diff --git a/Optional-Hardening.md b/Optional-Hardening.md index 09f9840..b15be4f 100644 --- a/Optional-Hardening.md +++ b/Optional-Hardening.md @@ -27,6 +27,21 @@ user_pref("browser.firefox-view.feature-tour", "{\"screen\":\"\",\"complete\":tr *** +### Public Key Pinning +[Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website. + +:warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)). + +:bulb: Try browsing with this pref enabled. Unless you experience the aforementioned drawbacks, we recommend you keep this override. + +```javascript +// PREF: enforce certificate pinning +// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE +user_pref("security.cert_pinning.enforcement_level", 2); +``` + +*** + ### Block embedded social posts on webpages This matches the default behavior of [Strict](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection) Enhanced Tracking Protection. ```javascript 
@@ -112,15 +127,25 @@ user_pref("default-browser-agent.enabled", false); *** -### Public Key Pinning -[Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website. - -:warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)). +### Secure DNS +Setup and enforce DNS-over-HTTPS (DoH). +#### 1) Provider +* Use the provider below for better [threat protection](https://quad9.net/service/threat-blocking/). +* :star: Create a profile with [NextDNS](https://nextdns.io/?from=xujj63g5) and follow our [configuration guide](https://github.com/yokoffing/NextDNS-Config) for greater protection from ads, trackers, and security threats. ```javascript -// PREF: enforce certificate pinning -// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE -user_pref("security.cert_pinning.enforcement_level", 2); +// PREF: set DoH provider +user_pref("network.trr.uri", "https://dns.quad9.net/dns-query"); +``` + +#### 2) Mode +* `3` has site-exceptions with a nice UI on the error page: + * Go to `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions* +* :warning: Set to `2` if your workplace or university causes issues with alternative DNS. +```javascript +// PREF: enforce DNS-over-HTTPS (DoH) +user_pref("network.trr.mode", 3); +user_pref("network.dns.skipTRR-when-parental-control-enabled", false); ``` *** 
@@ -153,29 +178,6 @@ user_pref("network.http.referer.XOriginPolicy", 1); *** -### Secure DNS -Setup and enforce DNS-over-HTTPS (DoH). - -#### 1) Provider -* Use the provider below for better [threat protection](https://quad9.net/service/threat-blocking/). -* :star: Create a profile with [NextDNS](https://nextdns.io/?from=xujj63g5) and follow our [configuration guide](https://github.com/yokoffing/NextDNS-Config) for greater protection from ads, trackers, and security threats. -```javascript -// PREF: set DoH provider -user_pref("network.trr.uri", "https://dns.quad9.net/dns-query"); -``` - -#### 2) Mode -* `3` has site-exceptions with a nice UI on the error page: - * Go to `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions* -* :warning: Set to `2` if your workplace or university causes issues with alternative DNS. -```javascript -// PREF: enforce DNS-over-HTTPS (DoH) -user_pref("network.trr.mode", 3); -user_pref("network.dns.skipTRR-when-parental-control-enabled", false); -``` - -*** - ### Fingerprinting Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.[1](https://youtu.be/5NrbdO4yWek?t=4334) Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)
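Review bot: in the first hunk (the added Public Key Pinning section), the description oversells what `security.cert_pinning.enforcement_level` does: it says PKP "links a website to its unique security key" and "stops any attempts to trick your computer into connecting with a fraudulent website", which reads as if every site you visit gets pinned. Firefox only enforces its built-in, preloaded pin list (Mozilla, Google and a handful of other domains), and the pref itself selects how those pins are enforced: `1` (the default) skips the pin check when the chain ends in a locally imported root CA, `2` enforces the pins even then. That is exactly why the warning about antivirus products applies: a TLS-inspecting proxy re-signs the connection with its own installed root, and at level `2` the pinned domains then fail with `MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE`. Suggest saying so in the intro (and "TLS certificates" rather than "SSL certificates"), and adding to the `:warning:` line that the only clean fix for such an environment is reverting the pref to `1`, not adding the interception root to an exception list.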
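Review bot: in the second hunk (the moved Secure DNS section), the `Mode` text tells users to "Set to `2` if your workplace or university causes issues", but `network.trr.mode` `2` silently falls back to native system DNS whenever the DoH resolver fails or does not answer, so the `// PREF: enforce DNS-over-HTTPS (DoH)` comment no longer holds at that value. Suggest the bullet state the trade-off explicitly, for example "`2` falls back to the system resolver on failure; DoH is then preferred but not enforced". The second pref in that block, `network.dns.skipTRR-when-parental-control-enabled`, also carries no comment explaining why it is there; a one-liner such as `// keep using DoH even when the OS reports parental controls (default: skip TRR)` would make the override self-documenting. Minor: "Setup and enforce" should read "Set up and enforce".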
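Review bot: the third hunk only deletes the old Secure DNS block that the second hunk re-adds earlier in the file; the two copies are identical except that the re-added copy drops the blank line after "Setup and enforce DNS-over-HTTPS (DoH).". That is harmless for Markdown rendering, but since the whole change is a pure reorder (PKP and Secure DNS moved up), it would help reviewers if the commit message said so, and a whitespace-only difference in a moved block is easiest to avoid by moving the lines verbatim.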