An open-source browser fingerprinting tester (github.com/abrahamjuliot/creepjs) that's more thorough than commercial alternatives like FingerprintJS. Tests 30+ signals and detects anti-fingerprinting tools themselves — including Tor Browser, Brave shields, antidetect browsers, and DIY spoofs. Free to use; runs in any browser.

What's a good CreepJS Trust Score?

Real browsers: 95-99%. Production-ready antidetect profiles: 85-95%. Below 70% means CreepJS detected several inconsistencies — your spoof is obvious. Goal for antidetect: 85%+ with 0-2 lies detected. The 'rare fingerprint' factor also lowers score, so even legitimate Tor users score ~50%.

How is CreepJS different from FingerprintJS?

FingerprintJS focuses on identifying users (browser hash stability). CreepJS focuses on detecting spoofing — checks whether signals are CONSISTENT and whether functions have been patched. CreepJS is better for validating antidetect setups; FingerprintJS is better for understanding production fingerprinting impact.

Should my fingerprint be stable across CreepJS reloads?

Yes — that's a critical test. Reload CreepJS and verify the fingerprint hash is IDENTICAL. If it changes, your spoof is randomizing too aggressively, which is itself a bot signal (real users have stable fingerprints). Antidetect browsers must produce consistent-per-profile hashes.

What does 'Function lies' mean in CreepJS output?

CreepJS calls .toString() on native browser functions and checks if the result looks like 'function toDataURL() { [native code] }'. If you've patched a function with plain JavaScript, the toString output reveals it. Most DIY anti-fingerprinting patches fail this test; commercial antidetect browsers handle it properly.

Can CreepJS detect when I'm using a VPN or proxy?

Not directly — CreepJS doesn't see your IP. But it tests for consistency between claimed timezone, language, and geolocation. If timezone is America/Los_Angeles but other signals don't match, CreepJS may flag inconsistency. For full network-layer testing, combine CreepJS with an IP geolocation check.

How often should I re-test my antidetect setup with CreepJS?

Before deploying any new profile. After each antidetect browser update (browser features change, detection methods evolve). Every 1-2 months for in-production profiles (CreepJS itself updates as new detection methods emerge — your setup may fail a check it previously passed).

Is CreepJS the only fingerprint tester I need?

Best in class but use multiple. CreepJS for deep technical analysis. EFF Cover Your Tracks for user-friendly privacy summary. SannySoft bot.sannysoft.com specifically for headless-browser detection signals. FingerprintJS demo to see what commercial tools see. Each catches different issues.

CreepJS: The Browser Fingerprint Tester (2026 Guide)

Alex R.

Sun May 10 2026

Quick verdict: CreepJS is the most thorough open-source browser fingerprinting test — it detects more signals than commercial tools like FingerprintJS, plus catches anti-fingerprinting tools themselves (Tor, Brave shields, antidetect spoofs). Use it to validate your antidetect browser setup before deploying to production. The key score: "Trust Score" reflects how consistent and natural-looking your fingerprint is. Below 70% = obvious spoofing; 85%+ = production-ready.

What CreepJS Tests

CreepJS runs 30+ tests against your browser:

Canvas, WebGL, audio context fingerprints
Font list, system font availability
Screen resolution, color depth, pixel density
Timezone consistency (TZ vs IP geolocation)
Math precision (floating-point quirks per CPU/OS)
Plugins, MIME types
Permissions API (notifications, geolocation)
Network info (effective connection type)
Lie detection — tests for inconsistent values that suggest spoofing

The "lie detection" piece is what makes CreepJS unique. Most fingerprinting libraries collect signals; CreepJS additionally checks whether the signals make sense together.

How to Run It

Visit https://abrahamjuliot.github.io/creepjs/
Wait ~5 seconds for all tests to run
Read the result panels

For automated testing (e.g., validating antidetect profiles in CI), self-host CreepJS via the GitHub repo.

Reading the Output

CreepJS produces several distinct outputs:

Trust Score

Top of the page. 0-100%. Reflects:

How consistent your signals are (high score = consistent)
How rare your fingerprint is in CreepJS's observation database
How many "lies" CreepJS detected

Real browsers usually score 95%+. Tor Browser scores ~50% (very consistent within Tor users but extremely rare overall). Antidetect browsers should score 85%+ for production use.

