What is Browser Fingerprinting and How to Reduce It
Browser fingerprinting tracks you without cookies by combining your GPU, fonts, screen settings, and 50+ other signals into a unique ID. Here's what it is, why it's hard to block, and the practical steps that actually work.
What is Browser Fingerprinting and How to Reduce It
Browser fingerprinting identifies you without planting anything on your device. No cookies, no storage, no tracking pixels -- just your browser answering questions it was never designed to refuse. Run our free browser fingerprint test and you will see exactly how many signals your browser is leaking right now.
Quick Answer: What is Browser Fingerprinting?
Browser fingerprinting is a tracking technique that combines technical attributes of your browser and hardware -- canvas rendering output, installed fonts, GPU model, timezone, screen dimensions, and 50+ other signals -- into a single composite identifier. Because the combination is statistically unique, it functions as an ID without requiring cookies or local storage.
Unlike cookies, fingerprints cannot be deleted. They survive private browsing mode, clearing cookies, and switching networks.
How the Fingerprint is Built
Each signal alone is not very unique. Combined, they are.
Canvas fingerprint
Your browser is asked to render text and shapes on an invisible canvas element. The exact pixel output depends on your operating system, GPU, and font rendering engine. The resulting image is hashed into a short string that acts as a hardware signature.
WebGL render hash
A shader program renders a triangle on an off-screen WebGL canvas. The pixel values are read back and hashed. GPU driver differences -- even between two machines with the same GPU model -- produce different outputs.
Audio context fingerprint
The OfflineAudioContext API processes an audio signal through a compressor node. How your CPU handles the floating-point arithmetic is hardware-dependent, producing a value that differs per device.
Font enumeration
By measuring how your browser renders text in different typefaces, a script can determine which fonts are installed on your OS. The list differs meaningfully between Windows, macOS, and Linux.
Timezone and locale
Your IANA timezone, date format, number format, and language settings are all exposed without any permission prompt. If your timezone does not match your VPN exit country, the mismatch is itself a fingerprinting signal.
Navigator and hardware properties
navigator.userAgent, navigator.hardwareConcurrency (CPU cores), navigator.deviceMemory, screen resolution, colour depth, and device pixel ratio are all readable by any script on any page you visit.
Why Cookies Are Not the Whole Picture
Cookie consent banners have trained users to believe that clicking "Reject All" protects them from tracking. It does not protect against fingerprinting.
Fingerprinting requires no consent because it stores nothing. The tracker reads data your browser volunteers as part of normal operation. GDPR and CCPA have limited legal coverage for fingerprinting -- enforcement is rare and technically complex to prove.
What Your Privacy Score Means
Our browser fingerprint test calculates a privacy score from 0 to 100 and converts it to a letter grade:
| Grade | Score | Meaning |
|---|---|---|
| A+ | 85-100 | Strong protection in place |
| A | 75-84 | Good protection, minor gaps |
| B | 60-74 | Some protection, improvable |
| C | 45-59 | Moderate exposure |
| D | 30-44 | High exposure |
| F | 0-29 | Minimal protection |
If your score is below 60, the fixes below will move the needle significantly.
How to Reduce Your Browser Fingerprint
Use Firefox with resistFingerprinting
The single most effective change. In Firefox, go to about:config and set:
privacy.resistFingerprinting = true
This enables Firefox's built-in fingerprinting resistance mode. It normalises canvas output, returns a fixed set of fonts, reports a clamped timezone (UTC), and clamps CPU/memory values to fixed numbers. Your fingerprint becomes nearly identical to all other Firefox users with this setting enabled -- which is the goal.
Firefox also ships with Enhanced Tracking Protection. Set it to "Strict" in Preferences > Privacy & Security.
Use the Brave browser
Brave takes a different approach: rather than reporting fixed values, it randomises canvas, WebGL, and audio fingerprints on a per-session basis. Each time you open Brave, those signals produce different outputs, making cross-session linking impossible. Enable "Strict" fingerprinting protection in Brave Shields.
Enable Global Privacy Control
GPC (Sec-GPC: 1) is a browser signal that is legally enforceable in California under CCPA and in the EU. It tells sites not to sell or share your personal data.
- Brave and Firefox ship with GPC support.
- Firefox: set
privacy.globalprivacycontrol.enabled = truein about:config. - Chrome: install the GPC extension.
Fix the WebRTC IP leak
WebRTC can expose your real IP address even behind a VPN. See our dedicated guide: How to Fix WebRTC IP Leaks.
Short version:
- Firefox: set
media.peerconnection.enabled = falsein about:config. - Chrome: install uBlock Origin and enable "Prevent WebRTC from leaking local IP addresses" in its settings.
Block tracking scripts
Most fingerprinting code is delivered via third-party scripts. Blocking those scripts before they run is more effective than trying to spoof their results.
- uBlock Origin (Firefox/Chrome) in medium or hard mode blocks the majority of fingerprinting domains.
- Brave Shields blocks them by default.
Match your timezone to your VPN exit node
If you use a VPN, set your OS timezone to match the country of your VPN exit node. Otherwise the mismatch signals that you are using a VPN -- and potentially reveals your real location.
Revoke unnecessary permissions
Visit chrome://settings/content or Firefox's Permissions settings and revoke:
- Location (geolocation)
- Clipboard read
- Camera and microphone (unless needed)
- Notifications
Permissions granted to one site persist until revoked. Check them periodically.
What Does Not Help (Common Misconceptions)
Incognito / private mode does not prevent fingerprinting. Your hardware and browser version are the same whether you are in a private window or not. Canvas and WebGL output are unchanged.
Clearing cookies has no effect on fingerprinting. The fingerprint is computed fresh on every page load from browser APIs -- nothing is read from storage.
A VPN alone does not prevent fingerprinting. VPNs hide your IP address. They do nothing about canvas hashes, fonts, or GPU signatures. A fingerprint can re-identify you even if your IP changes every hour.
Spoofing your user agent string helps only marginally. User agent is one signal out of fifty. Changing it while leaving canvas and font signals intact makes you more unique, not less.
For Website Owners: Reducing What You Expose
If you run a website, you can limit the fingerprinting surface available to third-party scripts embedded on your pages.
The Permissions-Policy header lets you disable APIs that fingerprinting scripts commonly exploit:
Permissions-Policy: camera=(), microphone=(), geolocation=(), usb=()
A strong Content Security Policy restricts which third-party scripts can load at all. If a fingerprinting script cannot load, it cannot run.
Scan your site's security headers to see what you are currently exposing.
The Practical Bottom Line
No single change makes you completely untrackable. The goal is to be indistinguishable from the crowd -- to blend in with millions of other users rather than stand out.
The highest-impact changes, in order:
- Use Firefox with
privacy.resistFingerprinting = true, or use Brave - Install uBlock Origin and set it to at least default mode
- Fix the WebRTC IP leak
- Enable Global Privacy Control
- Revoke permissions you do not actively use
Run the browser fingerprint test again after making these changes to see your updated score.
See the complete security headers checklist to protect your own site's visitors. Or scan your site for missing headers now.
Related articles
Free tool
Check your own security headers
Instant grade, plain-language explanations, and a full remediation plan - no signup needed.
Scan your site now →