Additional about:flags changes by CHEF-KOCH (CKTN) to harden Brave Browser
Project updates
I'll try to keep this hardening guidance updated as much as I can. The flag configuration changes and tips listed below are only tested against Windows/Linux & Android; I do not plan to test them against macOS/iOS!
Introduction
Hardening does not start with choosing the right tools or networks; hardening begins with gathering information to inform yourself and others in order to stay up-to-date, so that you can deal with current and upcoming threats. Tools, extensions and Co. are just a workaround until someone builds the right system, which starts by voting for and supporting the right politicians and organisations. – Statement CHEF-KOCH, 1997
The main purpose of this guidance is to inform people about possibilities to enhance Brave Browser without depending on other tools or the Brave Team. You also do not need to rely on other quickly outdated guides on the Internet, and hopefully you even get a learning effect.
In case you have some questions, you can ask them directly on my official Matrix Server or use the issue ticket feature to open relevant tickets so that we can address new stuff.
Table of contents
[[TOC]]
Important notice: READ this before you start changing some random Browser flags!
Just because there are some flags that promise X does not necessarily mean you should enable/change them; there are possible drawbacks!
- Browser flags are in general experimental (beta) and can decrease performance/privacy or even corrupt your entire browser profile; however, all flags mentioned here are carefully tested and reviewed before they are mentioned.
- In case you report some bugs in the official Brave Browser GitHub repository make sure that you use a fresh Browser profile, not any "optimized" one.
- Some flags (changes) depend on server-side configuration and platform updates, which means that especially some security-based flags only fully work when the server/domain actually supports them.
- Some flags are OS and platform specific; on older Android, Linux or Windows builds or versions they are probably listed under Unavailable, in which case you of course cannot use that flag on your platform.
- QUIC is disabled due to privacy and fingerprinting concerns. This concern is fixed with Brave based on Chromium 91.1.27.8 (nightly), and the original proposal got approved as RFC 9000. See here for a security overview. Remaining trackability is covered by Brave AdBlock.
- Use KeePass (or a fork) instead of the internal password manager. I personally prefer not to work with Browser based password manager/integration. For more information, read here.
- Voice (Android) search input is disabled due to multiple privacy concerns.
- Browser based PDF is not changed because I prefer Sumatra PDF (aka offline reading) due to multiple privacy/malware concerns.
- Omnibox functionality is limited due to multiple privacy concerns. See here for more info.
- Google's Safe Browsing and other security checks and connections are NOT wanted. The OS has its own protection mechanism (OS security model + hardening).
- FLoC is disabled by default in Brave. Chrome users can use uBlock or change it manually via flags.
- All credential checks are disabled since we do not store passwords within the Brave Browser, instead we use sophisticated tools like KeePass or in general other password managers of your choice.
- Animations can be slower or entirely fail to load properly due to isolation flags, which means the Reward system might be affected and you may need several attempts to complete the Reward challenge in order to claim your BATs.
Unresolved issues with the biggest privacy/security impact
You find an overview of all opened privacy related and reported issues directly on the issue tracker (github.com).
☑ indicates that the mentioned issue was fully resolved and ☒ that this is something that will not be fixed because it is by design.
Additional Info:
- Working with Flags and background info when they expire (chromium.googlesource.com)
- List of all Flags (source.chromium.org)
- List of all Flags that never expire (source.chromium.org)
Please keep in mind that just because there are open issue tickets, this is not necessarily actively abused in the real world. In lots of cases it is hard to find evidence that theoretical problems are used to directly compromise your security or privacy. Also some of the mentioned issues might be very hard to fix because trying to work around them can result in unwanted side effects, such as Browser crashes, website breakages etc.
- ☐ Letterboxing (window size)
- ☐ Crooked Style Sheets Tracking Attacks
- ☐ Cross-device tracking via ultrasonics
- ☐ DRAWN APART - A Device Identification Technique based on Remote GPU Fingerprinting (orenlab.sise.bgu.ac.il), pretty much every Browser is affected by the new attack. For additional details please see getSupportedExtensions in WebGL
- ☐ IPTC meta data in images
- ☐ Intel iGPU sandboxing in Linux does not exist, fixed with latest Chromium commit
- ☐ Resource Timing
- ☐ Retrieving your browsing history through CAPTCHAs, see here. On Firefox this can be prevented by toggling layout.css.visited_links_enabled, while on Chrome you need to manually clear your Browsing history after the session ended. Mozilla has an article regarding such protection mechanisms over here.
- ☐ TCP Fast Open (TFO)
- ☐ TLS session resumption tracking
- ☐ There is currently no master password available for saved passwords, which can lead to security and privacy related issues.
- ☐ Trackability of QUIC connections; Brave AdBlock covers some parts except the server configuration part, which needs to be implemented into the Browser. Keep in mind that the mentioned papers are outdated and do not reflect the current final QUIC implementation.
- ☐ WebGL Extension farbling
- ☐ Window dimension based fingerprinting
- ☐ Zoom Levels tracking
- ☐ window.Intl.DateTimeFormat() API
- ☒ One Bad Apple Can Spoil Your IPv6 Privacy - IPv6 privacy extension bypass to track users via prefix rotation on ISP end.
- ☒ Some AV products use and inspect your camera and your lock screen - This is a won't-fix because this is how AVs and their security features work. You manually need to allow Brave to use the camera permission, or block/allow the AV to use it.
Hardening is not a selling argument
The mass media and some privacy communities wrongfully echo the claim that hardening and applying best practices represent security and privacy; this is an unproven claim. The reason why it is unproven is the fact that the vast majority does not use hardened profiles on a daily basis, and there are cases showing that even hardened setups can be compromised; it is a matter of effort. In other words, there is no proof that this is enough; what it does is potentially reduce the attack surface, but that is all. It does not mean you are untouchable or cannot be exploited. Even if you manage to harden everything you still need to take the human factor into consideration: social engineering works really well and can bypass every firewall and every OS or Browser hardening in a matter of time. The Browser acts like a gateway; it is not meant to be a firewall that monitors every data packet that goes through.
I am entirely against selling privacy and security as a product, and the project goal here is not to fool people into thinking that hardening is something that is either one or zero. The factors for privacy and security are not products you install or scripts or tools you use. It is a relationship between developers and the community to deal with existing as well as new threats. Giving up control by depending on another unknown third party who promises you xyz is not what I like to represent here. The overall goal is that the mentioned issues get shown to warn users that there are potential risks involved which you can address on a theoretical level; this means they should be shown in order to fix such problems, not to make profit out of them.
Claiming hardening makes you more secure because 0,1% of all users do or use it is working with statistics. Statistics are often flawed because, depending on the data, point of view and experience, they can vary a lot. Assuming everything one day gets fixed, hackers will still try to bypass everything, break it or invent new techniques. This is a cat and mouse game without a winner because the web evolves as well as the Browser itself, and hardening will always be a part of adapting to those changes by working around potential issues.
I am not a fan of mass advertising that hardening or applying best practices is enough. What makes more sense is to make people aware of problems, provide some workarounds until they are fixed, and then test to verify whether it is actually working as intended or not, because even workarounds and fixes can cause additional problems or even new holes.
Energy consumption is not a big priority
As much as I would love to give this point bigger consideration, I need to clearly say that I cannot do many tests regarding energy consumption in general, especially not with individual flags and then even independent tests across multiple OS and Browser builds. This would require me to work and research on this subject full-time.
There are lots of variables which can and will influence the energy aspect, and this is a huge topic which I am not willing to do on my own.
The only big focus regarding the overall energy consumption is when a flag dramatically decreases battery life or puts extra pressure on the CPU and/or GPU that is directly debuggable through internal tools.
Enforced settings as new defaults
We change the mentioned default settings to improve the default behavior in order to reduce possible risks. You can manually unlock the stuff you need, which seems like more work but it is worth it, and you only have to do this once per domain. This basically acts like a firewall for specific things, which are then disabled by default and you need to manually unlock first (see the last screenshot to understand what I mean).
Normally we do not need to enable the Always use HTTPS option because under Security we enable and enforce connecting to HTTPS first; however, in some cases the option to always connect to HTTPS is hidden unless you enable the option.
On mobile we can theoretically do the same but there are some downsides. As you can see on the last screenshot, if your screen resolution is below x or you are on a smartphone with limited screen size you cannot see all options, which makes it impossible for you to change or reveal some settings or information. Brave as well as Chrome are aware that this modal dialogue is currently not optimal. That said, I, for now, only suggest doing this on Desktop, and on Mobile only enforce the stronger Shield defaults (see first screenshot).
Brave will not sync those newly set permission defaults. You need to back up your profile manually; this is still the best way to deal with profile corruptions or in case you want to copy your settings to another profile or PC. Permission sync is a planned feature.
Why enforce some settings that depend on your global Shields settings
We enforce some settings as defaults for various reasons; however, some flags and features depend on your global Brave Shield settings. For example, by default Unlinkable Bouncing is only enabled when you set your global Shield setting to aggressive. We override this behavior so that in case of website breakages you can temporarily lower the Shield setting for a specific website without losing some protection mechanisms.
In a nutshell
- GPU information is removed in strict mode; in general fingerprint protection depends on several factors, which is the reason why we enforce the strongest settings as new defaults.
- Canvas and WebAudio are randomized
- Shield turned off means no protection at all
- The Tor approach of making every user look the same has some issues, which is the reason why we fight website breakages with randomization instead. The approach is explained in-depth over here.
- Other Browsers promise a lot but have weak protections against known fingerprinting attacks.
Privacy and Security related impact of changed Flags
The impact is normally negligible because we often disable controversial APIs or features that are designed by Google. Some other flags are not fingerprintable under normal circumstances because API design evolves and developers are more aware of, and advocate, privacy and security much more than 20 years ago.
Changing flags can make you stand out more, but the tested flags are carefully chosen so that the difference is not dramatically noticeable, except that some fingerprinting test pages might not actually return an accurate result. You should not rely only on such pages to measure how private our Brave Browser is; it simply gives you a small indication, but that is all, because some unknown fingerprinting mechanisms might exist that are not covered in such tests or even in the wild.
Brave on its own already does a good job, but we want to take it a step further and enhance specific behaviors; this is usually explained, linked or, if possible, a reference is provided in this guide.
Utilizing Brave Ad Block, the right-way
The overall amount of trackers is limited. This means that the majority of websites use Google - among some other - tracking systems. Most popular and even unpopular websites trust the big tracking players, which means it makes no sense to load filter lists with 2 trillion entries when 80 percent of the world uses the same tracking systems. You can skip this section if you already block ads via a DNS blocker system-wide in your network with AdGuard Home or Pi-Hole, and continue with the manual filter lists we could use, depending on your needs.
Finding some lists is pretty easy; you can manually search for them or use some aggregators that list filter lists.
The following filters are already used and enabled by default.
- Block Origin Filters
- Brave Android-Specific Rules
- Brave Social
- Brave Social Unbreak
- Brave Specific
- Brave Unbreak
- EasyList
- EasyPrivacy
- Peter Lowe's Ad and tracking server list
- SugarCoat Rules
- URLhaus Malicious URL Blocklist
- uBlock Origin 2020 Filters
- uBlock Origin 2021 Filters
- uBlock Origin filters - Badware risks
- uBlock Origin filters - Unbreak
- uBlock Origin filters – Privacy
- uBlock Origin filters – Resource abuse
General rules
- By default, without selecting, enabling or subscribing to third-party lists, Brave already blocks some stuff; if you are comfortable enough with this, you can stop reading this section.
- Less is more; everything counts because everything that needs to be loaded ends up in your RAM or causes the CPU to consume more cycles, which can end up eating more energy and battery. Good quality filter lists shouldn't have a perceptible effect on browsing performance. The first worry with too many filter lists is undue website breakage.
- Just because X filter-list has more entries does not mean it is more efficient.
- Only use lists which are regularly updated and well maintained.
The following steps are the same on Desktop and Mobile platforms, so I do not explicitly mention them.
Go to brave://settings/shields/filters, just type it in the URL bar and it will display the ad-block interface with some options. By default nothing is selected and you have to choose which filters you want to enable or even manually add. Custom filters are being updated every 7 days, which might change in the future. Syncing filter lists and your custom rules is possible - the flag is #brave-cosmetic-filtering-sync-load; it will get removed in the future and be directly integrated and enabled by default once it is reliable enough.
Additional lists you can enable from the integrated Brave Ad Block page
- YousList - To block various cosmetic stuff, aka annoyances, in addition to the above mentioned annoyances lists. If you think this list is not enough, use Dandelion Sprout's Annoying Banners and Overlays List instead.
- ONE single language based list, for your own country.
Now we can improve specific things, i.e. manually subscribe to additional lists, but which ones make the most sense? The answer is easy: we want to get rid of additional extensions, and hopefully we can achieve that by using an additional list that supports the things we need, anti-coinmining, URL-shortener etc.
Optional filter-lists you could add
Additional filter lists can be useful, for example to get rid of the ClearURLs extension, or in case we already block DNS based ads on our entire network, in which case we might want to use something which only blocks cosmetic stuff. It should be noted that uBlock as well as the Brave Ad Block solution only remove the untouched query parameter given by the original URL; this means they cannot rewrite parts of the original path of the clicked URL.
- AdGuard DNS filter - https://filters.adtidy.org/windows/filters/15.txt
- Actually Legitimate URL Shortener Tool - https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt
- First-party trackers host list - https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt - You do not need it if you use DNS based network blocking.
- EU_US+most_used_ad_and_tracking_networks - https://raw.githubusercontent.com/Kees1958/W3C_annual_most_used_survey_blocklist/master/EU_US%2Bmost_used_ad_and_tracking_networks
- Social Media Filters, this is totally up to you.
- You do not need any anti-coinminers; it is normally covered by the language based list which you choose. Adding another one makes no sense because by default we block or optionally restrict JavaScript anyway via extension.
- Block outside intruders breaking into LAN - https://github.com/gwarser/filter-lists/blob/master/lan-block.txt - The list will become irrelevant at some point because Brave will block all LAN requests by default starting with Chromium v101+. JS-Restrictor can do exactly the same; the benefit of the JS-Restrictor extension solution is that it is enabled by default and you can create exceptions for a domain with only two clicks.
This is all; you do not need 10+ lists. Well-maintained lists are worth much more than huge lists that die within the first 6-12 months.
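To make the limitation described in this section concrete, here is an added example (not code from this guide, nor from Brave, uBlock Origin or ClearURLs) that implements a simplified subset of the adblock `$removeparam` syntax and contrasts it with a ClearURLs-style redirect unwrap. The rule set, the hosts and the URLs are constructed for the demonstration; real filter lists support far more rule forms than the `||host^` anchor and single parameter name assumed here.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample rules. Assumption: only a simplified subset of the
# adblock "$removeparam" syntax is supported here (an optional "||host^"
# anchor plus a single parameter name); real lists allow much more.
SAMPLE_RULES = [
    "$removeparam=utm_source",
    "$removeparam=utm_medium",
    "$removeparam=fbclid",
    "||example.com^$removeparam=ref",   # host-scoped: example.com and subdomains
]


def parse_rule(rule):
    """Split one rule into (host or None, parameter name)."""
    pattern, _, options = rule.partition("$")
    if not options.startswith("removeparam="):
        raise ValueError(f"unsupported rule: {rule!r}")
    param = options[len("removeparam="):]
    host = None
    if pattern:
        if not (pattern.startswith("||") and pattern.endswith("^")):
            raise ValueError(f"unsupported pattern: {pattern!r}")
        host = pattern[2:-1].lower()
    return host, param


def host_matches(rule_host, url_host):
    """A rule without a host matches everything; '||host^' also matches subdomains."""
    if rule_host is None:
        return True
    return url_host == rule_host or url_host.endswith("." + rule_host)


def apply_removeparam(url, rules=SAMPLE_RULES):
    """Drop the query parameters named by matching rules.

    Scheme, host, path, fragment and all other parameters pass through
    untouched: this is the whole extent of what a removeparam rule can do.
    """
    parts = urlsplit(url)
    url_host = (parts.hostname or "").lower()
    drop = {param for host, param in map(parse_rule, rules) if host_matches(host, url_host)}
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k not in drop]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def unwrap_redirect(url, param):
    """ClearURLs-style rewrite: return the absolute URL carried in `param`, or None.

    This replaces the whole URL with something taken from inside it, which a
    removeparam rule cannot express; that is the gap the text describes.
    """
    for k, v in parse_qsl(urlsplit(url).query):
        if k == param and urlsplit(v).scheme in ("http", "https"):
            return v
    return None


if __name__ == "__main__":
    print(apply_removeparam("https://news.example.org/a/b?id=42&utm_source=x&fbclid=abc"))
    print(apply_removeparam("https://www.example.com/p?ref=home&q=1"))
    print(unwrap_redirect("https://l.example.com/l.php?u=https%3A%2F%2Ftarget.example%2Fpage&h=1", "u"))
```

The first call strips the tracking parameters and keeps everything else; the second shows the host-scoped rule applying to a subdomain; the third does what no `removeparam` rule can, namely replace the clicked URL with the one embedded in its query. That is why a URL-cleaning list can cover the parameter-stripping part of ClearURLs but not its redirect rewrites.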
Why fingerprinting matters less than you think
Fingerprinting per se is not an intrinsic problem, which means it only becomes a problem when it makes it possible to render you traceable, particularly across sessions. The main point is to become less traceable - or traceable only with adjustable levels of difficulty - whatever your "fingerprintability" could be.
And there are 2 ways to try to reach this goal:
- The static way
- The dynamic way
In the static (often called low entropy) way, the user or you can try to display the same fingerprint as many other people. In that sense, being seen as unique is bad. The best way to achieve this "low entropy" goal is to use the Tor Browser on the Tor network. No Brave hardening, no Firefox Browser hardening with thousands of configuration changes, simply the pure Tor Browser, because it provides much more than configuration changes and the best way is that each and every user uses the exact same fingerprint.
In the dynamic (or high entropy) way, you try to become "someone else" for each browser session, i.e. for each browsing session you (ideally) try to change all your browser's displayed characteristics. In this case, being seen as unique is not a problem. On the contrary, it is something desirable: if a test site manages to correlate you across sessions, and so manages to see you as not unique, that simply means your attempts to become "someone else" for each session miserably failed and that you are traceable across sessions (at least by this precise test site, and by any other site using the same tracking techniques). This way is the path that e.g. Brave developers are trying to take; this is also what you do if you harden other Browsers like Firefox, Edge etc.
In the real world we have a limited amount of possibilities to fingerprint users; this means most stuff heavily relies on JavaScript, CSS and so on. Developing counter-measures for this is possible, but since we enforce disabling JavaScript by default, which already lowers attacks by around 98%, the rest are some small tricks that abuse some weaknesses that are fixable more or less easily. There might be considerable small stuff which cannot be fixed, but that never leads to leaks that can identify you, your browsing habits or connect other dots.
The most important stuff is listed above and is on the to-do list regarding fingerprinting. None of the open issues are enough to truly expose you, even if someone gets all of the remaining entropy that is currently not covered by Brave's Shields. Most people just use the fingerprinting argument to bypass restrictions.
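The static/dynamic distinction above is easiest to see with a small simulation. The following is an added example written for this guide, not Brave's farbling code nor any tracker's real logic: it models a test site that links sessions by exact fingerprint match and measures how often that succeeds under three strategies. The user attribute sets, the Tor-like uniform profile and the per-session salting are all constructed stand-ins for the real entropy sources, and the `linkability` metric is this example's own definition.

```python
import hashlib
import random

# Constructed attribute sets for a handful of users (assumption: a few
# surface attributes stand in for the real entropy sources a site can read).
USERS = {
    "alice": {"screen": "2560x1440", "gpu": "NVIDIA GTX 1070", "fonts": 212, "lang": "en-US"},
    "bob":   {"screen": "1920x1080", "gpu": "Intel UHD 620",   "fonts": 97,  "lang": "de-DE"},
    "carol": {"screen": "1920x1080", "gpu": "AMD RX 580",      "fonts": 140, "lang": "fr-FR"},
}
# Constructed "everyone looks the same" profile, in the spirit of Tor Browser.
TOR_LIKE = {"screen": "1000x1000", "gpu": "generic", "fonts": 20, "lang": "en-US"}


def fingerprint(attrs):
    """Hash the attribute set the way a test site would canonicalise it."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def observe(strategy, user, rng):
    """Fingerprint a test site sees from `user` in one session.

    "none":    raw attributes (no protection, stable and unique per user)
    "static":  low entropy, everyone presents the same values
    "dynamic": high entropy, noisy attributes salted per session
    """
    attrs = dict(USERS[user])
    if strategy == "static":
        attrs = dict(TOR_LIKE)
    elif strategy == "dynamic":
        salt = rng.getrandbits(32)          # fresh per session
        attrs["gpu"] = f"{attrs['gpu']}#{salt}"
        attrs["fonts"] = attrs["fonts"] + salt % 7
    return fingerprint(attrs)


def linkability(strategy, sessions=5, seed=1):
    """Return (link_rate, distinct_fingerprints) over `sessions` visits per user.

    link_rate is the fraction of later visits the site can attribute to
    exactly one previously seen user by fingerprint equality. A high value
    means "traceable across sessions", which is the failure the text warns
    about; being unique per visit (many distinct prints) is not.
    """
    rng = random.Random(seed)
    seen = {}          # fingerprint -> set of users who have produced it
    linked = total = 0
    for session in range(sessions):
        for user in USERS:
            fp = observe(strategy, user, rng)
            if session > 0:
                total += 1
                if seen.get(fp) == {user}:
                    linked += 1
            seen.setdefault(fp, set()).add(user)
    return linked / total, len(seen)


if __name__ == "__main__":
    for strategy in ("none", "static", "dynamic"):
        rate, distinct = linkability(strategy)
        print(f"{strategy:8} link rate {rate:.2f}  distinct fingerprints {distinct}")
```

With no protection every later visit is linked (link rate 1.0, three distinct prints). The static strategy yields one print shared by everyone, so a match never singles out a user. The dynamic strategy produces a new print on every visit, so the site sees fifteen "unique" visitors and links none of them, which is exactly the outcome the dynamic approach aims for.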
Do not use portable Browsers
Using portable Browsers has lots of security and privacy implications.
- In most cases the official Browser developer(s) do not provide any official portable build; because of that, people tend to use unofficial portable Browser repacks. More often than not those repacks are done by fans and not experts and can possibly contain tracking ads, Trojans, IP-grabbers etc.
- There is no verification: since you use unofficial repacked Browser versions you cannot verify anything yourself. Even if you use some repacks that are open source, you cannot verify anything because the installer or the browser itself might be signed with different signatures that do not match the ones from the original manufacturer.
- No support: unofficial repack versions might not be approved nor directly supported by the official site. This means they can be outdated after a short while, you already download an outdated version, or the integrated update mechanism will fail because the updater depends on a service which checks and delivers the actual update. The Epic, MS etc. Stores will also not update any portable versions.
- Running your Browser and profile on an unprotected drive that everyone can freely access is a privacy and security nightmare. There exist tools to quickly read out your Cookies, passwords and more; usually those tools need admin rights to access protected folders, but if the profile folder is unprotected you can even read out or steal the database or the entire profile without admin rights. The internal protection regarding database passwords is weak and easy to crack in seconds; the Browser typically has no master password for the database nor a Browser startup password check.
- You can work around some of the mentioned problems with a RamDrive or a third-party Sandbox, but the underlying issue is that it is overall by default easier for an attacker to extract, infect or compromise your Browser profile. Keep in mind that sandboxing through external third-party apps can also be critical because the sandbox tool can be vulnerable or cause the Browser to crash, because the Browser typically updates much more frequently than the sandbox tool can keep up with. Another problem is that such workarounds might also require that such software is installed on the host, which needs admin rights. I am not aware of a sandbox solution that protects at low level without admin rights, because this is what the OS requires to access the inner rings.
How Brave Browser handles Cookies
Brave Browser is very well documented. Besides the source code and the wiki entries we have several good articles for beginners on how Brave actually handles the Cookie part.
- Ephemeral Storage + Test. This is the equivalent of Firefox's Dynamic First-Party Isolation (dFPI) and Total Cookie Protection mechanism.
- Insight about how cookies are handled
Desktop Flags
The official Brave release schedule can be found over here, the archive is here.
- There is currently no plan to release a Brave Browser version for SmartTV, which means there is nothing to change or optimize on such platforms.
- The enabled / disabled flag recommendations below mean you should, if you would like to harden Brave Browser further, follow the advice to change the default flag state.
Desktop Security
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#block-insecure-private-network-requests | Block insecure private network requests | ✔️ | unknown |
#brave-domain-block | Enable domain blocking | ✔️ | unknown |
#brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | unknown |
#clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
#disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | unknown |
#enable-isolated-sandboxed-iframes | Isolated sandboxed iframes | ✔️ | unknown |
#enable-webview-tag-site-isolation | Site isolation for `<webview>` tags | ✔️ | Default, which is disabled. Added in 1.44.8/104.0.5112.69. |
#origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
#strict-origin-isolation | Strict-Origin-Isolation | ❌ | unknown |
#sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery. | ❌ | unknown |
#u2f-security-key-api | Enable the U2F Security Key API | ❌ | unknown |
#web-sql-access | Allows access to WebSQL APIs | ❌ | 103.x / 1.40.x |
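The first flag in the Desktop Security table, #block-insecure-private-network-requests, and the lan-block filter list from the ad-block section address the same risk: a public web page making requests into your LAN or loopback. The following is an added example (written for this guide, not Chromium's or Brave's implementation) that models the address-space classification and the blocking rule behind that flag and runs it over a handful of constructed requests. The `audit` helper, the sample URLs and the "unresolved hostname is public" shortcut are this example's own simplifications; a real browser classifies the IP a name actually resolves to.

```python
import ipaddress
from urllib.parse import urlsplit

# IP address spaces in the order Private Network Access uses, least to most
# private. A request "crosses inward" when its target has a higher index.
SPACES = ("public", "private", "local")


def address_space(host):
    """Classify a hostname or IP literal into a PNA address space.

    Assumption: an unresolved hostname is treated as public here; a real
    browser classifies the IP the name actually resolves to.
    """
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "public"
    if ip.is_loopback:
        return "local"
    if ip.is_private or ip.is_link_local:   # RFC 1918, fc00::/7, 169.254/16, fe80::/10
        return "private"
    return "public"


def request_decision(initiator_url, target_url, flag_enabled=True):
    """Decide a sub-resource fetch from `initiator_url` to `target_url`.

    Models the rule behind #block-insecure-private-network-requests: a
    request that crosses inward (e.g. public page -> 192.168.x.x router)
    is blocked when the initiating page is not a secure context. With the
    flag off, or for secure contexts, this model lets the request through.
    """
    init, tgt = urlsplit(initiator_url), urlsplit(target_url)
    init_space = address_space(init.hostname or "")
    tgt_space = address_space(tgt.hostname or "")
    crosses_inward = SPACES.index(tgt_space) > SPACES.index(init_space)
    # pages served from localhost count as potentially trustworthy even over plain http
    secure_context = init.scheme == "https" or init_space == "local"
    if flag_enabled and crosses_inward and not secure_context:
        return "blocked"
    return "allowed"


# Constructed sample requests a page might issue (initiator, target)
SAMPLE_REQUESTS = [
    ("http://shop.example/", "http://192.168.1.1/admin"),      # blocked: insecure -> private
    ("https://shop.example/", "http://192.168.1.1/admin"),     # allowed: secure context
    ("http://192.168.1.5/", "http://192.168.1.1/status"),      # allowed: same space
    ("http://shop.example/", "http://127.0.0.1:9090/"),        # blocked: insecure -> local
    ("http://shop.example/", "https://cdn.example/lib.js"),    # allowed: public -> public
]


def audit(requests=SAMPLE_REQUESTS, flag_enabled=True):
    """Return (initiator, target, decision) for every request in the batch."""
    return [(i, t, request_decision(i, t, flag_enabled)) for i, t in requests]


if __name__ == "__main__":
    for initiator, target, decision in audit():
        print(f"{decision:8} {initiator} -> {target}")
```

Running `audit()` shows the two requests the flag is meant to stop (an insecure public page reaching a router admin page and a local service port) while same-space and public-to-public fetches pass; the lan-block filter list reaches a similar result by matching target hostnames, which is why the guide expects it to become redundant once the browser enforces this by default.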
Desktop Privacy
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#autofill-enable-sending-bcn-in-get-upload-details | Enable sending billing customer number in GetUploadDetails | ❌ | Enabled if preflights are enabled. |
#autofill-fill-merchant-promo-code-fields | Enable Autofill of promo code fields in forms | ❌ | unknown |
#autofill-parse-merchant-promo-code-fields | Parse promo code fields in forms | ❌ | unknown |
#brave-adblock-cosmetic-filtering-child-frames | Apply cosmetic filtering to frames other than the main frame of a page | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | 103.1.42.74 |
#brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | unknown |
#brave-debounce | Enable debouncing (94.x+) | ✔️ we enforce it | unknown |
#brave-domain-block-1pes | Enable domain blocking using First Party Ephemeral Storage | ✔️ | unknown |
#brave-extension-network-blocking | Enable extension network blocking | ✔️ (91+) | unknown |
#device-posture | Device Posture API | ❌ | unknown |
#disable-process-reuse | Disable subframe process reuse | ✔️ | unknown |
#edit-context | EditContext API | ❌ (100.0+) | unknown |
#enable-accessibility-live-caption | Live Caption | ❌ (90.x+) ⚠️borked | unknown |
#enable-autofill-credit-card-authentication | Allow using platform authenticators to retrieve server cards | ❌ (87.x+) | unknown |
#enable-fenced-frames | Enable the `<fencedframe>` element. | ✔️ with ShadowDOM | unknown |
#enable-generic-sensor-extra-classes | Generic Sensor Extra Classes | ❌ | unknown |
#enable-quic | Experimental QUIC protocol | ✔️ Needed for HTTP3/DoQ, now known as RFC 9000 | unknown |
#enable-webusb-device-detection | Automatic detection of WebUSB-compatible devices | ❌ we already disable WebUSB but the detection still sends a beacon | unknown |
#extensions-menu-access-control | Extensions Menu Access Control | ✔️ | unknown |
#font-access | Font Access APIs | ❌ | unknown |
#omnibox-dynamic-max-autocomplete | Omnibox Dynamic Max Autocomplete | ❌ (causes lags if enabled / 5+) | unknown |
#omnibox-rich-autocompletion-promising | Omnibox Rich Autocompletion Promising | ❌ | unknown |
#partitioned-cookies | Partitioned Cookies | ✔️ | unknown |
#reduce-user-agent | Reduce User-Agent request header | ✔️ | unknown |
#reduce-user-agent-minor-version | Reduce the minor version in the User-Agent string | ✔️ | unknown |
#system-keyboard-lock | Experimental system keyboard lock | ❌ (89.x+) | unknown |
#webxr-incubations | WebXR Incubations | ❌ (92.0+) | unknown |
Desktop Performance
Benchmarks against Edge and Firefox are pretty much useless. There are multiple reasons why, please see below:
- Synthetic benchmarks might not reflect real-world performance because a normal website is not a benchmark suite; other factors can influence the individual and subjective Browser performance here.
- Brave’s blocking and privacy protections require a fixed amount of additional work per page and frame. This means that Brave will do worse in synthetic benchmarks than other browsers (since Brave’s privacy protections won’t be useful in benchmark tests), but will do better on real world sites.
- Firefox and Edge do not have any integrated ad-blocker; they use safe browsing, which is also included in all Chromium based Browsers and enabled by default.
- Firefox and Edge do not include any crypto wallets.
- Brave reduces the page load performance cost of its ad-blocker.
- Benchmarks are often outdated pretty fast. At best this is a snapshot of the current state, but every Browser evolves, fixes stuff etc.
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#brave-federated | Enables local data collection for notification ad timing (brave-federated) | ❌ | 1.43.50/104.1.43.50 Beta (default which is enabled) |
#back-forward-cache | Back and forward Cache | ❌ | unknown |
#brave-adblock-cookie-list-default | Treat 'Easylist-Cookie List' as a default list source | ✔️ | unknown |
#brave-rewards-verbose-logging | Enable Brave Rewards verbose logging | ❌ enabled by default since 1.25.68+ | unknown |
#brave-rewards-webui-panel | Use WebUI Rewards Panel | ✔️ | 1.43.53/104.0.5112.69 |
#durable-client-hints-cache | Persistent client hints | ❌ | unknown |
#enable-parallel-downloading | Parallel downloading | ✔️ | unknown |
#enable-prerender2 | Prerender2 | ✔️ (90.x+) | unknown |
#enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes | Throttle non-visible cross-origin iframes | ✔️ | unknown |
#enable-vulkan | Use Vulkan as the graphics backend. | ✔️ On Linux either Vulkan or raw draw, if you enable both it will prefer raw draw to avoid compatibility issues. | unknown |
#restrict-websockets-pool | Restrict WebSockets pool | ✔️ (97.x+) | unknown |
#subframe-shutdown-delay | Add delay to subframe renderer process shutdown | ❌ | unknown |
Desktop Functionality / Usability
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) | unknown |
#brave-cosmetic-filtering-sync-load | Enable sync loading of cosmetic filter rules | ✔️ | unknown |
#chrome-whats-new-ui | Show Chrome What's New page at brave://whats-new (93.x+) | ❌ | unknown |
#enable-force-dark | Force Dark Mode for Web Contents | ✔️ increase text contrast | unknown |
#enable-jxl | Enable JXL image format | ✔️ (Chrome 91.1.x+) | unknown |
#extensions-menu-access-control | Extensions Menu Access Control | ✔️ we enforce it | disabled |
#extension-workflow-justification | Extension request justification (93.x+) | ✔️ | unknown |
#force-color-profile | Force color profile | ✔️ scRGB or HDR (if your Monitor supports HDR, enable the HDR option) | unknown |
#forced-colors | Forced Colors | ✔️ | unknown |
#history-journeys-omnibox-action | History Journeys Omnibox Action | ✔️ (Chrome 97+) | unknown |
#history-journeys | History Journeys | ✔️ (Chrome 98+) | unknown |
#page-info-history-desktop | Page info history | ✔️ (Chrome 97+) | unknown |
#quick-commands | Quick Commands | ✔️ | Default (Disabled) |
#scrollable-tabstrip | Tab Scrolling | ✔️ (tabs shrink to a medium width) | unknown |
Desktop Scrolling
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#smooth-scrolling | Smooth Scrolling | ✔️ | unknown |
Desktop PWA
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#enable-desktop-pwas-launch-handler | Desktop PWA launch handler | ✔️ | disabled |
#enable-desktop-pwas-sub-apps | Desktop PWA Sub Apps | ✔️ | disabled |
#enable-desktop-pwas-tab-strip-settings | Desktop PWA tab strips settings | ✔️ | disabled |
#enable-desktop-pwas-web-bundles | Desktop PWAs Web Bundles | ✔️ | disabled |
#enable-desktop-pwas-window-controls-overlay | Desktop PWA Window Controls Overlay | ✔️ | disabled |
Desktop Brave Reader Mode / Speedreader
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#enable-reader-mode | Enable Reader Mode | ✔️ Enabled, also available in settings (we enforce it, optional) | disabled |
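As an added example (not part of this README or of Brave's own code), a small Python audit that checks a Brave profile's persisted flag choices against a few rows from the desktop tables above. It assumes the Chromium convention that brave://flags choices are stored in the user data directory's `Local State` JSON under `browser.enabled_labs_experiments` as `flag@1` (Enabled) / `flag@2` (Disabled) for feature flags and as a bare `flag` for switch-type flags; the sample input below is constructed.

```python
import json
from typing import Dict

# Desired state from the desktop tables above (leading '#' dropped, as stored).
DESKTOP_CHECKLIST: Dict[str, str] = {
    "enable-force-dark": "enabled",
    "quick-commands": "enabled",
    "restrict-websockets-pool": "enabled",
    "enable-reader-mode": "enabled",
    "chrome-whats-new-ui": "disabled",
    "subframe-shutdown-delay": "disabled",
}

# Constructed stand-in for the relevant part of a real 'Local State' file
# (assumed Linux location: ~/.config/BraveSoftware/Brave-Browser/Local State).
SAMPLE_LOCAL_STATE = json.dumps({"browser": {"enabled_labs_experiments": [
    "enable-force-dark@1",          # feature flag set to Enabled
    "chrome-whats-new-ui@2",        # feature flag set to Disabled
    "subframe-shutdown-delay@1",    # Enabled, but the table says Disabled
    "enable-reader-mode",           # switch-type flag: presence means on
]}})

def parse_flag_states(local_state_json: str) -> Dict[str, str]:
    """Map each persisted flag to 'enabled', 'disabled' or 'choice:N'.
    '@2' is read as Disabled, which holds for plain Enabled/Disabled flags;
    variant flags (e.g. force-color-profile) put Disabled at their last index,
    so keep those out of the checklist."""
    data = json.loads(local_state_json)
    states: Dict[str, str] = {}
    for entry in data.get("browser", {}).get("enabled_labs_experiments", []):
        name, sep, choice = entry.partition("@")
        if not sep or choice == "1":   # bare switch flag, or Enabled
            states[name] = "enabled"
        elif choice == "2":
            states[name] = "disabled"
        else:
            states[name] = f"choice:{choice}"
    return states

def audit(local_state_json: str, checklist: Dict[str, str]) -> Dict[str, str]:
    """Return {flag: found state} for checklist flags that deviate ('default' if unset)."""
    states = parse_flag_states(local_state_json)
    return {flag: states.get(flag, "default")
            for flag, wanted in checklist.items()
            if states.get(flag, "default") != wanted}

if __name__ == "__main__":
    for flag, found in audit(SAMPLE_LOCAL_STATE, DESKTOP_CHECKLIST).items():
        print(f"#{flag}: expected {DESKTOP_CHECKLIST[flag]}, found {found}")
```

To audit a real profile, replace `SAMPLE_LOCAL_STATE` with the contents of the `Local State` file (close the browser first, since it rewrites the file on exit).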
Android (mobile) Flags
Mobile Security
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#block-insecure-private-network-requests | Block insecure private network requests. | ✔️ | disabled |
#brave-ephemeral-storage | Enable Ephemeral Storage | ✔️ | depends on Shields setting |
#clear-cross-site-cross-browsing-context-group-window-name | Clear window name in top-level cross-site cross-browsing-context-group navigation | ✔️ | unknown |
#disallow-doc-written-script-loads | Block scripts loaded via document.write | ✔️ | disabled |
#enable-site-isolation-for-password-sites | Enable site Isolation for Password Sites | ✔️ | disabled |
#enable-site-per-process | Part of Site isolation | ✔️ | disabled |
#origin-agent-cluster-default | Origin-keyed Agent Clusters by default | ✔️ | 102.x |
#strict-origin-isolation | Strict-Origin-Isolation | ❌ | unknown |
#sync-trusted-vault-passphrase-recovery | Enable sync trusted vault passphrase with improved recovery | ❌ | unknown |
#web-sql-access | Allows access to WebSQL APIs | ❌ | 103.x / 1.40.x |
Mobile Privacy
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#autofill-enable-sending-bcn-in-get-upload-details | Enable sending billing customer number in GetUploadDetails | ❌ | Enabled if preflights are enabled. |
#autofill-fill-merchant-promo-code-fields | Enable Autofill of promo code fields in forms | ❌ | unknown |
#autofill-parse-merchant-promo-code-fields | Parse promo code fields in forms | ❌ | unknown |
#brave-dark-mode-block | Enable dark mode blocking fingerprinting protection | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | unknown |
#brave-adblock-cosmetic-filtering-child-frames | Apply cosmetic filtering to frames other than the main frame of a page | ✔️ We enforce it for all Shield modes, otherwise it is only activated in aggressive mode. | 103.1.42.74 |
#brave-debounce | Enable debouncing (94.x+) | ✔️ | unknown |
#brave-domain-block-1pes | Enable domain blocking using First Party Ephemeral Storage | ✔️ | unknown |
#continuous-search | Continuous Search | ❌ | unknown |
#device-posture | Device Posture API | ❌ | unknown |
#edit-context | EditContext API | ❌ (100.0+) | unknown |
#enable-autofill-credit-card-authentication | Allow using platform authenticators to retrieve server cards | ❌ (87.x+) | unknown |
#enable-commerce-price-tracking | Price Tracking | ❌ Connections to Google and partners + market influence and manipulation. It is better and more privacy-friendly to trust independent retailers and engine-crawlers such as Geizhals, Mindfactory etc. | unknown |
#enable-fenced-frames | Enable the `<fencedframe>` element. | ✔️ with ShadowDOM; on Android versions older than 9 set this to plain Enabled, otherwise you might get browser crashes. | unknown |
#enable-generic-sensor-extra-classes | Generic Sensor Extra Classes | ❌ | unknown |
#enable-payment-request-basic-card | PaymentRequest API 'basic-card' method | ❌ | unknown |
#enable-quic | Enable QUIC Protocol | ✔️ (Brave filters controversial APIs) | unknown |
#feed-stamp | Enable StAMP cards in the Feed | ❌ | Default, depends on if you use Feeds or not. |
#font-access | Font Access APIs | ❌ | unknown |
#force-major-version-to-100 | #force-major-version-to-100 | ❌ | unknown |
#incognito-screenshot | Allow Incognito Screenshots | ❌ | unknown |
#large-favicon-from-google | Large favicons from Google | ❌ | unknown |
#omnibox-assistant-voice-search | Omnibox Voice Search Assistant | ❌ | unknown |
#partitioned-cookies | Partitioned Cookies | ✔️ | unknown |
#reduce-user-agent | Reduce User-Agent request header | ✔️ | unknown |
#reduce-user-agent-minor-version | Reduce the minor version in the User-Agent string | ✔️ | unknown |
#related-searches-in-bar | Enables showing Related Searches in the peeking bar. | ❌ disabled to avoid search engine ping backs | unknown |
#wallet-service-use-sandbox | Wallet Services uses Google's Sandbox | ❌ Connects to some Google endpoints. | unknown |
#webxr-incubations | WebXR Incubations | ❌ (92.0+) | unknown |
Mobile PWA
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#messages-for-android-pwa-install | PWA Installation Messages UI | ✔️ | Default |
#pwa-update-dialog-for-name-and-icon | Enable PWA install update dialog for name/icon changes | ✔️ | Default |
Mobile Performance
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#back-forward-cache | Back and forward Cache | ❌ | unknown |
#brave-adblock-cookie-list-default | Treat 'Easylist-Cookie List' as a default list source | ✔️ | unknown |
#canvas-oop-rasterization | Out-of-process 2D canvas rasterization. | ✔️ enable it on Android 10+ | unknown |
#chrome-share-long-screenshot | N/A | ❌ | unknown |
#contextual-search-debug | Contextual Search Debug | ❌ | unknown |
#contextual-search-longpress-resolve | N/A | ❌ | unknown |
#contextual-search-translation | N/A | ❌ | unknown |
#durable-client-hints-cache | Persistent client hints | ❌ | unknown |
#enable-drdc | Enables Display Compositor to use a new gpu thread. | ✔️ enable it on Android 10+ | unknown |
#enable-gpu-rasterization | GPU rasterization | ✔️ enable it on Android 10+ | unknown |
#enable-instant-start | Instant start | ✔️ | unknown |
#enable-parallel-downloading | Parallel downloading | ✔️ | unknown |
#enable-prerender2 | Prerender2 | ✔️ (90.x+) | unknown |
#enable-throttle-display-none-and-visibility-hidden-cross-origin-iframes | Throttle non-visible cross-origin iframes | ✔️ | unknown |
#restrict-websockets-pool | Restrict WebSockets pool | ✔️ (97.x+) | unknown |
#smooth-scrolling | Smooth Scrolling | ✔️ | unknown |
#throttle-foreground-timers | Throttle Foreground Timers to 30 Hz | ✔️ | unknown |
Mobile Functionality / Usability
Flag | Name | Enabled (✔️) / Disabled (❌) or/and Comment | Default flag state |
---|---|---|---|
#android-picture-in-picture-api | Picture in Picture Web API for Android | ✔️ | unknown |
#brave-adblock-cname-uncloaking | Enable CNAME uncloaking | ✔️ 91.1.27.36 (This will become obsolete and enabled by default once fully stable and merged into shields directly) | unknown |
#brave-adblock-redirect-url | Enable support for $redirect-url filter option for adblock rules | ✔️ | unknown |
#brave-cosmetic-filtering-sync-load | Enable sync loading of cosmetic filter rules | ✔️ | unknown |
#context-menu-google-lens-chip | Google Lens powered image search surfaced as a chip below the context menu. | ❌ | unknown |
#context-menu-search-with-google-lens | Google Lens powered image search in the context menu. | ❌ | unknown |
#context-menu-shop-with-google-lens | Google Lens powered image search for shoppable images in the context menu. | ❌ | unknown |
#context-menu-translate-with-google-lens | Google Lens powered image search for translatable images surfaced as a chip under the context menu. | ❌ | unknown |
#continuous-search | Continuous Search | ✔️ | unknown |
#darken-websites-checkbox-in-themes-setting | Darken Websites checkbox in Theme settings | ✔️ | unknown |
#enable-force-dark | Force Dark Mode for Web Contents | ✔️ increases text contrast | unknown |
#enable-jxl | Enable JXL image format | ✔️ (Chrome 91.1.x+) | unknown |
#enable-quick-action-search-widget-android | Quick Search Widget | ✔️ | unknown |
#google-lens-sdk-intent | Enable the use of the Lens SDK when starting intent into Lens. | ❌ | unknown |
#media-session-webrtc | Enable WebRTC actions in Media Session (93.x+) | ✔️ | unknown |
#messages-for-android-ads-blocked | Ads Blocked Messages UI | ✔️ | unknown |
#messages-for-android-permission-update | Permission Update Messages UI | ✔️ | unknown |
#messages-for-android-reader-mode | Reader Mode Messages UI | ✔️ | unknown |
#page-info-about-this-site | About this Site in Page Info | ✔️ | unknown |
#photo-picker-video-support | Photo Picker Video Support | ✔️ (with animated thumbnails) | unknown |
#playback-speed-button | Playback Speed Button | ✔️ | unknown |
#shared-highlighting-v2 | Shared Highlighting 2.0 | ✔️ (Chrome 90.x+) | unknown |
#shopping-list | Shopping List | ❌ can create problems with Sync and working with Bookmarks is a PITA in Chrome in general, hopefully Brave gets a Widget for this one day. | unknown |
#voice-button-in-top-toolbar | Voice Button in Top Toolbar | ❌ The voice function will never work here because Google prevents the use of alternative services, so we disable it. | unknown |
Brave only specific flags (not needed to be enforced)
Flag | Name | Comment | Default flag state |
---|---|---|---|
#brave-adblock-cosmetic-filtering | Enable cosmetic filtering | Enabled by default even if it only shows "default" | unknown |
#brave-adblock-csp-rules | Enable support for CSP rules | Does not need to be enforced (since 1.25.68+) | unknown |
#brave-ads-allowed-to-fallback-to-custom-push-notification-ads | Allow Brave Ads to fallback from native to custom push notifications | This is OS specific and in the future will be obsolete since Brave will detect the OS and then automatically fallback to the legacy system. | unknown |
#brave-decentralized-dns | Enable Decentralized DNS | ✔️ Since v95+ this is a setting under Browser Settings which you can easily switch. | unknown |
#brave-news | Enable Brave News | Your own decision to enable it or not, it is a global switch. | unknown |
#enable-lens-region-search | Search your screen with Google Lens (93.1.31.39+), since 1.36.112 it is disabled by default. | ❌ | unknown |
#enable-webrtc-hide-local-ips-with-mdns | This is not Brave-specific, but Brave handles it in two ways: via Shields or via a setting | Do not enforce it via flag | unknown |
Default Fonts
By default Brave Browser ships with Poppins and Muli, but those are not the default fonts used to render actual web content. The actual content fonts are:
- Standard font: Liberation Serif / Times New Roman 16
- Serif font: Liberation Serif / Times New Roman 16
- Sans-serif font: Liberation Sans / Arial 16
- Fixed-width font: Monospace / Consolas 13
Keep in mind that the list can differ because some distros do not include the mentioned fonts by default; in that case other fonts are used as defaults. Font rendering issues are a real thing.
My own suggestion is:
- Standard font: Poppins 16
- Serif font: Poppins 16
- Sans-serif font: Open Sans 16
- Fixed-width font: Muli 12
- Set the minimum font size to 6 and not 0, which is a borked default.
There is currently no way to disable font anti-aliasing/font smoothing.
Reference for the Brave vs. Browser X discussion
- Browser Startup Comparison (netmeister.org) and Brave's own inspection (brave.com)
- Browser privacy analyzed (tcd.ie) [pdf]
- Goggles: Democracy dies in darkness, and so does the Web (brave.com) [pdf]
- How to find the most secure browsers (onlinesecurityworld.com)
- Mozilla's position on specific web standards (mozilla.github.io)
- The Security Architecture of the Chromium Browser (seclab.stanford.edu)
- Update on Brave’s Ongoing Direct Mail Marketing Campaign (reddit.com)