Web Browser

Posted on 3 2026

The source material this series draws on covers Firefox with a significant stack of privacy extensions. That approach is not wrong, but it represents a lot of configuration to achieve a baseline that Brave ships with out of the box. Brave is a Chromium-based browser with built-in ad blocking, fingerprint protection, HTTPS upgrades, and tracker blocking that work without any extension installation. For a self-hosted infrastructure setup where minimising attack surface and external dependencies matters, Brave is the more coherent choice.

This page is not an endorsement of every decision Brave Technologies makes as a company. It is an assessment that for this specific use case, on this specific desktop, Brave’s defaults are closer to what is wanted than Firefox’s defaults, and the remaining gap is easier to close.

Installation

Brave is not in the standard Ubuntu repositories. Install it from the official Brave repository:

sudo curl -fsSLo /usr/share/keyrings/brave-browser-archive-keyring.gpg \
    https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] \
    https://brave-browser-apt-release.s3.brave.com/ stable main" | \
    sudo tee /etc/apt/sources.list.d/brave-browser-release.list

sudo apt update
sudo apt install brave-browser

Verify the installation:

brave-browser --version
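
A check on the repository entry written above, as an added example that is not part of the original page. It confirms that every entry in a list file is fetched over HTTPS and is pinned with signed-by to its own keyring rather than to a globally trusted key; the helper name check_apt_source is hypothetical.

```shell
#!/bin/sh
# Added example: lint a one-line-style APT list file.
# check_apt_source is a hypothetical helper name, not a Brave or APT tool.
# Returns 0 only if every deb/deb-src entry uses https and is pinned with
# signed-by= to a keyring outside the globally trusted key locations.
check_apt_source() {
    file=$1
    rc=0
    entries=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Normalise whitespace; the echo above leaves a run of spaces.
        line=$(printf '%s\n' "$line" | tr -s ' \t' ' ' | sed 's/^ //')
        case $line in
            'deb '*|'deb-src '*) entries=$((entries + 1)) ;;
            *) continue ;;   # blank lines and comments
        esac
        # Options are the optional [key=value ...] group after the type.
        opts=$(printf '%s\n' "$line" | sed -n 's/^[^ ]* \[\([^]]*\)].*/\1/p')
        uri=$(printf '%s\n' "$line" |
            sed 's/^[^ ]* \(\[[^]]*] \)\{0,1\}//' | cut -d' ' -f1)
        keyring=
        for opt in $opts; do
            case $opt in signed-by=*) keyring=${opt#signed-by=} ;; esac
        done
        case $keyring in
            '') echo "FAIL $uri: no signed-by, any trusted key is accepted" >&2
                rc=1 ;;
            /etc/apt/trusted.gpg*)
                echo "FAIL $uri: keyring is trusted for every repository" >&2
                rc=1 ;;
        esac
        case $uri in
            https://*) ;;
            *) echo "FAIL $uri: not fetched over https" >&2; rc=1 ;;
        esac
    done < "$file"
    [ "$entries" -gt 0 ] || { echo "FAIL no entries in $file" >&2; rc=1; }
    return "$rc"
}

# Usage: check_apt_source /etc/apt/sources.list.d/brave-browser-release.list
```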

Initial setup

On first launch, Brave will offer to import bookmarks and settings from other browsers. Skip this for a clean start.

Set Brave as the default browser from the application launcher: search for Default Applications and set the web browser to Brave.

Shields configuration

Brave Shields is the built-in blocking system. It handles ad blocking, tracker blocking, fingerprint protection, and HTTPS upgrades per-site, with a global default. Configure the global defaults first.

Open Settings (hamburger menu or brave://settings), navigate to Shields, and set:

Trackers and ads blocking: Aggressive. The standard setting blocks known trackers. Aggressive also blocks first-party tracking, which is increasingly how ad networks avoid standard blockers. Some sites break at the Aggressive level, but you can drop individual sites to Standard without changing the global setting.

Upgrade connections to HTTPS: Enabled. Replaces HTTP with HTTPS where available, the same function HTTPS Everywhere provided for Firefox.

Block fingerprinting: Standard. This randomises fingerprinting APIs to make your browser harder to track across sites. Strict mode breaks more sites; standard is a reasonable default.

Block cookies: Cross-site only. Blocks third-party cookies while allowing first-party ones. This is the right default for most sites.

Prevent sites from learning my language: Enabled.

Privacy settings

Navigate to Settings > Privacy and Security.

WebRTC IP handling policy: Set to “Disable non-proxied UDP”. This prevents WebRTC from leaking your real IP address when using a VPN or the WireGuard tunnel from the network section.

Use secure DNS: Enable and select a custom provider. Point it at your local Unbound resolver:

https://127.0.0.1/dns-query

If Unbound is not configured with DNS-over-HTTPS (it is not in this series), leave this as the system default. The system resolver is already pointed at Unbound via the network configuration.

Send a “Do Not Track” request: This is largely theatre since most sites ignore it, but enable it for completeness.

Allow privacy-preserving product analytics: Disable. This is Brave’s own telemetry system.

Allow Brave to improve Brave Rewards and Ads: Disable if you are not using Brave Rewards.

Automatically send daily usage ping to Brave: Disable.

Automatically send diagnostic reports: Disable.

Search engine

Navigate to Settings > Search Engine.

Change the default search engine from Brave Search to your preference. The options worth considering:

DuckDuckGo is the established privacy-respecting search engine. Results are good for most queries, and there is no profile building across sessions.

Brave Search is Brave’s own independent search index, not built on Google or Bing results. Worth trying, though coverage is still less comprehensive than DuckDuckGo for niche queries.

Startpage proxies Google search results without your IP or identity being passed to Google. The best result quality of the privacy-focused options.

Remove the default search engines you will not use. In the search engine settings, expand the list and remove Google, Bing, and any others you do not want to offer.

New tab page

Navigate to Settings > New Tab Page.

Disable the Brave News feed, sponsored images, and top sites if you want a minimal new tab page. Set it to a blank page or DuckDuckGo if you prefer a search box on new tabs.

Passwords and autofill

Brave has a built-in password manager. For this setup, KeePassXC handles credentials and the KeePassXC browser extension is the right integration point. Do not use Brave’s built-in password manager alongside KeePassXC, as the two will conflict.

Navigate to Settings > Autofill and Passwords:

  • Offer to save passwords: Disable
  • Sign in automatically: Disable
  • Payment methods: Disable saving and autofill
  • Addresses: Disable saving and autofill

Extensions

Brave natively handles most of what the Firefox extensions in the source material were doing. The list of extensions worth adding is short.

KeePassXC Browser

The KeePassXC browser integration extension connects Brave to the local KeePassXC instance for credential autofill.

Install from the Chrome Web Store (Brave supports Chrome extensions):

https://chromewebstore.google.com/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk

After installing, open KeePassXC, go to Settings > Browser Integration, enable it, and add Brave as a connected browser. The extension will prompt to connect on first use.

uBlock Origin

Although Brave’s built-in blocking is strong, uBlock Origin adds support for more filter lists and more granular per-site control. It is worth installing for the ability to use custom filter lists.

https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm

After installing, open the uBlock Origin dashboard and enable additional filter lists: EasyPrivacy, Malware domains, and the uBlock filters - Annoyances list are all worth enabling beyond the defaults.

LocalCDN

LocalCDN is the modern replacement for Decentraleyes. It intercepts requests to content delivery networks and serves local copies of common JavaScript libraries, reducing tracking and improving load times.

https://chromewebstore.google.com/detail/localcdn/njdfdhgcmkockofmCanicmkfeibkmkml

Extensions to avoid

Several extensions from the source material are either deprecated or redundant with Brave:

  • HTTPS Everywhere: Brave handles this natively. The extension is discontinued.
  • Privacy Badger: Brave Shields covers this. Running both creates unnecessary overhead.
  • Self-Destructing Cookies: Abandoned. Use Brave’s cookie controls instead.

Trusting your internal CA

Services running on your internal network use TLS certificates signed by your own Certificate Authority, built in the CA section of this series. Brave, like all Chromium-based browsers, uses the system certificate store on Linux. Adding your root CA to the system trust store makes it trusted in Brave automatically.

If you have not already added the root CA:

sudo cp /path/to/your-root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Restart Brave after updating the certificate store. Internal services should now load without certificate warnings.

Verify by visiting an internal HTTPS service and checking the padlock. The certificate chain should show your root CA as the issuer.
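
A pre-flight and post-install check for the two commands above, as an added example that is not part of the original page. It assumes the Ubuntu bundle path /etc/ssl/certs/ca-certificates.crt and one certificate per file; the helper names ca_file_ok and ca_in_bundle are hypothetical.

```shell
#!/bin/sh
# Added example: checks around update-ca-certificates.
# ca_file_ok and ca_in_bundle are hypothetical helper names.

# update-ca-certificates only picks up PEM files whose name ends in .crt,
# so a DER-encoded file or a .pem name is skipped without an error.
# Run this on the file before copying it.
ca_file_ok() {
    cert=$1
    case $cert in
        *.crt) ;;
        *) echo "FAIL $cert: name must end in .crt" >&2; return 1 ;;
    esac
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$n" -eq 1 ] || {
        echo "FAIL $cert: expected one PEM certificate, found $n" >&2
        return 1
    }
}

# After update-ca-certificates, confirm the exact certificate is present
# in the generated bundle. Line wrapping is ignored by flattening both.
ca_in_bundle() {
    cert=$1
    bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    body=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$cert" |
        grep -v -- '-----' | tr -d '\r\n')
    [ -n "$body" ] || return 1
    needle="-----BEGIN CERTIFICATE-----$body-----END CERTIFICATE-----"
    tr -d '\r\n' < "$bundle" | grep -qF -- "$needle"
}

# Usage (path as on this page):
#   ca_file_ok /path/to/your-root-ca.crt
#   ca_in_bundle /path/to/your-root-ca.crt
```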

XMPP protocol handler

The source material covers registering an XMPP protocol handler in Firefox via about:config. In Brave, this is done differently since there is no equivalent config page for custom protocol handlers.

Register XMPP links at the system level instead. Create a desktop entry for your XMPP client, then register it as the default handler for the xmpp scheme (KDE Plasma uses xdg-open for protocol handling):

xdg-mime default your-xmpp-client.desktop x-scheme-handler/xmpp

Replace your-xmpp-client.desktop with the actual desktop file name for your XMPP client. Brave will then defer xmpp:// links to the system handler rather than trying to handle them internally.
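
The desktop entry this step relies on, as an added example that is not part of the original page. It writes a minimal entry and checks that the link, which originates from a web page, is handed to the client as a single %u argument rather than through a shell. The client name example-xmpp-client and both helper names are placeholders.

```shell
#!/bin/sh
# Added example. "example-xmpp-client" is a placeholder and the helper
# names are hypothetical.

# write_handler_entry DIR ID BINARY SCHEME
write_handler_entry() {
    mkdir -p "$1"
    cat > "$1/$2.desktop" <<EOF
[Desktop Entry]
Type=Application
Name=$2
Exec=$3 %u
NoDisplay=true
MimeType=x-scheme-handler/$4;
EOF
}

# check_handler_entry FILE SCHEME
# The entry must claim the scheme, and Exec must take the URL through an
# unquoted %u/%U field code so it arrives as one argument.
check_handler_entry() {
    file=$1 scheme=$2
    grep -Eq "^MimeType=(.*;)?x-scheme-handler/$scheme(;|\$)" "$file" ||
        { echo "FAIL: MimeType does not claim $scheme" >&2; return 1; }
    exec_line=$(sed -n '/^Exec=/{p;q;}' "$file")
    case $exec_line in
        *'sh -c'*|*'"%'[uU]'"'*)
            echo "FAIL: URL goes through a shell or a quoted field code" >&2
            return 1 ;;
        *%[uU]*) ;;
        *) echo "FAIL: Exec has no %u/%U, the link is never passed" >&2
           return 1 ;;
    esac
}

# Usage:
#   write_handler_entry "$HOME/.local/share/applications" \
#       example-xmpp-client /usr/bin/example-xmpp-client xmpp
#   xdg-mime default example-xmpp-client.desktop x-scheme-handler/xmpp
#   xdg-mime query default x-scheme-handler/xmpp
```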

Security verification

After configuration, verify the browser is behaving as expected:

TLS capabilities: Visit https://www.howsmyssl.com/ to check TLS client configuration. The result should show TLS 1.3 support and no known vulnerabilities.

DNS leak test: With the WireGuard VPN connected, visit https://dnsleaktest.com/ and run the extended test. All DNS servers shown should be your internal resolver or the VPN exit point, not your ISP’s resolvers.

WebRTC leak test: Visit https://browserleaks.com/webrtc and verify no local IP addresses are exposed. The “Disable non-proxied UDP” setting from earlier handles this.

Fingerprint baseline: Visit https://coveryourtracks.eff.org/ and run the test. Brave with fingerprint protection enabled should show strong protection.

Brave Rewards and the BAT cryptocurrency integration are entirely optional and off by default. Nothing in this setup requires them. If you are not interested in the Brave Rewards system, leave it disabled and it will not affect the browser’s behaviour in any way.