DEV Community

Seven Labs for Seven Labs

Posted on • Originally published at Medium on

What is Browser Fingerprinting and How to Reduce It

What is Browser Fingerprinting and How to Reduce It

Browser fingerprinting identifies you without planting anything on your device. No cookies, no storage, no tracking pixels — just your browser answering questions it was never designed to refuse. Run our free browser fingerprint test and you will see exactly how many signals your browser is leaking right now.

Quick Answer: What is Browser Fingerprinting?

Browser fingerprinting is a tracking technique that combines technical attributes of your browser and hardware — canvas rendering output, installed fonts, GPU model, timezone, screen dimensions, and 50+ other signals — into a single composite identifier. Because the combination is statistically unique, it functions as an ID without requiring cookies or local storage.

Unlike cookies, fingerprints cannot be deleted. They survive private browsing mode, clearing cookies, and switching networks.

How the Fingerprint is Built

Each signal alone is not very unique. Combined, they are.

Canvas fingerprint

Your browser is asked to render text and shapes on an invisible canvas element. The exact pixel output depends on your operating system, GPU, and font rendering engine. The resulting image is hashed into a short string that acts as a hardware signature.

WebGL render hash

A shader program renders a triangle on an off-screen WebGL canvas. The pixel values are read back and hashed. GPU driver differences — even between two machines with the same GPU model — produce different outputs.

Audio context fingerprint

The OfflineAudioContext API processes an audio signal through a compressor node. How your CPU handles the floating-point arithmetic is hardware-dependent, producing a value that differs per device.

Font enumeration

By measuring how your browser renders text in different typefaces, a script can determine which fonts are installed on your OS. The list differs meaningfully between Windows, macOS, and Linux.

Timezone and locale

Your IANA timezone, date format, number format, and language settings are all exposed without any permission prompt. If your timezone does not match your VPN exit country, the mismatch is itself a fingerprinting signal.

navigator.userAgent, navigator.hardwareConcurrency (CPU cores), navigator.deviceMemory, screen resolution, colour depth, and device pixel ratio are all readable by any script on any page you visit.

Why Cookies Are Not the Whole Picture

Cookie consent banners have trained users to believe that clicking “Reject All” protects them from tracking. It does not protect against fingerprinting.

Fingerprinting requires no consent because it stores nothing. The tracker reads data your browser volunteers as part of normal operation. GDPR and CCPA have limited legal coverage for fingerprinting — enforcement is rare and technically complex to prove.

What Your Privacy Score Means

Our browser fingerprint test calculates a privacy score from 0 to 100 and converts it to a letter grade:

If your score is below 60, the fixes below will move the needle significantly.

How to Reduce Your Browser Fingerprint

Use Firefox with resistFingerprinting

The single most effective change. In Firefox, go to about:config and set:

privacy.resistFingerprinting = true
Enter fullscreen mode Exit fullscreen mode

This enables Firefox’s built-in fingerprinting resistance mode. It normalises canvas output, returns a fixed set of fonts, reports a clamped timezone (UTC), and clamps CPU/memory values to fixed numbers. Your fingerprint becomes nearly identical to all other Firefox users with this setting enabled — which is the goal.

Firefox also ships with Enhanced Tracking Protection. Set it to “Strict” in Preferences > Privacy & Security.

Use the Brave browser

Brave takes a different approach: rather than reporting fixed values, it randomises canvas, WebGL, and audio fingerprints on a per-session basis. Each time you open Brave, those signals produce different outputs, making cross-session linking impossible. Enable “Strict” fingerprinting protection in Brave Shields.

Enable Global Privacy Control

GPC ( Sec-GPC: 1) is a browser signal that is legally enforceable in California under CCPA and in the EU. It tells sites not to sell or share your personal data.

  • Brave and Firefox ship with GPC support.
  • Firefox: set privacy.globalprivacycontrol.enabled = true in about:config.
  • Chrome: install the GPC extension.

Fix the WebRTC IP leak

WebRTC can expose your real IP address even behind a VPN. See our dedicated guide: How to Fix WebRTC IP Leaks.

Short version:

  • Firefox: set media.peerconnection.enabled = false in about:config.
  • Chrome: install uBlock Origin and enable “Prevent WebRTC from leaking local IP addresses” in its settings.

Block tracking scripts

Most fingerprinting code is delivered via third-party scripts. Blocking those scripts before they run is more effective than trying to spoof their results.

  • uBlock Origin (Firefox/Chrome) in medium or hard mode blocks the majority of fingerprinting domains.
  • Brave Shields blocks them by default.

Match your timezone to your VPN exit node

If you use a VPN, set your OS timezone to match the country of your VPN exit node. Otherwise the mismatch signals that you are using a VPN — and potentially reveals your real location.

Revoke unnecessary permissions

Visit chrome://settings/content or Firefox's Permissions settings and revoke:

  • Location (geolocation)
  • Clipboard read
  • Camera and microphone (unless needed)
  • Notifications

Permissions granted to one site persist until revoked. Check them periodically.

What Does Not Help (Common Misconceptions)

Incognito / private mode does not prevent fingerprinting. Your hardware and browser version are the same whether you are in a private window or not. Canvas and WebGL output are unchanged.

Clearing cookies has no effect on fingerprinting. The fingerprint is computed fresh on every page load from browser APIs — nothing is read from storage.

A VPN alone does not prevent fingerprinting. VPNs hide your IP address. They do nothing about canvas hashes, fonts, or GPU signatures. A fingerprint can re-identify you even if your IP changes every hour.

Spoofing your user agent string helps only marginally. User agent is one signal out of fifty. Changing it while leaving canvas and font signals intact makes you more unique, not less.

For Website Owners: Reducing What You Expose

If you run a website, you can limit the fingerprinting surface available to third-party scripts embedded on your pages.

The Permissions-Policy header lets you disable APIs that fingerprinting scripts commonly exploit:

Permissions-Policy: camera=(), microphone=(), geolocation=(), usb=()
Enter fullscreen mode Exit fullscreen mode

A strong Content Security Policy restricts which third-party scripts can load at all. If a fingerprinting script cannot load, it cannot run.

Scan your site’s security headers to see what you are currently exposing.

The Practical Bottom Line

No single change makes you completely untrackable. The goal is to be indistinguishable from the crowd — to blend in with millions of other users rather than stand out.

The highest-impact changes, in order:

  1. Use Firefox with privacy.resistFingerprinting = true, or use Brave
  2. Install uBlock Origin and set it to at least default mode
  3. Fix the WebRTC IP leak
  4. Enable Global Privacy Control
  5. Revoke permissions you do not actively use

Run the browser fingerprint test again after making these changes to see your updated score.

See the complete security headers checklist to protect your own site’s visitors. Or scan your site for missing headers now.

Originally published at https://sechead.sevenlabs.site on July 8, 2026.

Top comments (0)