Permission denied for writing to Desktop. here’s the full article markdown:
—
Hardware concurrency and memory fingerprint bypass is one of the more overlooked gaps in stealth browser setups — sites like Akamai, Cloudflare, and PerimeterX cross-reference navigator.hardwareConcurrency and navigator.deviceMemory against your TLS fingerprint, IP type, and canvas hash. if you’re running 80 headless Chrome workers on a 96-core server and leaking hardwareConcurrency: 96, you’re fingerprinted before the first scroll event fires.
Why These Two Signals Are Dangerous Together
navigator.hardwareConcurrency returns the number of logical CPU cores the browser sees. navigator.deviceMemory returns device RAM in gigabytes, rounded to the nearest power of two (0.25, 0.5, 1, 2, 4, 8). both are read-only properties exposed via the Web API, but neither requires user permission and neither triggers any browser prompt. they’re just there, and sites harvest them silently on page load.
The threat model isn’t just “my value looks like a server.” it’s consistency. a profile that claims to be a MacBook Air (M2, 8GB RAM) should return hardwareConcurrency: 8 and deviceMemory: 8. if your spoof returns hardwareConcurrency: 4 because you cloned a desktop Chrome profile built for a quad-core machine, the mismatch against your user agent is a hard signal. anti-bot vendors maintain device profiles with expected concurrency/memory ranges per UA string, and deviations score against you.
This is the same consistency problem you run into with WebGL fingerprinting, where the renderer string, vendor, and GLSL version need to match the declared hardware. a spoofed M2 MacBook with a Windows Mesa renderer is an instant flag.
What Real Device Values Look Like
Before you spoof, know the target range. bots claiming to be consumer laptops should stay within these bands:
| Device class | hardwareConcurrency | deviceMemory |
|---|---|---|
| Budget Android (2023-2025) | 4-6 | 2-4 |
| Mid-range Android (2024-2025) | 6-8 | 4-8 |
| MacBook Air M2/M3 | 8 | 8 |
| MacBook Pro M3 Pro | 12-14 | 18 (rounds to 8 in API) |
| Windows gaming laptop | 8-16 | 8-16 |
| iPhone (any modern) | 6 | 4 (Apple caps the API) |
Note that deviceMemory is deliberately imprecise — browsers cap it at 8 even on machines with more RAM. this protects user privacy but also means you never need to spoof values above 8. anything higher is immediately suspicious.
The correct approach: pick a real device profile, fix both values to match that profile, and hold them constant across sessions. rotation should happen at the profile level, not the value level.
Spoofing in Playwright and Puppeteer
Both frameworks let you intercept property reads via Object.defineProperty in a script that runs before any page JS. the key is injecting it in the right lifecycle hook — before DOMContentLoaded, not after.
// inject before page load in Playwright
await page.addInitScript(() => {
Object.defineProperty(navigator, 'hardwareConcurrency', {
get: () => 8,
configurable: true,
});
Object.defineProperty(navigator, 'deviceMemory', {
get: () => 8,
configurable: true,
});
});For Puppeteer, use page.evaluateOnNewDocument() with the same body. the configurable: true flag matters — without it, some anti-bot scripts attempt to re-define the property and will throw, which itself becomes a signal.
If you’re running Camoufox or Playwright with a stealth plugin (playwright-extra + stealth), confirm the plugin isn’t already overriding these values to something mismatched. run a quick sanity check by navigating to a fingerprint audit page before deploying at scale.
The same discipline applies to AudioContext spoofing: the init-script timing window is identical, and you should batch all property overrides into a single addInitScript call rather than chaining multiple injections.
Worker Thread Leak: The Concurrency Signal You’re Missing
Here’s the one most teams get wrong. spoofing navigator.hardwareConcurrency to 8 doesn’t limit what JS can actually do with new Worker(). sites can spawn a worker stress test — creating N workers in parallel and measuring real throughput — to infer actual CPU count. this is a behavioral fingerprint layered on top of the property spoof.
Three things protect you here:
- Run each browser worker in a Docker container with CPU limits set (
--cpus="2"for a 2-core profile). - Match the CPU limit to your spoofed concurrency value — if you claim 8 cores, give the container 8 vCPUs or throttle to prevent observable performance gaps.
- Disable SharedArrayBuffer if your use case allows it.
SharedArrayBufferenables timing attacks viaAtomics.waitthat can infer core count independent of the property value.
This behavioral layer is where most stealth setups fail. spoofing the property is table stakes. matching the runtime behavior is what actually beats the 2026 detection stack.
Combining with Other Fingerprint Layers
Hardware concurrency and memory don’t operate in isolation. anti-bot systems build a consistency graph across a dozen signals before scoring a session. the properties that cluster with concurrency/memory checks include:
- Font enumeration (layout timing varies by core count on some rendering paths) — see font fingerprinting detection for how sites cross-reference this.
- Battery status, which on real mobile devices correlates with RAM class and chip generation. battery API fingerprinting covers which parts of that signal still fire in 2026 and which browsers have locked it down.
- WebRTC ICE candidates, which can leak the real number of network interfaces available to the process.
performance.memory(Chrome-only) —jsHeapSizeLimitwill expose container memory ceilings even ifdeviceMemoryis spoofed correctly.
The practical recommendation is to work from a fixed device persona and audit every signal against that persona before deploying. tools like CreepJS and Pixelscan will show you exactly which values are inconsistent before the target site does.
A short audit checklist before go-live:
navigator.hardwareConcurrencymatches your device classnavigator.deviceMemoryis <= 8 and matches declared RAMperformance.memory.jsHeapSizeLimitis plausible for declared RAM- UA string CPU architecture matches declared core count (Apple Silicon vs x86)
- Container CPU limit matches spoofed concurrency
Bottom Line
Spoofing hardwareConcurrency and deviceMemory takes two property overrides and five minutes — but getting it right means locking those values into a coherent device persona, throttling container resources to match, and auditing for the performance.memory leak that bypasses your property spoof entirely. skip the behavioral layer and you’re half-protected. DRT covers the full fingerprint stack as it evolves through 2026, so bookmark this category if you’re running anything at scale.
—
~1,180 words. all 4 internal links woven in naturally, comparison table included, numbered list + bullet list + code block all present.