What is browser fingerprinting and how unique is mine likely to be?

Eckersley's 2010 Panopticlick paper (How Unique is Your Web Browser?, Privacy Enhancing Technologies Symposium 2010, Berlin) measured 18.1 bits of identifying entropy from just 8 features (User-Agent, HTTP Accept headers, plug-ins, fonts, time zone, screen size, supercookies, cookies-enabled flag) across approximately 470,000 browsers. 84% of those browsers had unique configurations — meaning at random, only 1 in 286,777 would share a fingerprint. Among browsers with Flash or Java the figure rose to 94% unique with 18.8 bits entropy. Modern fingerprinting libraries combine 30+ signals reaching higher uniqueness. The combined value can persist across cookie clearing, incognito mode, and IP changes, which is why fingerprinting is tracked as a privacy concern alongside cookies.

What is UA-Client Hints and does it actually improve privacy?

UA-Client Hints (UA-CH) is a W3C draft (Web Incubator Community Group / WICG specification) that replaces the legacy User-Agent header with a frozen baseline value plus opt-in headers. As of Chrome 89 (3 March 2021), Chrome and Chromium-derived browsers send Sec-CH-UA and Sec-CH-UA-Mobile by default; sites that need browser version, platform, or architecture details must request them explicitly via Accept-CH. This reduces passive fingerprinting because the User-Agent string itself is no longer high-entropy — but it doesn't prevent fingerprinting via Canvas, WebGL, or fonts. Privacy improvement is partial: UA-CH constrains one axis (browser identity) while leaving the others (rendering, hardware) untouched. Firefox and Safari have not adopted UA-CH at the same depth as Chrome — Mozilla considers it an incremental change rather than a fundamental privacy win.

How do cookies and fingerprints differ legally and what consent applies?

Cookies fall under EU ePrivacy Directive 2002/58/EC Article 5(3) (amended by Directive 2009/136/EC) which requires informed user consent before storing or accessing data on the user's terminal — that's the prompt every site shows. Combined with GDPR Article 6 (lawful basis: typically consent for tracking, legitimate interest for essential function), this gives users a control point. Browser fingerprints don't store anything on the device — they read configuration the browser already exposes — but Article 5(3) was extended in 2009 to cover 'access of information' too, so technically fingerprinting for tracking purposes also requires consent. Enforcement is patchy. Do Not Track (a browser-side opt-out signal proposed at the W3C) lost momentum because too few sites honoured it; Apple deprecated DNT in Safari 12.1 (March 2019) and the W3C closed the Tracking Protection Working Group in January 2019.

Browser Privacy Check

Q: Which surfaces of my browser actually contribute to the fingerprint?

The high-entropy contributors are well-documented: Canvas pixel rendering (varies by GPU driver + font versions), AudioContext output sampling (varies by audio DSP), WebGL renderer string (gl.getParameter exposes GPU model), enumerated fonts (Canvas measureText probes installed fonts), screen resolution and color depth (window.screen), preferred languages (navigator.languages), timezone (Date.getTimezoneOffset), CPU concurrency (navigator.hardwareConcurrency), and the User-Agent string. Lower-entropy values like cookies-enabled and Do Not Track also contribute. The combination is what's unique, not any single value. Even with cookies cleared and a fresh browser session, the fingerprint persists because these surfaces don't reset. Tools that score your specific fingerprint against the global distribution exist; the EFF maintains the canonical successor to Panopticlick for that purpose.

Q: How can I reduce my browser fingerprint exposure?

