Back to Blog
Apr 24, 2026Browser fingerprinting is a tracking technique that identifies you by combining dozens of passive signals your browser emits — screen resolution, installed fonts, canvas rendering quirks, WebGL output, audio context, TLS handshake shape, HTTP/2 settings, and more — into a single, near-unique fingerprint hash. In 2026, browser fingerprinting is the primary identity layer used by DataDome, PerimeterX (HUMAN), Kasada, Cloudflare Turnstile, Akamai Bot Manager, Shape Security, and every serious anti-fraud stack. IP-only protection is not enough: a residential proxy gives you a clean IP, but if your fingerprint is unique, the site has already identified you.
This guide explains how browser fingerprinting actually works at the technique level, maps every fingerprinting surface in a modern browser, walks through how to test your own fingerprint, compares the top five anti-detect browsers on the market, and shows working Playwright code that patches the canvas and navigator properties most commonly used by fingerprinters.
Browser fingerprinting is the collection and hashing of every differentiating detail your browser reveals to a website, producing a stable identifier that follows you across sessions even without cookies. Unlike cookies, fingerprints are passive — no permission prompt, no storage, nothing for the user to clear. The site calls a JavaScript API, reads the result, ships it to its backend, and on your next visit matches you to the same profile even after a clean install of the browser.
The EFF's Panopticlick project (now Cover Your Tracks) demonstrated as early as 2010 that ~84% of browsers are uniquely identifiable by fingerprint alone. In 2026, after 15+ years of fingerprinting research, anti-fraud vendors have expanded the surface from ~20 signals to well over 100, including GPU-specific WebGL output, audio processing quirks, TLS cipher ordering, and HTTP/2 frame sizes. A unique fingerprint is now the default state of any stock browser.
Fingerprinting is orthogonal to IP. A residential proxy hides your public IP but does not change the fingerprint your browser emits, so the anti-fraud stack can still link you across proxy rotations, IP geolocations, and sessions. Common failure modes:
requests TLS. The JA4 TLS fingerprint of the Python stack is a dead giveaway, IP irrelevant.The fix is layered: clean proxy IPs and a per-identity fingerprint. Anti-detect browsers exist specifically to make this trivial.
The modern fingerprint is assembled from dozens of separate surfaces. Below are the highest-entropy signals in 2026.
The User-Agent string and the newer Sec-CH-UA client hints reveal your browser, version, OS, and platform architecture. Chrome 131 on Windows 11 x86_64 is a common fingerprint bucket, but combined with other signals it narrows quickly. Client hints like Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform-Version, and Sec-CH-UA-Model add even more entropy.
The site asks the browser to render a specific string to an invisible HTML5 canvas, then reads the pixel data back. Tiny rendering differences between GPU, driver version, OS, font-rendering engine, and anti-aliasing settings produce a stable hash that is remarkably unique. Canvas remains the single highest-entropy fingerprint signal in 2026.
WebGL exposes the GPU renderer string (e.g. ANGLE (NVIDIA GeForce RTX 4070)), the supported extensions, the shader precision, and the output of test renderings. Each of these narrows the fingerprint bucket dramatically. WebGL fingerprinting is particularly deadly for farms running on identical hardware.
JavaScript can test whether a given font is installed by measuring the width of a rendered text span. By testing a list of thousands of fonts, a site builds the full installed-font list for your OS. Font lists are stable, slow-changing, and highly unique — a developer's machine with 200 programming fonts fingerprints differently from a stock OEM Dell.
The Web Audio API processes a test signal through an OfflineAudioContext and returns the output samples. Tiny floating-point differences between audio subsystems (CPU, OS audio stack, driver) produce a stable hash that is invisible to the user and effectively permanent per device.
Screen width, height, color depth, pixel ratio, devicePixelRatio, available screen area, and window inner dimensions all go into the bucket. Unusual combinations (e.g. a 3440x1440 ultrawide at 1.25x DPR) are individually rare and narrow the fingerprint aggressively.
Your timezone (from Intl.DateTimeFormat), your browser locale, your preferred languages in the Accept-Language header, and your geo-IP should all match. A browser reporting America/New_York timezone with a Berlin IP is an instant flag.
The navigator.hardwareConcurrency (CPU core count), navigator.deviceMemory (GB rounded), and the Battery Status API (deprecated but still present in some browsers) all contribute entropy and catch farms running virtualized environments with unusual CPU topology.