Fingerprint Hash

The persistent identifier CreepJS computes. Same value across page reloads, same value across sessions if your fingerprint is stable. Useful for testing that your antidetect profile maintains consistency.

Lies Detected

The key panel. CreepJS lists every inconsistency it found:

"Canvas data unstable" — consecutive canvas reads return different hashes. Your spoof randomizes too aggressively.
"WebGL parameters mismatched" — the GL_VENDOR and GL_RENDERER strings do not correspond to a real GPU.
"Function lies" — native browser functions (toString, toDataURL) have been overridden, which CreepJS detects via toString length.
"User-Agent mismatch" — UA says Chrome but the actual browser features do not match Chrome's capabilities.
"Math fingerprint mismatch" — floating-point operations produce results inconsistent with the claimed OS.

Each lie is a vulnerability. For a clean fingerprint, the goal is 0 lies detected.

Per-Section Details

CreepJS breaks results into ~20 sections (Canvas, WebGL, Audio, Fonts, Headless, ...). Each shows the raw value and any anomalies. Useful for debugging which specific spoof is failing.

What "Real" vs "Spoofed" Looks Like

Property	Real Chrome	Good Antidetect	Bad Spoof
Trust Score	95-99%	85-95%	20-70%
Lies detected	0	0-2	5+
Canvas stability	Stable across reads	Stable	Often unstable
WebGL renderer	Real GPU string	Real GPU string (matched)	"Mesa LLVM" or empty
navigator.webdriver	undefined	undefined	true (headless tell)
Function toString	Native code	Native code	"function() { [patched] }"

Using CreepJS to Validate Antidetect Setups

Before deploying antidetect browser profiles to production:

Open the profile in your antidetect browser
Visit creepjs URL
Take a screenshot of the Trust Score + Lies panel
Reload the page and verify the fingerprint hash is identical (consistency check)
Open the SAME profile in 24 hours and verify hash is still the same (persistence check)

If the hash changes between reloads, your spoof is randomizing too aggressively — an obvious anti-fingerprinting signal. Real users have stable fingerprints across all their sessions.

Common Antidetect Browser Failures

1. Canvas Noise Too Aggressive

Adding 5+ pixels of noise per read produces visually-imperceptible but hash-distinct outputs. Real browsers always produce the same hash. CreepJS flags as "Canvas data unstable."

Fix: lower noise (1-2 pixel max) AND seed it deterministically per profile, so the same profile produces the same hash across sessions.

2. WebGL Mismatch

Spoofing the renderer string to "Intel HD Graphics 620" while running on an NVIDIA system — CreepJS notices the WebGL extensions list does not match what an Intel iGPU would actually expose.

Fix: use a renderer string that matches a complete profile (NVIDIA GPU + matching extension list). Antidetect browsers ship preset profiles for this.

3. Function Patching Detectable

Overriding HTMLCanvasElement.prototype.toDataURL with a plain function makes toDataURL.toString() return the patched function source. Real natives return "function toDataURL() { [native code] }".

Fix: use Object.defineProperty + custom toString override that returns the native string. Most antidetect browsers handle this; DIY patches often miss it.

4. Headless Mode Tells

navigator.webdriver = true, missing permissions API, no notifications support. CreepJS flags all of these.

Fix: use stealth plugins (playwright-stealth, undetected-chromedriver).

Alternative Testers

EFF Cover Your Tracks (formerly Panopticlick) — less thorough than CreepJS but more user-friendly. Good for general privacy audit.
amiunique.org — research project tracking fingerprint uniqueness across users.
FingerprintJS demo — commercial fingerprinting library's demo. See exactly what FingerprintJS sees about you.
SannySoft bot test — specifically tests for headless browser and bot tells.

For a complete pre-deployment audit, run all four. They catch different issues.

CreepJS + Proxies

Run CreepJS through the SAME proxy your scraper will use. The IP geolocation gets compared to your timezone; if your antidetect browser claims America/Los_Angeles but your proxy IP is in Germany, CreepJS flags it.

Best practice: pair each antidetect profile with a proxy in the matching country. For LTE-mobile workflows, SpyderProxy LTE ($2/IP) supports city-level targeting in 150+ countries.