What Is Hardware Fingerprinting?

Hardware fingerprinting reads device capability signals - CPU cores, RAM, and screen metrics - that JavaScript exposes directly. The main values are navigator.hardwareConcurrency (logical CPU cores), navigator.deviceMemory (RAM in GB, bucketed to 0.25/0.5/1/2/4/8), and the screen object plus window.devicePixelRatio (resolution, color depth, available area, device pixel ratio). Individually these are low-entropy, but they must be coherent with each other and with the claimed platform, and certain combinations - especially server-grade core counts with mobile user-agents - are reliable bot tells.

Quick facts

  • CPU: navigator.hardwareConcurrency - logical core count
  • RAM: navigator.deviceMemory - bucketed to 0.25 / 0.5 / 1 / 2 / 4 / 8 GB
  • Display: screen.width/height, colorDepth, devicePixelRatio, availWidth/Height
  • Bot tell: 64+ cores with a phone UA; or hardwareConcurrency = 1
  • Coherence: Cores, RAM, GPU, and screen must describe one plausible device

What the hardware APIs report

A handful of properties summarise the device:

  • navigator.hardwareConcurrency - the number of logical cores, used by sites to size worker pools. Real consumer devices cluster at 4, 8, 10, 12, 16. A value of 1 or 2 is unusual on modern hardware; 32, 64, or 96 indicates a server.
  • navigator.deviceMemory - approximate RAM, deliberately bucketed for privacy to one of 0.25, 0.5, 1, 2, 4, or 8 (capped at 8). A phone reporting 8 with a desktop screen, or a desktop reporting 0.5, is suspicious.
  • The screen object and window.devicePixelRatio - width/height, availWidth/availHeight (screen size minus OS taskbars), colorDepth (almost always 24), and devicePixelRatio (1 on standard displays, 2 on Retina, 1.5/1.25 on scaled Windows).

None is unique, but together with the GPU and platform they describe a class of device, and that class has to be internally consistent.

The cloud-server signature

The most actionable hardware tell is the under- or over-provisioned cloud instance. Scrapers run on VPS and container hosts whose hardwareConcurrency reflects the VM size - often 1 or 2, or 32/64 on large instances - and whose headless browser reports a default or zero-size screen. Combinations that no real user produces:

  • hardwareConcurrency: 1 with a desktop Chrome UA (real desktops are multi-core).
  • hardwareConcurrency: 64 with an Android UA (no phone has 64 cores).
  • screen.width x screen.height of 800x600 or 0x0 with a flagship-phone UA.
  • deviceMemory: 8 (the cap) on every request from a fleet, while real traffic spreads across buckets.

These are cheap server-side checks that catch entire scraping fleets sharing one VM profile.

Coherence and stability

Spoofing the values is easy; spoofing them coherently is the hard part. The core count, RAM bucket, GPU tier (from WebGL/WebGPU), screen resolution, and device pixel ratio must all describe one believable machine that also matches the User-Agent and Client Hints. A request claiming an iPhone should report the core count and screen metrics of that specific iPhone, not generic desktop values.

Two further traps: the values must be stable within a session (real hardware does not change cores mid-visit), and they must match what timing-based probes infer - a timing attack can estimate the true core count by saturating workers, catching a browser that claims 8 cores but schedules like 2. This is why hardware spoofing works best as part of a complete device profile rather than field-by-field edits.
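
The session-stability requirement above and the fleet check from the cloud-server section can both be run over collected telemetry. The following is an added example, not code from the original page; the record fields, source labels, thresholds, and sample rows are constructed assumptions.

```javascript
// Constructed sample telemetry, one row per page view:
// [session, source network, cores, deviceMemory, screen, dpr]
const SAMPLE = [
  ['r1', 'isp-a', 8, 8, '1920x1080', 1],
  ['r2', 'isp-a', 4, 4, '1366x768', 1],
  ['r3', 'isp-a', 12, 8, '2560x1440', 1.5],
  ['r3', 'isp-a', 2, 8, '2560x1440', 1.5],      // cores changed mid-session
  ['r4', 'isp-a', 6, undefined, '390x844', 3],  // browser without deviceMemory
  ['h1', 'host-b', 2, 8, '800x600', 1],
  ['h2', 'host-b', 2, 8, '800x600', 1],
  ['h3', 'host-b', 2, 8, '800x600', 1],
  ['h4', 'host-b', 2, 8, '800x600', 1],
  ['h4', 'host-b', 2, 8, '800x600', 1],         // second view, same session
].map(([session, src, cores, memory, screen, dpr]) =>
  ({ session, src, cores, memory, screen, dpr }));

// Collapse the hardware fields into one comparable profile string.
const profileOf = (r) => [r.cores, r.memory ?? 'n/a', r.screen, r.dpr].join('|');

// Sessions that reported more than one hardware profile during a visit.
function unstableSessions(records) {
  const seen = new Map(); // session -> Set of profiles
  for (const r of records) {
    if (!seen.has(r.session)) seen.set(r.session, new Set());
    seen.get(r.session).add(profileOf(r));
  }
  return [...seen].filter(([, p]) => p.size > 1).map(([s]) => s).sort();
}

// Sources where one profile covers >= minShare of distinct sessions.
// minSessions and minShare are illustrative thresholds, not tuned values.
function fleetProfiles(records, minSessions = 4, minShare = 0.9) {
  const bySrc = new Map(); // src -> Map(session -> first profile seen)
  for (const r of records) {
    if (!bySrc.has(r.src)) bySrc.set(r.src, new Map());
    const sessions = bySrc.get(r.src);
    if (!sessions.has(r.session)) sessions.set(r.session, profileOf(r));
  }
  const flagged = [];
  for (const [src, sessions] of bySrc) {
    if (sessions.size < minSessions) continue; // too little traffic to judge
    const counts = new Map();
    for (const p of sessions.values()) counts.set(p, (counts.get(p) || 0) + 1);
    const [profile, n] = [...counts].sort((a, b) => b[1] - a[1])[0];
    if (n / sessions.size >= minShare) flagged.push({ src, profile, sessions: n });
  }
  return flagged;
}
```

On the sample rows, unstableSessions(SAMPLE) flags session r3 and fleetProfiles(SAMPLE) flags host-b, whose four sessions share one profile, while the varied isp-a traffic passes.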

Code example

```javascript
// Cheap hardware signals an anti-bot script collects
const hw = {
  cores: navigator.hardwareConcurrency,   // 4/8/12/16 real; 1 or 64 suspicious
  memory: navigator.deviceMemory,         // 0.25..8 (bucketed); 8 is the cap
  screen: [screen.width, screen.height].join('x'),
  avail: [screen.availWidth, screen.availHeight].join('x'),
  depth: screen.colorDepth,               // ~always 24
  dpr: window.devicePixelRatio            // 1 / 2 / 1.5
};

// Server-side incoherence checks (pseudo)
function hardwareSuspicious(hw, ua) {
  if (/Android|iPhone/.test(ua) && hw.cores > 16) return true;  // phone with server cores
  if (/Windows|Macintosh/.test(ua) && hw.cores <= 1) return true; // desktop with 1 core
  if (/iPhone/.test(ua) && hw.dpr < 2) return true;             // iPhone is always >=2 dpr
  if (hw.screen === '0x0' || hw.screen === '800x600') return true; // headless default
  return false;
}
```

Related terms

What Is Browser Fingerprinting?
Browser fingerprinting is a technique that identifies and tracks a visitor by combining dozens of small, observable characteristics of their…
What Is Screen Resolution Fingerprinting?
Screen resolution fingerprinting reads the display geometry a browser reports - screen.width/height, availWidth/availHeight, colorDepth, dev…
What Is WebGL Fingerprinting?
WebGL fingerprinting reads identifying information directly from the GPU. The browser exposes the graphics card vendor and renderer string (…
What Is Timing & Cache Side-Channel Fingerprinting?
Timing-based fingerprinting uses high-resolution clocks to measure how long operations take, turning microarchitectural and rendering behavi…
What Is Fingerprint Clustering?
Fingerprint clustering is the practice of grouping fingerprints from millions of real visitors by similarity, then rejecting any new visitor…
What Is Headless Browser Detection?
Headless browser detection is the set of probes anti-bot systems use to distinguish a headless or instrumented Chrome session from a real us…
What Is Anti-Bot Detection?
Anti-bot detection is the set of techniques websites use to distinguish automated traffic from human users — and to block, challenge, or thr…
What Is Browser Fingerprinting Evasion?
Browser fingerprinting evasion is the practice of configuring an automated browser so that the combined fingerprint it presents — canvas, We…
Anti-Bot Vendor Detection Cheatsheet
The first step of any scrape against a protected site is identifying which anti-bot vendor is in front of it. The vendor determines almost e…
How Do Websites Detect Web Scrapers?
Websites detect scrapers by collecting hundreds of signals across the network, transport, browser, and behavioral layers, then scoring the c…

Frequently asked questions

How much entropy is in hardwareConcurrency and deviceMemory?

Little on their own - real devices cluster at a few core counts and deviceMemory is bucketed to six values. Their value is coherence and anomaly detection: catching impossible combinations (a phone UA with 64 cores) and fleets of cloud scrapers that all share one VM profile. They are corroborating signals, not unique identifiers.

Can I just set hardwareConcurrency to 8 to look normal?

You can, but it must be coherent with everything else - the GPU tier, screen size, device pixel ratio, User-Agent, and Client Hints all have to describe the same machine - and it must survive a timing attack that estimates the real core count by saturating workers. Field-by-field spoofing tends to create a contradiction somewhere.

What screen size should a headless scraper use?

A common real resolution for the claimed device, with matching availWidth/availHeight and device pixel ratio - never the headless default of 0x0 or 800x600. For a desktop, 1920x1080 at dpr 1 is the safest common choice; for a specific phone, use that phone's real metrics.

Last updated: 2026-05-30