A desktop browser never fires touch events. A mobile browser never fires fine-grained mouse movement. A tablet fires both. Anti-fraud stacks listen for pointer patterns over the first few seconds of a page visit and compare them to what the user-agent claims — a "mobile Safari" that fires pixel-perfect mouse clicks is a bot.
Before any HTTP traffic flows, the TLS Client Hello reveals cipher suite ordering, supported extensions, elliptic curves, and signature algorithms. JA3 (and the newer JA4 standard) hashes this into a single identifier. Chrome, Firefox, Safari, and curl each have distinctive JA4 fingerprints, and requests in Python has yet another. Cloudflare, Akamai, and DataDome all check JA4 before they even look at the user-agent.
HTTP/2 SETTINGS frames, WINDOW_UPDATE increments, and HEADERS frame pseudo-header ordering differ between browser implementations. Akamai's HTTP/2 fingerprinting catches bots that present a perfect Chrome user-agent and JA4 but fail on HTTP/2 frame layout.
Several free tools let you see exactly what your browser emits and how unique you are among recent visitors.
If your uniqueness score on amiunique.org is "Yes, your fingerprint is unique" (>90% of visitors), you are trivially trackable across any site running any mainstream anti-fraud stack.
Anti-detect browsers are Chromium forks that expose per-profile overrides for every fingerprinting surface — canvas spoof, WebGL spoof, audio noise, font list, navigator properties, screen size, TLS/JA4, WebRTC. Each profile behaves like a fresh machine with its own fingerprint. The table below summarizes the major products.
| Browser | Starting Price | OS | Profiles | Fingerprint Coverage | Team Features |
|---|---|---|---|---|---|
| Multilogin | $109/mo (Solo) | Win, macOS, Linux | 100 profiles | Canvas, WebGL, audio, fonts, WebRTC, JA3/JA4 | Roles, sharing, API |
| GoLogin | $24/mo (Pro) | Win, macOS, Linux, Android | 100 profiles | Canvas, WebGL, audio, WebRTC, timezone | Team sharing, cloud |
| AdsPower | $5.40/mo (Pro) | Win, macOS | 100 profiles | Canvas, WebGL, audio, fonts, WebRTC, RPA builder | Roles, RPA, API |
| Dolphin Anty | Free (up to 10) | Win, macOS, Linux | Unlimited (paid) | Canvas, WebGL, audio, WebRTC, MediaDevices | Free tier, teams |
| Kameleo | €59/mo (Starter) | Win, iOS, Android | Unlimited | Mobile + desktop profiles, canvas, WebGL, TLS | Mobile emulation |
AdsPower is the most popular pick among solo operators on price-to-feature ratio. Multilogin is the enterprise standard. Dolphin Anty's free tier is the fastest way to trial the category. Kameleo is the only one of the five with first-class mobile fingerprint emulation.
Fingerprint and IP are both required. One without the other is trivially linkable:
SpyderProxy's Premium Residential at $2.75/GB pairs with any anti-detect browser via HTTP/SOCKS5 proxy config. For multi-account work that needs the same IP per profile for weeks, Static Residential at $3.90/day per IP is the correct tier. For the hardest targets — Mercari, PayPay, Japanese banking — use LTE Mobile at $2/IP paired with a mobile-profile anti-detect browser like Kameleo.
You do not need an anti-detect browser for one-off automation. Playwright with a handful of addInitScript patches gets you most of the way there. The snippet below patches the canvas, WebGL renderer, and navigator properties that fingerprinters most commonly read.
