What Is CreepJS?

Paste into ChatGPT, Claude, or any LLM

On this page

CreepJS is an open-source JavaScript test page that measures how identifiable a browser is and whether the values it reports are internally consistent. Created by Abraham Juliot and first released in 2020, it runs roughly two dozen in-browser checks - Canvas, WebGL and GPU, Web Audio, fonts, screen, navigator, timezone and more - and then does something most fingerprinting scripts do not: it cross-checks the results against each other to find contradictions. The project frames its purpose as research and education, exposing how well privacy tools and modified browsers hold up rather than acting as a production identification library. It is one of the most cited reference pages for understanding what a real browser is supposed to look like.

Type	Open-source browser-fingerprinting test page (MIT)
Author	Abraham Juliot - first released 2020
Probes	Canvas, WebGL/GPU, audio, fonts, screen, navigator, timezone (~21 checks)
Signature feature	"Lie detection" - cross-checks signals for contradictions
Outputs	Trust grade, detected "lies" list, uniqueness %, fingerprint hash

How CreepJS works

CreepJS collects a wide set of signals and then evaluates them on two axes. The first is uniqueness - how rare each value is, and how rare the combination is relative to the other visitors the page has seen, reported as a percentage where a lower number means the browser blends in with the crowd. The second, and the part it is known for, is consistency. It inspects JavaScript object prototypes to detect tampering - when a property or function has been overridden so its reported value no longer matches the behaviour of a genuine native implementation. In CreepJS terminology these contradictions are called "lies," but a lie is a technical inconsistency (the environment does not match the model of an unmodified browser), not an accusation about a person. A user-agent claiming one operating system while the GPU string, fonts and timezone point at another is the classic example.

What CreepJS reports

The report combines several outputs: an overall trust grade (shown as a letter grade with an associated percentage) that reflects how coherent the whole profile looks; a list of the specific "lies" it detected; a bot / headless rating that flags signals consistent with automated or headless browsers; and one or more fingerprint hashes (CreepJS computes both a strict identifier and a looser, more stable one to study how persistent a profile is across reloads). The exact mapping from percentage to letter grade, and the uniqueness baseline, are computed live and shift between CreepJS versions as its sample population grows - so the specific numbers a run shows are best read as relative indicators, not fixed constants.

Why CreepJS matters for web scraping

CreepJS is useful as a diagnostic. Because it surfaces contradictions rather than just collecting values, it is a fast way to check whether a browser environment tells one coherent story - the same question a lie-detection system on a protected site asks. A clean consumer browser typically scores a high trust grade with few or no lies; a headless or heavily patched environment tends to score lower and trip the headless flag. Passing CreepJS shows a profile is internally consistent, but it is not the same as the real-world verdict a live detector reaches, because that verdict also weighs server-side signals such as IP reputation and TLS fingerprint that a client-side page cannot see.

Code example

python

# CreepJS is a *diagnostic* you load in a real browser session to inspect
# your own setup - not something you embed in a site. Open the official demo
# at https://abrahamjuliot.github.io/creepjs/ and read the report:
#
#   - Trust grade   : how coherent the whole profile looks (letter + %)
#   - Lies          : specific contradictions it detected
#   - Bot / headless: signals consistent with automation
#   - Uniqueness    : how rare the fingerprint is (lower = blends in)
#
# A high grade only proves client-side consistency. A live detector also
# weighs server-side signals (IP, TLS) that CreepJS never sees, so treat it
# as one check among several, not a pass/fail oracle.

Related terms

What Is Fingerprint Lie Detection?

Fingerprint lie detection is the practice of verifying that the signals a browser reports are internally consistent and untampered, rather t…

What Is Browser Fingerprinting?

Browser fingerprinting is a technique that identifies and tracks a visitor by combining dozens of small, observable characteristics of their…

What Is Canvas Fingerprinting?

Canvas fingerprinting is a way for a website to identify your device by asking the browser to draw a tiny invisible image, then turning the …

What Is WebGL Fingerprinting?

WebGL fingerprinting reads identifying information directly from the GPU. WebGL is the browser feature that lets web pages draw 3D graphics …

What Is Headless Browser Detection?

Headless browser detection is the set of probes anti-bot systems use to distinguish a headless or instrumented Chrome session from a real us…

What Is FingerprintJS?

FingerprintJS is an open-source JavaScript library that combines many browser and device attributes into a single hashed visitor identifier.…

What Is BrowserScan?

BrowserScan (browserscan.net) is a free, hosted web page that tests how authentic and internally consistent a browser's fingerprint looks, a…

What Is Fingerprint Reconnect Stability?

Fingerprint reconnect stability is whether a browser returns a consistent fingerprint across reloads, reconnects, and sessions. A genuine de…

How Is Browser Stealth Benchmarked?

Benchmarking browser stealth means measuring how detectable an automated browser session is, rather than how fast or efficient the automatio…

Concept map

How CreepJS connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

What does CreepJS actually measure?

Two things: how unique a browser's fingerprint is (how well it blends into the crowd) and how internally consistent it is. The second part - cross-checking reported values for contradictions, which CreepJS calls 'lies' - is what sets it apart from a plain fingerprinting script.

What is a CreepJS "lie"?

A 'lie' is a technical inconsistency: a value the browser reports that contradicts another value or the behaviour of a genuine native API. For example, a navigator property that has been overridden so it no longer matches how an unmodified browser would respond. It describes the environment, not a person's intent.

Is a high CreepJS trust score enough to look like a real browser?

No. A high grade means the fingerprint is internally consistent on the client side, which is necessary but not sufficient. A live detector also weighs server-side signals such as IP reputation and TLS fingerprint that CreepJS cannot observe, so the two verdicts can disagree.

Is CreepJS open source?

Yes. CreepJS was created by Abraham Juliot and its code is MIT-licensed, with the official demo hosted on GitHub Pages. The project describes its goal as research and education - measuring how identifiable browsers and privacy tools are.

Last updated: 2026-06-15