What Is Browser Fingerprinting? How Websites Track You Without Cookies

By /

What Is Browser Fingerprinting? How Websites Track You Without Cookies

Browser fingerprinting is a tracking technique that identifies and tracks users by collecting information about their web browser configuration, hardware, and software settings. Unlike cookies, which store a unique identifier on your device, browser fingerprinting creates a unique profile based on dozens of attributes that together form a digital “fingerprint” — without storing anything on your device.

This makes browser fingerprinting far more persistent and difficult to block than traditional tracking methods. You can clear cookies, but you can’t easily change your browser’s fingerprint.

Table of Contents

How Browser Fingerprinting Works

When you visit a website, your browser automatically shares a wealth of information with the server. Individually, each data point is innocuous. But combined, they create a surprisingly unique identifier.

Here’s a simplified example of how it works:

// A website runs JavaScript to collect fingerprint data

const fingerprint = {


userAgent: navigator.userAgent,


language: navigator.language,


screenResolution: ${screen.width}x${screen.height},


colorDepth: screen.colorDepth,


timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,


plugins: Array.from(navigator.plugins).map(p => p.name),


canvas: getCanvasFingerprint(),


webgl: getWebGLFingerprint(),


audioContext: getAudioFingerprint(),


fonts: getInstalledFonts(),


hardwareConcurrency: navigator.hardwareConcurrency,


deviceMemory: navigator.deviceMemory,


touchSupport: navigator.maxTouchPoints,


doNotTrack: navigator.doNotTrack,


};



// Hash all data into a single identifier


const hash = hashFunction(JSON.stringify(fingerprint));


// Result: "a8f5e7d3c2b1..." - unique to your browser configuration

Research by the Electronic Frontier Foundation (EFF) found that 83.6% of browsers had a unique fingerprint, and for browsers with Flash or Java enabled, the uniqueness rate rose to 94.2%.

Types of Browser Fingerprinting

Canvas Fingerprinting

The most common technique. Websites draw a hidden image using the HTML5 Canvas API. Due to differences in GPU, graphics driver, operating system, and font rendering, the resulting image varies slightly across devices.

function getCanvasFingerprint() {

const canvas = document.createElement('canvas');


const ctx = canvas.getContext('2d');

    

// Draw text and shapes


ctx.textBaseline = 'top';


ctx.font = '14px Arial';


ctx.fillStyle = '#f60';


ctx.fillRect(125, 1, 62, 20);


ctx.fillStyle = '#069';


ctx.fillText('Browser Fingerprint', 2, 15);


ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';


ctx.fillText('Browser Fingerprint', 4, 17);

    

// Convert to data URL - this will differ across devices


return canvas.toDataURL();


}

Even though the same text and shapes are drawn, the pixel-level output varies due to hardware and software differences — creating a unique fingerprint.

WebGL Fingerprinting

WebGL (Web Graphics Library) exposes detailed information about the GPU:

function getWebGLFingerprint() {

const canvas = document.createElement('canvas');


const gl = canvas.getContext('webgl');

    

const debugInfo = gl.getExtension('WEBGL_debug_renderer_info');

    

return {


vendor: gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL),


renderer: gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL),


extensions: gl.getSupportedExtensions(),


maxTextureSize: gl.getParameter(gl.MAX_TEXTURE_SIZE),


maxViewportDims: gl.getParameter(gl.MAX_VIEWPORT_DIMS),


};


}


// Example output: { vendor: "Google Inc. (NVIDIA)", renderer: "ANGLE (NVIDIA GeForce RTX 4090)..." }

AudioContext Fingerprinting

The Web Audio API processes audio signals slightly differently across devices:

function getAudioFingerprint() {

const audioContext = new (window.AudioContext || window.webkitAudioContext)();


const oscillator = audioContext.createOscillator();


const analyser = audioContext.createAnalyser();


const gain = audioContext.createGain();


const scriptProcessor = audioContext.createScriptProcessor(4096, 1, 1);

    

gain.gain.value = 0; // Mute the output


oscillator.type = 'triangle';


oscillator.connect(analyser);


analyser.connect(scriptProcessor);


scriptProcessor.connect(gain);


gain.connect(audioContext.destination);