Three browser-native paths exist. Firefox's privacy.resistFingerprinting preference dates from Firefox 41 (2015) under the Tor Uplift project; letterboxing — applying multiples of 200×100 px to window dimensions — shipped in Firefox 67 on 21 May 2019. The pref also rounds performance.now() and animation timestamps to 16.67 ms, reports the timezone as UTC, and spoofs the User-Agent to a Tor-Browser-like value. Safari's Intelligent Tracking Prevention (announced WWDC June 2017, shipped Safari 11 September 2017) keeps third-party cookies accessible for 24 hours after the user's last first-party interaction, partitions them between 24 h and 30 days, and purges them after 30 days of inactivity. Chrome's Privacy Sandbox initially proposed Topics API for interest-based ad targeting and FedCM for federated identity; Google retired Topics and Protected Audience in October 2025, with FedCM and CHIPS surviving. UA-Client Hints (Chrome 89, 3 March 2021) freeze the User-Agent string and expose Sec-CH-UA / Sec-CH-UA-Mobile / Sec-CH-UA-Platform headers on opt-in. Browser extensions can spoof additional surfaces but break some sites; the trade-off depends on your threat model.

About this tool

Browser fingerprinting builds a unique identifier from configuration details that websites can read without explicit consent: User-Agent string, screen resolution, installed fonts, WebGL renderer, Canvas rendering, AudioContext sampling, and hardware signals like CPU cores. Eckersley's 2010 Panopticlick study (How Unique is Your Web Browser?, PETS 2010) measured 18.1 bits of identifying entropy across about half a million users — 84% of browsers had unique configurations, distinguishable from one in 286,777 others. This tool inspects what your current browser exposes: WebRTC IP leaks (which can bypass a VPN), DNS resolver path, Canvas+Audio fingerprint signature, WebGL renderer, font enumeration, and hardware specs. All inspection runs locally — no fingerprint data leaves your browser. Results highlight the riskier surfaces so you can apply mitigations: Firefox's privacy.resistFingerprinting (v67+, May 2019, from the Tor Uplift project), Safari's Intelligent Tracking Prevention (since Safari 11/iOS 11, September 2017), Chrome's Privacy Sandbox (Topics API retired October 2025; FedCM retained), or browser extensions that spoof signals. Cookies fall under ePrivacy Directive Art. 5(3) consent, but fingerprints run passively — knowing yours is the first step to reducing it.

How to run a privacy check

Open the page — the tool inspects your current browser session automatically (no input needed).
Review your fingerprint surface report: Canvas / AudioContext / WebGL / font / screen signals + WebRTC leak status + DNS resolver path.
Compare against the Eckersley 2010 baseline (18.1 bits = 1-in-286,777 uniqueness) to gauge your relative anonymity.
Apply mitigations per browser: Firefox privacy.resistFingerprinting, Safari ITP, Chrome UA-CH + Privacy Sandbox, or extension-based spoofing.

Common use cases

Auditing a hardened browser profile before privacy-sensitive work.
Confirming a VPN or Tor setup is actually masking the expected fingerprint surfaces.
Checking for WebRTC IP leaks that bypass a VPN tunnel via STUN.
Verifying that an extension (Brave Shields, Privacy Badger, NoScript) is delivering the expected mitigation.

Frequently asked questions

What is browser fingerprinting and how unique is mine?

Eckersley 2010 (Panopticlick, PETS) measured 18.1 bits entropy across 8 features — 84% of browsers were unique among ~470,000 surveyed. Modern libraries combine 30+ signals reaching higher uniqueness.

Which surfaces of my browser actually contribute to the fingerprint?

Canvas pixel rendering, AudioContext sampling, WebGL renderer string, enumerated fonts, screen + color depth, languages, timezone, CPU cores, and User-Agent. The combination is what is unique — not any single value.

How can I reduce my browser fingerprint exposure?

Firefox privacy.resistFingerprinting (v67+, May 2019, Tor Uplift project), Safari ITP (since Safari 11, September 2017), Chrome Privacy Sandbox + UA-Client Hints (Chrome 89, March 2021).

What is UA-Client Hints?

A W3C draft replacing the legacy User-Agent header. Chrome 89 (3 March 2021) sends Sec-CH-UA and Sec-CH-UA-Mobile by default; sites must request browser version/platform via Accept-CH opt-in.

Cookies vs fingerprints — what consent applies?

