Servers on the Fediverse don’t have to communicate with each other. They can be run as totally isolated silos if the owner wants, and some people do this to get an extra layer of user safety.
If you want to do this with Mastodon, there’s a web page with instructions and tips here ⧉ and there’s a technical description of “Limited Federation Mode” ⧉ in the official documentation.
This is a bit technical, but there’s a little-known feature on Mastodon called “Authorized Fetch”, aka “Secure Mode”. By default it is switched off as it uses more resources and can cause compatibility problems with servers running older software.
However, if it is switched on it makes user blocks more effective, as it makes it harder for blocked people on other servers to interact with public posts from people who blocked them. (It only really helps with public posts, private posts are already protected against trolls.)
It can only be activated by your server’s administrator. It might be worth asking them if they have Authorized Fetch switched on in order to better protect their users. There’s a technical description of Authorized Fetch here ⧉ which they might find useful.
Authorized Fetch cannot be switched on from the graphical interface, it requires manually editing a certain file on the server. If a server is on a managed hosting service, the server admin can ask the managed hosting company to switch it on for them.
No. Mastodon isn’t E2EE yet.
If you’re needing to send sensitive information, use an E2EE messaging system instead.
In theory, the owner of your server could read at your DMs in the server’s database, and you’ll often hear people say “The admin can read your DMs”. This is not quite the whole story. An admin would need a certain level of technical skill, as there is no way to view DMs in Mastodon’s admin interface. The server owner would have to look directly at the database itself to read a DM, and ignore Mastodon’s interface completely.
To keep your Mastodon account extra safe, you can activate 2FA by logging in through your server’s website, then going to ⚙️ Preferences > Account > Two Factor Auth, then follow the instructions.
Activating 2FA means that even if someone finds out your password they still cannot log into your account, as logins will also require the code from your 2FA app or physical security key. The 2FA code from an app will change each time you log in, so only someone with access to your 2FA app or key can log into your account. 2FA apps are available for all types of phones and computers.
You only need to use a 2FA app when you log in, so if you stay logged in it won’t ask for your 2FA.
Setting up 2FA is slightly tricky, and it will require you to keep a permanent copy of a special code in a safe place, preferably printed out and kept at home with your other important documents. This special code lets you access your account if you lose access to your 2FA app or key. If you’re not technically minded, you might want to get help from a trusted friend or relative in setting it up. Make sure they are people you trust, as the backup code would allow them access to your account.
Once it has been set up, 2FA is extremely easy to use: the 2FA app displays a code and you simply type this in when you log in with your normal password.
There are many, many apps that work with 2FA on Mastodon. For example Raivo and Aegis are popular. Apple’s keychain also includes built-in 2FA support. The technical name for these kinds of apps is “TOTP” or “Authenticator”, and you may see them listed under these keywords in your favourite app store.
Also, just to make clear, 2FA apps do not know what you are doing with them. They just passively display a list of security codes based on a particular timestamp and account keys. 2FA apps are essentially elaborate clocks, but instead of displaying the time they display ever-changing access codes. Your account’s server also knows what time it is, and that’s how it knows whether your 2FA access code is correct at the moment you log in.
On Mastodon, there’s a feature that automatically suggests accounts to follow when people first join a server, and when they click on the For You tab in Explore or Search. It is based on how many people on that server follow the account and boost its posts, and server admins can optionally add suggestions manually too.
If you don’t want your account suggested to others, log in through your server’s website and go to Edit Profile > Suggest account to others, make sure the box is unticked and click Save changes. If you want your account suggested, tick the box and save instead.
On Mastodon, you can set your timeline to automatically hide or block posts featuring certain words, phrases, or hashtags. You can choose to block them completely, or hide them behind a warning that you can open manually.
This isn’t just about offensive posts, it can be filtering for any reason at all. Some people use filters to hide Wordle posts for example. Your filters are private, and they will apply in the apps as well as on the website.
To add a filter:
Some tips which might help with creating filters:
Content Warnings (CWs) are optional Fediverse features which hide the content of a post behind a warning message. The post can be revealed by clicking on the warning.
