Most developers are familiar with cookies and session tokens. Fewer account for the browser fingerprint layer — a set of signals that are hardware-bound, session-persistent, and unaffected by the usual counter-measures.
The Core Signals
Canvas API
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.fillText('fp test ❤ 🔥', 2, 15);
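// toDataURL() serializes the rendered pixels; btoa() only re-encodes that string,
// so "hash" here means the encoded pixel data used as an identifier
const hash = btoa(canvas.toDataURL());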
The resulting pixel data varies based on GPU model, driver version, and OS-level rendering. Same device = same hash, every time.
WebGL
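const gl = document.createElement('canvas').getContext('webgl');
// The unmasked GPU string is exposed via the WEBGL_debug_renderer_info extension;
// plain gl.RENDERER may return a generic value depending on the browser
const ext = gl.getExtension('WEBGL_debug_renderer_info');
const renderer = gl.getParameter(ext ? ext.UNMASKED_RENDERER_WEBGL : gl.RENDERER);
// "ANGLE (NVIDIA GeForce RTX 3080 Direct3D11 vs_5_0 ps_5_0)"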
Exposes GPU model and driver string directly. Hardware-unique and immutable.
AudioContext
const ctx = new AudioContext();
const analyser = ctx.createAnalyser();
// Process a sine wave through the audio stack
// Floating-point output varies by hardware
Small variations in hardware audio processing = unique float signature.
Font Enumeration
Platforms probe font availability via CSS timing or JavaScript. Installed fonts reveal locale, software stack, and sometimes profession.
Why Standard Counter-Measures Fail
- VPNs: Change IP address only. Zero effect on Canvas/WebGL/Audio.
- Private browsing: Clears cookies and history. Hardware signals unchanged.
- Cookie deletion: Affects session cookies. Canvas hash is not a cookie.
- Browser reinstall: Clears browser cache. GPU-based signals remain.
The Consistency Requirement
Even with spoofed fingerprints, environment mismatches create detection signals:
Proxy exit: Dallas, TX (USA)
Browser timezone: Asia/Shanghai ← mismatch
navigator.language: zh-CN ← mismatch
Installed fonts: Source Han Sans (CJK) ← mismatch
All environment signals must be internally consistent with the declared location.
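The consistency check described above, written as a self-audit for a profile. This is an added example, not code from the original post; the expectation table, the font list, and the names `findMismatches`, `leakyProfile`, and `consistentProfile` are constructed assumptions.

```javascript
// Constructed baseline (assumption): what each proxy exit country is expected
// to look like. Not data from any real detection vendor.
const EXPECTED_BY_COUNTRY = {
  US: { tzPrefixes: ['America/', 'Pacific/Honolulu'], languages: ['en', 'es'], cjkFontsExpected: false },
  CN: { tzPrefixes: ['Asia/Shanghai', 'Asia/Urumqi'], languages: ['zh'], cjkFontsExpected: true },
};
const CJK_FONT_PREFIXES = ['Source Han Sans', 'Noto Sans CJK', 'Microsoft YaHei', 'SimSun'];

// env.proxyCountry: ISO country code of the proxy exit (known to the operator).
// In a browser, env.timezone comes from
// Intl.DateTimeFormat().resolvedOptions().timeZone and env.language from
// navigator.language; here they are passed in so the check runs offline.
function findMismatches(env) {
  const expected = EXPECTED_BY_COUNTRY[env.proxyCountry];
  if (!expected) return ['unknown-country']; // no baseline: flag, do not pass silently
  const mismatches = [];

  if (!expected.tzPrefixes.some((p) => env.timezone.startsWith(p))) {
    mismatches.push('timezone');
  }
  // Compare only the primary subtag: "zh-CN" -> "zh", "en-US" -> "en".
  const primaryLang = env.language.split('-')[0].toLowerCase();
  if (!expected.languages.includes(primaryLang)) {
    mismatches.push('language');
  }
  // CJK fonts alone are a weak signal (some OSes bundle them), so they only
  // count when the declared region does not expect them.
  const hasCjkFont = env.fonts.some((f) => CJK_FONT_PREFIXES.some((p) => f.startsWith(p)));
  if (hasCjkFont && !expected.cjkFontsExpected) {
    mismatches.push('fonts');
  }
  return mismatches;
}

// Constructed samples: the mismatched profile from the text, and a consistent one.
const leakyProfile = {
  proxyCountry: 'US', timezone: 'Asia/Shanghai', language: 'zh-CN',
  fonts: ['Arial', 'Source Han Sans SC'],
};
const consistentProfile = {
  proxyCountry: 'US', timezone: 'America/Chicago', language: 'en-US',
  fonts: ['Arial', 'Times New Roman'],
};
console.log(findMismatches(leakyProfile));
console.log(findMismatches(consistentProfile));
```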
What Actually Isolates
For developers building multi-account systems or privacy tools:
- Per-profile fingerprint isolation — unique Canvas/WebGL/AudioContext per profile, stable within session (not re-randomized per page load)
- Environment matching — timezone, language, and fonts all match the proxy's geographic location
- Behavioral separation — different session patterns, timing, navigation flows
Testing Your Implementation
browserleaks.com — comprehensive fingerprint audit
coveryourtracks.eff.org — EFF fingerprint test
If two profiles return matching Canvas hashes, they're linkable at the hardware level regardless of IP configuration.
Building something in this space? Drop questions in the comments — happy to go deeper on any of these signals.