Browser Fingerprinting Explained: See Yours and Every Signal Websites Use to Track You
Browser fingerprinting is a tracking technique that identifies you without cookies, logins, or permission by reading dozens of small details about your browser and device (screen, GPU, fonts, audio stack, timezone, TLS handshake) and combining them into an identifier unique enough to recognize you across sites and sessions. Because that identifier is computed fresh from your hardware and settings on every visit, clearing cookies, opening a private window, or switching on a VPN does not change it.
This is an example of your browser fingerprint represented as 8 emojis that stays the same across every browser on the same device:
That is the simple version. Real tracking fingerprints pull from dozens of signals at once, and the combination becomes stable and granular enough to re-identify most visitors across sessions. This post walks through every layer of browser fingerprinting: what it is, what gets collected (with your own live values), how the specific techniques (canvas, WebGL, audio, fonts, TLS) work, and what actually defends against it.
What is browser fingerprinting?
Browser fingerprinting is a stateless tracking technique: a script reads dozens of small details about your browser and hardware, screen, GPU, fonts, audio stack, TLS handshake, and combines them into an identifier unique enough to recognize you across cookie wipes, private windows, and even VPNs. Unlike cookies, it does not store anything on your device, so there is nothing to delete.
The fingerprint combines your device’s hardware traits with your system preferences, and it is designed to be difficult to spoof; changing signals individually tends to break websites. You get the same fingerprint whether you are in Chrome, Firefox, Safari, or Edge on the same desktop.
That fingerprint is how cross-site profiles get built. The same identifier that marks you on a news site marks you on a shopping site, a flight-booking site, an insurance quote page, and any third-party ad network embedded in them. Those profiles drive differential pricing, manipulated quotes, and retargeting you cannot opt out of by clearing cookies.
How does browser fingerprinting work without cookies?
Browser fingerprinting works by running a script that reads dozens of properties from your browser, canvas rendering output, WebGL renderer strings, AudioContext quirks, installed fonts, screen dimensions, timezone, language, TLS handshake, and hashing them into a single identifier. Each property is low-entropy on its own, but the combination is unique enough to single out an individual device. The script does not need permission to run, does not store anything on your device, and produces the same identifier on every visit.
Here is the list of data used to build the basic fingerprint above:
At this level the technique is not sophisticated. It can tell a website what kind of device you are on, but since the basic signals only produce around 10,000 unique combinations, they are not enough to single you out of a user base.
What data does a full browser fingerprint collect?
Once a site starts pulling more signals, the resolution goes up fast. A full fingerprint looks like this:
Below is what a tracking script can read from your browser right now, around 30 values grouped the same way real fingerprinting libraries collect them. Every row is read live from your device. The canvas hash and the font probe are exactly the techniques described later in this article:
Show full fingerprint signals▶
Unless you are actively spoofing these, they change rarely. A browser update or a display-settings change might shift one or two values, but the core identifier stays stable enough for websites to re-recognize you across updates, resets, and cookie wipes.
Which signals do ad networks and anti-bot systems fingerprint?
High-traffic sites and anti-bot vendors go further than the full fingerprint above. They combine dozens of low-entropy signals and a handful of high-entropy ones into a composite identifier built from 100+ parameters:
Some of the signals used:
- Screen resolution and device pixel ratio
- Audio capabilities (AudioContext)
- Mathematical computation quirks
- Timezone and daylight saving behavior
- Language and Accept-Language headers
- Installed browser plugins
- System preferences (dark mode, reduced motion, forced colors)
- Available fonts
- WebGL renderer and GPU vendor strings
- Canvas rendering output
- Hardware concurrency (CPU core count) and
deviceMemory - User-Agent and Client Hints
navigator.webdriverand other automation flags- Battery status (where still exposed)
- Pointer and touch support
Each individual signal is low-entropy on its own. Combined, they push the fingerprint close to unique.
