It allows active content (JavaScript, Java, Flash and other plugins) to run only from sites you trust, and protects against cross-site scripting and clickjacking attacks. Once installed, open the preferences (Menu button – Add-ons – Extensions – NoScript – Preferences) and tweak as desired. My preferred non-default options are:
- General – Temporarily allow top-level sites by default: Enabled for base 2nd level domains (the site you navigate to gets scripts, but third-party domains it embeds stay blocked until you allow them).
- General – Allow sites opened through bookmarks: Enabled.
- Whitelist: I review the sites that are approved by default and delete those I don’t need.
- Embeddings: Forbid Flash and Silverlight. Don’t forbid @font-face.
- Notifications: Disable “show message about blocked scripts” and “display the release notes on updates”.
The above settings provide what I find to be a good balance between security and usability, but every use case is different. For additional security, consider:
- General – Temporarily allow top-level sites by default: Disabled.
- Embeddings: Forbid @font-face.
For increased usability (e.g. for public access kiosks or to protect irresponsible users from themselves), consider:
- Appearance – Status bar label: Disable, to discourage end users from monkeying around with the settings. This only hides the visible cue; it does not lock the settings.