What Your Browser Fingerprint Reveals (With Live Examples)
TL;DR: Fingerprinting is how sites track you when cookies, logins, and even VPNs fail. Each signal on its own is harmless. Together they form a near-unique ID that survives across tabs, sessions, and private mode. This post explains each signal with live examples — run our Fingerprint Check alongside to see your own.
📋 Contents
What fingerprinting actually is
Cookies used to be the main way websites followed you around. They're easy to block, easy to clear, and every browser has a setting for them. So trackers built something better: fingerprinting, which doesn't store anything on your machine. Instead, it reads signals your browser already exposes by design — screen size, installed fonts, the way your GPU draws a letter — and combines them into a stable identifier.
No single signal is a secret. Screen resolution, for example, is completely innocent on its own. But screen resolution + timezone + GPU model + the specific way your browser renders the word "mmmmmmmmmmlli" is almost certainly unique to you, your device, and nobody else in the world right now.
⚠️ Why this matters more in 2026
Third-party cookies are being phased out across all major browsers. Regulation (GDPR, CCPA, DSA) is making cookie-based tracking expensive. So trackers have quietly shifted to fingerprinting — which doesn't require a cookie banner, isn't covered by "clear browsing data," and isn't currently regulated in most jurisdictions.
Entropy: the math of uniqueness
Fingerprinting is a numbers game. Each signal contributes some number of bits of entropy — bits of information that narrow down who you are. If a signal has 2 possible values, knowing yours eliminates half the population (1 bit). If it has 1024 possible values and yours is relatively rare, it might contribute 8–10 bits.
You need roughly 33 bits of entropy to uniquely identify one specific person out of 8 billion. A typical desktop browser leaks more than 30 bits through fingerprinting signals alone. That's why sites with good fingerprinting libraries can re-identify returning visitors with 99%+ accuracy even after a VPN change and a clear-cookies.
Let's walk through the biggest contributors.
Signal: Canvas rendering
What it is: the browser has a 2D drawing API called Canvas. Scripts can render text into an off-screen canvas, then read back the pixel data as a data URL or hash.
Why it's unique: the exact pixels depend on the combination of GPU, GPU driver, OS font-rasteriser, browser version, and sometimes the fonts the user has installed. Two "identical" laptops running the same Chrome version but different GPU drivers produce subtly different pixel output — enough to distinguish them.
What it looks like in code:
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.textBaseline = 'alphabetic';
ctx.fillStyle = '#f60';
ctx.fillRect(125, 1, 62, 20);
ctx.fillStyle = '#069';
ctx.font = '13px "Arial"';
ctx.fillText('FunWithText fingerprint', 2, 15);
const hash = sha256(canvas.toDataURL());
// "a7b3c9d2e1f8..." — stable per device, unique across devicesDefence: Brave and Tor Browser randomise the canvas output per session so the hash is
different every time. Firefox's privacy.resistFingerprinting does something similar but less
aggressive.
Signal: WebGL vendor & renderer
What it is: WebGL exposes a UNMASKED_VENDOR_WEBGL and
UNMASKED_RENDERER_WEBGL string. Together they reveal your GPU.
Typical values:
Vendor: "Google Inc. (NVIDIA)"
Renderer: "ANGLE (NVIDIA, NVIDIA GeForce RTX 4070 Direct3D11 vs_5_0 ps_5_0, D3D11)"Why it's unique: GPU model + driver version is a strong discriminator, especially on desktop. RTX 4070 owners are a small fraction of the population. Add the driver version (implicit in the renderer string) and you're down to a much smaller slice.
Defence: in Chrome, the renderer string is gradually being standardised to hide model
details — but it's a slow rollout. Firefox with
webgl.enable-debug-renderer-info = false returns empty values.
Signal: AudioContext
What it is: the OfflineAudioContext API can generate a tone, pass it through
a DynamicsCompressor node, and read the resulting floating-point sample values. Those values
depend on the CPU's floating-point behavior and the audio-subsystem implementation.
Why it's unique: subtle differences in how different OSes and CPUs handle the compressor DSP produce distinct sample sums. It's not as discriminating as canvas, but it's stable across sessions and hard to spoof because it doesn't look like a tracking signal.
Defence: Brave randomises audio output. Tor Browser fakes a standard profile.
Signal: Installed fonts
What it is: a script measures a string rendered in many candidate fonts. If the rendered width differs from the fallback width, that font is installed.
Why it's unique: installed fonts depend on OS, language, pre-installed apps (Adobe Creative Cloud, Office, Photoshop all add dozens of fonts), and user installs. Your font list is often the single most discriminating signal your browser exposes, because software installs accumulate over years.
