https://github.com/q1sh101/hifox
Deterministic Firefox hardening: lock, verify, detect drift, isolate
- Host: GitHub
- URL: https://github.com/q1sh101/hifox
- Owner: q1sh101
- License: mit
- Created: 2026-02-14T03:25:27.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-05-05T14:05:09.000Z (about 1 month ago)
- Last Synced: 2026-05-05T16:11:47.758Z (about 1 month ago)
- Topics: autoconfig, browser-security, firefox, firefox-hardening, flatpak, linux, privacy, shell-script, systemd, webapp
- Language: Shell
- Homepage:
- Size: 713 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
hifox
Deterministic Firefox hardening with isolated webapp profiles.
## quickstart
```bash
git clone https://github.com/q1sh101/hifox && cd hifox
# standard Firefox
bash hifox.sh install --standard
# Flatpak Firefox
bash hifox.sh install --flatpak
# hifox is single-target: install refuses if both Firefox targets are present.
# install creates ~/.local/bin/hifox
# launch Firefox once, close it, then launch again
hifox verify # stops Firefox if drift is detected
hifox status
```
> **Snap Firefox is not supported** because `/snap/firefox` is read-only. Use Mozilla `.deb`, the `/opt/firefox` tarball, or `--flatpak`.
>
> `HIFOX_LAUNCHER` applies only to terminal launches; menu icons pin the selected target directly.
>
> Mozilla tarballs under `/opt/firefox` may need an AppArmor profile on Ubuntu 24.04+.
>
> **Protected media:** Flatpak Firefox is the tested target for DRM/audio/video webapps. Standard Linux Firefox builds vary by distro sandboxing and codec/CDM integration, so Prime Video, Netflix, or Spotify may fail playback even when hifox is deployed correctly.
## what it does
- Locks Firefox prefs with `lockPref()` so extensions, websites, and runtime code cannot override them.
- Stops Firefox when deployed prefs or files drift from the repo.
- Turns Firefox updates into reviewable pref diffs through per-target `generated_pref_dump..txt`.
- Runs webapps as isolated Firefox profiles with per-app unlocks for things like microphone, screen share, or DRM.
- Treats the repo as the source of truth: edit config, save, deploy, verify.
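The drift check described in the list above, reduced to its core idea as an added example. This is not hifox's own code: the function names `drift_report` and `make_sample`, the directory layout, and the sample pref and policy values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not hifox's code: report drift between a repo config
# directory (source of truth) and a deployed copy. File names containing
# newlines are not handled.

# drift_report REPO_DIR DEPLOYED_DIR
# Prints MISSING/MODIFIED/EXTRA lines; returns 0 if the trees match, 1 if not.
drift_report() {
    dr_repo=$1 dr_live=$2
    dr_out=$(
        # Every repo file must exist in the deployed tree, byte for byte.
        (cd "$dr_repo" && find . -type f) | sort | while IFS= read -r f; do
            if [ ! -f "$dr_live/$f" ]; then
                echo "MISSING $f"
            elif ! cmp -s "$dr_repo/$f" "$dr_live/$f"; then
                echo "MODIFIED $f"
            fi
        done
        # Files that exist only in the deployed tree also count as drift.
        (cd "$dr_live" && find . -type f) | sort | while IFS= read -r f; do
            [ -f "$dr_repo/$f" ] || echo "EXTRA $f"
        done
    )
    [ -z "$dr_out" ] && return 0
    printf '%s\n' "$dr_out"
    return 1
}

# make_sample DIR: build a constructed repo tree and an identical deployed tree.
make_sample() {
    mkdir -p "$1/repo" "$1/live"
    # Constructed content; the first line of an autoconfig .cfg is ignored by Firefox.
    printf '%s\n' '// constructed sample' \
        'lockPref("media.peerconnection.enabled", false);' > "$1/repo/global_lockprefs.cfg"
    echo '{"policies": {"DisableTelemetry": true}}' > "$1/repo/policies.json"
    cp "$1/repo/"* "$1/live/"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
drift_report "$demo_dir/repo" "$demo_dir/live" && echo "clean after deploy"
# Simulate tampering with the deployed copy: flip a locked pref, add a stray file.
printf '%s\n' '// constructed sample' \
    'lockPref("media.peerconnection.enabled", true);' > "$demo_dir/live/global_lockprefs.cfg"
echo 'user_pref("constructed.example", 1);' > "$demo_dir/live/user.js"
drift_report "$demo_dir/repo" "$demo_dir/live" || echo "drift detected"
rm -rf "$demo_dir"
```

A caller can act on the non-zero exit status, for example by refusing to launch the browser until the deployed tree matches the repo again.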
## commands
```text
hifox install <--flatpak|--standard>  save target, deploy, install watchers
hifox deploy                          sync repo config to Firefox
hifox verify                          verify live state; stop Firefox on drift
hifox status                          compare repo state with deployed state
hifox clean                           remove stale profile remnants
hifox purge [--flatpak|--standard]    delete profile data after confirmation
hifox logs                            follow deploy and verify logs
hifox watch install|remove|status     manage systemd file watchers
hifox install-systemconfig            register Flatpak systemconfig extension
```
Before install creates the `hifox` command, use `bash hifox.sh `.
## files
```text
config/global_lockprefs.cfg      global Firefox lockPrefs
config/policies.json             Firefox policy controls
config/user.js                   per-profile canary marker
config/autoconfig.js             bootstrap loader for autoconfig.cfg
config/generate_pref_dump.cfg    Firefox pref dump generator
config/generated_pref_dump..txt  per-target reviewed Firefox runtime dump
config/hifox.css                 default profile homepage CSS
webapp/shared/webapp.cfg         shared webapp runtime behavior
webapp/shared/webapp.css         webapp chrome CSS
webapp//prefs.cfg                per-webapp permission overrides
```
## reference
- [ARCHITECTURE.md](docs/ARCHITECTURE.md) - full system map.
- [Screenshot](docs/screenshot.png)
- [MIT License](LICENSE)