Tor Browser comes with carefully designed security settings that balance privacy with usability. Understanding these settings helps you choose the right level of protection for different situations. This guide explains each option and when to use it.

The Three Security Levels

Click the shield icon near the address bar to access security settings. Tor offers three levels, each with different trade-offs between security and convenience.

Standard (Default)

This is how Tor Browser starts. All website features work, including JavaScript, images, fonts, and videos. Most sites display normally. You get the full web experience while still routing through Tor.

Standard mode provides good privacy for general browsing. Your IP address is hidden, your connection is encrypted, and tracking is blocked. For reading news, searching, and casual browsing, this level works fine.

The downside is that JavaScript and other active content can potentially be exploited. If someone finds a vulnerability in Firefox or Tor Browser, active content could reveal your real IP address or other identifying information. For most threats, Standard mode is sufficient. For targeted attacks by sophisticated adversaries, it's not enough.

Safer (Increased Protection)

This mode disables JavaScript on non-HTTPS sites. Many fonts are blocked. Some math symbols and images might not display. Audio and video need clicking before they play instead of auto-playing.

The web looks and behaves differently in Safer mode. Animations stop working. Some site layouts break. Interactive features fail. But your security improves significantly because you're blocking the most common attack vectors.

Use Safer mode when you need better protection but still want most sites to function. It's a good middle ground for accessing .onion sites you don't fully trust, browsing forums, or visiting sites in riskier categories.

Safest (Maximum Protection)

JavaScript is disabled everywhere, even on HTTPS sites. Only static content displays. Many sites won't work at all. No videos, no animations, no interactive features. Just text and images.

Safest mode is for high-risk situations. Use it when accessing sensitive information, handling cryptocurrency, or doing anything where anonymity is critical. Accept that many sites will be unusable.

Even simple sites might break in unexpected ways. Form submissions might fail. Navigation menus might not work. This is intentional. The restrictions protect you from sophisticated attacks that exploit web technologies.

When to Use Each Level

Standard mode: Regular browsing, reading news, general research, accessing legitimate services with HTTPS. Most of your Tor usage probably fits here.

Safer mode: Visiting new .onion sites, browsing forums with user-generated content, accessing sites without HTTPS, any situation where you're slightly suspicious. This should be your default for dark web browsing.

Safest mode: Handling cryptocurrency, accessing markets (educational purposes only), submitting sensitive information, any activity where your anonymity is absolutely critical. This is your insurance policy.

You can change security levels at any time. Try browsing at a higher level. If a site doesn't work, decide whether you really need to visit it or if you can lower the security temporarily. Good practice is staying at Safer by default and only lowering to Standard when necessary.

NoScript Settings

Tor Browser includes NoScript, a powerful tool that controls what scripts run on websites. At Standard security level, NoScript runs in the background but doesn't block much. At Safer and Safest, it blocks aggressively.

Understanding the Interface

Click the NoScript icon (a small "S" shape) to see what's being blocked on the current page. You'll see a list of sources trying to run scripts. Each can be allowed temporarily or permanently.

Don't just click "Allow" on everything. Read what's being blocked. Many blocked sources are third-party trackers or advertising networks. Allowing them defeats much of Tor's privacy protection.

Temporary vs Permanent Permissions

Temporary permissions last until you close Tor Browser. Use these for sites you're visiting once and don't plan to return to. Your choices don't persist between sessions.

Permanent permissions are remembered. Only use these for sites you fully trust and visit regularly. Even then, consider whether you really need JavaScript enabled for that site.

Common NoScript Scenarios

Site won't load at all: Check NoScript. The site probably needs scripts from its own domain. Allow those temporarily and reload.

Login doesn't work: Many login forms require JavaScript. Allow scripts from the main domain, try logging in, then revoke permission if you won't need to log in again.

Media player shows but won't play: Video players need JavaScript. Decide if watching that video is worth enabling scripts.

Important: Allowing JavaScript on suspicious sites can compromise your anonymity. If NoScript is blocking something, there's probably a good reason. Think carefully before allowing scripts, especially on .onion sites you don't fully trust.

HTTPS-Only Mode

Tor Browser automatically tries to upgrade all connections to HTTPS. This adds encryption between you and the website, even though your connection to Tor is already encrypted.

If a site doesn't support HTTPS, you'll see a warning. Consider whether you really need to visit that site. Unencrypted connections can be monitored at the exit node, defeating part of Tor's protection.

You can temporarily bypass the HTTPS requirement, but do this rarely and only for sites that can't possibly harm you. Never enter passwords or sensitive information on HTTP sites.

Circuit Display and Management

Click the onion icon to see your current circuit - the path your connection takes through Tor. You'll see three nodes: entry (guard), middle, and exit.

