable. There might be some small stuff which cannot be fixed, but that never leads to leaks that can identify you, your browsing habits or connect other dots.

The most important stuff is listed above and is on the to-do list regarding fingerprinting. None of the open issues are enough to truly expose you, even if someone gets all of the remaining entropy that is currently not covered by Brave's Shields. Most people just use the fingerprinting argument to bypass restrictions.
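The two strategies above can be made measurable. The following is an added example (my own code, not from this guide or from Brave) that models a fingerprint as a plain attribute-to-value object and computes, over a constructed population, the anonymity set size and Shannon entropy the static strategy cares about, and the cross-session linkability the dynamic strategy cares about; the attribute names, values and sessions are invented for illustration.

```javascript
// Added example: what "low entropy" and "unlinkable across sessions" mean in numbers.
// A fingerprint is a plain object attribute -> value; in a real browser the values
// would come from navigator.*, screen.*, canvas hashes and similar.

function fingerprintKey(fp) {
  // Canonical string so equal attribute sets compare equal regardless of key order.
  return Object.keys(fp).sort().map((k) => `${k}=${fp[k]}`).join('|');
}

// Anonymity set size for each distinct fingerprint in a population (key -> count).
function anonymitySets(population) {
  const counts = new Map();
  for (const fp of population) {
    const k = fingerprintKey(fp);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Shannon entropy in bits of the fingerprint distribution.
// log2(N) means every browser is unique; 0 means everyone looks identical (the Tor Browser ideal).
function fingerprintEntropyBits(population) {
  const n = population.length;
  let h = 0;
  for (const c of anonymitySets(population).values()) {
    const p = c / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Surprisal of one fingerprint in bits: how much a site learns from seeing it.
function surprisalBits(population, fp) {
  const c = anonymitySets(population).get(fingerprintKey(fp)) || 0;
  if (c === 0) return Infinity;
  return Math.log2(population.length / c);
}

// Dynamic-strategy check: which users could a site link across sessions
// purely because two of their sessions showed the same fingerprint?
function linkableUsers(sessionsByUser) {
  const linked = [];
  for (const [user, sessions] of Object.entries(sessionsByUser)) {
    const distinct = new Set(sessions.map(fingerprintKey));
    if (sessions.length > 1 && distinct.size < sessions.length) linked.push(user);
  }
  return linked;
}

// Constructed population for the static strategy: three browsers share one
// fingerprint, one stands out through its timezone.
const SHARED = { ua: 'reduced', screen: '1920x1080', tz: 'UTC', fonts: 'default' };
const STATIC_POPULATION = [
  { ...SHARED },
  { ...SHARED },
  { ...SHARED },
  { ...SHARED, tz: 'Europe/Berlin' },
];

// Constructed sessions for the dynamic strategy: "alice" gets a fresh canvas
// value every session, "bob" keeps the same one and is therefore linkable.
const SESSIONS = {
  alice: [{ ...SHARED, canvas: 'a1f3' }, { ...SHARED, canvas: '9c0e' }],
  bob: [{ ...SHARED, canvas: '7b7b' }, { ...SHARED, canvas: '7b7b' }],
};

console.log('entropy (bits):', fingerprintEntropyBits(STATIC_POPULATION).toFixed(3));
console.log('surprisal of the shared fingerprint:', surprisalBits(STATIC_POPULATION, SHARED).toFixed(3));
console.log('surprisal of the odd one out:', surprisalBits(STATIC_POPULATION, { ...SHARED, tz: 'Europe/Berlin' }));
console.log('linkable across sessions:', linkableUsers(SESSIONS));
```

Note that alice's two sessions are each unique in the population (high surprisal), which is exactly the point of the dynamic way: uniqueness per session is fine as long as `linkableUsers` does not list her, whereas bob is linked without any further tracking technique.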


Do not use portable Browsers

Using portable browsers has lots of security and privacy implications.

  • In most cases the official browser developer(s) do not provide any official portable build; because of that, people tend to use unofficial portable browser repacks. More often than not those repacks are done by fans and not experts, and they can possibly contain tracking ads, Trojans, IP grabbers etc.
  • There is no verification: since you use unofficial repacked browser versions, you cannot verify anything yourself. Even if you use a repack that is open source, you cannot verify it, because the installer or the browser itself might be signed with signatures that do not match the ones from the original manufacturer.
  • No support: unofficial repacked versions might not be approved nor directly supported by the official site. This means they can be outdated after a short while, you may already download an outdated version, or the integrated update mechanism will fail because the updater depends on a service that checks for and delivers the actual update. The Epic, MS etc. stores will also not update any portable versions.
  • Running your browser and profile on an unprotected drive that everyone can freely access is a privacy and security nightmare. There exist tools to quickly read out your cookies, passwords and more; usually those tools need admin rights to access protected folders, but if the profile folder is unprotected the database or the entire profile can be read out or stolen even without admin rights. The internal protection of the password database is weak and easy to crack in seconds, and the browser typically has neither a master password for the database nor a browser startup password check.
  • You can work around some of the mentioned problems with a RAM drive or a third-party sandbox, but the underlying issue is that it is, by default, easier overall for an attacker to extract, infect or compromise your browser profile. Keep in mind that sandboxing through external third-party apps can also be critical, because the sandbox tool can be vulnerable or cause the browser to crash, since the browser typically updates much more frequently than the sandbox tool can keep up with. Another problem is that such workarounds might also require that such software is installed on the host, which needs admin rights. I am not aware of a sandbox solution that protects at low level without admin rights, because this is what the OS requires to access the inner rings.

How Brave Browser handles Cookies

Brave Browser is very well documented. Besides the source code and the wiki entries we have several good articles for beginners on how Brave actually handles the Cookie part.

🔝 Back to top 🔝


Desktop Flags

The official Brave release schedule can be found over here, the archive is here.

  • There is currently no plan to release a Brave Browser version for Smart TVs, which means there is nothing to change or optimize on such platforms.
  • The enabled / disabled flag recommendations below mean that, if you want to harden Brave Browser further, you should follow the advice and change the default flag state.

Desktop Security

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #block-insecure-private-network-requests | Block insecure private network requests | ✔️ | unknown |
| #brave-domain-block | Enable domain blocking | ✔️ | unknown |
| #brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | unknown |
| #clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
| #disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | unknown |
| #enable-isolated-sandboxed-iframes | Isolated sandboxed iframes | ✔️ | unknown |
| #enable-webview-tag-site-isolation | Site isolation for `<webview>` tags | ✔️ | Default, which is disabled. Added in 1.44.8/104.0.5112.69. |
| #origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
| #strict-origin-isolation | Strict-Origin-Isolation | | unknown |
| #sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery | | unknown |
| #u2f-security-key-api | Enable the U2F Security Key API | | unknown |
| #web-sql-access | Allows access to WebSQL APIs | | 103.x / 1.40.x |
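The first flag in the table above, #block-insecure-private-network-requests, rests on the address-space classification from Chromium's Private Network Access work. The following is an added example (my own code, not from this guide, Brave or Chromium) that models that classification and the flag's decision rule for IPv4 literals only; the IPv6 ranges are omitted, the `decide` helper and the constructed requests are my own, and the CORS preflight that current Chromium additionally requires for secure contexts is not modelled.

```javascript
// Added example: address-space classification behind "block insecure private network requests".
// IPv4 only (IPv6 ranges omitted as a simplification); hostnames that are not
// IP literals cannot be classified without a resolver and are reported as such.

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(n, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

const LOOPBACK = [['127.0.0.0', 8]];
const PRIVATE = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], ['169.254.0.0', 16]];

// 'loopback' | 'private' | 'public', or null when the host is not an IPv4 literal.
function addressSpace(host) {
  if (host === 'localhost' || host.endsWith('.localhost')) return 'loopback';
  const n = ipv4ToInt(host);
  if (n === null) return null;
  if (LOOPBACK.some(([base, bits]) => inCidr(n, base, bits))) return 'loopback';
  if (PRIVATE.some(([base, bits]) => inCidr(n, base, bits))) return 'private';
  return 'public';
}

const RANK = { public: 0, private: 1, loopback: 2 }; // higher = less public

// A "private network request" is one whose target is less public than the page making it,
// e.g. a public web page fetching from 192.168.x.x or from 127.0.0.1.
function isPrivateNetworkRequest(initiatorSpace, targetSpace) {
  return RANK[targetSpace] > RANK[initiatorSpace];
}

// The flag's rule: a private network request from a non-secure context (plain http page)
// is blocked outright. Secure contexts pass here; real Chromium additionally demands a
// CORS preflight from the target, which this model leaves out.
function decide(initiator, targetHost) {
  const target = addressSpace(targetHost);
  if (target === null) return 'unresolved';
  if (!isPrivateNetworkRequest(initiator.space, target)) return 'allow';
  return initiator.secureContext ? 'allow' : 'block';
}

// Constructed requests: [initiator, target host].
const REQUESTS = [
  [{ page: 'http://news.example', space: 'public', secureContext: false }, '192.168.1.1'],
  [{ page: 'https://news.example', space: 'public', secureContext: true }, '192.168.1.1'],
  [{ page: 'http://10.0.0.2', space: 'private', secureContext: false }, '192.168.1.1'],
  [{ page: 'http://10.0.0.2', space: 'private', secureContext: false }, '127.0.0.1'],
  [{ page: 'http://localhost', space: 'loopback', secureContext: false }, '8.8.8.8'],
];

for (const [initiator, target] of REQUESTS) {
  console.log(`${initiator.page} -> ${target} (${addressSpace(target)}): ${decide(initiator, target)}`);
}
```

Reading the decisions: a plain-http public page reaching into the LAN or loopback is what the flag stops, a LAN page talking to another LAN host is not a private network request at all, and traffic from a less public space towards the public Internet is never affected.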

🔝 Back to top 🔝

Desktop Privacy

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #autofill-enable-sending-bcn-in-get-upload-details | Enable sending billing customer number in GetUploadDetails | | Enabled if preflights are enabled. |
| #autofill-fill-merchant-promo-code-fields | Enable Autofill of promo code fields in forms | | unknown |
| #autofill-parse-merchant-promo-code-fields | Parse promo code fields in forms | | unknown |
| #brave-adblock-cosmetic-filtering-child-frames | Apply cosmetic filtering to frames other than the main frame of a page | ✔️ We enforce it for all Shield modes; otherwise it is only activated in aggressive mode. | 103.1.42.74 |
| #brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | ✔️ We enforce it for all Shield modes; otherwise it is only activated in aggressive mode. | unknown |
| #brave-debounce | Enable debouncing (94.x+) | ✔️ we enforce it | unknown |
| #brave-domain-block-1pes | Enable domain blocking using First Party Ephemeral Storage | ✔️ | unknown |
| #brave-extension-network-blocking | Enable extension network blocking | ✔️ (91+) | unknown |
| #device-posture | Device Posture API | | unknown |
| #disable-process-reuse | Disable subframe process reuse | ✔️ | unknown |
| #edit-context | EditContext API (100.0+) | | unknown |
| #enable-accessibility-live-caption | Live Caption (90.x+) | ⚠️ borked | unknown |
| #enable-autofill-credit-card-authentication | Allow using platform authenticators to retrieve server cards (87.x+) | | unknown |
| #enable-fenced-frames | Enable the `<fencedframe>` element | ✔️ with ShadowDOM | unknown |
| #enable-generic-sensor-extra-classes | Generic Sensor Extra Classes | | unknown |
| #enable-quic | Experimental QUIC protocol | ✔️ Needed for HTTP3/DoQ, now known as RFC 9000 | unknown |
| #enable-webusb-device-detection | Automatic detection of WebUSB-compatible devices | we already disable WebUSB, but the detection still sends a beacon | unknown |
| #extensions-menu-access-control | Extensions Menu Access Control | ✔️ | unknown |
| #font-access | Font Access APIs | | unknown |
| #omnibox-dynamic-max-autocomplete | Omnibox Dynamic Max Autocomplete | (causes lags if enabled / 5+) | unknown |
| #omnibox-rich-autocompletion-promisin | Omnibox Rich Autocompletion Promising | | unknown |
| #partitioned-cookies | Partitioned Cookies | ✔️ | unknown |
| #reduce-user-agent | Reduce User-Agent request header | ✔️ | unknown |
| #reduce-user-agent-minor-version | Reduce the minor version in the User-Agent string | ✔️ | unknown |
| #system-keyboard-lock | Experimental system keyboard lock (89.x+) | | unknown |
| #webxr-incubations | WebXR Incubations (92.0+) | | unknown |

🔝 Back to top 🔝

Desktop Performance

Benchmarks against Edge and Firefox are pretty much useless. There are multiple reasons why, please see below:

  • Synthetic benchmarks might not reflect real-world performance because a normal website is not a benchmark suite; other factors affect individual and subjective browser performance here.
  • Brave's blocking and privacy protections require a fixed amount of additional work per page and frame. This means that Brave will do worse in synthetic benchmarks than other browsers (since Brave's privacy protections won't be useful in benchmark tests), but will do better on real-world sites.
  • Firefox and Edge do not have any integrated ad-blocker; they use safe browsing, which is also included in all Chromium-based browsers and enabled by default.
  • Firefox and Edge do not include any crypto wallets.
  • Brave reduces the page load performance cost of its ad-blocker.
  • Benchmarks are often outdated pretty fast. At best they are a snapshot of the current state, but every browser evolves, fixes stuff etc.

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #brave-federated | Enables local data collection for notification ad timing (brave-federated) | | 1.43.50/104.1.43.50 Beta (default, which is enabled) |
| #back-forward-cache | Back and forward Cache | | unknown |
| #brave-adblock-cookie-list-default | Treat 'Easylist-Cookie List' as a default list source | ✔️ | unknown |
| #brave-rewards-verbose-logging | Enable Brave Rewards verbose logging | enabled by default since 1.25.68+ | unknown |
| #brave-rewards-webui-panel | Use WebUI Rewards Panel | ✔️ | 1.43.53/104.0.5112.69 |
| #durable-client-hints-cache | Persistent client hints | | unknown |
| #enable-parallel-downloading | Parallel downloading | ✔️ | unknown |
| #enable-prerender2 | Prerender2 | ✔️ (90.x+) | unknown |
| #enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes | Throttle non-visible cross-origin iframes | ✔️ | unknown |
| #enable-vulkan | Use Vulkan as the graphics backend. | ✔️ On Linux either Vulkan or raw draw; if you enable both it will prefer raw draw to avoid compatibility issues. | unknown |
| #restrict-websockets-pool | Restrict WebSockets pool | ✔️ (97.x+) | unknown |
| #subframe-shutdown-delay | Add delay to subframe renderer process shutdown | | unknown |

🔝 Back to top 🔝

Desktop Functionality / Usability

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (this will become obsolete and enabled by default once fully stable and merged into Shields directly) | unknown |
| #brave-cosmetic-filtering-sync-load | Enable sync loading of cosmetic filter rules | ✔️ | unknown |
| #chrome-whats-new-ui | Show Chrome What's New page at brave://whats-new (93.x+) | | unknown |
| #enable-force-dark | Force Dark Mode for Web Contents | ✔️ increases text contrast | unknown |
| #enable-jxl | Enable JXL image format | ✔️ (Chrome 91.1.x+) | unknown |
| #extensions-menu-access-control | Extensions Menu Access Control | we enforce it to enabled | disabled |
| #extension-workflow-justification | Extension request justification (93.x+) | ✔️ | unknown |
| #force-color-profile | Force color profile | ✔️ scRGB or HDR (if your monitor supports HDR, enable the HDR option) | unknown |
| #forced-colors | Forced Colors | ✔️ | unknown |
| #history-journeys-omnibox-action | History Journeys Omnibox Action | ✔️ (Chrome 97+) | unknown |
| #history-journeys | History Journeys | ✔️ (Chrome 98+) | unknown |
| #page-info-history-desktop | Page info history | ✔️ (Chrome 97+) | unknown |
| #quick-commands | Quick Commands | ✔️ | Default (Disabled) |
| #scrollable-tabstrip | Tab Scrolling | ✔️ (tabs shrink to a medium width) | unknown |

🔝 Back to top 🔝

Desktop Scrolling

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #smooth-scrolling | Smooth Scrolling | ✔️ | unknown |

🔝 Back to top 🔝

Desktop PWA

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #enable-desktop-pwas-launch-handler | Desktop PWA launch handler | ✔️ | disabled |
| #enable-desktop-pwas-sub-apps | Desktop PWA Sub Apps | ✔️ | disabled |
| #enable-desktop-pwas-tab-strip-settings | Desktop PWA tab strip settings | ✔️ | disabled |
| #enable-desktop-pwas-web-bundles | Desktop PWAs Web Bundles | ✔️ | disabled |
| #enable-desktop-pwas-window-controls-overlay | Desktop PWA Window Controls Overlay | ✔️ | disabled |

🔝 Back to top 🔝

Desktop Brave Reader Mode / Speedreader

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #enable-reader-mode | Enable Reader Mode | ✔️ Enabled, available in settings (we enforce it, optional) | disabled |

🔝 Back to top 🔝


Android (mobile) Flags

Mobile Security

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #block-insecure-private-network-requests | Block insecure private network requests | ✔️ | disabled |
| #brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | depends on Shields setting |
| #clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
| #disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | disabled |
| #enable-site-isolation-for-password-sites | Enable site isolation for password sites | ✔️ | disabled |
| #enable-site-per-process | Part of site isolation | ✔️ | disabled |
| #origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
| #strict-origin-isolation | Strict-Origin-Isolation | | unknown |
| #sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery | | unknown |
| #web-sql-access | Allows access to WebSQL APIs | | 103.x / 1.40.x |

🔝 Back to top 🔝

Mobile Privacy

| Flag | Name | Enabled (✔️) / Disabled, comment | Default flag state |
|---|---|---|---|
| #autofill-enable-sending-bcn-in-get-upload-details | Enable sending billing customer number in GetUploadDetails | | Enabled if preflights are enabled. |
| #autofill-fill-merchant-promo-code-fields | Enable Autofill of promo code fields in forms | | unknown |
| #autofill-parse-merchant-promo-code-fields | Parse promo code fields in forms | | unknown |
| #brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | ✔️ We enforce it for all Shield modes; otherwise it is only activated in aggressive mode. | unknown |
| #brave-adblock-cosmetic-filtering-child-frames | Apply cosmetic filtering to frames other than the main frame of a page | ✔️ We enforce it for all Shield modes; otherwise it is only activated in aggressive mode. | 103.1.42.74 |
| #brave-debounce | Enable debouncing (94.x+) | ✔️ | unknown |
| #brave-domain-block-1pes | Enable domain blocking using First Party Ephemeral Storage | ✔️ | unknown |
| #continuous-search | Continuous Search | | unknown |
| #device-posture | Device Posture API | | unknown |
| #edit-context | EditContext API (100.0+) | | unknown |
| #enable-autofill-credit-card-authentication | Allow using platform authenticators to retrieve server cards (87.x+) | | unknown |
| #enable-commerce-price-tracking | Price Tracking | Connections to Google and partners + market influence and manipulation. It is better and more privacy-friendly to trust independent retailers and price crawlers such as Geizhals, Mindfactory etc. | unknown |
| #enable-fenced-frames | Enable the `<fencedframe>` element | ✔️ with ShadowDOM; on Android versions prior to 9 set this to Enabled, otherwise you might get browser crashes. | unknown |
| #enable-generic-sensor-extra-classes | Generic Sensor Extra Classes | | unknown |
| #enable-payment-request-basic-card | PaymentRequest API 'basic-card' method | | unknown |
| #enable-quic | Enable QUIC Protocol | ✔️ (Brave filters controversial APIs) | unknown |
| #feed-stamp | Enable StAMP cards in the Feed | Default; depends on whether you use Feeds or not. | |
| #font-access | Font Access APIs | | unknown |
| #force-major-version-to-100 | Force major version to 100 in User-Agent | | unknown |
| #incognito-screenshot | Allow Incognito Screenshots | | unknown |
| #large-favicon-from-google | Large favicons from Google | | unknown |
| #omnibox-assistant-voice-search | Omnibox Voice Search Assistant | | unknown |
| #partitioned-cookies | Partitioned Cookies | ✔️ | unknown |
| #reduce-user-agent | Reduce User-Agent request header | ✔️ | unknown |
| #reduce-user-agent-minor-version | Reduce the minor version in the User-Agent string | ✔️ | unknown |
| #related-searches-in-bar | Enables showing Related Searches in the peeking bar. | disabled to avoid search engine ping-backs | unknown |
| #wallet-service-use-sandbox | Wallet Services uses Google's Sandbox | Connects to some Google endpoints. | unknown |
| #webxr-incubations | WebXR Incubations (92.0+) | | unknown |

🔝 Back to top 🔝

Mobile PWA

| Flag | Name | Enabled (✔️) / Disabled (❌) | Comment | Default flag state |
| --- | --- | --- | --- | --- |
| `#messages-for-android-pwa-install` | PWA Installation Messages UI | ✔️ | | Default |
| `#pwa-update-dialog-for-name-and-icon` | Enable PWA install update dialog for name/icon changes | ✔️ | | Default |

🔝 Back to top 🔝

Mobile Performance

| Flag | Name | Enabled (✔️) / Disabled (❌) | Comment | Default flag state |
| --- | --- | --- | --- | --- |
| `#back-forward-cache` | Back and forward Cache | ❌ | | unknown |
| `#brave-adblock-cookie-list-default` | Treat 'Easylist-Cookie List' as a default list source | ✔️ | | unknown |
| `#canvas-oop-rasterization` | Out-of-process 2D canvas rasterization. | ✔️ | Enable it on Android 10+ | unknown |
| `#chrome-share-long-screenshot` | N/A | ❌ | | unknown |
| `#contextual-search-debug` | Contextual Search Debug | ❌ | | unknown |
| `#contextual-search-longpress-resolve` | N/A | ❌ | | unknown |
| `#contextual-search-translation` | N/A | ❌ | | unknown |
| `#durable-client-hints-cache` | Persistent client hints | ❌ | | unknown |
| `#enable-drdc` | Enables Display Compositor to use a new GPU thread. | ✔️ | Enable it on Android 10+ | unknown |
| `#enable-gpu-rasterization` | GPU rasterization | ✔️ | Enable it on Android 10+ | unknown |
| `#enable-instant-start` | Instant start | ✔️ | | unknown |
| `#enable-parallel-downloading` | Parallel downloading | ✔️ | | unknown |
| `#enable-prerender2` | Prerender2 | ✔️ | (90.x+) | unknown |
| `#enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes` | Throttle non-visible cross-origin iframes | ✔️ | | unknown |
| `#restrict-websockets-pool` | Restrict WebSockets pool | ✔️ | (97.x+) | unknown |
| `#smooth-scrolling` | Smooth Scrolling | ✔️ | | unknown |
| `#throttle-foreground-timers` | Throttle Foreground Timers to 30 Hz | ✔️ | | unknown |

🔝 Back to top 🔝

Mobile Functionality / Usability

| Flag | Name | Enabled (✔️) / Disabled (❌) | Comment | Default flag state |
| --- | --- | --- | --- | --- |
| `#android-picture-in-picture-api` | Picture in Picture Web API for Android | ✔️ | | unknown |
| `#brave-adblock-cname-uncloaking` | Enable CNAME uncloaking | ✔️ | 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into Shields directly) | unknown |
| `#brave-adblock-redirect-url` | Enable support for $redirect-url filter option for adblock rules | ✔️ | | unknown |
| `#brave-cosmetic-filtering-sync-load` | Enable sync loading of cosmetic filter rules | ✔️ | | unknown |
| `#context-menu-google-lens-chip` | Google Lens powered image search surfaced as a chip below the context menu. | ❌ | | unknown |
| `#context-menu-search-with-google-lens` | Google Lens powered image search in the context menu. | ❌ | | unknown |
| `#context-menu-shop-with-google-lens` | Google Lens powered image search for shoppable images in the context menu. | ❌ | | unknown |
| `#context-menu-translate-with-google-lens` | Google Lens powered image search for translatable images surfaced as a chip under the context menu. | ❌ | | unknown |
| `#continuous-search` | Continuous Search | ✔️ | | unknown |
| `#darken-websites-checkbox-in-themes-setting` | Darken Websites checkbox in Theme settings | ✔️ | | unknown |
| `#enable-force-dark` | Force Dark Mode for Web Contents | ✔️ | Increases text contrast | unknown |
| `#enable-jxl` | Enable JXL image format | ✔️ | (Chrome 91.1.x+) | unknown |
| `#enable-quick-action-search-widget-android` | Quick Search Widget | ✔️ | | unknown |
| `#google-lens-sdk-intent` | Enable the use of the Lens SDK when starting intent into Lens. | ❌ | | unknown |
| `#media-session-webrtc` | Enable WebRTC actions in Media Session (93.x+) | ✔️ | | unknown |
| `#messages-for-android-ads-blocked` | Ads Blocked Messages UI | ✔️ | | unknown |
| `#messages-for-android-permission-update` | Permission Update Messages UI | ✔️ | | unknown |
| `#messages-for-android-reader-mode` | Reader Mode Messages UI | ✔️ | | unknown |
| `#page-info-about-this-site` | About this Site in Page Info | ✔️ | | unknown |
| `#photo-picker-video-support` | Photo Picker Video Support | ✔️ | (with animated thumbnails) | unknown |
| `#playback-speed-button` | Playback Speed Button | ✔️ | | unknown |
| `#shared-highlighting-v2` | Shared Highlighting 2.0 | ✔️ | (Chrome 90.x+) | unknown |
| `#shopping-list` | Shopping List | ❌ | Can create problems with Sync, and working with Bookmarks is a PITA in Chrome in general; hopefully Brave gets a widget for this one day. | unknown |
| `#voice-button-in-top-toolbar` | Voice Button in Top Toolbar | ❌ | The voice function will never work because Google prevents the use of alternative services, so we disable it. | unknown |
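To check a profile against the mobile recommendations above without clicking through every entry in `brave://flags`, the following audit script is added here as an example; it is not part of this guide and not Brave's own tooling. It assumes the Chromium storage format for about:flags choices in the profile's `Local State` JSON file (key `browser.enabled_labs_experiments`, entries of the form `<flag>@1` for Enabled, `<flag>@2` for Disabled, and a bare `<flag>` for a plain switch that is on); the `RECOMMENDED` subset and the sample `Local State` content are constructed for this example. On Android the file sits inside the app's private data directory, so it is only readable from a rooted device or a full backup; on desktop it is in the user data directory next to the profile folders.

```python
import json
import sys
from typing import Dict, Iterable, List, Tuple

# Subset of the Mobile Security / Privacy recommendations from the tables
# above (constructed for this example; extend as needed).
RECOMMENDED: Dict[str, bool] = {
    "block-insecure-private-network-requests": True,
    "disallow-doc-written-script-loads": True,
    "enable-site-isolation-for-password-sites": True,
    "enable-site-per-process": True,
    "partitioned-cookies": True,
    "reduce-user-agent": True,
    "enable-payment-request-basic-card": False,
    "font-access": False,
    "wallet-service-use-sandbox": False,
    "web-sql-access": False,
}

# Constructed sample of the relevant part of a Local State file (not a real profile).
SAMPLE_LOCAL_STATE = json.loads("""
{
  "browser": {
    "enabled_labs_experiments": [
      "enable-site-per-process@1",
      "disallow-doc-written-script-loads@2",
      "web-sql-access@1",
      "partitioned-cookies@1",
      "reduce-user-agent",
      "enable-quic@1"
    ]
  }
}
""")


def parse_labs_experiments(entries: Iterable[str]) -> Dict[str, bool]:
    """Turn enabled_labs_experiments entries into {flag: is_enabled}.

    Assumed storage format: "<flag>@1" = Enabled, "<flag>@2" = Disabled,
    bare "<flag>" = command-line switch that is on. Other choice indices
    belong to multi-choice flags and are skipped (no boolean state).
    """
    states: Dict[str, bool] = {}
    for entry in entries:
        name, sep, choice = entry.partition("@")
        if not sep:
            states[name] = True
        elif choice == "1":
            states[name] = True
        elif choice == "2":
            states[name] = False
    return states


def audit(local_state: dict, recommended: Dict[str, bool] = RECOMMENDED) -> List[Tuple[str, str, str]]:
    """Return (flag, current_state, recommended_action) for every deviation.

    current_state is "enabled", "disabled" or "default" (flag never set by the
    user); flags that already match the recommendation are not reported.
    """
    entries = local_state.get("browser", {}).get("enabled_labs_experiments", [])
    actual = parse_labs_experiments(entries)
    findings: List[Tuple[str, str, str]] = []
    for flag, want in sorted(recommended.items()):
        have = actual.get(flag)
        action = "enable" if want else "disable"
        if have is None:
            findings.append((flag, "default", action))
        elif have != want:
            findings.append((flag, "enabled" if have else "disabled", action))
    return findings


def load_local_state(path: str) -> dict:
    """Read a Local State file (plain JSON) from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python audit_flags.py ["/path/to/Local State"]; without an
    # argument the constructed sample is audited instead.
    state = load_local_state(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOCAL_STATE
    for flag, current, action in audit(state):
        print(f"#{flag}: currently {current}, recommendation: {action}")
```

Flags reported as `default` have never been touched in the profile, so their real state is whatever the Brave build ships with (the "Default flag state" column above); the explicit `enabled`/`disabled` mismatches are the ones worth fixing first. Entries that are not in the recommended subset, such as `enable-quic@1` in the sample, are left alone.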

🔝 Back to top 🔝

Brave only specific flags (not needed to be enforced)

| Flag | Name | Comment | Default flag state |
| --- | --- | --- | --- |
| `#brave-adblock-cosmetic-filtering` | Enable cosmetic filtering | Enabled by default even if it only shows "default" | unknown |
| `#brave-adblock-csp-rules` | Enable support for CSP rules | Does not need to be enforced (since 1.25.68+) | unknown |
| `#brave-ads-allowed-to-fallback-to-custom-push-notification-ads` | Allow Brave Ads to fall back from native to custom push notifications | This is OS specific and will become obsolete, since Brave will detect the OS and then automatically fall back to the legacy system. | unknown |
| `#brave-decentralized-dns` | Enable Decentralized DNS | ✔️ This is now a setting under Browser Settings since v95+ which you can easily switch. | unknown |
| `#brave-news` | Enable Brave News | Your own decision to enable it or not, it is a global switch. | unknown |
| `#enable-lens-region-search` | Search your screen with Google Lens | (93.1.31.39+), since 1.36.112 it is disabled by default. | unknown |
| `#enable-webrtc-hide-local-ips-with-mdns` | This is not Brave specific, but there are two ways Brave handles it: via Shields or via Settings | Do not enforce it via flag | unknown |

🔝 Back to top 🔝

Default Fonts

By default Brave Browser uses Poppins and Muli in its own interface, but those fonts are not the defaults used to render actual web content.

The actual fonts are

  • Standard font: Liberation Serif / Times New Roman 16
  • Serif font: Liberation Serif / Times New Roman 16
  • Sans-serif font: Liberation Sans / Arial 16
  • Fixed-width font: Monospace / Consolas 13

Keep in mind that the list can differ because some distros do not ship the mentioned fonts by default; in that case other fonts become the defaults. Font rendering differences and issues are a real thing.

My own suggestion is

  • Standard font: Poppins 16
  • Serif font: Poppins 16
  • Sans-serif font: Open Sans 16
  • Fixed-width font: Muli 12
  • Set the minimum font size to 6 and not 0, which is a borked default.

There is currently no way to disable font anti-aliasing/font smoothing.

🔝 Back to top 🔝

Reference for the Brave vs. Browser X discussion

🔝 Back to top 🔝