What is canvas fingerprinting?
Canvas fingerprinting identifies your device by rendering graphics on an invisible <canvas> element and hashing the pixel output. It is the single largest source of entropy in a modern fingerprint.
A script creates the canvas, draws a test image (usually a line of text, a few shapes, sometimes a gradient or a shadow), and then reads the canvas back as a pixel array. The resulting pixels depend on your GPU model, your graphics driver, your font rendering stack, the OS-level subpixel smoothing, and the browser’s compositor. Tiny differences in any of those produce tiny differences in the output. Hash the pixels and you get an identifier that is nearly unique per device.
The differences are invisible to the human eye. Two computers can render the same canvas command and produce images that look identical, but the hash values will differ by several bytes. The Tor Project has called canvas “the single largest fingerprinting threat browsers face today.”
Naive defenses randomize the canvas output by injecting noise into the pixel array. This is why serious detection scripts now do consistency checks: they render the same canvas twice and compare hashes. If the two reads differ, you are clearly using a randomization-based anti-fingerprinting tool, which is itself a strong signal.
Random noise makes you more detectable, not less. Stable per-profile spoofing, a plausible fingerprint that stays the same on repeated reads, is the approach that actually works.
What is WebGL fingerprinting?
WebGL fingerprinting takes canvas fingerprinting further by probing the GPU directly. A script creates a WebGLRenderingContext, queries the renderer and vendor strings, reads back shader compilation behavior, and runs a 3D render whose pixel output depends on GPU microarchitecture.
The highest-value WebGL signals are the unmasked vendor and renderer strings, which return things like "NVIDIA Corporation" and "NVIDIA GeForce RTX 3080/PCIe/SSE2". Those two strings alone eliminate most of the possible device space. Combined with the shader-rendering fingerprint, WebGL gives a per-GPU identifier that is very hard to fake without breaking something.
Anti-detect browsers have to spoof WebGL at the engine level, not just by overriding the JavaScript API. Surface-level overrides (navigator.webdriver = undefined, a patched getParameter()) fail consistency checks because the actual rendered pixels still match the real GPU. The only reliable approach is to replace the rendering pipeline itself or to hook lower in the stack.
What is audio fingerprinting?
Audio fingerprinting identifies your device through the Web Audio API’s AudioContext without playing any sound. A script constructs a signal, passes it through a series of audio nodes (oscillator, compressor, analyser), and then reads the output buffer. The output depends on your CPU’s floating-point behavior, your audio stack, and the browser’s DSP implementation.
Like canvas, the output is stable for a given device and highly variable across devices. Like canvas, it is trivial to defeat with random noise and trivial to detect that random noise. Audio fingerprinting is quieter in public discussion but present on most major anti-bot systems.
What is font fingerprinting?
Font fingerprinting reads your installed fonts, a surprisingly high-entropy signal. There are two ways to read them:
- JavaScript font enumeration. A script measures how wide a string renders in a known-missing font, then re-measures it in each candidate font. If the measurements differ, the font is installed. Run this for a list of a few hundred candidates and you have a full font inventory.
- Canvas-based font detection. The canvas technique above doubles as a font probe: if a requested font is missing, the fallback glyph is rendered instead, which changes the pixel output.
Your font list reflects your operating system, your locale, and every design tool, office suite, or language pack you have installed. Two devices with the same OS and browser but different font lists produce clearly different fingerprints.
What is TLS fingerprinting (JA3 and JA4)?
TLS fingerprinting identifies your client below the browser: when your browser opens a TLS (HTTPS) connection, the handshake itself reveals a unique combination of cipher suites, supported extensions, elliptic curves, signature algorithms, and ALPN values. That combination is called the ClientHello, and its hashed form is known as a JA3 or JA4 fingerprint.