from playwright.async_api import async_playwright
import asyncio
async def run():
async with async_playwright() as p:
browser = await p.chromium.launch(
headless=False,
args=["--disable-blink-features=AutomationControlled"],
proxy={
"server": "http://pr.spyderproxy.com:7777",
"username": "USER-country-DE-city-berlin",
"password": "PASS",
},
)
context = await browser.new_context(
viewport={"width": 1920, "height": 1080},
locale="de-DE",
timezone_id="Europe/Berlin",
user_agent=(
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
"AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/131.0.0.0 Safari/537.36"
),
)
# Patch navigator, canvas, WebGL
await context.add_init_script("""
Object.defineProperty(navigator, 'hardwareConcurrency',
{ get: () => 8 });
Object.defineProperty(navigator, 'deviceMemory',
{ get: () => 8 });
Object.defineProperty(navigator, 'webdriver',
{ get: () => undefined });
const origGet = HTMLCanvasElement.prototype.toDataURL;
HTMLCanvasElement.prototype.toDataURL = function(...a) {
const ctx = this.getContext('2d');
if (ctx) {
// Add 1-bit random noise per pixel
const img = ctx.getImageData(0, 0, this.width, this.height);
for (let i = 0; i < img.data.length; i += 4) {
img.data[i] ^= Math.random() < 0.5 ? 0 : 1;
img.data[i+1] ^= Math.random() < 0.5 ? 0 : 1;
img.data[i+2] ^= Math.random() < 0.5 ? 0 : 1;
}
ctx.putImageData(img, 0, 0);
}
return origGet.apply(this, a);
};
const getParam = WebGLRenderingContext.prototype.getParameter;
WebGLRenderingContext.prototype.getParameter = function(p) {
if (p === 37445) return "Intel Inc."; // VENDOR
if (p === 37446) return "Intel Iris OpenGL"; // RENDERER
return getParam.call(this, p);
};
""")
page = await context.new_page()
await page.goto("https://amiunique.org/fingerprint")
await page.wait_for_timeout(5000)
await browser.close()
asyncio.run(run())
This is table stakes. Serious anti-fraud detects this level of naive patching by cross-checking signals (creepjs is the reference tool for seeing what leaks through). For production multi-account work, use a real anti-detect browser rather than rolling your own patches.
Fingerprinting is one layer of a larger anti-bot stack. Our how to bypass Cloudflare guide covers TLS/JA4, Turnstile, and bot-score handling in depth. Our WebRTC leak guide explains the ICE candidate leak that undoes any fingerprint effort. See also best proxies for web scraping, what is a proxy server, and static residential proxies explained.
Browser fingerprinting is a tracking technique that identifies you by combining dozens of signals your browser emits — canvas rendering, WebGL GPU output, installed fonts, audio context, TLS handshake, timezone, hardware properties — into a unique hash. Unlike cookies, fingerprints are passive and cannot be cleared by the user.
Most stock browsers are unique or near-unique among recent visitors to tools like amiunique.org. Over 84% of browsers are uniquely identifiable by fingerprint alone according to EFF research, and modern anti-fraud stacks that track 100+ signals bring that number well above 95%.
No. A residential proxy only changes your IP. The fingerprint your browser emits — canvas, WebGL, fonts, audio, TLS — is emitted the same way regardless of which IP you use. Anti-detect browsers are required to change fingerprints, not proxies.
An anti-detect browser is a Chromium fork that exposes per-profile overrides for every fingerprinting surface — canvas, WebGL, audio, fonts, timezone, WebRTC, TLS. Each profile behaves like a fresh machine with its own fingerprint. Popular options include Multilogin, GoLogin, AdsPower, Dolphin Anty, and Kameleo.
AdsPower is the most popular pick for solo operators on price-to-feature ratio at $5.40/mo. Multilogin is the enterprise standard at $109/mo with the most mature JA4 TLS and canvas coverage. Dolphin Anty offers a free tier up to 10 profiles. Kameleo leads on mobile fingerprint emulation.
JA3 and the newer JA4 are standardized hashes of the TLS Client Hello — cipher suite ordering, supported extensions, elliptic curves, and signature algorithms. They identify the TLS implementation (Chrome vs Firefox vs Python requests vs curl) before any HTTP traffic flows. Cloudflare, Akamai, and DataDome all check JA4 at the edge.
Partially. Playwright and Puppeteer with addInitScript patches can override navigator properties, canvas, and WebGL at the JS level. But TLS (JA4) and HTTP/2 fingerprints come from the underlying Chromium stack and still identify as headless automation. Use playwright-stealth, curl_cffi, or a real anti-detect browser for production work.
Use a privacy-focused browser (Brave, Tor, Firefox with privacy.resistFingerprinting enabled), disable WebRTC, turn off JavaScript-heavy features you do not need, and run popular browser/OS combinations (Chrome on Windows is less unique than Brave on Linux). For multi-account work, the only reliable path is an anti-detect browser paired with residential proxies.
Browser fingerprinting is the dominant identity layer on the commercial internet in 2026. Every serious anti-fraud vendor — Cloudflare, DataDome, PerimeterX, Kasada, Akamai — scores fingerprints before they look at IPs. A residential proxy alone is no longer enough; you need a matching per-identity fingerprint that does not contradict the proxy geolocation.
Start with SpyderProxy residential IPs at $1.75/GB or $2.75/GB, pair them with AdsPower, Multilogin, or Dolphin Anty, and test the combined fingerprint on amiunique.org or creepjs before going live. That is the 2026 baseline for anonymous browsing and multi-account work.