Content warnings are for any kind of content where the person reading may not want to read it right that minute, but they may want to read later. It could be something serious like upsetting news, or less serious like film spoilers. There’s also a very strong Fediverse tradition that those who are able to should use CWs when talking about emotive topics such as politics or religion. It is also often used for potentially “not safe for work” content such as gore or nudity.
You can add a content warning while writing a post by clicking on “CW” or “warning” or ⚠️ or other similar icons at the bottom of the editing window. Remember to write a warning that gives people a clear idea of what to expect within the post itself, without them having to actually open it. Try to very briefly say why they might not want to open it right that minute.
On Mastodon, you can make all the CWs in a thread open or close at once by clicking the eye icon in the top right corner of the thread.
If you don’t want to see any CWs at all, you can make Mastodon open all CW posts by default by going to Preferences > Always expand posts marked with content warnings, tick the box and click Save changes.
No one is forced to use CWs, but it is considered polite and considerate to do so. Imagine going into a restaurant and shouting loudly at others about your political opinions, you could do it but others may not appreciate it. In extreme cases you might be asked to leave.
CWs are also an accessibility feature, as they allow people who have traumas triggered by certain topics to read potentially triggering posts when they are mentally prepared to do so. It’s important to emphasise the point that CWs are not about avoiding topics, it’s exactly the opposite: CWs make triggering posts accessible to people who would otherwise have to avoid them, in the same way that text descriptions make images accessible to blind people. They widen your post’s audience.
Having said that, it is a bad idea to call people out for not using CWs! Some people will have legitimate reasons for not using CWs, for example someone who is currently going through a serious personal trauma, or perhaps is being persecuted or under threat of violence. It is not appropriate to demand CWs from someone who is going through something really horrific in their real world life. They may have much bigger things to worry about than social media, and we should help them deal with these bigger things however we can.
Even if someone should be using CWs, having public arguments about rules is not necessarily the best way to get someone to obey them, especially if they’re new to the Fediverse.
If there’s a post you think should be CWed and there’s no obvious reason why it isn’t, check the rules on your server and then ask your server admin for advice on what to do. They set the rules, and they are ultimately the ones that decide what is allowed on there.
In short, CWs are a balancing act, and require a lot of social skill (that’s why this section is so long!). The existence of CWs brings the Fediverse a tiny bit closer to the complexities of everyday life in the real world, where reading the room is essential to getting on with people. No one is going to get this right all the time, but simply being aware of CWs as an option and using them when you feel appropriate and able will make the Fediverse a much more accessible and pleasant place to be.
You can’t add CWs to someone else’s post. The reason for this is such a feature could be mis-used to quote the post, which is deliberately not available on Mastodon.
A workaround is to do a reply to the post with a CW telling people to read the post above, and then share your reply.
If you use a public visibility setting on a post, it will be visible to everyone, even people who aren’t Fediverse members. This means the post may be indexed by search engines.
The surest and safest way to prevent a post ending up on a search engine’s index is to use a non-public visibility setting. Followers-only and Mentioned settings cannot be seen by search engines, so they will not be indexed.
Mastodon has an option to request that search engines don’t index your public posts: go to Preferences > Other > Opt out of search engine indexing, tick the box and click Save changes. However, it’s up to a search engine to decide if it wants to honour this request, and it may choose not to. If you want a post to remain off search engines, it’s much safer to use a non-public setting.
On Mastodon, you can keep your lists of follows and followers hidden on your profile if you want to. Log in through your server’s website, go to Edit profile > Hide your social graph, tick the box and click Save changes.
You will still be able to see your follows and follower lists when you look at your profile while logged in, but other people will just see a message telling them the data isn’t available.
On Mastodon, you can use a follow request system to restrict who can follow you. When it’s switched on, no one can follow you unless you manually approve their request.
To restrict who can follow you, log in through the website and go to Edit profile > Require follow requests, tick the box and click Save changes. After you’ve done this, a padlock icon 🔒 will appear next to your username on your profile.
Note that if you are screening followers, don’t screen people out just because they have blank profile pictures, as many blind users don’t use profile pictures. The best way to screen potential followers is to read what they have written about themselves and what they have posted.