Defence: newer Chrome and Safari use "font allow-lists" — only a fixed set of system fonts is measurable. Tor Browser ships a bundled font stack and ignores system fonts entirely.
Signal: Hardware & display
What it is: navigator.hardwareConcurrency (CPU cores),
navigator.deviceMemory (GB, quantised), screen resolution, viewport, device pixel ratio, and
touch support all help narrow the device class.
Why it's relatively low entropy: these values cluster tightly — most laptops are 8-core with 16 GB RAM at 1920×1080. But they add 3–6 bits on top of whatever else you're leaking, and some combinations (like 24-core with HDR display at 3840×1600) are instantly distinctive.
Defence: some anti-fingerprinting modes round these values (deviceMemory to 8, hardwareConcurrency to 4). Don't run your browser in an oddly-sized window — a unique window size is a strong signal.
Signal: Language & timezone
What it is: navigator.languages returns an ordered list (e.g.
["en-GB", "no", "en"]). Intl.DateTimeFormat().resolvedOptions().timeZone returns
your timezone (e.g. "Europe/Oslo").
Why it's informative: language preference + timezone often narrows to a country, a
city, or even a single employer (English-speaking developer on Oslo time is a fairly specific person). It
also defeats VPN-based anonymity because a user in Oslo with a US VPN still shows
"Europe/Oslo".
Defence: Tor Browser forces en-US and UTC for all users.
Firefox's resistFingerprinting does the same.
🧬 See your own fingerprint right now
All of the above is easier to understand when you can see your own signals. Our Fingerprint Check shows every signal plus a combined SHA-256 hash — 100% in your browser, nothing stored.
Run the checkHow to reduce your fingerprint
Fully blocking fingerprinting is hard — every signal you lie about is itself a signal (a trivially-spoofed UA + a canvas hash that matches Windows tells the tracker you're spoofing). The realistic goal is to look like a large herd: be one of millions of indistinguishable browsers, not one of a kind.
- Tor Browser is the gold standard. Every Tor user is forced into a small set of identical configurations (window size via letterboxing, fixed UA, fixed fonts, no WebGL details, no canvas).
- Brave has randomisation for canvas, audio, and WebGL built in via the "Shields" settings. Set "Block fingerprinting" to "Strict."
- Firefox — set
privacy.resistFingerprintingtotrueinabout:config. Breaks some video players and timezone display; survivable for most users. - Don't install rare fonts. Every uncommon font adds entropy. Uninstall what you don't use.
- Use standard window sizes. Odd viewport dimensions stick out. Maximise, don't resize.
- Keep your browser updated. Old versions are rarer than new ones and therefore more distinctive.
- Avoid extensions that modify DOM globally (e.g. some "dark mode everywhere" extensions inject detectable style attributes).
- Use a separate browser profile for sensitive browsing. Fingerprints don't bridge across different browser processes if you're careful.
⚠️ VPN + fingerprinting = not enough
A VPN hides your IP but leaves every fingerprint signal untouched. If a tracker has fingerprinted you before, switching VPN servers doesn't help — your browser still looks identical from the tracker's perspective. Use anti-fingerprinting and a VPN.
FAQ
What is browser fingerprinting?
A tracking technique that builds a stable identifier for your browser by combining low-level signals — screen size, GPU, fonts, timezone, canvas rendering, audio processing — into a single hash. Because no individual signal is unique but the combination is, fingerprinting works even when cookies are blocked.
Can I block fingerprinting?
You can reduce it, not fully eliminate it, in a normal browser. Tor Browser is designed so every user looks identical, which is the only way to be genuinely unidentifiable. Brave and Firefox offer strong anti-fingerprinting modes that degrade tracker accuracy substantially.
Is incognito mode enough?
No. Incognito prevents history, cookies, and cache from being saved locally. Every fingerprinting signal is identical in incognito and normal mode, so trackers see the same ID. A "new session" in incognito looks like the same browser to a fingerprinter.
How unique is my browser?
On a typical desktop, roughly 1 in 100,000 browsers share your exact fingerprint. On mobile it's better because devices are more uniform, but installed apps, fonts, and locale still produce millions of distinguishable profiles. Run our Fingerprint Check to see your own combined hash.
Does a VPN help against fingerprinting?
Not directly. A VPN changes your IP address but leaves every fingerprint signal untouched. A tracker that fingerprinted you once can still recognise you across VPN sessions. Use anti-fingerprinting settings and a VPN, not one or the other.
🛠️ Check your privacy exposure
See what websites can learn about you right now — all client-side, nothing stored:
About FunWithText
We build free, privacy-focused text tools and network diagnostics. Most of our tools run in your browser — your data stays on your device.
Read More Articles →