What is browser fingerprinting?

Browser fingerprinting is a tracking technique that collects attributes about your browser and device — such as screen resolution, installed fonts, graphics rendering output, and TLS handshake parameters — to create a unique identifier. Unlike cookies, fingerprinting works without storing anything on your device, making it nearly impossible to detect or delete.

Is browser fingerprinting legal?

There is no law that specifically prohibits browser fingerprinting. The EU's ePrivacy Directive and GDPR require consent for tracking, but enforcement against fingerprinting is limited because it operates without cookies or local storage. Some data protection authorities have taken the position that fingerprints constitute personal data under GDPR, but this remains an evolving area of law.

Can I block browser fingerprinting?

You cannot fully block fingerprinting without breaking website functionality, but you can significantly reduce your uniqueness. The Tor Browser is the most effective tool because it makes all users look identical. Brave's farbling technique adds noise to fingerprinting signals. Firefox's resistFingerprinting setting standardizes many attributes. Using any of these reduces the accuracy of fingerprint-based tracking.

What is the difference between canvas fingerprinting and WebGL fingerprinting?

Canvas fingerprinting draws text and shapes on an HTML5 Canvas element and reads back the pixel output, which varies based on your GPU, drivers, and font renderer. WebGL fingerprinting probes the graphics hardware directly through the WebGL API, exposing renderer strings, supported extensions, and precision parameters. Both produce hardware-specific output, but WebGL reveals deeper hardware information.

Does incognito mode prevent fingerprinting?

No. Incognito or private browsing mode only prevents local storage of cookies, history, and cache. It does not change your browser's fingerprint — your screen resolution, fonts, GPU, and all other attributes remain identical. Trackers can fingerprint you in incognito mode just as easily as in a normal session.