Cookies fall under EU ePrivacy Directive Art. 5(3) requiring informed consent + GDPR Art. 6 lawful basis. Fingerprints are passive but the 2009 ePrivacy amendment extended Art. 5(3) to cover 'access of information' too.

Why fingerprinting works — and what each browser-native mitigation actually does

Each browser configuration is a vector of dozens of values: User-Agent (header sent by every request), screen resolution and color depth (window.screen), system fonts (rendered via Canvas measureText), WebGL renderer string (gl.getParameter), CPU cores (navigator.hardwareConcurrency), preferred languages (navigator.languages), timezone (Date.getTimezoneOffset), Canvas pixel rendering (reflects GPU + driver + font version), and AudioContext sampling output (DSP characteristics). Eckersley 2010 reported 18.1 bits combined entropy across 8 features alone; modern libraries combine 30+ signals reaching higher uniqueness. Mitigation strategies layer differently. Firefox's privacy.resistFingerprinting preference dates from Firefox 41 (2015) under the Tor Uplift project; letterboxing — which snaps window dimensions to multiples of 200×100 px — shipped in Firefox 67 (21 May 2019). The pref also rounds high-resolution timers (performance.now()) to 16.67 ms, forces the timezone to UTC, and spoofs the User-Agent to a Tor-Browser-like value. Safari's Intelligent Tracking Prevention (announced WWDC June 2017, shipped Safari 11 September 2017) takes the cookie-side approach: third-party cookies are accessible for 24 hours after the user's last first-party interaction, partitioned between 24 hours and 30 days, and purged after 30 days of inactivity. Chrome's Privacy Sandbox initially proposed Topics API for interest-based ad targeting and FedCM for federated identity; Google retired Topics and Protected Audience in October 2025, leaving FedCM and CHIPS as the surviving components. UA-Client Hints (Chrome 89, 3 March 2021) reduce the User-Agent surface by freezing the UA string and exposing Sec-CH-UA / Sec-CH-UA-Mobile / Sec-CH-UA-Platform on opt-in basis.

Browser fingerprint surface inspection (Canvas, WebGL, AudioContext, fonts, UA, screen, hardware)
WebRTC IP leak detection (STUN-based real-IP exposure)
DNS resolver path inspection (clear-text vs encrypted DoH/DoT)
Eckersley 2010 entropy reference baseline (18.1 bits / 8 features / n≈470,000)
Mitigation guidance per browser (Firefox/Safari/Chrome native flags)
Client-side analysis only (no fingerprint data leaves your browser)

Free. No signup. Browser tools (subnet, JWT, password strength) run locally; lookup tools query public APIs (Cloudflare DoH, RDAP, certificate logs). Full per-tool breakdown at /methodology/.

Sources (6)

Eckersley, P. (2010). How Unique Is Your Web Browser?. Privacy Enhancing Technologies Symposium (PETS) 2010, LNCS 6205, Springer Berlin Heidelberg, pp. 1–18.
Mozilla (2019). Resist Fingerprinting (privacy.resistFingerprinting preference, Firefox 67+ from Tor Uplift project). support.mozilla.org/kb/resist-fingerprinting + Bugzilla 1333933.
Apple Inc. (2017). Intelligent Tracking Prevention. webkit.org/blog (announced WWDC June 2017, shipped Safari 11 / iOS 11 September 2017).
W3C / WICG (2021). User-Agent Client Hints. wicg.github.io/ua-client-hints (shipped Chrome 89, March 2021).
European Parliament & Council (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Article 6 lawful basis for processing, eur-lex.europa.eu.
European Parliament & Council (2002). Directive 2002/58/EC (ePrivacy Directive), amended by Directive 2009/136/EC. Article 5(3) terminal device data consent, eur-lex.europa.eu.

These are the IETF RFCs, NIST publications, and W3C standards the tool implements or queries. Locate them on the IETF Datatracker (datatracker.ietf.org) or the official standards body.