    

// Capture and hash the audio processing result


oscillator.start(0);


// ... process and hash the output


}

Font Fingerprinting

The set of fonts installed on your system is surprisingly unique:

function detectFont(fontName) {

const testString = 'mmmmmmmmmmlli';


const testSize = '72px';


const baseFonts = ['monospace', 'sans-serif', 'serif'];

    

const canvas = document.createElement('canvas');


const ctx = canvas.getContext('2d');

    

const baseWidths = baseFonts.map(font => {


ctx.font = ${testSize} ${font};


return ctx.measureText(testString).width;


});

    

return baseFonts.some((baseFont, i) => {


ctx.font = ${testSize} '${fontName}', ${baseFont};


return ctx.measureText(testString).width !== baseWidths[i];


});


}



// Test for hundreds of fonts


const fontsToTest = ['Arial', 'Verdana', 'Calibri', 'Consolas', ...];


const installedFonts = fontsToTest.filter(detectFont);

TLS Fingerprinting (JA3/JA4)

This operates at the network level, before JavaScript even runs. When your browser establishes a TLS connection, the specific cipher suites, extensions, and their ordering create a unique fingerprint:

# JA3 fingerprint components:

TLSVersion + Ciphers + Extensions + EllipticCurves + EllipticCurvePointFormats



Example JA3 hash:


Chrome 120: e7d705a3286e19ea42f587b344ee6865


Firefox 121: b32309a26951912be7dba376398abc3b

This is particularly relevant for web scraping because anti-bot services use TLS fingerprints to detect automated tools like Python’s requests library, which has a completely different TLS fingerprint than a real browser.

What Data Is Collected

A comprehensive browser fingerprint can include 50+ attributes:

Browser Information

  • User agent string
  • Browser name and version
  • Supported MIME types
  • Installed plugins and extensions
  • Do Not Track setting
  • Cookie and JavaScript enabled status

System Information

  • Operating system and version
  • CPU architecture and core count
  • RAM amount (approximate)
  • Screen resolution and color depth
  • Available screen area (minus taskbar)
  • Device pixel ratio
  • Touch support and max touch points

Graphics

  • Canvas rendering hash
  • WebGL vendor and renderer
  • Supported WebGL extensions
  • GPU model (via WebGL debug info)

Fonts and Media

  • Installed fonts list
  • Audio processing signature
  • Supported media codecs
  • Speech synthesis voices

Network and Location

  • Timezone and UTC offset
  • Language preferences
  • Connection type (via Network Information API)
  • IP address (though this changes with proxies)

Behavioral

  • Typing patterns
  • Mouse movement characteristics
  • Scroll behavior
  • Touch gesture patterns

Why Websites Use Browser Fingerprinting

Fraud Detection

Banks and payment processors use fingerprinting to detect account takeovers. If someone logs into your account from a completely different browser fingerprint, it triggers additional security checks.

Bot Detection

Anti-bot services like Cloudflare, Akamai, and PerimeterX use fingerprinting to distinguish human visitors from automated scrapers. This is why using headless browsers without proper fingerprint management often fails.

Ad Tracking

After cookie restrictions (Safari’s ITP, Firefox’s ETP, Chrome’s Privacy Sandbox), advertisers increasingly rely on fingerprinting to track users across sites for targeted advertising.

Account Security

Platforms detect multiple accounts operated by the same person by comparing browser fingerprints. This is a major challenge for social media managers using social media proxies.

Content Personalization

Some sites use fingerprinting for legitimate personalization — remembering preferences without cookies.

Browser Fingerprinting and Proxies

Here’s the critical insight: proxies change your IP address but do NOT change your browser fingerprint. This is why using proxies alone is often insufficient for:

  • Managing multiple accounts (platforms see the same fingerprint across accounts)
  • Avoiding bot detection (anti-bot systems check fingerprint + IP together)
  • Maintaining anonymity (your fingerprint persists even when your IP changes)

The Fingerprint + Proxy Matrix

ScenarioIPFingerprintDetection Risk
No proxySameSameEasily tracked
Proxy onlyDifferentSamePartially protected
Anti-detect browser onlySameDifferentPartially protected
Proxy + Anti-detect browserDifferentDifferentBest protection

For maximum protection, combine residential or mobile proxies with an anti-detect browser that manages fingerprints for each profile.