TLS fingerprints matter because they happen before any JavaScript runs. A site does not have to wait for your browser to execute a canvas draw; it can classify the connection during the handshake and serve you a challenge page if it does not like what it sees. Real Chrome and real Firefox have known, recognizable ClientHello signatures. Python’s requests library, curl, Node.js fetch, and even Playwright driving a real browser can end up with subtly different TLS fingerprints that give them away.
The important consequence: you cannot fix TLS fingerprinting from inside a JavaScript patch, an extension, or a developer-tools override. It lives below the browser, at the network stack. Spoofing it requires either a custom TLS library or a proxy layer that terminates and re-originates the connection with the right fingerprint.
Do IP addresses, cookies, and port scanning still track you?
A few related tracking techniques show up adjacent to fingerprinting and are worth addressing.
IP address and geolocation. It is easy to guess your approximate location from your IP
Cookies. Still in use, still declining. Firefox and Safari block third-party cookies by default, and Chrome has been slow-walking deprecation. Many privacy-respecting analytics tools like Simple Analytics skip cookies entirely and work from request patterns, which also removes the need for a consent popup in the EU and California. The industry has not stopped using cookies, but it has largely stopped relying on them for persistent cross-site identification, which is exactly why fingerprinting filled the gap.
Local port scanning. A few years ago it was common for websites to probe ports on your local machine by sending requests to localhost:PORT, which could tell them whether you had Discord (6463 to 6472), Skype (23399), Viber (4303), Microsoft Teams (3478 to 3481), and dozens of other apps installed. Since June 9, 2025, Google Chrome requires websites to request permission via a prompt before scanning the local network. Firefox is following. This technique is on its way out.
How do you defend against browser fingerprinting?
Most advice on this topic is wrong. Here is what actually works, in order of how much it helps.
What does not work against fingerprinting?
- Incognito mode. Private browsing clears local state when you close the window. It does not change any fingerprint signal. A site that fingerprinted you in a normal window will recognize you in incognito immediately. Anti-Detect Browser vs VPN vs Incognito goes deeper on this.
- VPNs. A VPN hides your IP and your approximate location. That is one signal. Your canvas, WebGL, audio, fonts, timezone, language, and TLS fingerprint all still match the device behind the VPN. A site that fingerprints you through a VPN will recognize you as the same user when you connect directly later.
- User-Agent switchers and fingerprinting extensions. These patch surface-level JavaScript APIs. They do not change the canvas output, the WebGL renderer strings, the audio stack, or the TLS handshake. Worse, extensions themselves are a fingerprintable signal: a browser with three privacy extensions installed has a distinct behavior that marks you as someone trying to hide.
- Randomization. Rotating your canvas hash on every read, or randomizing your user agent on every request, breaks consistency. Websites detect the inconsistency and flag you as suspicious. Brave’s per-session randomization and Firefox’s
privacy.resistFingerprintingboth fall into this trap: they are visible specifically because they are trying to hide.
What actually works against fingerprinting?
- Tor Browser. Tor’s approach is the inverse of randomization: make every Tor user look identical by shipping a locked-down Firefox build with a uniform screen size, font list, and everything else. Against fingerprinting, it is the strongest defense available. The catch: Tor is only useful for anonymous browsing, since you cannot log into your personal accounts through it without immediately giving up the anonymity, and many sites block Tor exit nodes. Download it at torproject.org for pure anonymous browsing.
- A real anti-detect browser with consistent per-profile spoofing. Instead of trying to hide, you present each website with a plausible, stable fingerprint that is different from your real one and different from the fingerprint of every other profile you own. Each profile spoofs canvas, WebGL, audio, fonts, timezone, and the rest with internally consistent values: a Windows user agent gets a Windows GPU and a Windows font list, not a random mix. This is the only approach that lets you log into multiple accounts, pass consistency checks, and still not get cross-linked.