Browser Fingerprinting in 2026: How Websites Identify You Without Cookies

Cookies were supposed to be the tracking story. Regulators wrote laws about them. Browsers added controls for them. Users learned to clear them. But while everyone was watching the cookie jar, the advertising industry built a completely different way to follow you around the internet — one that leaves nothing on your device, respects no consent dialog, and works even in incognito mode. Browser fingerprinting collects dozens of attributes about your browser and hardware — screen resolution, installed fonts, graphics card capabilities, audio processing characteristics, TLS handshake parameters — and combines them into a unique identifier. No cookie required. No local storage. No opt-out. How Browser Fingerprinting Works The principle is straightforward: the more attributes you measure, the more unique a browser becomes. A 2023 study by the Electronic Frontier Foundation found that over 80% of desktop browsers carry a fingerprint that is unique among the hundreds of thousands of browsers in their dataset. On mobile, the number is lower but still significant. A fingerprinting script typically runs silently when a page loads. It does not need your permission. It does not trigger any browser permission prompt. It does not store anything on your device. It simply reads attributes that your browser exposes to every website by design, sends those readings to a server, and computes a hash. That hash is your fingerprint. The key attributes fall into several categories, each with its own techniques and quirks. Canvas Fingerprinting Canvas fingerprinting exploits the HTML5 Canvas API, which websites use to draw graphics. When a script draws text and shapes onto a canvas element and then reads the pixel data back with or , the resulting pixel output varies based on your specific combination of GPU, graphics driver, font renderer, operating system, and anti-aliasing settings. The technique works because rendering the same drawing instructions produces subtly different pixel output on different hardware. A text character rendered on an NVIDIA GeForce RTX 4070 with Windows 11 and ClearType will produce a different pixel pattern than the same character rendered on an Apple M3 with macOS and Core Text. The differences are invisible to the human eye but trivially extractable by software. Canvas fingerprinting is extremely common. A 2024 study by FingerprintJS found canvas fingerprinting scripts on over 25% of the top 10,000 websites. It is the single most effective fingerprinting signal for desktop browsers. You can see exactly what your browser's canvas rendering looks like using our canvas fingerprint tool. WebGL Fingerprinting WebGL (Web Graphics Library) gives websites direct access to your GPU for 3D rendering. This access exposes far more hardware information than the Canvas 2D API. A WebGL fingerprinting script queries your browser for the GPU vendor and renderer string (for example, ), the list of supported WebGL extensions, the precision of floating-point operations, and the maximum texture size and viewport dimensions. It may also render a 3D scene and read back the pixel output, similar to canvas fingerprinting but through the 3D pipeline. The combination of renderer string, extensions, and precision parameters is highly identifying. Two laptops with the same GPU model but different driver versions will produce different WebGL fingerprints. A virtual machine with software rendering looks completely different from a physical machine with hardware acceleration. Test your browser's WebGL fingerprint with our WebGL fingerprint tool. AudioContext Fingerprinting AudioContext fingerprinting leverages the Web Audio API, which browsers provide for audio processing and synthesis. When a script creates an oscillator, applies signal processing (such as compression or filtering), and reads the output, the resulting audio signal varies based on the browser's audio stack — the specific implementation of the AudioContext, the operating system's audio subsystem, and the hardware's audio processing capabilities. The technique is particularly insidious because it works without producing any audible sound. The script processes audio entirely in software, reads the numerical output of the processed signal, and computes a hash. Two browsers on the same machine can produce different AudioContext fingerprints if they use different audio engines (Chrome's vs. Firefox's, for example). AudioContext fingerprinting is less common than canvas or WebGL fingerprinting but is used by sophisticated trackers because it provides an independent signal that is difficult to spoof without breaking audio functionality. Font Enumeration Browsers allow websites to detect which fonts are installed on your system through a timing side-channel. The technique works by measuring how long it takes the browser to render text in a specific font. If the font is installed locally, rendering is nearly instantaneous. If the font is not installed, the browser falls back to a default font, which takes measurably longer. By testing hundreds of fonts and measuring rendering times, a script can build a list of installed fonts. This list is highly identifying because font installations depend on your operating system, language settings, installed applications (Microsoft Office installs dozens of fonts, Adobe Creative Cloud installs hundreds), and any custom fonts you have added. Font enumeration is one of the oldest fingerprinting techniques and remains effective. Some browsers have implemented defenses — Firefox with returns a standardized font list — but most browsers still expose this information. Check what your browser reveals with our font fingerprint tool. TLS and HTTP/2 Fingerprinting When your browser connects to a website over HTTPS, it sends a TLS Client Hello message before any HTTP traffic. This handshake message contains a list of supported cipher suites, TLS extensions, elliptic curves, and signature algorithms — all in a specific order. The exact combination and ordering of these parameters varies between browsers and versions, creating a fingerprint that is visible to any network observer, including your ISP, without even looking at the encrypted traffic. TLS fingerprinting (also called JA3 fingerprinting, after the open-source tool that popularized it) works at the network level. It does not require JavaScript. It does not require the webpage to load. It identifies your browser the moment it initiates a connection. HTTP/2 adds another layer: the SETTINGS frame that your browser sends at the start of an HTTP/2 connection includes parameters like the initial window size, maximum concurrent streams, and header table size. The values and ordering of these parameters create an HTTP/2 fingerprint (called JA4) that can distinguish between browser versions and even between different configurations of the same browser. TLS and HTTP/2 fingerprinting are particularly difficult to defend against because they operate below the application layer. Changing these parameters requires modifying browser source code or using a proxy that rewrites the handshake. How Trackers Combine These Signals Individual fingerprinting signals are useful, but their real power comes from combination. A tracker does not rely on canvas alone or WebGL alone. It collects every available signal — canvas, WebGL, AudioContext, fonts, screen resolution, timezone, language, platform, plugins, touch