Web Scraping APIs

What Is Browser Fingerprinting?

What Is Browser Fingerprinting? — conceptual illustration
On this page

Browser fingerprinting is a technique that identifies and tracks a visitor by combining dozens of small, observable characteristics of their browser and device into a single distinctive signature. Unlike cookies, a fingerprint is built from data the browser exposes by default — User-Agent, installed fonts, canvas and WebGL rendering quirks, audio context output, screen resolution, TLS handshake order — and persists even when the user clears cookies or switches to incognito mode.

Quick facts

Also known asDevice fingerprinting, passive fingerprinting
Common signalsCanvas, WebGL, AudioContext, fonts, TLS/JA4, HTTP/2 frames
Used byCloudflare, DataDome, PerimeterX, Akamai, fraud-prevention vendors
Cookie-freeYes — fingerprints survive incognito mode and cookie clearing

How browser fingerprinting works

Sites collect fingerprint data through two channels. Active fingerprinting runs JavaScript in the browser to read APIs: `navigator.userAgent`, `screen.width`, `Intl.DateTimeFormat().resolvedOptions()`, hashed canvas output from drawing a test image, WebGL renderer name, AudioContext outputs, the list of installed fonts. Passive fingerprinting reads what the browser sends without being asked: the order of HTTP/2 frames, the TLS ClientHello cipher and extension order (the JA3/JA4 fingerprint), the exact HTTP header casing and order. Each signal alone is weak — millions of users share the same User-Agent — but combine fifteen of them and you have a 30-bit identifier that's unique among hundreds of millions of visitors.

Why fingerprinting matters for scraping

Fingerprinting is how modern anti-bot systems tell a real Chrome user from Playwright pretending to be one. Even if your scraper rotates IPs, sets a real User-Agent, and uses a headless browser, mismatches between the layers leak the truth. A Linux Chrome User-Agent paired with a Windows TLS fingerprint is a tell. A canvas hash that matches none of the millions seen from real Chrome installs is a tell. A `navigator.plugins` array of length zero in a browser that should have plugins is a tell. Anti-bot scoring engines aggregate these signals and decide whether to serve the page, challenge with a CAPTCHA, or block outright.

How to evade fingerprinting (as a scraper)

There's no "set User-Agent to Chrome and you're done" answer. The serious approach is to run a real browser (not headless, or `--headless=new` at minimum), patch the known leak points with a stealth plugin, and ensure all the layers agree: TLS fingerprint matches the User-Agent's browser, canvas hash matches a real installation, timezone matches the proxy's geo, language headers match. For all but the easiest sites, getting this right manually is months of work — which is why fingerprinting-aware scraping APIs exist. They maintain pools of vetted real-browser fingerprints and rotate them across requests.

Privacy and ethical context

Fingerprinting was originally developed for fraud prevention — banks use it to detect stolen credentials being replayed from a new device. It's also widely used for ad tracking, which has drawn regulatory pushback under GDPR and the ePrivacy Directive. Browsers are pushing back too: Safari's ITP, Firefox's resistFingerprinting mode, and Chrome's Privacy Sandbox all aim to flatten the most identifying signals. For scraping, this is good news — fingerprints become harder for sites to use reliably as real-user diversity narrows.

Code example

javascript
// A few of the signals a fingerprinting script collects and hashes.
const signals = {
  userAgent: navigator.userAgent,
  platform: navigator.platform,
  languages: navigator.languages,
  hardwareConcurrency: navigator.hardwareConcurrency,
  deviceMemory: navigator.deviceMemory,
  timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  screen: [screen.width, screen.height, screen.colorDepth],
  // Canvas, WebGL, fonts and audio add many more entropy bits.
};

// These are combined into one stable hash that survives cookie clearing.
const fingerprint = JSON.stringify(signals);

