How to get a high privacy score: a practical hardening checklist for 2026
This is the practical, prioritised checklist for cutting your browser's tracking and fingerprinting exposure in 2026. It is ordered from highest impact to lowest, tells you which popular tweaks are a waste of time, and explains the central trade-off that decides which strategy is right for you. Work down the list, re-test on privacyscore.dev as you go, and stop where the cost outweighs the benefit for your threat model.
First, the trade-off that governs everything: blend in or lock down
There are two coherent privacy strategies and they pull in opposite directions.
- Blending in means looking identical to a huge crowd of other users so you are not individually identifiable. The Tor Browser is the purest example: everyone running it presents nearly the same fingerprint, so no single user stands out. Aggressive, unusual customisation breaks this, because a rare configuration is itself a fingerprint.
- Locking down means blocking, spoofing, and disabling as much as possible. This stops a lot of data collection but can make you more unique, because few people have your exact set of blocked APIs and extensions.
The mistake is mixing them incoherently: piling on extensions and spoofers while expecting to blend in. Decide which model you are following. For most people the realistic answer is a privacy-respecting mainstream browser configured sensibly (locking down the worst offenders) and accepting that they are not trying to be invisible, only un-profitable to track. If you genuinely need anonymity, use Tor Browser unmodified and follow the blend-in model strictly.
Priority 1: Browser choice and configuration (highest impact)
Your browser is the foundation; no extension fixes a bad base. In rough order of out-of-the-box privacy for non-anonymity use cases, strong choices in 2026 include Firefox configured for stricter protection, and Chromium forks built around privacy defaults. A vanilla Chrome install with default settings is the weakest starting point because of its tracking surface and ecosystem.
- Set tracking protection to the strictest mode the browser offers that does not break your essential sites.
- Turn off features that phone home or personalise: search suggestions that send keystrokes, "improve the browser" telemetry, and ad-personalisation toggles.
- Keep the browser updated. Outdated builds both carry security holes and stand out as a fingerprint.
- Resist the urge to install a wall of extensions or change dozens of obscure settings; each unusual choice adds fingerprint entropy.
Priority 2: Block third-party cookies and cross-site trackers
Third-party cookies and tracker scripts are still the workhorse of cross-site profiling. This is the highest-impact, lowest-cost single change.
- Block all third-party cookies in your browser settings. Nearly every browser supports this and the breakage in 2026 is minimal because the web has been preparing for their deprecation for years.
- Install one reputable content blocker, uBlock Origin being the standard recommendation, which blocks tracker domains and scripts using maintained filter lists. One good blocker does more than five mediocre ones.
- Enable your browser's built-in tracker list as well; the two layers complement each other.
Why this ranks so high: third-party cookies are what let an advertiser recognise you on site A, then again on unrelated site B, and join the two into a browsing profile. Blocking them severs that link directly. A content blocker goes further by preventing the tracker's script from loading at all, so it never gets the chance to read or set anything, and as a side effect pages load faster and use less data because you are not downloading the tracking and ad payloads. The reason to run exactly one blocker rather than several is that a single well-maintained filter list already covers the overwhelming majority of known trackers, while stacking multiple blockers mostly adds breakage, conflicts, and fingerprintable behaviour without catching meaningfully more.
Priority 3: Reduce fingerprinting surface
Once cookies are handled, fingerprinting is the harder problem because it needs no stored identifier. Realistic mitigations:
- Use a browser with built-in fingerprinting resistance (Firefox's resistFingerprinting, or the randomisation that some Chromium forks apply to canvas and similar APIs). These either standardise or perturb the values that scripts read.
- Do not maximise customisation. Custom fonts, unusual window sizes, and exotic settings each narrow you down. Counterintuitively, a more "default" browser is often harder to fingerprint uniquely.
- Be aware that the only near-complete defence against fingerprinting is the blend-in model of Tor Browser. For mainstream browsing you are reducing, not eliminating, the surface.
The fingerprinting and tracker-surface portion of your privacyscore.dev result is the part that moves most when you change browser and enable resistance features, so re-test after this step to see the effect.
Priority 4: DNS and network
Even with a clean browser, the network layer leaks where you go and exposes your IP.
- Enable encrypted DNS (DNS over HTTPS or DNS over TLS). This stops your ISP and network from reading your DNS lookups in plaintext. Most browsers and operating systems support DoH natively now; pick a resolver with a clear no-logging policy.
- Use a VPN done right when you need to hide your IP and location from sites, or shield traffic on untrusted Wi-Fi. "Done right" means a reputable, audited provider you pay for, not a free VPN that monetises your traffic. Understand that a VPN moves trust from your ISP to the VPN operator; it does not make you anonymous and does not stop fingerprinting.
- If your threat model is genuine anonymity rather than "don't profile me", a VPN is not enough and you should be using Tor, per the blend-in strategy.
One frequently missed detail: enabling encrypted DNS in your browser only protects the lookups the browser makes. Other applications on your device, and sometimes the operating system itself, may still send DNS in plaintext to the network's default resolver, leaking the domains you visit. Setting encrypted DNS at the operating-system level rather than only in the browser closes that gap. Be aware too that DNS over HTTPS hides the lookup from your ISP but reveals it to the resolver you chose, so the choice of a trustworthy, audited, no-logging resolver is the substance of the protection, not the protocol alone.
Priority 5: Storage hygiene
Cleaning up persistent state limits long-term linking.
- Set the browser to clear cookies and site data on close, with an allow-list for the few sites you want to stay logged into.
- Periodically clear local storage and cached data, which can carry quasi-identifiers.
- Use container or profile isolation (Firefox Multi-Account Containers, or separate browser profiles) to keep, for example, your work, shopping, and personal identities from sharing cookies and being correlated.
Priority 6: Email and link defences
Tracking does not stop at the browser. Close the inbox gap too:
- Block remote images by default in your mail client so tracking pixels cannot fire and report that you opened the message, along with your IP and device.
- Use per-sender email aliases so a leaked or sold address cannot be tied back to your primary identity and can be disabled individually.
- Before clicking wrapped links, inspect or strip the tracking redirector so the click is not logged against you.
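A wrapped link can be inspected offline by parsing it instead of clicking it. The code below is an added example, not part of the original checklist; the redirect and tracking parameter names are common conventions chosen here as assumptions, and the `.example` hosts are constructed.

```javascript
// Unwrap redirector links and strip tracking parameters without any network request.
// Parameter names are assumptions based on common conventions, not an exhaustive list.
const REDIRECT_PARAMS = ["url", "u", "redirect", "target", "dest"];
const TRACKING_PARAMS = new Set(["fbclid", "gclid", "msclkid", "mc_eid"]);
const TRACKING_PREFIXES = ["utm_"];
const MAX_UNWRAP_DEPTH = 5; // guard against wrapper chains that never end

function parseHttpUrl(text) {
  try {
    const u = new URL(text);
    return u.protocol === "http:" || u.protocol === "https:" ? u : null;
  } catch {
    return null;
  }
}

// Follow "wrapper?url=<real destination>" chains by reading the query string only.
function unwrap(url, depth = 0) {
  if (depth >= MAX_UNWRAP_DEPTH) return url;
  for (const name of REDIRECT_PARAMS) {
    const inner = parseHttpUrl(url.searchParams.get(name) ?? "");
    if (inner) return unwrap(inner, depth + 1);
  }
  return url;
}

function stripTracking(url) {
  const clean = new URL(url.href);
  for (const key of [...clean.searchParams.keys()]) {
    const k = key.toLowerCase();
    if (TRACKING_PARAMS.has(k) || TRACKING_PREFIXES.some((p) => k.startsWith(p))) {
      clean.searchParams.delete(key);
    }
  }
  return clean;
}

function cleanLink(text) {
  const parsed = parseHttpUrl(text);
  if (!parsed) return null; // not an http(s) link: leave it for manual inspection
  return stripTracking(unwrap(parsed)).href;
}

// Constructed sample: a newsletter click-tracker wrapping the real destination.
const sample =
  "https://click.mailer.example/track?uid=12345&url=" +
  encodeURIComponent("https://shop.example/item/42?utm_source=news&utm_campaign=may&color=blue&fbclid=abc");
console.log(cleanLink(sample));
```

Functional parameters such as `color=blue` are kept; only the wrapper and the listed tracking parameters are removed, so review the result before trusting an unfamiliar destination.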
Priority 7: Extensions, and the risk of too many
Extensions are double-edged. The right few help; a pile of them hurts.
- Add: one content blocker (uBlock Origin), and optionally a single privacy utility you actually understand. That is usually enough.
- Avoid installing many overlapping privacy extensions. Each one adds fingerprintable behaviour, can conflict with the others, and expands the code that has deep access to your browsing. A rare combination of extensions is itself a strong identifier.
- Vet every extension: check the publisher, permissions, and update history. A malicious or abandoned extension is a bigger privacy risk than the trackers it claims to stop.
What NOT to bother with
Some popular tweaks are ineffective or counterproductive, and chasing them wastes effort and can lower your real privacy:
- User-Agent spoofing. Faking your browser string is easily detected through other signals and often makes you more unique, since real builds and spoofed builds rarely match perfectly across every check.
- Random one-off fingerprint spoofers that change a single value (e.g. a fake screen size) while leaving everything else real. Inconsistent values are a red flag that fingerprinters specifically look for.
- Relying on incognito/private mode for protection. It clears local data only; it does not change your IP, your fingerprint, or what your ISP and the websites see.
- Free VPNs as a privacy measure. Many log and sell traffic, the opposite of the goal.
- Endless about:config tinkering for marginal gains. Beyond the well-documented hardening flags, obscure changes mostly add uniqueness without meaningful protection.
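To see why User-Agent spoofing and single-value spoofers stand out, compare the values a page can read against each other. The code below is an added example, not part of the original checklist; the field names mirror `navigator` and `screen` properties, the rules are simplified assumptions, and both profiles are constructed.

```javascript
// Self-check for the cross-signal mismatches that partial spoofing creates.
function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return "windows";
  if (/Android/.test(ua)) return "android"; // test before Linux: Android UAs contain both
  if (/iPhone|iPad/.test(ua)) return "ios"; // test before Mac OS X for the same reason
  if (/Mac OS X/.test(ua)) return "macos";
  if (/Linux/.test(ua)) return "linux";
  return "unknown";
}

function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return "windows";
  if (/^Mac/.test(platform)) return "macos";
  if (/^iP(hone|ad)/.test(platform)) return "ios";
  if (/^Linux/.test(platform)) return "linux"; // Android also reports Linux here
  return "unknown";
}

function findInconsistencies(s) {
  const issues = [];
  const uaOs = osFromUserAgent(s.userAgent);
  const platOs = osFromPlatform(s.platform);
  const osAgrees = uaOs === platOs || (uaOs === "android" && platOs === "linux");
  if (uaOs !== "unknown" && platOs !== "unknown" && !osAgrees) {
    issues.push(`userAgent says ${uaOs}, platform says ${platOs}`);
  }
  if (/Firefox\//.test(s.userAgent) && s.vendor === "Google Inc.") {
    issues.push("userAgent says Firefox, vendor says Google Inc.");
  }
  if (/Mobile|Android|iPhone/.test(s.userAgent) && s.maxTouchPoints === 0) {
    issues.push("mobile userAgent, no touch support");
  }
  if (s.availWidth > s.screenWidth || s.availHeight > s.screenHeight) {
    issues.push("available area is larger than the reported screen");
  }
  return issues;
}

// Constructed profiles: a consistent one, then the same machine with two values faked.
const genuine = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
  platform: "Linux x86_64", vendor: "", maxTouchPoints: 0,
  screenWidth: 1920, screenHeight: 1080, availWidth: 1920, availHeight: 1053,
};
const spoofed = {
  ...genuine, screenWidth: 1280, screenHeight: 720,
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
};
console.log(findInconsistencies(genuine), findInconsistencies(spoofed));
```

The unmodified profile produces no findings, while the spoofed one contradicts itself twice, which makes it rarer than the configuration it was trying to hide.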
A realistic finish line
You do not need to be invisible to have a high privacy score; you need to be unprofitable and unremarkable to track. For most people the winning configuration is: a privacy-respecting browser on its strict setting, third-party cookies blocked, one good content blocker, fingerprinting resistance on, encrypted DNS, storage cleared on close with sensible exceptions, a paid reputable VPN when the situation calls for it, and the inbox locked down. That stack closes the high-impact holes while keeping the web usable.
Measure as you go. Run privacyscore.dev before you start, after the cookie and tracker step, and again after switching browser and enabling fingerprinting resistance. Watching the score move tells you which changes earned their keep for your setup, and where you have hit the point of diminishing returns and should stop.