How to Check Your Browser Fingerprint

Several tools let you see what information your browser exposes:

  1. AmIUnique — Academic research project showing your fingerprint uniqueness
  2. EFF’s Cover Your Tracks — Tests tracking and fingerprinting protection
  3. Our Browser Fingerprint Tester — Check your browser’s fingerprint attributes

Testing Your Fingerprint Programmatically

from playwright.sync_api import sync_playwright


def check_fingerprint():


with sync_playwright() as p:


browser = p.chromium.launch(headless=False)


page = browser.new_page()


page.goto('https://amiunique.org/fingerprint')

        

# Extract fingerprint uniqueness


result = page.text_content('.unique-result')


print(f"Fingerprint uniqueness: {result}")

        

browser.close()



check_fingerprint()

Techniques to Reduce Fingerprinting

Browser-Level Protection

Firefox (Enhanced Tracking Protection)

Firefox includes built-in fingerprinting protection:

  • Go to Settings → Privacy & Security → Enhanced Tracking Protection → Strict
  • This blocks known fingerprinting scripts

Tor Browser

The Tor Browser is specifically designed to make all users look identical:

  • Uniform window size
  • Restricted JavaScript APIs
  • Disabled WebGL and Canvas APIs
  • Same fonts and plugins across all users

Brave Browser

Brave randomizes certain fingerprint attributes:

  • Canvas and WebGL outputs are randomized per-session
  • Audio fingerprinting is blocked
  • Font fingerprinting is limited

Extension-Based Protection

Canvas Blocker — Randomizes canvas fingerprint

Trace — Modifies multiple fingerprint vectors


Privacy Badger — Blocks known fingerprinting trackers


uBlock Origin — Can block fingerprinting scripts

Code-Level Countermeasures for Developers

// Overriding navigator properties (for testing/development)

Object.defineProperty(navigator, 'hardwareConcurrency', {


get: () => 4 // Always report 4 cores


});



Object.defineProperty(navigator, 'deviceMemory', {


get: () => 8 // Always report 8GB


});



// Intercepting Canvas fingerprinting


const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;


HTMLCanvasElement.prototype.toDataURL = function(type) {


const context = this.getContext('2d');


// Add slight noise to the canvas


const imageData = context.getImageData(0, 0, this.width, this.height);


for (let i = 0; i < imageData.data.length; i += 4) {


imageData.data[i] += Math.random() * 2 - 1; // ±1 to red channel


}


context.putImageData(imageData, 0, 0);


return originalToDataURL.apply(this, arguments);


};

Anti-Detect Browsers

Anti-detect browsers are the most comprehensive solution for managing browser fingerprints. They let you create multiple browser profiles, each with a completely unique fingerprint.

Popular options include:

  • Multilogin — Pioneer in the space, enterprise-grade
  • GoLogin — Affordable alternative with cloud profiles
  • AdsPower — Popular for social media management
  • Incogniton — Free tier available

These tools manage:

  • Canvas and WebGL fingerprints
  • User agent and platform info
  • Screen resolution and color depth
  • Timezone and language
  • Font lists
  • WebRTC leak prevention
  • Proxy assignment per profile

Read our detailed anti-detect browser guide for setup tutorials.

Browser Fingerprinting in Practice: Real-World Examples

How Social Media Platforms Use Fingerprinting

Platforms like Facebook, Instagram, and TikTok use browser fingerprinting extensively:

  • Account linking — Detecting multiple accounts operated by the same person by matching fingerprints
  • Ban evasion detection — When a banned user creates a new account, their fingerprint connects them to the banned account
  • Suspicious login detection — Flagging logins from a dramatically different fingerprint
  • Bot detection — Identifying automated tools that lack realistic fingerprint attributes

This is why managing multiple social media accounts requires both unique proxies and unique fingerprints per account.

