DEV Community

FireKey Team

Canvas Fingerprinting Explained: The Invisible Tracker That Survives Cookie Deletion

You cleared your cookies. You're using incognito. You switched to a different IP. And the website still knows it's you.

Welcome to canvas fingerprinting — one of the most persistent tracking techniques on the web.

What is Canvas Fingerprinting?

The HTML5 Canvas API lets browsers render 2D graphics. What most developers don't realize is that the exact pixel output of canvas rendering differs slightly between machines — due to differences in:

  • GPU model and driver version
  • Operating system font rendering
  • Anti-aliasing implementation
  • Subpixel rendering settings

These tiny variations produce a unique "fingerprint hash" for each device.

How Websites Extract It

function getCanvasFingerprint() {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');

  // Draw text with specific styling
  ctx.textBaseline = 'top';
  ctx.font = '14px Arial';
  ctx.fillText('Browser fingerprint test 🔐', 2, 2);

  // Add geometric shapes
  ctx.fillStyle = 'rgba(255, 0, 100, 0.5)';
  ctx.fillRect(100, 5, 80, 50);

  // The toDataURL output is your fingerprint
  return canvas.toDataURL();
}

The resulting string is hashed and stored server-side. Next visit — same hash, same user, regardless of cookies or IP.
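
To see when a page does this to you, the audit hook below (an added example, not code from the original post or from FireKey) wraps the text-drawing calls and `toDataURL` and records every readback. `installCanvasAudit`, `demo` and the stub classes are names made up for this example; the stubs are constructed stand-ins for the DOM classes.

```javascript
// Added example: records canvas readbacks so you can see which scripts do them.
function installCanvasAudit(CanvasClass, ContextClass) {
  const log = [];
  const drewText = new WeakSet(); // canvases that have had text drawn on them

  // Fingerprinting scripts draw text so font rendering ends up in the pixels.
  for (const name of ['fillText', 'strokeText']) {
    const original = ContextClass.prototype[name];
    ContextClass.prototype[name] = function (...args) {
      drewText.add(this.canvas); // ctx.canvas points back at the element
      return original.apply(this, args);
    };
  }

  // toDataURL() is where the rendered pixels leave the canvas.
  const originalToDataURL = CanvasClass.prototype.toDataURL;
  CanvasClass.prototype.toDataURL = function (...args) {
    log.push({
      api: 'toDataURL',
      width: this.width,
      height: this.height,
      textDrawn: drewText.has(this), // true matches the pattern shown above
      stack: new Error().stack,      // identifies the calling script
    });
    return originalToDataURL.apply(this, args);
  };
  return log;
}

// Constructed stand-ins for the DOM classes so the example runs under Node.
function demo() {
  class StubContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {} strokeText() {} fillRect() {}
  }
  class StubCanvas {
    constructor() { this.width = 300; this.height = 150; }
    getContext() { return this.ctx || (this.ctx = new StubContext(this)); }
    toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
  }
  const log = installCanvasAudit(StubCanvas, StubContext);
  const canvas = new StubCanvas();
  const ctx = canvas.getContext('2d');
  ctx.fillText('Browser fingerprint test', 2, 2);
  ctx.fillRect(100, 5, 80, 50);
  canvas.toDataURL();           // text drawn, then read back
  new StubCanvas().toDataURL(); // blank canvas read back
  return log;
}
```

In a browser, call `installCanvasAudit(HTMLCanvasElement, CanvasRenderingContext2D)` before page scripts run and inspect the returned array. `getImageData()` and `toBlob()` are other readback paths that this example does not wrap.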

Why It Persists Across Everything

| User Action | Hides Canvas Fingerprint? |
| --- | --- |
| Clear cookies | ❌ No |
| Use incognito | ❌ No |
| Change VPN/proxy | ❌ No |
| Use different Chrome profile | ❌ No |
| Use different browser (Chrome → Firefox) | ✅ Slightly different |
| Use different machine | ✅ Yes |

Real-World Impact

E-commerce sellers: If you run multiple Amazon/eBay stores from one machine, every account has the same canvas hash. Amazon correlates these within hours.

Social media managers: Running 10 Twitter accounts from one laptop? Same fingerprint on all 10.

Scrapers/automation: Sites like LinkedIn and Cloudflare use canvas hashing as a bot signal.

The Fix: Fingerprint Spoofing Per Profile

True protection requires randomizing or spoofing the canvas output per browser profile — not just blocking it (which itself becomes a fingerprint).

Tools like FireKey handle this at the profile level: each browser environment gets a deterministic but unique canvas fingerprint, making profiles appear as completely different devices.

Free open beta: app.firekey.ai

Verify Your Canvas Fingerprint

https://browserleaks.com/canvas — shows your exact canvas hash

Run it twice across sessions. If the hash is the same — you're trackable.


This article was written in a FireKey isolated browser environment with a unique canvas fingerprint.