spyderproxy

How Browser Fingerprints Are Detected (2026 Breakdown)

Daniel K. | Published Sun May 10 2026

Quick verdict: Modern browser fingerprinting collects 30+ signals from your browser and network and combines them via entropy weighting to produce a near-unique identifier. The dominant signals are canvas hash, WebGL renderer, audio context, TLS ClientHello, and HTTP/2 settings — together they fingerprint you with 99%+ uniqueness across a 100K-user pool. Defeating fingerprinting requires consistent spoofing of ALL layers simultaneously; spoofing one (e.g., User-Agent) while leaving the others intact actually makes you MORE identifiable as a bot.

The Fingerprinting Stack

Anti-bot services and fraud-prevention tools collect signals at three layers:

| Layer | Signal source | Example signals |
|---|---|---|
| Network | TCP/TLS/HTTP handshake | JA3 hash, HTTP/2 SETTINGS frame, IP/ASN reputation |
| Browser environment | JavaScript queries | Canvas, WebGL, audio context, fonts, plugins, screen, timezone |
| Behavioral | User interaction patterns | Mouse path, scroll velocity, keystroke timing, click accuracy |

Signals from all three layers are combined to score the request. A high-entropy combination = high confidence in identification. Low entropy = "could be many users" but still useful as a session linker.

JavaScript-Layer Signals (the most numerous)

Canvas Fingerprint

Renders a hidden image, hashes pixel data. ~99% uniqueness when combined with other signals. See Canvas fingerprinting deep-dive.

WebGL Renderer

WebGLRenderingContext.getParameter(WebGLRenderingContext.RENDERER) returns a string like "ANGLE (NVIDIA, NVIDIA GeForce RTX 3080 (0x00002484) Direct3D11 vs_5_0 ps_5_0, D3D11)". Reveals: GPU model, driver, OS rendering backend. Very high entropy.

Audio Context Fingerprint

Generate an audio signal, run it through the Web Audio API's processing pipeline, sample the output. Different OS audio implementations + CPU floating-point behavior produce slightly different signals. ~95% uniqueness.

Font List

Enumerate installed system fonts by trying to render text in each and measuring width. Most users have ~50-200 fonts; the specific set is fairly unique. Privacy-focused browsers limit access to this; commercial browsers do not.

Hardware Properties

  • navigator.hardwareConcurrency — CPU core count (typically 4, 8, 12, 16)
  • navigator.deviceMemory — RAM tier (0.25, 0.5, 1, 2, 4, 8 GB)
  • navigator.maxTouchPoints — touch screen support
  • screen.width/height/colorDepth, window.devicePixelRatio

Plugins and Mime Types

navigator.plugins and navigator.mimeTypes used to be highly identifying (Flash, Java, PDF readers); now mostly empty in modern browsers. Their EMPTINESS itself is a signal — a browser with NO PDF plugin is unusual.

WebRTC IPs

WebRTC reveals the local IP behind NAT and the public IP — even through a VPN if WebRTC is not blocked. Common privacy leak. Anti-bot services use this to detect VPN/proxy use.

Timezone & Language

Intl.DateTimeFormat().resolvedOptions().timeZone returns "America/Los_Angeles" or similar. navigator.language returns "en-US". A user with US English language but Asian timezone → suspicious.

Network-Layer Signals (hardest to fake)

JA3 TLS Fingerprint

A hash of the TLS ClientHello: cipher suite list, supported elliptic curves, extensions, signature algorithms. Python's requests and most non-browser HTTP clients produce a JA3 that is recognizably non-Chrome. Even spoofing the User-Agent does not change JA3.

This is why anti-bot services trivially distinguish Python scrapers from real browsers. Defeating it requires libraries that impersonate Chrome's TLS stack (curl_cffi, tls-client, undici with custom settings).
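How a server-side detector derives that hash, as an added example (not code from the original article). It follows the field layout of the public JA3 specification (TLS version, cipher suites, extensions, elliptic curves, point formats); the three ClientHello tuples are constructed sample values, not captures from any real client.

```python
import hashlib

# GREASE placeholders (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Browsers pick them
# at random per connection, so JA3 drops them before hashing.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 input string from already-parsed ClientHello fields."""
    def field(values):
        # Decimal values, original order preserved, joined with "-".
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """MD5 hex digest of the JA3 string. No HTTP header is an input."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed sample ClientHello fields (illustrative only).
HELLO_A = (771, [0x1A1A, 4865, 4866, 4867, 49195],
           [0x2A2A, 0, 23, 65281, 10, 11], [0x3A3A, 29, 23, 24], [0])
# Same client on a second connection: only the GREASE values changed.
HELLO_B = (771, [0x8A8A, 4865, 4866, 4867, 49195],
           [0xBABA, 0, 23, 65281, 10, 11], [0x4A4A, 29, 23, 24], [0])
# Different TLS library: same cipher suites offered in a different order.
HELLO_C = (771, [49195, 4865, 4866, 4867],
           [0, 23, 65281, 10, 11], [29, 23, 24], [0])

if __name__ == "__main__":
    for name, hello in (("A", HELLO_A), ("B", HELLO_B), ("C", HELLO_C)):
        print(name, ja3_string(*hello), ja3_hash(*hello))
```

Because the User-Agent header never enters the computation, changing it leaves the hash untouched, while a different cipher order alone produces a different hash.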

HTTP/2 SETTINGS Frame

HTTP/2 connections start with a SETTINGS frame announcing client preferences (max concurrent streams, header table size, initial window size). The values and ORDER are part of the fingerprint. Chrome's order is distinctive; Python libraries use different defaults.

Header Order

Browsers send HTTP headers in a specific order (Host, Connection, sec-ch-ua, sec-ch-ua-mobile, sec-ch-ua-platform, Upgrade-Insecure-Requests, User-Agent, Accept, ...). Curl and requests use different orders. Detectable.

IP / ASN Reputation

The IP itself is a signal. AWS/GCP/Azure ASNs are flagged automatically. Mobile carrier ASNs are trusted. Residential ISP ASNs are middle. This is why residential proxies matter — they shift you from "obviously bot" to "ambiguous."

Behavioral Signals

  • Mouse path entropy: real users move the mouse in Bezier-like curves; bots move in straight lines or instantly.
  • Click accuracy: real users miss the target by a few pixels then correct; bots click dead center.
  • Scroll velocity: real users scroll non-uniformly; bots use scrollTo with instant changes.
  • Time on page: bots often hit Next in < 1 second; humans take longer.
  • Keystroke timing: real typing has variable inter-key latency; bot-filled forms have uniform or instant filling.

Behavioral signals fire AFTER you arrive on the page, supplementing the network/JS fingerprint with "how does this user behave."
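A sketch of how a detector can score three of the signals listed above, as an added example (not code from the original article). The 1-second dwell threshold comes from the list; the straightness and timing-variation thresholds and both sample sessions are constructed assumptions.

```python
import math
import statistics


def path_straightness(points):
    """Straight-line distance / travelled distance (1.0 = perfectly straight)."""
    if len(points) < 2:
        return 1.0  # pointer appeared at the target without a recorded path
    travelled = sum(math.dist(a, b) for a, b in zip(points, points[1:]))
    if travelled == 0:
        return 1.0
    return math.dist(points[0], points[-1]) / travelled


def timing_variation(timestamps_ms):
    """Coefficient of variation of inter-key gaps; near 0 means uniform typing."""
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    if len(gaps) < 2 or statistics.fmean(gaps) == 0:
        return 0.0  # too few keys to measure, or everything filled at once
    return statistics.pstdev(gaps) / statistics.fmean(gaps)


def behavioral_flags(session, straight_min=0.98, variation_min=0.10,
                     dwell_min_ms=1000):
    """Return the names of the behavioral checks this session trips."""
    flags = []
    if path_straightness(session["mouse"]) >= straight_min:
        flags.append("straight_mouse_path")
    if len(session["keys_ms"]) >= 3 and \
            timing_variation(session["keys_ms"]) < variation_min:
        flags.append("uniform_keystrokes")
    if session["dwell_ms"] < dwell_min_ms:
        flags.append("fast_navigation")
    return flags


# Constructed sample sessions (illustrative only).
HUMAN = {"mouse": [(0, 0), (30, 22), (70, 35), (118, 38), (160, 30), (200, 10)],
         "keys_ms": [0, 140, 310, 395, 620, 700], "dwell_ms": 8400}
SCRIPTED = {"mouse": [(0, 0), (50, 25), (100, 50), (150, 75), (200, 100)],
            "keys_ms": [0, 50, 100, 150, 200], "dwell_ms": 400}

if __name__ == "__main__":
    print("human:", behavioral_flags(HUMAN))
    print("scripted:", behavioral_flags(SCRIPTED))
```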

Combining Signals: Entropy Math

Each signal has an "entropy" — the information it contributes about which user you are. Approximate values:

| Signal | Entropy (bits) | Notes |
|---|---|---|
| User-Agent | ~7 | Coarse: OS family + browser version |
| Screen resolution | ~5 | ~30 common values |
| Timezone | ~3 | ~24 main values |
| Language list | ~6 | Plus dialect |
| Canvas hash | ~17 | Near-unique among ~100K users |
| WebGL renderer | ~12 | GPU + driver |
| Audio context | ~9 | OS audio stack |
| Font list | ~13 | 50-200 fonts varies |
| Plugins/MIME | ~5 | Mostly empty modern |
| JA3 TLS | ~12 | Browser+version |
| HTTP/2 settings | ~5 | Library detection |

Total: ~94 bits combined. To uniquely identify one user in a 100K population needs only ~17 bits. The fingerprinting system has 5x more entropy than it needs — even with several signals spoofed, you remain identifiable.

This is why partial spoofing is worse than no spoofing. Real browser-A has consistent signals across all 30 dimensions. Bot pretending to be browser-A has Chrome UA + Chrome canvas + Linux WebGL + Python TLS — the INCONSISTENCY itself is a flag.
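The entropy arithmetic and the inconsistency check described above, as an added example (not code from the original article). The bit values are copied from the table; the straight sum treats the signals as independent, so it is an upper bound; the per-signal (client, OS) claims in the two sample observations are constructed.

```python
import math

# Approximate per-signal entropy in bits, copied from the table above.
ENTROPY_BITS = {
    "user_agent": 7, "screen": 5, "timezone": 3, "languages": 6,
    "canvas": 17, "webgl": 12, "audio": 9, "fonts": 13,
    "plugins": 5, "ja3": 12, "http2": 5,
}


def bits_needed(population):
    """Bits required to single out one member of a population."""
    return math.log2(population)


def remaining_bits(neutralized):
    """Upper-bound entropy left when the named signals carry no information."""
    return sum(b for s, b in ENTROPY_BITS.items() if s not in neutralized)


def contradictions(claims):
    """claims maps signal -> (client, os); None means 'says nothing on that axis'.
    Returns every pair of signals that disagree, with the axis they disagree on."""
    found = []
    names = sorted(claims)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for axis, label in enumerate(("client", "os")):
                va, vb = claims[a][axis], claims[b][axis]
                if va and vb and va != vb:
                    found.append((a, b, label))
    return found


# Constructed observations: what each signal implies about the client.
REAL_BROWSER = {"user_agent": ("chrome", "windows"), "canvas": ("chrome", None),
                "webgl": (None, "windows"), "ja3": ("chrome", None)}
# The article's case: Chrome UA + Chrome canvas + Linux WebGL + Python TLS.
PARTIAL_SPOOF = {"user_agent": ("chrome", "windows"), "canvas": ("chrome", None),
                 "webgl": (None, "linux"), "ja3": ("python", None)}

if __name__ == "__main__":
    print("total bits:", remaining_bits(set()))
    print("needed for 100K users: %.1f" % bits_needed(100_000))
    print("left after hiding UA, canvas, WebGL:",
          remaining_bits({"user_agent", "canvas", "webgl"}))
    print("real browser:", contradictions(REAL_BROWSER))
    print("partial spoof:", contradictions(PARTIAL_SPOOF))
```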

The Major Fingerprinting Services

  • FingerprintJS / Fingerprint Pro: open-source library + commercial API. Used by many sites to identify returning users.
  • ThreatMetrix (now LexisNexis): enterprise fraud detection, banking-grade.
  • iovation (TransUnion): device-based fraud prevention.
  • Sift: e-commerce fraud / account abuse detection.
  • FingerprintJS Bot Detection (different product than the user identifier): specifically targets bot detection.
  • Built into: Cloudflare Bot Management, DataDome, PerimeterX (HUMAN), Akamai Bot Manager. They all roll their own fingerprinting on top of the above.

How Bots Defeat Fingerprinting

  1. Antidetect browsers spoof JS-layer signals consistently per profile. See top antidetect browsers.
  2. TLS-impersonating libraries (curl_cffi) match Chrome's JA3.
  3. Residential / mobile proxies defeat IP reputation. See LTE proxies.
  4. Real browsers via Playwright (with stealth plugins) give correct network-layer signals automatically.
  5. Human-like behavioral patterns — randomized delays, mouse movement before clicks, slow scroll.

For tough targets, you need ALL of the above. Spoofing the UA alone is worse than nothing.