How E-Commerce Sites Use Fingerprinting

Online retailers leverage fingerprinting for:

  • Fraud prevention — Flagging orders from fingerprints associated with chargebacks
  • Price personalization — Some retailers show different prices based on user profiles (controversial but real)
  • Bot detection — Identifying web scrapers and sneaker bots
  • Coupon abuse prevention — Detecting users creating multiple accounts for repeat discounts

How Ad Networks Use Fingerprinting

With third-party cookies declining, fingerprinting has become critical for:

  • Cross-site tracking — Following users across different websites without cookies
  • Attribution — Connecting ad views to conversions
  • Frequency capping — Limiting how many times a user sees an ad
  • Audience building — Creating targeting segments based on browsing behavior

The Entropy of Fingerprint Attributes

Not all fingerprint attributes contribute equally to identification. Here’s how much information each attribute typically provides:

AttributeEntropy (bits)Uniqueness Contribution
User Agent10-12 bitsHigh
Installed Fonts12-15 bitsVery High
Canvas Hash8-12 bitsHigh
Screen Resolution4-6 bitsMedium
Timezone3-4 bitsLow-Medium
Language2-4 bitsLow
Color Depth1-2 bitsLow
WebGL Renderer10-14 bitsVery High
Audio Fingerprint6-10 bitsHigh

With just 33 bits of entropy, you can uniquely identify every person on Earth (2^33 > 8 billion). Most browser fingerprints contain 40-60+ bits of entropy, making them extremely unique identifiers.

The Future of Browser Fingerprinting

Google’s Privacy Sandbox

Google is deprecating third-party cookies in Chrome and replacing them with privacy-preserving APIs. However, this may inadvertently increase reliance on fingerprinting for tracking.

Client Hints

The User-Agent Client Hints API is replacing the traditional user agent string with a more controlled disclosure mechanism. Websites must explicitly request information, giving browsers more control over what’s shared.

Increasing Browser Protections

Browsers are progressively limiting fingerprinting vectors:

  • Safari restricts Canvas, WebGL, and font enumeration
  • Firefox blocks known fingerprinting scripts
  • Chrome plans to reduce user agent information

Fingerprinting Arms Race

As browsers add protections, fingerprinters develop new techniques:

  • Network timing fingerprints
  • Battery API fingerprinting (now deprecated in most browsers)
  • Accelerometer/gyroscope fingerprinting on mobile
  • CSS rendering differences

This cat-and-mouse dynamic will continue as privacy regulations tighten globally.

FAQ

Is browser fingerprinting legal?

In most jurisdictions, browser fingerprinting falls into a legal gray area. Under GDPR, fingerprinting is considered a form of tracking that requires user consent, similar to cookies. The ePrivacy Directive also covers fingerprinting. However, enforcement varies, and many sites use fingerprinting without explicit consent. For businesses, it’s best to disclose fingerprinting in privacy policies and provide opt-out mechanisms.

Can I completely prevent browser fingerprinting?

No single method can completely prevent fingerprinting. You can reduce your uniqueness by using privacy-focused browsers (Tor, Brave), disabling JavaScript (which breaks most sites), or using anti-detect browsers. The Tor Browser comes closest to preventing fingerprinting by making all users appear identical, but it’s slow and many sites block Tor traffic.

Do VPNs protect against browser fingerprinting?

No. VPNs only change your IP address and encrypt your traffic. They don’t modify any browser fingerprint attributes. A website can still identify you through your unique combination of browser settings, hardware characteristics, and rendering differences even when you’re using a VPN. You need an anti-detect browser or fingerprint-spoofing tools alongside a VPN or proxy.

How unique is my browser fingerprint?

Studies show that 80-95% of browsers have a unique fingerprint. The combination of just a few attributes (user agent, screen resolution, timezone, installed fonts, canvas hash) is usually enough to create a unique identifier. You can check your uniqueness at AmIUnique or our browser fingerprint tester.

Does incognito mode prevent fingerprinting?

No. Incognito/private mode only prevents local storage of cookies, history, and form data. It does not change any fingerprint attributes. Your browser still exposes the same hardware, rendering, and configuration information in incognito mode as in normal mode.

Concerned about your browser fingerprint? Try our Browser Fingerprint Tester to see exactly what your browser reveals, or explore anti-detect browser guides for setup tutorials.

Scroll to Top