A comprehensive browser hardening solution whose protection stays with your browser even after you leave idarti.com. Inspired by Mullvad Browser's privacy-first approach, Katarakt provides multi-layered protection through a client-side service worker and edge security on Cloudflare and Google Cloud.
- Architecture
- Screenshots
- Features
- Quick Start
- Configuration Export
- API Endpoints
- Mullvad Browser Alignment
- Development
- Contributing
- License
- Support the Project
## Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│ USER BROWSER │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Katarakt Service Worker │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │Fingerprin│ │ WebRTC │ │ Tracker │ │ Script │ │ │
│ │ │Protection│ │ Block │ │ Blocker │ │ Analyzer │ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ CLOUDFLARE EDGE │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Katarakt Edge Worker │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ Bot │ │ WAF │ │ DDoS │ │ Header │ │ │
│ │ │Detection │ │ Rules │ │ Protect │ │ Hardening│ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ GOOGLE CLOUD BACKEND │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────────┐ │
│ │ Cloud Armor │ │ Threat │ │ Security Command Center │ │
│ │ Policy │ │Intelligence │ │ (Monitoring) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```

## Screenshots

- Main dashboard showing protection modules and security status
- Real-time threat monitoring with live activity graph
- Comprehensive security statistics and threat logs
## Features

### Browser Service Worker

- Fingerprint Resistance: Spoofs canvas, WebGL, audio context, and hardware signatures
- WebRTC Leak Prevention: Blocks local IP address exposure
- Tracker Blocking: Blocks 100+ known tracking domains
- Cryptominer Detection: Identifies and blocks browser-based mining scripts
- HTTPS Enforcement: Automatic upgrade of insecure connections
- Referrer Sanitization: Limits cross-origin referrer data
- Script Analysis: Real-time detection of malicious JavaScript patterns
Fingerprint vectors covered:

| Vector | Protection Method |
|---|---|
| Canvas | Noise injection + getImageData spoofing |
| WebGL | Parameter spoofing + readPixels blocking |
| Audio | Oscillator/Analyser interception |
| Navigator | hardwareConcurrency, deviceMemory, platform normalized |
| Plugins | Empty array returned |
| Screen | Resolution/colorDepth normalized |
| Timezone | UTC spoofing |
| Battery | API blocked |
| Network Info | API blocked |
| Performance.now | Precision reduced (Spectre mitigation) |
| Text Metrics | Values rounded |
| ClientRects | Values rounded |
| Speech Synthesis | getVoices returns empty |
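As an added illustration of three rows of the table above (example code written for this page, not Katarakt's katarakt-worker.js), the block below shows how page-context defenses are typically installed: navigator normalization by redefining the properties as accessors, a coarsened performance.now(), and per-session canvas noise applied to getImageData output. The profile values, the 100 µs timer granularity, and the mock window used to exercise it are assumptions. Two points matter in practice: the noise is seeded once per session, because per-call randomness lets a tracker detect spoofing by reading the canvas twice and diffing; and a service worker cannot reach page-context APIs such as canvas at all, it only intercepts fetches, so code like this has to run in the document itself, which is what the edge worker's script injection provides. Hooks in the page's realm can still be bypassed from a fresh realm (an about:blank iframe) unless the injected script covers that too.

```javascript
'use strict';

// Deterministic PRNG (mulberry32). Seeded once per session so the canvas noise
// is stable across reads within a session but differs between sessions.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Normalized navigator profile (assumed values; the page does not state
// Katarakt's). A common fixed profile is what shrinks the fingerprint.
const NAVIGATOR_PROFILE = { hardwareConcurrency: 4, deviceMemory: 8, platform: 'Win32' };

const TIMER_GRANULARITY_MS = 0.1; // 100 µs buckets (assumed granularity)

// Install defenses on a window-like object. In a browser pass `window`; the
// accessor definitions on the navigator instance shadow Navigator.prototype.
function installFingerprintDefenses(win, seed = Date.now() >>> 0) {
  const rand = mulberry32(seed);

  // 1. Navigator normalization: page script sees the profile, not the hardware.
  for (const [key, value] of Object.entries(NAVIGATOR_PROFILE)) {
    Object.defineProperty(win.navigator, key, { get: () => value, configurable: true, enumerable: true });
  }
  Object.defineProperty(win.navigator, 'plugins', { get: () => [], configurable: true, enumerable: true });

  // 2. Coarsened performance.now(): floor to the granularity bucket.
  if (win.performance && typeof win.performance.now === 'function') {
    const realNow = win.performance.now.bind(win.performance);
    win.performance.now = () => Math.floor(realNow() / TIMER_GRANULARITY_MS) * TIMER_GRANULARITY_MS;
  }

  // 3. Canvas noise: flip the low bit of R,G,B per pixel position using a
  //    per-session pattern. Alpha is untouched so rendering looks identical.
  const ctxProto = win.CanvasRenderingContext2D && win.CanvasRenderingContext2D.prototype;
  if (ctxProto && typeof ctxProto.getImageData === 'function') {
    const realGetImageData = ctxProto.getImageData;
    const noise = new Uint8Array(256);
    for (let i = 0; i < noise.length; i++) noise[i] = rand() < 0.5 ? 0 : 1;
    ctxProto.getImageData = function (...args) {
      const img = realGetImageData.apply(this, args);
      const d = img.data;
      for (let i = 0; i < d.length; i += 4) {
        const n = noise[(i >> 2) & 0xff];
        d[i] ^= n; d[i + 1] ^= n; d[i + 2] ^= n;
      }
      return img;
    };
  }
  return win;
}

// Constructed mock window so the defenses can be exercised outside a browser.
// `pixels` is the RGBA byte array the mock canvas returns.
function makeMockWindow(pixels) {
  class MockContext {
    getImageData() { return { data: Uint8ClampedArray.from(pixels) }; }
  }
  return {
    navigator: { hardwareConcurrency: 16, deviceMemory: 32, platform: 'Linux x86_64', plugins: ['pdf'] },
    performance: { now: () => 1234.56789 },
    CanvasRenderingContext2D: MockContext,
  };
}
```

In a real deployment the injected script calls `installFingerprintDefenses(window)` before any page script runs; the mock exists only so the behaviour can be checked headlessly.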
### Cloudflare Edge Worker

- Bot Detection: Multi-signal bot identification and blocking
- Security Headers: Comprehensive header hardening (CSP, HSTS, X-Frame-Options)
- Request Filtering: Blocks requests to known malicious endpoints
- DDoS Mitigation: Rate limiting and challenge pages
- Fingerprint Injection: Injects the client-side fingerprint protection scripts into served pages
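The Security Headers section later on this page lists the exact header set the edge worker applies. As an added example (written for this page, not Katarakt's cloudflare-worker.js), here is how such a header-hardening pass looks in a Workers fetch handler, with the Content-Security-Policy built from a directive map. The CSP directives, the HSTS max-age and the list of stripped headers are assumptions: the page only describes the policy as "comprehensive".

```javascript
'use strict';

// CSP directive map -> header value. Directives without sources (such as
// upgrade-insecure-requests) are emitted bare. Assumed example policy.
const EXAMPLE_CSP = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'self'"], // mirrors X-Frame-Options: SAMEORIGIN
  'form-action': ["'self'"],
  'upgrade-insecure-requests': [],
};

function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Fixed headers. HSTS max-age is an assumed value (one year).
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Cross-Origin-Resource-Policy': 'same-origin',
};

// Origin-server headers that leak implementation details (assumed list).
const STRIP_HEADERS = ['Server', 'X-Powered-By', 'X-AspNet-Version'];

// Works on anything with set()/get()/delete(): the Fetch API Headers class in
// the worker, or a Map when checking the logic outside a runtime.
function hardenHeaders(headers, csp = EXAMPLE_CSP) {
  for (const [name, value] of Object.entries(HARDENED_HEADERS)) headers.set(name, value);
  headers.set('Content-Security-Policy', buildCsp(csp));
  for (const name of STRIP_HEADERS) headers.delete(name);
  return headers;
}

// Worker entry point. In the real module this is `export default worker`;
// a plain object is used here so the file also loads under Node.
const worker = {
  async fetch(request) {
    const upstream = await fetch(request);
    // Headers on a fetched Response are immutable; re-wrap to get a mutable copy.
    const response = new Response(upstream.body, upstream);
    hardenHeaders(response.headers);
    return response;
  },
};
```

Before enabling `Cross-Origin-Embedder-Policy: require-corp` on a real site, check that every cross-origin asset the pages load carries a CORP or CORS header; those that do not will be blocked.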
### Google Cloud Backend

- Cloud Armor: WAF rules and DDoS protection
- Threat Intelligence: Real-time threat feed integration
- Security Command Center: Centralized monitoring and alerting
- Audit Logging: Complete request audit trail
### Protection Modules

| Module | Description | Default |
|---|---|---|
| Fingerprinting | Spoofs browser fingerprint vectors | Enabled |
| WebRTC | Prevents IP leak through WebRTC | Enabled |
| Tracking | Blocks known trackers and analytics | Enabled |
| Cookies | Partitions cookies per first-party | Enabled |
| Network | DNS-over-HTTPS, referrer hardening | Enabled |
| JavaScript | Limits dangerous browser APIs | Disabled* |
*JavaScript hardening may break some sites; enable with caution.
## Quick Start

### 1. Deploy the Cloudflare Worker

```bash
# Install wrangler CLI
npm install -g wrangler

# Login to Cloudflare
wrangler login

# Deploy the worker
cd katarakt
wrangler deploy
```

Point your domain to the Cloudflare Worker:

```
security.yourdomain.com -> katarakt-security.workers.dev
```

### 2. Deploy the Google Cloud Backend

```bash
# Build container
docker build -t gcr.io/PROJECT_ID/katarakt-backend .

# Push to registry
docker push gcr.io/PROJECT_ID/katarakt-backend

# Deploy to Cloud Run
gcloud run services replace google-cloud-run.yaml
```

gcr.io is Container Registry, which Google is replacing with Artifact Registry; adjust the image path if your project uses the latter.

### 3. Serve the Frontend

The index.html can be served from:

- Cloudflare Pages
- Google Cloud Storage + CDN
- Any static hosting service

Whichever host you choose, serve it over HTTPS (or localhost for development): browsers only register a service worker from a secure context.
## Configuration Export

Katarakt can export browser hardening configurations. Review an export before installing it: the Firefox file changes 150+ preferences.

### Firefox user.js

```bash
curl https://your-worker.workers.dev/api/export/userjs > user.js
```

Place the file in your Firefox profile directory and restart the browser; about:config shows the resulting values.

### Chrome policies

```bash
curl https://your-worker.workers.dev/api/export/policies > policies.json
```

Deploy via enterprise management or manually (on Linux, managed policy JSON lives under /etc/opt/chrome/policies/managed/); chrome://policy shows which policies were applied.
## API Endpoints

| Endpoint | Method | Description |
|---|---|---|
| /api/health | GET | Health check |
| /api/status | GET | Protection status |
| /api/export/userjs | GET | Export Firefox config |
| /api/export/policies | GET | Export Chrome policies |
| /api/report | POST | Submit threat report |
## Security Headers

The edge worker adds the following headers to every response:

```http
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
Content-Security-Policy: [comprehensive policy]
```

Two caveats when deploying this set: Cross-Origin-Embedder-Policy: require-corp blocks every cross-origin subresource (images, scripts, fonts) that does not carry a Cross-Origin-Resource-Policy or CORS header, so audit third-party assets first; and X-XSS-Protection is a legacy header that current browsers ignore (Chromium removed its XSS auditor and Firefox never had one), so the Content-Security-Policy is what actually constrains script execution.

## Mullvad Browser Alignment

Katarakt implements security settings directly from the Tor Browser / Mullvad Browser source code review (gitlab.torproject.org issue #40783). Key configurations include:
### Fingerprinting

```
privacy.resistFingerprinting: true
privacy.resistFingerprinting.letterboxing: true
privacy.firstparty.isolate: true
```

### Network

```
network.dns.disablePrefetch: true
network.dns.disablePrefetchFromHTTPS: true
network.predictor.enabled: false
network.proxy.allow_bypass: false
network.trr.mode: 3 (DNS-over-HTTPS only)
network.http.http3.enabled: false
```

### WebRTC

```
media.peerconnection.enabled: false
media.peerconnection.ice.default_address_only: true
media.peerconnection.ice.no_host: true
```

### API Restrictions

```
dom.enable_resource_timing: false
dom.enable_event_timing: false
dom.netinfo.enabled: false
dom.battery.enabled: false
dom.vr.enabled: false
dom.webaudio.enabled: false
dom.webmidi.enabled: false
```

### Text Metrics and Canvas

```
dom.textMetrics.actualBoundingBox.enabled: false
dom.textMetrics.baselines.enabled: false
gfx.offscreencanvas.domain-enabled: false
```

### Telemetry

```
toolkit.telemetry.enabled: false
toolkit.telemetry.unified: false
toolkit.telemetry.archive.enabled: false
datareporting.healthreport.uploadEnabled: false
app.shield.optoutstudies.enabled: false
messaging-system.rsexperimentloader.enabled: false
```

### Isolation

```
network.cookie.cookieBehavior: 5
privacy.partition.network_state: true
privacy.partition.serviceWorkers: true
```

### TLS

```
security.ssl.require_safe_negotiation: true
security.ssl.enable_false_start: false
security.cert_pinning.enforcement_level: 2
```

The full configuration exports 150+ hardened preferences aligned with the Tor Project's privacy research.

Three of these settings deserve a check before rollout: network.trr.mode 3 disables native DNS fallback, so name resolution fails entirely if the configured DoH resolver (network.trr.uri) is unreachable; security.cert_pinning.enforcement_level 2 enforces pins strictly and breaks connections behind TLS-inspecting proxies; and privacy.firstparty.isolate (FPI) and network.cookie.cookieBehavior 5 (dFPI) are two generations of the same isolation mechanism (Tor Browser, Mullvad Browser's upstream, moved from FPI to dFPI), so confirm in about:config which one your target Firefox version honours when both are set.
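As an added check for both this section and the Configuration Export section (example code, not part of Katarakt), the block below parses a user.js such as the one produced by /api/export/userjs and reports preferences that are missing or differ from the values listed above, so an export can be verified before it goes into a profile. The expected set is a subset of the preferences on this page; the sample user.js is constructed for the example and contains one wrong value and one missing preference.

```javascript
'use strict';

// Expected values, taken from the Mullvad Browser Alignment section (subset).
const EXPECTED_PREFS = {
  'privacy.resistFingerprinting': true,
  'privacy.resistFingerprinting.letterboxing': true,
  'network.trr.mode': 3,
  'media.peerconnection.enabled': false,
  'network.cookie.cookieBehavior': 5,
  'security.cert_pinning.enforcement_level': 2,
  'toolkit.telemetry.enabled': false,
};

// A user.js line has the form: user_pref("name", value);
// value is true/false, an integer, or a double-quoted string, optionally
// followed by a // comment. Everything else (comments, blank lines) is skipped.
const USER_PREF_RE = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*(?:\/\/.*)?$/;

function parseUserJs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = USER_PREF_RE.exec(line);
    if (!m) continue;
    let value;
    try {
      value = JSON.parse(m[2]); // the three literal kinds are all valid JSON
    } catch {
      continue; // malformed literal: Firefox would reject it too; ignore the line
    }
    prefs.set(m[1], value); // a later line overrides an earlier one, as in Firefox
  }
  return prefs;
}

// Compare parsed prefs against the expected map. Strict equality matters:
// a string "3" is not the integer 3 to Firefox either.
function auditPrefs(prefs, expected = EXPECTED_PREFS) {
  const missing = [];
  const mismatched = [];
  for (const [name, want] of Object.entries(expected)) {
    if (!prefs.has(name)) missing.push(name);
    else if (prefs.get(name) !== want) mismatched.push({ name, want, got: prefs.get(name) });
  }
  return { missing, mismatched, ok: missing.length === 0 && mismatched.length === 0 };
}

// Constructed sample export (not a real Katarakt export): network.trr.mode is
// wrong (2 keeps native DNS fallback) and toolkit.telemetry.enabled is absent.
const SAMPLE_USER_JS = `
// Katarakt export (constructed sample)
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.resistFingerprinting.letterboxing", true);
user_pref("network.trr.mode", 2); // should be 3 for DoH-only
user_pref("network.trr.uri", "https://example.invalid/dns-query");
user_pref("media.peerconnection.enabled", false);
user_pref("network.cookie.cookieBehavior", 5);
user_pref("security.cert_pinning.enforcement_level", 2);
`;

function auditSample() {
  return auditPrefs(parseUserJs(SAMPLE_USER_JS));
}
```

Run `auditSample()` (or `auditPrefs(parseUserJs(fs.readFileSync('user.js', 'utf8')))` against a real export) and treat any entry in `missing` or `mismatched` as a reason not to install the file.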
## Persistent Protection

When enabled, the service worker continues monitoring even after the page closes:

- Maintains protection across tabs
- Tracks cumulative statistics
- Sends periodic threat reports
- Can be disabled at any time

A service worker is scoped to the origin that registered it: it intercepts requests from pages on that origin, across tabs and after the page closes, but it does not run on other sites. Cross-site coverage therefore comes from the exported Firefox/Chrome configuration (see Configuration Export), not from the worker alone.
## Privacy

Katarakt is designed with privacy as a core principle:
- No personal data collection
- No third-party analytics
- Threat reports contain only aggregate statistics
- All processing happens locally or on your own infrastructure
## Development

```bash
# Local development with wrangler
wrangler dev

# Run the frontend locally
npx serve .

# Test the service worker
# Open Chrome DevTools > Application > Service Workers
```

### Project Structure

```
katarakt/
├── index.html # Main SPA dashboard
├── cloudflare-worker.js # Edge security worker
├── katarakt-worker.js # Browser service worker
├── wrangler.toml # Cloudflare deployment config
├── google-cloud-run.yaml # GCP deployment config
└── README.md # This file
```

## Contributing

Contributions welcome! Areas of interest:

- Additional fingerprinting vectors to protect
- New tracker/cryptominer patterns
- Browser-specific optimizations
- Mobile browser support
- Integration with additional cloud providers
## License

MIT License - Use freely, protect the web.
## Acknowledgments

- Security configurations inspired by Mullvad Browser
- Tor Project's research on browser fingerprinting
- Cloudflare Workers platform
- Google Cloud Security infrastructure
Katarakt - Bringing strength to DOM, one request at a time.

```
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
█ █
█ "In the flood of data, █
█ we are the cataract █
█ that filters evil." █
█ █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
```

## Support the Project

If you find Katarakt useful, consider supporting its development:
| Currency | Address |
|---|---|
| Bitcoin (BTC) | bc1qazmag6xrffm6p9yxxs5wzq93wqds0jd7wj0zkq |
| Ethereum (ETH) | 0x3F66535A08A0A268008F7634ec8cF4f3678C3c2F |