Donut Browser does the second one. It is open source under AGPL-3.0 and lets you create unlimited local profiles with unique fingerprints that spoof 50+ parameters each with consistent values rather than random noise. It collects zero telemetry and supports per-profile proxies and VPN configs so the network layer matches the spoofed device. If you want the long version of why fingerprint consistency matters more than randomness, read 12 Anti-Detect Browser Mistakes.
How can you test your own browser fingerprint?
A few free tools will tell you exactly how identifiable your browser is right now:
- EFF Cover Your Tracks (formerly Panopticlick): tests tracker protection and fingerprint uniqueness against the EFF’s dataset.
- AmIUnique: shows which specific attributes make you unique and compares against millions of stored fingerprints.
- BrowserLeaks: section-by-section breakdown of every leak (WebRTC, canvas, WebGL, audio, fonts, TLS).
- Pixelscan: consistency-focused checker; tells you whether your fingerprint is internally coherent or shows the classic signs of a spoofing tool.
- CreepJS: the hardest test. Runs dozens of consistency checks and lie detectors; passing it is a serious bar.
Running your normal browser through these is educational. Running an anti-detect profile through them is the only way to know whether the spoofing actually holds up.
Frequently asked questions
Can you block browser fingerprinting entirely?
No. Browser fingerprinting cannot be blocked entirely without breaking the web. Every fingerprinting signal is also used for legitimate purposes: canvas for rendering, WebGL for graphics, audio for sound, fonts for typography. Blocking them means pages stop working, so the practical choice is between uniform fingerprints (Tor’s approach), consistent spoofed fingerprints (anti-detect browsers), and giving up.
Does incognito mode or a VPN stop browser fingerprinting?
No, neither one changes your fingerprint. Incognito clears cookies and history when you close the window, but your canvas output, GPU, fonts, audio stack, and TLS fingerprint stay identical because they come from your hardware and your OS. A VPN hides your IP address, one signal out of 50+, and a site that fingerprints you through a VPN recognizes you as the same user when you connect directly later.
How accurate is browser fingerprinting?
Browser fingerprinting is accurate enough to re-identify most visitors across sessions. The EFF’s Panopticlick research found that around 84% of browsers produce a fingerprint unique within their dataset, and modern fingerprinting libraries combining canvas, WebGL, audio, fonts, and TLS reach near-uniqueness on standard desktop devices. Accuracy drops slightly on mobile, where hardware diversity is lower.
Which browser has the best fingerprinting protection?
Tor Browser has the strongest fingerprinting protection of any mainstream browser because it ships a locked-down Firefox build with uniform screen size, font list, and disabled high-entropy APIs, making every Tor user look identical. Brave and Firefox with privacy.resistFingerprinting offer partial protection through randomization, but consistency checks can detect those defenses. Chrome, Edge, and Safari provide no meaningful fingerprinting protection by default.
How long does a browser fingerprint last?
A browser fingerprint typically lasts months to years on the same device. Most fingerprint signals (GPU, screen resolution, font list, audio stack, hardware concurrency) only change when you upgrade your hardware, change OS settings, or install new fonts. A browser update may shift one or two values, but the core identifier stays stable enough for sites to re-recognize you across cookie wipes and resets.
Is browser fingerprinting legal?
Browser fingerprinting is legal in most jurisdictions but regulated. In the EU, the GDPR treats fingerprinting as personal-data processing and requires a legal basis (typically consent), though enforcement is weak in practice and most major sites fingerprint without meaningful consent. In the US there is no federal equivalent; California’s CPRA covers some cases.
Further reading
If you want to go deeper into specific parts of the stack:
- 12 Anti-Detect Browser Mistakes (And How to Fix Them): the practical configuration side.
- Anti-Detect Browser vs VPN vs Incognito: when each tool applies.
- Proxies for Anti-Detect Browsers: choosing a proxy type and matching it to your fingerprint so it does not get flagged.
- Why Donut Browser Doesn’t Collect Any Telemetry: why auditable privacy tools matter.
Have questions? Email me at [email protected].