When to Request New Circuit

Site won't load: A new circuit might route through different nodes that aren't blocked or overloaded.

Extremely slow connection: Sometimes you get unlucky with slow nodes. A new circuit might be faster.

Site shows you're in wrong country: The exit node determines what country websites think you're from. New circuit changes your apparent location.

After visiting sensitive site: Getting a new circuit prevents linking your activities across sites, though Tor does this automatically between unrelated sites.

New Identity

Different from a new circuit, "New Identity" closes all tabs and clears all cookies and site data. Use this when you want to completely separate your current session from your previous one.

New Identity makes it look like a completely different person started using Tor Browser. There's no connection to what you were doing before. Use it when switching between activities you want to keep completely separate.

Window Size and Screen Resolution

Tor Browser opens in a standard size to make all users look identical. Don't resize or maximize the window. Your screen resolution and window size can be used to identify you (browser fingerprinting).

If the small window bothers you, increase your screen zoom instead of resizing. Press Ctrl and + (Cmd and + on Mac) to make content larger while keeping the standard window size.

Extensions and Add-ons

Don't install any. Tor Browser comes with everything you need built in. Extensions can leak information about you, break Tor's protection, and make you unique (easier to fingerprint).

Every extension you add makes you more identifiable. Tor's protection depends on everyone looking the same. Extensions ruin this uniformity.

If you think you need an extension, there's probably a better way to do what you want. Ask in Tor community forums before installing anything.

Private Browsing Mode

Tor Browser is always in private browsing mode. You don't need to enable it. Everything is automatically cleared when you close the browser.

Bookmarks and saved passwords are the only things that persist. This is intentional - you need some persistence for usability. Everything else disappears.

About:Config Advanced Settings

Type "about:config" in the address bar to access Firefox's advanced settings. Hundreds of options control detailed browser behavior.

Don't change these unless you know exactly what you're doing. Tor Browser's developers carefully configured these settings for optimal privacy. Random changes can break your anonymity or security.

The Tor Project maintains documentation of which settings are safe to change. If you're curious about a setting, research it first. When in doubt, leave it alone.

Connection Settings

Most people never need to touch these, but they're useful in specific situations.

Bridges

If Tor is blocked in your country or network, bridges help you connect. Configure these at startup by selecting "Tor is censored in my country."

Different bridge types work better in different situations. Obfs4 bridges are most common and work in many censored regions. If one type doesn't work, try another.

Proxy Settings

Tor can route through a proxy before connecting to the Tor network. This is rarely needed unless you're in a very restrictive environment.

Don't confuse this with using a VPN with Tor. Proxy settings here are for connecting to Tor, not for your browsing once connected.

Update Settings

Tor Browser checks for updates automatically. Always install updates when prompted. They fix security vulnerabilities that could compromise your anonymity.

Updates download through Tor, so they're private. The process takes longer than regular browser updates but ensures nobody can see you're updating Tor Browser.

Best Practices for Settings Management

Start at Safer security level and only lower it when necessary. This trains you to browse with higher security and shows you which sites really need lower settings.

Keep a text file of sites that require Standard mode. This helps you remember which sites legitimately need JavaScript and which you're lowering security for out of convenience.

Periodically review your NoScript permanent permissions. You probably allowed some sites months ago that you don't visit anymore. Clean them out.

Don't obsess over perfect settings. Using Tor with default settings is much better than not using Tor at all. These tweaks are optimizations, not requirements.

Settings That Don't Exist (And Why)

You can't change the user agent string. Everyone uses the same one to prevent fingerprinting.

You can't easily change which country your exit node is in. Controlling exit location can compromise anonymity.

You can't permanently disable JavaScript globally while keeping it on specific sites easily. The security levels are designed this way deliberately.

These limitations exist for good reasons. They prevent you from making choices that would harm your anonymity even if they seem convenient.

Mobile Differences

Tor Browser for Android has most of the same settings as desktop. The security levels work identically. NoScript is included.

Some settings are harder to access on mobile. Circuit display works the same way. The overall experience is similar but adapted for touchscreens.

iOS has limitations because Apple restricts how browsers work. The official Onion Browser for iOS does its best but can't provide identical protection to Tor Browser on desktop.

Learning Through Experimentation

The best way to understand these settings is using them. Try browsing at Safest level for a session. See what breaks and what still works.

Compare how the same site looks at different security levels. This shows you exactly what each level blocks.

Check your circuit regularly while browsing. Watch how it changes for different sites. This demystifies how Tor works.

Settings aren't set-and-forget. You'll adjust them based on what you're doing. That's normal and expected. The key is making conscious choices rather than clicking without thinking.