support, battery status (where available), and dozens more — and combines them into a single fingerprint hash. This combinatorial approach means that even if you change one attribute, the others still identify you. Changing your screen resolution does not help if your GPU, fonts, and audio stack remain the same. This is why fingerprinting is so resilient against partial defenses. Cross-site tracking works the same way. Two different websites running the same fingerprinting script (often served by the same third-party adtech company) will compute the same fingerprint hash for your browser. The tracker can then link your activity across both sites without ever placing a cookie. How Anti-Fingerprinting Tools Work Tor Browser The Tor Browser takes the most aggressive approach: it makes every user look identical. It standardizes the screen resolution reported to websites, uses a fixed window size, returns a uniform font list, disables WebGL by default, and normalizes the Canvas and AudioContext outputs. The goal is not to hide your fingerprint but to make it identical to every other Tor Browser user. If ten thousand people have the same fingerprint, the fingerprint becomes useless for tracking an individual. This uniformity approach is theoretically the strongest defense, but it comes with significant usability costs. Many websites break or display incorrectly when run under Tor Browser's restrictions. WebGL-dependent applications will not work. Custom font rendering is disabled. Brave Farbling Brave Browser uses a technique called "farbling," which adds small amounts of random noise to fingerprinting signals. For canvas fingerprinting, farbling subtly alters the pixel data that returns. For WebGL, it modifies the renderer string and supported extensions list. For AudioContext, it introduces slight variations in the audio output. The key insight behind farbling is that the noise is deterministic per domain — the same website always sees the same fake fingerprint, so the site functions correctly, but a different website sees a different fake fingerprint, preventing cross-site correlation. This is a clever tradeoff: it preserves usability while breaking the cross-site tracking that makes fingerprinting valuable to advertisers. Firefox resistFingerprinting Firefox offers the preference (also enabled by the Tor Browser integration). When active, it standardizes many fingerprinting signals: it reports a fixed timezone (UTC), a fixed screen resolution, a standardized font list, and disables or limits several APIs. It also spoofs the User-Agent string. Firefox has also introduced as a more granular alternative that allows users to choose which protections to enable without the full Tor-level restrictions. This is available in Firefox 120+ and can be configured via about:config. What Does Not Work Randomized Canvas Noise Some privacy tools add random noise to canvas output on every page load. The problem is that this noise itself becomes a fingerprint. If your canvas output changes every time but all your other attributes stay the same, a tracker can identify you by the stability of your non-canvas signals while ignoring the canvas variation. Even worse, the statistical properties of the noise (its distribution, magnitude, and correlation across pixels) may be distinctive to the privacy tool you are using, effectively flagging you as someone who is trying to hide. Research from Brave's privacy team has shown that randomized noise is detectable and can actually increase your fingerprint uniqueness rather than reducing it. Uniformity — making your browser look like many others — is more effective than randomness. Blocking JavaScript Blocking JavaScript entirely prevents most fingerprinting, but it also breaks most of the web. More importantly, some fingerprinting techniques do not require JavaScript at all. TLS fingerprinting works at the network level. CSS-based font detection can work without JavaScript by measuring element rendering with CSS alone. Server-side fingerprinting based on HTTP headers (Accept-Language, User-Agent, Accept-Encoding) works without any client-side code. Switching Browsers Using multiple browsers reduces the linkability of your activity across sessions, but each individual browser still has its own unique fingerprint. If you use Chrome for personal browsing and Firefox for work, both browsers are individually fingerprintable. A tracker that operates across both browsers' fingerprinting surfaces can still build separate profiles for each. Practical Advice Getting your fingerprint to zero uniqueness is not realistic without severe usability sacrifices. But reducing it significantly is achievable. Use a browser with built-in anti-fingerprinting. Brave, Firefox with , or the Tor Browser all provide meaningful protection. Choose based on your threat model: Tor for maximum anonymity, Brave for everyday browsing with good privacy, Firefox with RFP for a middle ground. Standardize your environment. The closer your browser looks to millions of others, the less useful your fingerprint is. Use default settings wherever possible. Avoid installing exotic browser extensions that modify page rendering. Do not change your screen resolution to unusual values. Use separate browser profiles for separate contexts. A work profile and a personal profile in the same browser will have slightly different fingerprints (different extensions, different stored data), reducing the ability of trackers to link your activities across contexts. Test your own fingerprint. You can check how unique your browser appears using our browser fingerprint tool. Run it in your current browser, then run it again after enabling anti-fingerprinting protections to see the difference. Do not rely on incognito mode. Private browsing prevents local storage but does not change your fingerprint. If you need anonymity, use the Tor Browser. Keep your browser updated. Browser vendors regularly patch fingerprinting vectors in response to new research. Staying current means you benefit from these protections as they are released. The Arms Race Continues Browser fingerprinting is not a solved problem — it is an ongoing arms race between trackers and privacy defenders. As browsers close known fingerprinting vectors, researchers discover new ones. Recent work has demonstrated fingerprinting through CSS media queries, scroll behavior patterns, and even the timing characteristics of JavaScript execution. The W3C's Privacy Community Group continues to develop standards that could limit fingerprinting surfaces, but adoption is slow and enforcement is weaker still. The fundamental tension remains: the web platform was designed to expose rich device information so that websites could adapt to different capabilities. That same information enables tracking. Every attempt to restrict fingerprinting surfaces must balance privacy against functionality, and trackers exploit every gap in that balance. Understanding how fingerprinting works is the first step. Testing your own exposure is the second. Our tools at browser fingerprint, canvas fingerprint, WebGL fingerprint, and font fingerprint let you see exactly what your browser reveals. What you do with that information is up to you — but at least now you know what they can see. --- Updated May 2026. Browser fingerprinting techniques and defenses evolve rapidly. Re-test your fingerprint periodically to check for changes in your exposure.