I keep seeing the same advice in e-commerce communities: "use a VPN, use residential proxies, clear your cookies." This fixes one layer. Modern platforms check four.
Layer 1: Network Identity
What platforms check: IP address, IP reputation (residential vs. datacenter), ASN (reveals proxy provider)
What works: Residential proxies with sticky IPs per account
What doesn't: Datacenter VPNs, shared proxy pools, rotating IPs mid-session
Layer 2: Browser Environment (The Tricky One)
This is where most people's setups fail.
Canvas fingerprint: Your GPU renders a hidden <canvas> element. The pixel output hashed into a unique ID. This ID is:
- Hardware-specific (GPU model + driver + OS combination)
- Session-persistent (doesn't change between page loads)
- Cookie-independent (clearing cookies does nothing)
- VPN-transparent (proxies have zero effect)
WebGL renderer: WebGLRenderingContext.getParameter(gl.RENDERER) returns a string like "ANGLE (NVIDIA GeForce RTX 3080 Direct3D11 vs_5_0 ps_5_0)". Identical across every browser session on your machine.
AudioContext fingerprint: The Web Audio API processes a sine wave through your hardware's audio stack. Floating-point precision variations create a device-unique output.
Font enumeration: Installed fonts reveal locale, software stack, and sometimes occupation.
Layer 3: Environment Consistency
Even if you spoof Layer 2, inconsistent environments trigger detection:
| Signal | Value | Expected |
|---|---|---|
| Proxy IP | Dallas, TX | - |
Intl.DateTimeFormat().resolvedOptions().timeZone |
Asia/Shanghai | America/Chicago |
navigator.language |
zh-CN | en-US |
| System fonts | Includes CJK fonts | Should be US locale |
Any mismatch here is a flag. All four need to be internally consistent.
Layer 4: Behavioral Patterns
ML models trained on millions of sessions can cluster accounts by:
- Session length distributions
- Click timing patterns
- Navigation flow similarity
- Simultaneous activity across accounts
The Fix
Proper isolation requires addressing all four layers:
- Residential proxy with one sticky IP per account
- Browser profile with unique Canvas/WebGL/AudioContext per profile (not incognito — actual isolated profiles)
- Matching environment: timezone + language + fonts = proxy location
- Behavioral separation: different session patterns, no simultaneous logins
Anti-detect browsers like FireKey automate Layer 2-3. Layers 1 and 4 still need manual attention.
Test your current fingerprint isolation: visit browserleaks.com in two "separate" browser windows. If the Canvas hash matches — they're linkable.
Questions? Drop them below — happy to go deeper on any specific platform's detection approach.
Top comments (0)