Security and Passwords

This preferences page provides Pale Moon settings for various security features and stored passwords.


Warn me when sites try to install add-ons: Pale Moon will always ask you to confirm installations of add-ons. To prevent unrequested installation prompts which may lead to accidental installations, Pale Moon warns you when a website tries to install an add-on and blocks the installation prompt. To allow installations from a specific site, click Exceptions…, enter the site name, and click Allow. Uncheck this to disable the extra warning for all sites.

Add-on security level: Pale Moon allows you to set your desired security level for add-ons. This affects how blocklist entries are handled:

  • Off: No add-ons will be blocked (dangerous) - None of the add-ons on the blocklist will be blocked. This allows known-malicious add-ons to be installed and used and is obviously not recommended. Disabling blocking in this manner is dangerous and should only be done in testing environments and never for live browsing.
  • Low: Block only add-ons with severe security and stability issues - Only add-ons that are confirmed to be directly affecting your security, privacy or browser stability will be blocked. Other add-ons on the blocklist can still be used, even though you will be warned about them being unsafe.
  • Medium: Block all harmful add-ons (default, recommended) - All add-ons that are known to be harmful to you or unsuspecting third parties will be blocked and cannot be used. Add-ons on the blocklist that are known to cause less severe issues that do not cause harm can still be used, even though you will be warned about them causing issues.
  • High: Block all add-ons with known issues - All add-ons with an entry on the blocklist will be blocked and cannot be used, regardless of the severity of the listing.


If you store passwords in the browser, it is strongly recommended that you set and use a master password.
  • Remember passwords for sites: Pale Moon can securely save passwords you enter in web forms to make it easier to log on to websites. Clear this checkbox to prevent Pale Moon from remembering your passwords.
    Note: Even with this checked, you will still be asked whether to save specific passwords for a site when you first visit it. If you select Never for This Site, that site will be added to an exceptions list. To access this list or to remove sites from it, click the Exceptions… button.
  • Automatically fill in log-in details: When checked, Pale Moon will automatically fill in log-in credentials in log-in fields if only one entry exists for the site in the password manager. Please note that this is potentially dangerous and can allow scripts to abuse this feature for tracking or, at worst, stealing credentials.
    When not checked (default), clicking on the user name/e-mail/etc. field will provide you with one or more user names to use for filling in log-in details.
  • Use a master password: Pale Moon can protect sensitive information such as saved passwords and certificates by encrypting them using a master password. If you create a master password, each time you start a new browsing session, Pale Moon will ask you to enter the password the first time it needs to access a certificate or stored password (including when Sync is used).
    You can set, change, or remove the master password by checking or unchecking this option or by clicking the Change Master Password… button. If a master password is already set, you will need to enter the current master password in order to change or remove it, as a security measure.
  • You can manage saved passwords and view or delete individual passwords by clicking the Saved Passwords… button.

Security protocols

These settings allow you to control the use of some security protocols:
  • Enable Strict Transport Security (HSTS): This enables or disables the use of HTTP Strict Transport Security, a mechanism for websites to indicate that browsers should always connect to them using https (even on first connect). This is a security vs. privacy trade-off, because it will be possible to determine which HSTS sites have been visited before when this is enabled.
  • Enable Certificate Key Pinning (HPKP): This enables or disables the use of HTTP Public Key Pinning, which is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of man-in-the-middle attacks with forged certificates. HPKP has the potential to lock out users for a long time if used incorrectly, at which point disabling it in the browser is the only workaround.
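
The lock-out risk described for HPKP can be seen in a small model of how a client stores and enforces pins under RFC 7469. This is an added example, not Pale Moon code; the function names, the 60-day max-age and the three key byte strings are constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the key's SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_directives(header: str) -> list:
    """Split 'name=value; name; ...' into (lower-cased name, unquoted value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name.strip().lower(), value.strip().strip('"')))
    return pairs

def note_pins(header: str, chain_pins: set):
    """Return the policy a client would store, or None if the header must be ignored."""
    directives = parse_directives(header)
    pins = {v for n, v in directives if n == "pin-sha256"}
    max_age = dict(directives).get("max-age", "")
    if not max_age.isdigit():
        return None                      # max-age is required
    if not pins & chain_pins:
        return None                      # no pin matches the chain just validated
    if not pins - chain_pins:
        return None                      # no backup pin outside the current chain
    return {"pins": pins, "max_age": int(max_age)}

def connection_allowed(policy, chain_pins: set, age_seconds: int) -> bool:
    """Pin check on a later connection, age_seconds after the policy was stored."""
    if policy is None or age_seconds >= policy["max_age"]:
        return True                      # nothing stored, or the policy has expired
    return bool(policy["pins"] & chain_pins)

# Constructed stand-ins for three DER-encoded public keys (not real keys).
PIN_A, PIN_B, PIN_C = (spki_pin(k) for k in (b"key-A", b"key-B", b"key-C"))
SIXTY_DAYS = 60 * 24 * 3600
HEADER = f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age={SIXTY_DAYS}'

def lockout_demo() -> dict:
    policy = note_pins(HEADER, {PIN_A})  # first visit: key A live, key B is the backup
    return {
        "no_backup_ignored": note_pins(f'pin-sha256="{PIN_A}"; max-age=60', {PIN_A}) is None,
        "backup_key_ok": connection_allowed(policy, {PIN_B}, 86400),
        "new_key_day_1": connection_allowed(policy, {PIN_C}, 86400),
        "new_key_day_60": connection_allowed(policy, {PIN_C}, SIXTY_DAYS),
    }

if __name__ == "__main__":
    print(lockout_demo())
```

A site that moves to a key outside its pinned set is refused by every client that stored the policy until max-age runs out, which is why switching the feature off in the browser is the only client-side workaround.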

Opportunistic Encryption

These settings allow you to control whether connections will be encrypted in the background or not.
These options are transitional technology and aren't particularly secure in themselves, and as such are not recommended to be used. They interfere with e.g. in-transit caching of web content and may give you an incorrectly presented state of the connection. Enabling these options may expose you to more ways of being tracked, so this is a privacy concern as well.
  • Enable Upgrade Insecure Requests: This makes the browser send an indicator to all websites visited that, if available and supported, the website should send back a content security policy to rewrite all http connections to https and request resources in pages only over https connections and potentially redirect the browser to an https version of the page automatically without using HSTS.
  • Enable HTTP Alternative Services for OE: This makes the browser respond to hidden encryption offers by the servers visited by establishing connections to alternative addresses instead of those visible to the user, to retrieve resources over encrypted connections instead. Because all of this is hidden from the user, there is no way to verify that the "secure" resources are also actually authentic.
Site and contents © 2009-2020 Moonchild Productions - All rights reserved