What Is Hardware Fingerprinting?

Hardware fingerprinting reads device capability signals - CPU cores, RAM, and screen metrics - that JavaScript exposes directly. These are values any website can read from the browser without permission. The main ones are navigator.hardwareConcurrency (the number of logical CPU cores), navigator.deviceMemory (RAM, reported only as one of 0.25/0.5/1/2/4/8), and the screen object (resolution, color depth, available area, and device pixel ratio). On its own, each value is low-entropy - meaning it barely narrows down who you are - but the values have to be coherent with each other and with the platform the browser claims to be. Certain combinations - especially server-grade core counts paired with mobile user-agents (the text a browser sends to identify itself) - are reliable signs of a bot.

Quick facts

  • CPU: navigator.hardwareConcurrency - logical core count
  • RAM: navigator.deviceMemory - bucketed to 0.25 / 0.5 / 1 / 2 / 4 / 8 GB
  • Display: screen.width/height, colorDepth, devicePixelRatio, availWidth/Height
  • Bot tell: 64+ cores with a phone UA; or hardwareConcurrency = 1
  • Coherence: Cores, RAM, GPU, and screen must describe one plausible device

What the hardware APIs report

A handful of properties summarise the device:

  • navigator.hardwareConcurrency - the number of logical cores, which sites use to decide how many background workers to spin up. Real consumer devices cluster at 4, 8, 10, 12, 16. A value of 1 or 2 is unusual on modern hardware; 32, 64, or 96 indicates a server.
  • navigator.deviceMemory - approximate RAM, deliberately rounded for privacy to one of 0.25, 0.5, 1, 2, 4, or 8 (capped at 8). A phone reporting 8 with a desktop screen, or a desktop reporting 0.5, is suspicious.
  • The screen object - width/height, availWidth/availHeight (the screen minus OS taskbars), colorDepth (almost always 24), and devicePixelRatio (1 on standard displays, 2 on Retina, 1.5/1.25 on scaled Windows).

None is unique, but together with the GPU and platform they describe a class of device, and that class has to be internally consistent.

The cloud-server signature

The most actionable hardware tell is the cloud instance that is either too small or too big to be a real device. Scrapers run on VPS and container hosts whose hardwareConcurrency reflects the VM size - often 1 or 2, or 32/64 on big boxes - and whose headless browser (a browser running with no visible window) reports a default or zero-size screen. Combinations that no real user produces:

  • hardwareConcurrency: 1 with a desktop Chrome UA (real desktops are multi-core).
  • hardwareConcurrency: 64 with an Android UA (no phone has 64 cores).
  • screen.width: 800, height: 600 or 0x0 with a flagship-phone UA.
  • deviceMemory: 8 (the cap) on every request from a fleet, while real traffic spreads across buckets.

These are cheap server-side checks that catch entire scraping fleets sharing one VM profile.
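
The fleet-level check described above can be sketched as follows. This is an added example, not code from the original page: it groups collected hardware reports by a `source` key and flags any source where a single hardware profile accounts for nearly all requests. The `source` field (for instance a network range), the report field names, and both thresholds are assumptions made for illustration.

```javascript
// Added example. Field names, the `source` grouping key and both thresholds
// are assumptions chosen for illustration.
function profileKey(hw) {
  // Not every browser exposes deviceMemory; keep "missing" as its own bucket.
  return [hw.cores, hw.memory ?? 'n/a', hw.screen, hw.dpr].join('|');
}

function findFleetProfiles(requests, { minRequests = 20, maxShare = 0.8 } = {}) {
  const bySource = new Map(); // source -> Map(profileKey -> request count)
  for (const r of requests) {
    if (!bySource.has(r.source)) bySource.set(r.source, new Map());
    const counts = bySource.get(r.source);
    const key = profileKey(r.hw);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const flagged = [];
  for (const [source, counts] of bySource) {
    const total = [...counts.values()].reduce((a, b) => a + b, 0);
    if (total < minRequests) continue; // too few requests to judge a distribution
    for (const [profile, n] of counts) {
      const share = n / total;
      if (share >= maxShare) flagged.push({ source, profile, share, total });
    }
  }
  return flagged;
}

// Constructed sample traffic: net-A is a fleet on one VM image, net-B is mixed.
function sampleRequests() {
  const reqs = [];
  for (let i = 0; i < 30; i++) {
    reqs.push({ source: 'net-A', hw: { cores: 2, memory: 8, screen: '800x600', dpr: 1 } });
  }
  const mixed = [
    { cores: 8, memory: 8, screen: '1920x1080', dpr: 1 },
    { cores: 4, memory: 4, screen: '1366x768', dpr: 1 },
    { cores: 12, memory: 8, screen: '2560x1440', dpr: 1.5 },
    { cores: 8, memory: undefined, screen: '1440x900', dpr: 2 },
  ];
  for (let i = 0; i < 32; i++) reqs.push({ source: 'net-B', hw: mixed[i % mixed.length] });
  return reqs;
}

console.log(findFleetProfiles(sampleRequests()));
```

Only net-A is reported: its 30 requests share one profile, while net-B's traffic spreads across four.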

Coherence and stability

Spoofing the values is easy; spoofing them coherently is the hard part. The core count, RAM bucket, GPU tier (read from WebGL/WebGPU), screen resolution, and device pixel ratio must all describe one believable machine that also matches the User-Agent and Client Hints (extra device-detail headers Chrome sends). A request claiming an iPhone should report the core count and screen metrics of that specific iPhone, not generic desktop values.

Two further traps: the values must be stable within a session (real hardware does not gain or lose cores mid-visit), and they must match what timing-based probes infer - a timing attack can estimate the true core count by loading up all the workers and measuring how they run, catching a browser that claims 8 cores but schedules like 2. This is why hardware spoofing works best as part of a complete device profile rather than field-by-field edits.
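
The within-session stability check can be sketched like this. It is an added example, not code from the original page: it records the first hardware report seen for each session and compares later reports against it. The field names, the verdict labels, and the decision to score display changes lower than core or memory changes are assumptions of this sketch.

```javascript
// Added example. Field names and the verdict labels are assumptions.
const IMMUTABLE_FIELDS = ['cores', 'memory']; // fixed for the life of a visit
// Assumption of this sketch: display values can legitimately change
// (window moved to another monitor, browser zoom), so they score lower.
const DISPLAY_FIELDS = ['screen', 'depth', 'dpr'];

class SessionHardwareTracker {
  constructor() {
    this.baseline = new Map(); // sessionId -> first hardware report seen
  }

  observe(sessionId, hw) {
    const first = this.baseline.get(sessionId);
    if (first === undefined) {
      this.baseline.set(sessionId, { ...hw });
      return { verdict: 'baseline', changed: [] };
    }
    const changed = [...IMMUTABLE_FIELDS, ...DISPLAY_FIELDS]
      .filter((field) => first[field] !== hw[field]);
    if (changed.some((field) => IMMUTABLE_FIELDS.includes(field))) {
      return { verdict: 'inconsistent', changed };
    }
    return { verdict: changed.length ? 'display-changed' : 'stable', changed };
  }
}

// Constructed sample: three sessions replayed in arrival order.
function replaySample() {
  const tracker = new SessionHardwareTracker();
  const reports = [
    ['s1', { cores: 8, memory: 8, screen: '1920x1080', depth: 24, dpr: 1 }],
    ['s2', { cores: 8, memory: 8, screen: '1920x1080', depth: 24, dpr: 1 }],
    ['s1', { cores: 8, memory: 8, screen: '1920x1080', depth: 24, dpr: 1 }],
    ['s2', { cores: 4, memory: 8, screen: '1920x1080', depth: 24, dpr: 1 }], // cores changed
    ['s3', { cores: 10, memory: 8, screen: '1512x982', depth: 24, dpr: 2 }],
    ['s3', { cores: 10, memory: 8, screen: '1920x1080', depth: 24, dpr: 1 }], // external monitor
  ];
  return reports.map(([id, hw]) => ({ id, ...tracker.observe(id, hw) }));
}

console.log(replaySample());
```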

Code example

```javascript
// Cheap hardware signals an anti-bot script collects
const hw = {
  cores: navigator.hardwareConcurrency,   // 4/8/12/16 real; 1 or 64 suspicious
  memory: navigator.deviceMemory,         // 0.25..8 (bucketed); 8 is the cap
  screen: [screen.width, screen.height].join('x'),
  avail: [screen.availWidth, screen.availHeight].join('x'),
  depth: screen.colorDepth,               // ~always 24
  dpr: window.devicePixelRatio            // 1 / 2 / 1.5
};

// Server-side incoherence checks (pseudo)
function hardwareSuspicious(hw, ua) {
  if (/Android|iPhone/.test(ua) && hw.cores > 16) return true;  // phone with server cores
  if (/Windows|Macintosh/.test(ua) && hw.cores <= 1) return true; // desktop with 1 core
  if (/iPhone/.test(ua) && hw.dpr < 2) return true;             // iPhone is always >=2 dpr
  if (hw.screen === '0x0' || hw.screen === '800x600') return true; // headless default
  return false;
}
```

Frequently asked questions

How much entropy is in hardwareConcurrency and deviceMemory?

Little on their own - real devices cluster at a few core counts, and deviceMemory is rounded to just six possible values, so neither narrows you down much. Their value is coherence and anomaly detection: catching impossible combinations (a phone UA with 64 cores) and fleets of cloud scrapers that all share one VM profile. They are corroborating signals, not unique identifiers.

Can I just set hardwareConcurrency to 8 to look normal?

You can, but it has to be coherent with everything else - the GPU tier, screen size, device pixel ratio, User-Agent, and Client Hints all have to describe the same machine - and it has to survive a timing attack that estimates the real core count by loading up all the workers. Spoofing one field at a time tends to create a contradiction somewhere.

What screen size should a headless scraper use?

A common real resolution for the claimed device, with matching availWidth/availHeight and device pixel ratio - never the headless default of 0x0 or 800x600. For a desktop, 1920x1080 at dpr 1 is the safest common choice; for a specific phone, use that phone's real metrics.

Last updated: 2026-05-31