Security and Passwords
This preferences page provides Pale Moon settings for
various security features and stored passwords.
Warn me when sites try to install add-ons:
Pale Moon will always ask you to confirm installations of add-ons. To
prevent unrequested installation prompts which may lead to accidental
installations, Pale Moon warns you when a website tries to install an
add-on and blocks the installation prompt. To allow installations from
a specific site, click ,
enter the site name, and click . Uncheck this to disable the extra warning
for all sites.
Add-on security level: Pale Moon allows you
to set your desired security level for add-ons. This affects how
blocklist entries are handled:
- Off: No add-ons will be blocked (dangerous)
- None of the add-ons on the blocklist will be blocked. This allows
known-malicious add-ons to be installed and used and is obviously not
recommended. Disabling blocking in this manner is dangerous and should
only be done in testing environments and never for live browsing.
- Low: Block only add-ons with severe security and
stability issues - Only add-ons that are confirmed to be
directly affecting your security, privacy or browser stability will be
blocked. Other add-ons on the blocklist can still be used, even though
you will be warned about them being unsafe.
- Medium: Block all harmful add-ons (default,
recommended) - All add-ons that are known to be harmful to you
or unsuspecting third parties will be blocked and cannot be used.
Add-ons on the blocklist that are known to cause less severe issues
that do not cause harm can still be used, even though you will be
warned about them causing issues.
- High: Block all add-ons with known issues
- All add-ons with an entry on the blocklist will be blocked and cannot
be used, regardless of the severity of the listing.
If you store passwords in the browser, it is strongly recommended that
you set and use a master password.
- Remember passwords for sites: Pale Moon
can securely save passwords you enter in web forms to make it easier to
log on to websites. Clear this checkbox to prevent Pale Moon from
remembering your passwords.
Note: Even with this
checked, you will still be asked whether to save specific passwords for
a site when you first visit it. If you select ,
that site will be added to an exceptions list. To access this list or
to remove sites from it, click the button.
- Automatically fill in log-in details:
When checked, Pale Moon will automatically fill in log-in credentials
in log-in fields if only one entry exists for the site in the password
manager. Please note that this is potentially dangerous and can allow
scripts to abuse this feature for tracking or, at worst, stealing
When not checked (default), clicking on the user name/e-mail/etc. field
will provide you with one or more user names to use for filling in
- Use a master password: Pale Moon can
sensitive information such as saved passwords and certificates by
encrypting them using a master password. If you create a master
password, each time you start a new browsing session, Pale Moon will
ask you to enter the password the first time it needs to access a
certificate or stored password (including when Sync is used).
You can set, change, or remove the master password by checking or
unchecking this option or by
button. If a master password is already set, you will need to enter the
current master password in order to change or remove it, as a security
- You can manage saved passwords and view or delete
individual passwords by clicking the
These settings allow you to control the use of some security protocols:
- Enable Strict Transport
Security (HSTS): This enables or disables the use of HTTP Strict
Transport Security, a mechanism for websites to indicate that browsers
should always connect to them using https (even on first connect). This
is a security vs. privacy trade-off, because it will be possible to
determine which HSTS sites have been visited before when this is
- Enable Certificate Key
Pinning (HPKP): this enables or disables the use of HTTP
Public Key Pinning, which is a security feature that tells a web
client to associate a specific cryptographic public key with a certain
web server to decrease the risk of man-in-the-middle attacks with
forged certificates. HPKP has the potential to lock out users for a
long time if used incorrectly, at which point disabling it in the
browser is the only workaround.
These settings allow you to control whether connections will be
encrypted in the background or not.
These options are transitional technology and aren't particularly
secure in themselves, and as such are not recommended to be used. They
interfere with e.g. in-transit caching of web content and may give you
an incorrectly presented state of the connection. Enabling these
options may expose you to more ways of being tracked, so this is a
privacy concern as well.
- Enable Upgrade Insecure
Requests: This makes the browser send an indicator to all
websites visited that, if available and supported, the website should
send back a content security policy to rewrite all http connections to
https and request resources in pages only over https connections and
potentially redirect the browser to an https version of the page
automatically without using HSTS.
- Enable HTTP Alternative
Services for OE: This makes the browser respond to hidden
encryption offers by the servers visited by establishing connections to
alternative addresses instead of those visible to the user, to retrieve
resources over encrypted connections instead. Because all of this is
hidden from the user, there is no way to verify that the "secure"
resources are also actually authentic.