Browser Fingerprinting Explained: See Yours and Every Signal Websites Use to Track You


Browser fingerprinting is how websites identify you without cookies, without a login, and without needing permission. Every time your browser opens a page, it leaks dozens of small details about your device — your screen, your GPU, your fonts, your audio stack, your TLS handshake — and together those details form an identifier unique enough to track you across sessions, across sites, and across cookie wipes.

This is an example of your browser fingerprint represented as 8 emojis that stays the same across every browser on the same device:

[Interactive demo: 8-emoji fingerprint generated in the reader's browser]

That is the simple version. Real tracking fingerprints pull from dozens of signals at once, and the combination becomes stable and granular enough to re-identify most visitors across sessions. This post walks through every layer of browser fingerprinting — what it is, what gets collected, how the specific techniques (canvas, WebGL, audio, fonts, TLS) work, and what actually defends against it.

What is browser fingerprinting?

Browser fingerprinting is a stateless tracking technique that identifies you by reading dozens of small details about your browser and hardware — screen, GPU, fonts, audio stack, TLS handshake — and combining them into an identifier unique enough to recognize you across cookie wipes, private windows, and even VPNs.

Unlike cookies, it does not store anything on your device. The fingerprint is generated by combining your device’s hardware traits with your system preferences, and it is designed to be difficult to spoof — changing signals individually tends to break websites. You get the same fingerprint whether you are in Chrome, Firefox, Safari, or Edge on the same desktop.

How does browser fingerprinting work?

Browser fingerprinting works by running a script that reads dozens of properties from your browser — canvas rendering output, WebGL renderer strings, AudioContext quirks, installed fonts, screen dimensions, timezone, language, TLS handshake — and hashing them into a single identifier. Each property is low-entropy on its own, but the combination is unique enough to single out an individual device. The script does not need permission to run, does not store anything on your device, and produces the same identifier on every visit.

Here is the list of data used to build the basic fingerprint above:

At this level the technique is not sophisticated. It can tell a website what kind of device you are on, but since the basic signals only produce around 10,000 unique combinations, they are not enough to single you out of a user base.

The full fingerprint: what tracking-focused sites collect

Once a site starts pulling more signals, the resolution goes up fast. A full fingerprint looks like this:

[Interactive demo: 8-emoji fingerprint generated in the reader's browser]

Below is what a tracking script can read from your browser right now — grouped the same way real fingerprinting libraries collect it. Every row is read live from your device. The canvas hash and the font probe are exactly the techniques described later in this article:

[Interactive panel: fingerprint signals read live from the reader's browser]

Unless you are actively spoofing these, they change rarely. A browser update or a display-settings change might shift one or two values, but the core identifier stays stable enough for websites to re-recognize you across updates, resets, and cookie wipes.

The deep fingerprint: 100+ parameters used by ad networks and anti-bot systems

High-traffic sites and anti-bot vendors go further. They combine dozens of low-entropy signals and a handful of high-entropy ones into a composite identifier:

[Interactive demo: 8-emoji fingerprint generated in the reader's browser]

Some of the signals used:

  • Screen resolution and device pixel ratio
  • Audio capabilities (AudioContext)
  • Mathematical computation quirks
  • Timezone and daylight saving behavior
  • Language and Accept-Language headers
  • Installed browser plugins
  • System preferences (dark mode, reduced motion, forced colors)
  • Available fonts
  • WebGL renderer and GPU vendor strings
  • Canvas rendering output
  • Hardware concurrency (CPU core count) and deviceMemory
  • User-Agent and Client Hints
  • navigator.webdriver and other automation flags
  • Battery status (where still exposed)
  • Pointer and touch support

Each individual signal is low-entropy on its own. Combined, they push the fingerprint close to unique.
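To put numbers on "low-entropy alone, close to unique combined", here is an added example (not code from the original page) that measures entropy and anonymity-set size per signal and for the combination. The visitor sample and the function names are constructed for illustration.

```javascript
// Constructed sample of eight visitors; every value is made up for illustration.
const visitors = [
  { screen: "1920x1080", timezone: "Europe/Berlin", cores: 8 },
  { screen: "1920x1080", timezone: "Europe/Berlin", cores: 16 },
  { screen: "1920x1080", timezone: "America/New_York", cores: 8 },
  { screen: "1920x1080", timezone: "America/New_York", cores: 16 },
  { screen: "2560x1440", timezone: "Europe/Berlin", cores: 8 },
  { screen: "2560x1440", timezone: "Europe/Berlin", cores: 16 },
  { screen: "2560x1440", timezone: "America/New_York", cores: 8 },
  { screen: "2560x1440", timezone: "America/New_York", cores: 16 },
];

// Count how many visitors share each combination of the chosen signals.
function bucketCounts(rows, signals) {
  const counts = new Map();
  for (const row of rows) {
    const key = signals.map((s) => String(row[s])).join("|");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy (bits) of the distribution over the chosen signals.
function entropyBits(rows, signals) {
  let bits = 0;
  for (const n of bucketCounts(rows, signals).values()) {
    const p = n / rows.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Anonymity set of one visitor: how many visitors look identical on these signals.
function anonymitySet(rows, signals, visitor) {
  const key = signals.map((s) => String(visitor[s])).join("|");
  return bucketCounts(rows, signals).get(key) || 0;
}

// One row per single signal, then one row for all signals combined,
// evaluated for the first visitor in the sample.
function report(rows, signalNames) {
  const sets = [...signalNames.map((s) => [s]), signalNames];
  return sets.map((signals) => ({
    signals: signals.join("+"),
    bits: entropyBits(rows, signals),
    anonymitySet: anonymitySet(rows, signals, rows[0]),
  }));
}

// Each signal alone: 1 bit, hidden among 4 visitors. Combined: 3 bits, alone.
console.table(report(visitors, ["screen", "timezone", "cores"]));
```

The signals in this sample are independent, so their bits simply add; real signals correlate (a given OS implies certain fonts), which is why measured entropy is lower than the sum of the parts.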

Canvas fingerprinting

Canvas fingerprinting is the single largest source of entropy in a modern fingerprint. It works by rendering graphics and hashing the pixel output.

A script creates an invisible <canvas> element, draws a test image — usually a line of text, a few shapes, sometimes a gradient or a shadow — and then reads the canvas back as a pixel array. The resulting pixels depend on your GPU model, your graphics driver, your font rendering stack, the OS-level subpixel smoothing, and the browser’s compositor. Tiny differences in any of those produce tiny differences in the output. Hash the pixels and you get an identifier that is nearly unique per device.

The differences are invisible to the human eye. Two computers can render the same canvas command and produce images that look identical, but the hash values will differ by several bytes. The Tor Project has called canvas “the single largest fingerprinting threat browsers face today.”

Naive defenses randomize the canvas output by injecting noise into the pixel array. This is why serious detection scripts now do consistency checks: they render the same canvas twice and compare hashes. If the two reads differ, you are clearly using a randomization-based anti-fingerprinting tool, which is itself a strong signal. Random noise makes you more detectable, not less. Stable per-profile spoofing — a plausible fingerprint that stays the same on repeated reads — is the approach that actually works.
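The repeated-read consistency check described above, as an added example that is not part of the original page. The pixel buffer is a constructed stand-in for canvas output so the logic runs outside a browser; the three readers, the FNV-1a hash and all names are assumptions made for illustration.

```javascript
// FNV-1a (32-bit) over a byte array; stands in for whatever hash a script uses.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed stand-in for the RGBA bytes of a rendered canvas. In a browser the
// reader would be: () => ctx.getImageData(0, 0, canvas.width, canvas.height).data
const realPixels = Uint8Array.from({ length: 64 }, (_, i) => (i * 37 + 11) & 0xff);

// Reader 1: unmodified browser, same pixels on every read.
const plainRead = () => realPixels.slice();

// Reader 2: per-read noise. A counter replaces Math.random() so the run is reproducible.
let readCount = 0;
const noisyRead = () => {
  const px = realPixels.slice();
  px[0] = (px[0] + ++readCount) & 0xff;
  return px;
};

// Reader 3: per-profile offset derived from a fixed seed, identical on every read.
const profileRead = (seed) => () =>
  realPixels.map((v, i) => v ^ ((seed >> (i % 8)) & 1));

// The check: read several times, hash each read, flag any disagreement.
function checkCanvasConsistency(readPixels, reads = 3) {
  const hashes = [];
  for (let i = 0; i < reads; i++) hashes.push(fnv1a(readPixels()));
  const consistent = hashes.every((h) => h === hashes[0]);
  return { consistent, hash: consistent ? hashes[0] : null, hashes };
}

const readers = { plain: plainRead, noisy: noisyRead, profile: profileRead(0xa5) };
for (const [name, reader] of Object.entries(readers)) {
  const result = checkCanvasConsistency(reader);
  console.log(name.padEnd(8), result.consistent ? "consistent" : "per-read noise", result.hashes.join(" "));
}
```

This check only separates per-read noise from stable output; it says nothing about whether a stable hash is plausible for the claimed GPU and OS, which is what the cross-signal consistency checks mentioned elsewhere in the article look at.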

WebGL fingerprinting

WebGL takes canvas fingerprinting further by probing the GPU directly. A script creates a WebGLRenderingContext, queries the renderer and vendor strings, reads back shader compilation behavior, and runs a 3D render whose pixel output depends on GPU microarchitecture.

The highest-value WebGL signals are the unmasked vendor and renderer strings, which return things like "NVIDIA Corporation" and "NVIDIA GeForce RTX 3080/PCIe/SSE2". Those two strings alone eliminate most of the possible device space. Combined with the shader-rendering fingerprint, WebGL gives a per-GPU identifier that is very hard to fake without breaking something.

Anti-detect browsers have to spoof WebGL at the engine level, not just by overriding the JavaScript API. Surface-level overrides (navigator.webdriver = undefined, a patched getParameter()) fail consistency checks because the actual rendered pixels still match the real GPU. The only reliable approach is to replace the rendering pipeline itself or to hook lower in the stack.

Audio fingerprinting

The Web Audio API exposes an AudioContext that can be used to generate and process sound. Fingerprinting scripts do not play the audio — they construct a signal, pass it through a series of audio nodes (oscillator, compressor, analyser), and then read the output buffer. The output depends on your CPU’s floating-point behavior, your audio stack, and the browser’s DSP implementation.

Like canvas, the output is stable for a given device and highly variable across devices. Like canvas, it is trivial to defeat with random noise and trivial to detect that random noise. Audio fingerprinting is quieter in public discussion but present on most major anti-bot systems.

Font fingerprinting

Your installed fonts are a surprisingly high-entropy signal. There are two ways to read them:

  1. JavaScript font enumeration. A script measures how wide a string renders in a known-missing font, then re-measures it in each candidate font. If the measurements differ, the font is installed. Run this for a list of a few hundred candidates and you have a full font inventory.
  2. Canvas-based font detection. The canvas technique above doubles as a font probe: if a requested font is missing, the fallback glyph is rendered instead, which changes the pixel output.

Your font list reflects your operating system, your locale, and every design tool, office suite, or language pack you have installed. Two devices with the same OS and browser but different font lists produce clearly different fingerprints.

TLS fingerprinting: the layer below the browser

Fingerprinting does not stop at the browser. When your browser opens a TLS (HTTPS) connection, the handshake itself reveals a unique combination of cipher suites, supported extensions, elliptic curves, signature algorithms, and ALPN values. The message that carries that combination is called the ClientHello, and its hashed form is known as a JA3 or JA4 fingerprint.

TLS fingerprints matter because they happen before any JavaScript runs. A site does not have to wait for your browser to execute a canvas draw — it can classify the connection during the handshake and serve you a challenge page if it does not like what it sees. Real Chrome and real Firefox have known, recognizable ClientHello signatures. Python’s requests library, curl, Node.js fetch, and even Playwright driving a real browser can end up with subtly different TLS fingerprints that give them away.

The important consequence: you cannot fix TLS fingerprinting from inside a JavaScript patch, an extension, or a developer-tools override. It lives below the browser, at the network stack. Spoofing it requires either a custom TLS library or a proxy layer that terminates and re-originates the connection with the right fingerprint.
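How a JA3 value is derived from ClientHello fields, as an added example that is not code from the original page. JA3 hashes the version, cipher suites, extensions, curves and point formats (signature algorithms and ALPN enter in JA4); the ClientHello objects below are constructed samples, already parsed into numbers, and the function names are assumptions.

```javascript
const { createHash } = require("node:crypto");

// GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a ... 0xfafa. Clients pick them
// at random per connection, so JA3 drops them before hashing.
const isGrease = (v) => (v & 0x0f0f) === 0x0a0a && (v >> 8) === (v & 0xff);

// JA3 input string: version,ciphers,extensions,curves,pointFormats
// (decimal values, "-" inside a field, "," between fields).
function ja3String(hello) {
  const field = (values) => values.filter((v) => !isGrease(v)).join("-");
  return [
    String(hello.version),
    field(hello.ciphers),
    field(hello.extensions),
    field(hello.curves),
    field(hello.pointFormats),
  ].join(",");
}

// The JA3 fingerprint is the MD5 hex digest of that string.
const ja3Hash = (hello) => createHash("md5").update(ja3String(hello)).digest("hex");

// Constructed ClientHello fields, not captured traffic.
const browserHello = {
  version: 771,
  ciphers: [0x2a2a, 4865, 4866, 4867, 49195, 49199],
  extensions: [0x4a4a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
  curves: [0x6a6a, 29, 23, 24],
  pointFormats: [0],
};
// Same client on a later connection: only the random GREASE values changed.
const browserHelloAgain = {
  ...browserHello,
  ciphers: [0xdada, ...browserHello.ciphers.slice(1)],
  extensions: [0x1a1a, ...browserHello.extensions.slice(1)],
  curves: [0xfafa, ...browserHello.curves.slice(1)],
};
// A different TLS stack: same protocol version, other cipher order and extensions.
const scriptHello = {
  version: 771,
  ciphers: [4866, 4867, 4865, 49199, 49195],
  extensions: [0, 11, 10, 35, 13, 43, 51],
  curves: [29, 23, 24],
  pointFormats: [0],
};

for (const [name, hello] of Object.entries({ browserHello, browserHelloAgain, scriptHello })) {
  console.log(name.padEnd(18), ja3Hash(hello), ja3String(hello));
}
```

The first two lines print the same hash and the third a different one, which is how a server can tell a TLS stack apart before any JavaScript runs, whatever the User-Agent header later claims.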

What about IP address, cookies, and port scanning?

A few related tracking techniques show up adjacent to fingerprinting and are worth addressing.

IP address and geolocation. It is easy to guess your approximate location from your IP, but IP is used less as a standalone identifier these days because so many users are behind VPNs, CGNAT, or corporate egress. IP is still part of the signal mix; it is just no longer load-bearing on its own.

Cookies. Still in use, still declining. Firefox and Safari block third-party cookies by default. Chrome has been slow-walking deprecation. Many privacy-respecting analytics tools like Simple Analytics skip cookies entirely and work from request patterns, which also removes the need for a consent popup in the EU and California. The industry has not stopped using cookies, but it has largely stopped relying on them for persistent cross-site identification — which is exactly why fingerprinting filled the gap.

Local port scanning. A few years ago it was common for websites to probe ports on your local machine by sending requests to localhost:PORT, which could tell them whether you had Discord (6463–6472), Skype (23399), Viber (4303), Microsoft Teams (3478–3481), and dozens of other apps installed. Since June 9, 2025, Google Chrome requires websites to request permission via a prompt before scanning the local network. Firefox is following. This technique is on its way out.

How to protect yourself from browser fingerprinting

Most advice on this topic is wrong. Here is what actually works, in order of how much it helps.

What does not work

  • Incognito mode. Private browsing clears local state when you close the window. It does not change any fingerprint signal. A site that fingerprinted you in a normal window will recognize you in incognito immediately. Anti-Detect Browser vs VPN vs Incognito goes deeper on this.
  • VPNs. A VPN hides your IP and your approximate location. That is one signal. Your canvas, WebGL, audio, fonts, timezone, language, and TLS fingerprint all still match the device behind the VPN. A site that fingerprints you through a VPN will recognize you as the same user when you connect directly later.
  • User-Agent switchers and fingerprinting extensions. These patch surface-level JavaScript APIs. They do not change the canvas output, the WebGL renderer strings, the audio stack, or the TLS handshake. Worse, extensions themselves are a fingerprintable signal — a browser with three privacy extensions installed has a distinct behavior that marks you as someone trying to hide.
  • Randomization. Rotating your canvas hash on every read, or randomizing your user agent on every request, breaks consistency. Websites detect the inconsistency and flag you as suspicious. Brave’s per-session randomization and Firefox’s privacy.resistFingerprinting both fall into this trap: they are visible specifically because they are trying to hide.

What actually works

  • Tor Browser. Tor’s approach is the inverse of randomization: make every Tor user look identical by shipping a locked-down Firefox build with a uniform screen size, font list, and everything else. Against fingerprinting, it is the strongest defense available. The catch: Tor is only useful for anonymous browsing. You cannot log into your personal accounts through it without immediately giving up the anonymity, and many sites block Tor exit nodes. Download it at torproject.org for pure anonymous browsing.
  • A real anti-detect browser with consistent per-profile spoofing. Instead of trying to hide, you present each website with a plausible, stable fingerprint that is different from your real one and different from the fingerprint of every other profile you own. Each profile spoofs canvas, WebGL, audio, fonts, timezone, and the rest with internally consistent values — a Windows user agent gets a Windows GPU and a Windows font list, not a random mix. This is the only approach that lets you log into multiple accounts, pass consistency checks, and still not get cross-linked.

Donut Browser does the second one. It is open source under AGPL-3.0 and lets you create unlimited local profiles with unique fingerprints that spoof 50+ parameters each with consistent values rather than random noise. It collects zero telemetry and supports per-profile proxies and VPN configs so the network layer matches the spoofed device. If you want the long version of why fingerprint consistency matters more than randomness, read 12 Anti-Detect Browser Mistakes.

How to test your browser fingerprint

A few free tools will tell you exactly how identifiable your browser is right now:

  • EFF Cover Your Tracks (formerly Panopticlick) — tests tracker protection and fingerprint uniqueness against the EFF’s dataset.
  • AmIUnique — shows which specific attributes make you unique and compares against millions of stored fingerprints.
  • BrowserLeaks — section-by-section breakdown of every leak (WebRTC, canvas, WebGL, audio, fonts, TLS).
  • Pixelscan — consistency-focused checker; tells you whether your fingerprint is internally coherent or shows the classic signs of a spoofing tool.
  • CreepJS — the hardest test. Runs dozens of consistency checks and lie detectors; passing it is a serious bar.

Running your normal browser through these is educational. Running an anti-detect profile through them is the only way to know whether the spoofing actually holds up.

Frequently asked questions

Can you block browser fingerprinting entirely?

Browser fingerprinting cannot be blocked entirely without breaking the web. Every fingerprinting signal is also used for legitimate purposes — canvas for rendering, WebGL for graphics, audio for sound, fonts for typography. Blocking them means pages stop working. The practical choice is between uniform fingerprints (Tor’s approach), consistent spoofed fingerprints (anti-detect browsers), and giving up.

Does incognito mode prevent browser fingerprinting?

Incognito mode does not prevent browser fingerprinting. It clears cookies and history when you close the window, but your canvas output, GPU, fonts, audio stack, and TLS fingerprint stay identical between incognito and normal windows — they come from your hardware and your OS, not your browser session.

Does a VPN protect me from browser fingerprinting?

A VPN does not protect you from browser fingerprinting. It hides your IP address but leaves the other 50+ signals — canvas, WebGL, audio, fonts, timezone, TLS handshake — completely unchanged. A website can still identify you across VPNs by your browser fingerprint alone.

What is the difference between browser fingerprinting and cookies?

The main difference between browser fingerprinting and cookies is that cookies are stored data while fingerprints are read in real time. Cookies sit on your device and can be deleted. Browser fingerprinting reads properties of your device and browser that you cannot easily change. Clearing cookies does nothing to your fingerprint.

How accurate is browser fingerprinting?

Browser fingerprinting is accurate enough to re-identify most visitors across sessions. The EFF’s Panopticlick research found that around 84% of browsers produce a fingerprint unique within their dataset, and modern fingerprinting libraries combining canvas, WebGL, audio, fonts, and TLS reach near-uniqueness on standard desktop devices. Accuracy drops slightly on mobile, where hardware diversity is lower.

Which browser has the best fingerprinting protection?

Tor Browser has the strongest fingerprinting protection of any mainstream browser because it ships a locked-down Firefox build with uniform screen size, font list, and disabled high-entropy APIs — making every Tor user look identical. Brave and Firefox with privacy.resistFingerprinting offer partial protection through randomization, but consistency checks can detect those defenses. Chrome, Edge, and Safari provide no meaningful fingerprinting protection by default.

How long does a browser fingerprint last?

A browser fingerprint typically lasts months to years on the same device. Most fingerprint signals — GPU, screen resolution, font list, audio stack, hardware concurrency — only change when you upgrade your hardware, change OS settings, or install new fonts. A browser update may shift one or two values, but the core identifier stays stable enough for sites to re-recognize you across cookie wipes and resets.

Can I see my own browser fingerprint?

You can see your own browser fingerprint using free tools that read the same signals tracking scripts use. The interactive panels earlier in this article show ~30 fingerprint values read from your device right now. For deeper inspection, BrowserLeaks, AmIUnique, EFF Cover Your Tracks, Pixelscan, and CreepJS display every parameter websites can read and tell you how unique your fingerprint is.

Is browser fingerprinting legal?

Browser fingerprinting is legal in most jurisdictions but regulated. In the EU, the GDPR treats fingerprinting as personal-data processing and requires a legal basis (typically consent). Enforcement is weak in practice: most major sites fingerprint without meaningful consent. In the US there is no federal equivalent; California’s CPRA covers some cases.

Why does my fingerprint matter if I am not doing anything wrong?

Your fingerprint matters because it is how cross-site profiles are built. The same identifier that marks you on a news site marks you on a shopping site, a flight-booking site, an insurance quote page, and any third-party ad network embedded in them. Those profiles drive differential pricing, manipulated quotes, and retargeting you cannot opt out of by clearing cookies. “I have nothing to hide” is a separate argument from “I want strangers building a cross-site dossier of everything I do.”