Related terms

What Is Anti-Bot Detection?
Anti-bot detection is the set of techniques websites use to distinguish automated traffic from human users — and to block, challenge, or thr…
What Is Cloudflare Turnstile?
Cloudflare Turnstile is a CAPTCHA-replacement service that verifies a visitor is a human without showing a traditional puzzle. It runs a ser…
What Is a Headless Browser?
A headless browser is a real web browser — Chrome, Firefox, or WebKit — that runs without a visible graphical interface, controlled entirely…
What Is a Web Scraping API?
A web scraping API is a managed HTTP service that fetches a target URL on your behalf and returns the rendered HTML, JSON, or parsed data. I…
What Is an Anti-Scraping Mechanism?
An anti-scraping mechanism is any technical control a website uses to detect, slow, or block automated requests. Modern sites stack multiple…
What Is WebGL Fingerprinting?
WebGL fingerprinting reads identifying information directly from the GPU. The browser exposes the graphics card vendor and renderer string (…
What Is AudioContext Fingerprinting?
AudioContext fingerprinting plays a silent waveform through the Web Audio API, then reads back the resulting floating-point samples and hash…
What Is Function.toString() Inspection?
Function.prototype.toString() inspection is the technique anti-bot scripts use to detect runtime JavaScript patches. Every JS function expos…
What Is a WebRTC IP Leak?
A WebRTC IP leak is the most-overlooked failure mode in browser-based scraping in 2026: WebRTC reveals your real local and public IP via STU…
What Is WASM Fingerprinting?
WebAssembly fingerprinting is a 2026 detection layer that probes the actual CPU through WASM SIMD instructions and uses WebAssembly.Memory({…
What Is Font Fingerprinting?
Font fingerprinting identifies a device by discovering which fonts are installed and measuring how the system renders text. The script rende…
What Is Math & JS Engine Fingerprinting?
Math fingerprinting identifies a runtime by computing transcendental functions (sin, cos, tan, exp, log, pow) at fixed inputs and reading th…
What Is Fingerprint Lie Detection?
Fingerprint lie detection is the practice of verifying that the signals a browser reports are internally consistent and untampered, rather t…
What Is Timing & Cache Side-Channel Fingerprinting?
Timing-based fingerprinting uses high-resolution clocks to measure how long operations take, turning microarchitectural and rendering behavi…
What Is Fingerprint Clustering?
Fingerprint clustering is the practice of grouping fingerprints from millions of real visitors by similarity, then rejecting any new visitor…
What Is JA4 Fingerprinting?
JA4 is a TLS client fingerprint that replaced JA3 after Chrome began randomising the order of its TLS extensions. JA3 hashed the extension l…
What Is Fingerprint Entropy?
Fingerprint entropy measures how much identifying information a browser attribute carries, expressed in bits. A signal that splits the popul…
How Does Deobfuscation Work?
Deobfuscation is the process of turning deliberately unreadable code back into something a human can read and reason about. Obfuscators neve…

Concept map

How Browser Fingerprinting connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Web Scraping APIs
Building map…

Tools & solutions for this topic

Frequently asked questions

How unique is a browser fingerprint?

EFF's Cover Your Tracks finds that 80–90% of browsers have a fingerprint that's unique within their visitor set. The exact uniqueness depends on the depth of signals collected — fifteen well-chosen signals are enough to identify most users.

Does using a VPN change my fingerprint?

A VPN changes your IP, not your fingerprint. The canvas hash, TLS signature, screen resolution, and fonts are all the same. Sites correlate the VPN IP with the fingerprint and often flag the mismatch.

Can I spoof a browser fingerprint?

You can spoof any individual signal, but anti-bot vendors check internal consistency. Spoofing User-Agent without spoofing TLS, canvas, WebGL, and Audio in a matching way produces a fingerprint that doesn't exist in the wild — which is itself a strong bot signal.

What's a TLS fingerprint?

It's the JA3 or JA4 hash derived from the order and contents of the TLS ClientHello packet. Chrome, Firefox, Safari, curl, and Python's requests each have a recognizably different ClientHello — sites use this to spot non-browser clients regardless of User-Agent.

Last updated: 2026-05-28