Browser Fingerprint Visualizer — What Websites Know About You

What is this? These signals are sent by your browser automatically with every HTTP request and are exposed to every JavaScript file loaded on any page you visit — no interaction required.

User Agent is the most information-dense single string your browser transmits. It contains your browser name and full version number, the rendering engine and its version, your operating system name and version, and sometimes device class. A 2024 Chrome user agent looks like:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 From this one string, a tracker knows: you are on Windows 10 or 11, using Chrome 124, on a 64-bit processor. That alone narrows you from ~5 billion internet users to a much smaller cohort.

Language preferences (navigator.language and navigator.languages) reveal your primary locale and ordered fallback list. A list of ["fr-CH","fr","de","en"] strongly implies Switzerland. Your language list is set by your OS and browser preferences — it persists across reboots and private browsing sessions.

Timezone via Intl.DateTimeFormat().resolvedOptions().timeZone returns your IANA timezone string (e.g. Europe/Zurich). Unlike your IP address — which a VPN can mask — your browser timezone comes from your OS clock settings and cannot be hidden without special extensions or a browser mode that lies about it. Timezone cross-referenced with IP gives extremely accurate location.

Do Not Track is an HTTP header that browsers can send to request sites not track you. It is entirely ignored by the advertising industry and is actually counterproductive: enabling it makes you one of a smaller set of users who opted in, which is itself a rare signal that narrows the crowd you blend into.

What is this? The Web Audio API is designed for processing and synthesising sound in the browser. Like canvas, it produces results that vary slightly between devices — even with identical JavaScript instructions — because of differences in audio processing pipelines, sample rate handling, and floating-point arithmetic implementations.

The technique: an OscillatorNode generates a known frequency (e.g. 10,000 Hz triangle wave). An AnalyserNode measures the frequency spectrum. The floating-point values returned differ fractionally between CPU architectures, operating systems, and audio driver implementations. These differences are microscopic — but when hashed, they produce a stable, unique fingerprint that pairs with the canvas hash to give extremely high confidence identification.

This technique was first documented in research by Englehardt & Narayanan (2016) and is actively used by commercial tracking scripts today. It does not require microphone permission — it synthesises audio entirely internally, in a virtual audio graph, and reads back the processed numbers. No sound is played.

Browser defences: Firefox with privacy.resistFingerprinting disables the AudioContext API entirely. Brave adds per-session noise to the returned values. Safari limits the precision of returned floats. Chrome currently has no built-in protection.

How font detection works (no permission required): Each font is probed by rendering a test string on an offscreen canvas in three fonts: the font being tested, plus two fallback fonts (serif and sans-serif). If the pixel-width or rendered height of the test string differs from the fallback measurement, the font is installed. This requires only the Canvas API — no font enumeration API, no file system access.

Why this is identifying: Your font set is a direct record of your software history. Office 2016 installs Calibri, Cambria, and Franklin Gothic. Adobe Creative Suite installs dozens of unique fonts. Developers often have Fira Code, JetBrains Mono, or Cascadia Code. The specific intersection of fonts you have is highly personal and stable across years — you don't uninstall fonts often.

Across 52 probed fonts, most users detect between 6 and 20. The exact subset you have is often unique within 1 in 1,000 visitors. Combined with other signals, it dramatically narrows who you are.

Defence: Firefox with privacy.resistFingerprinting only reports fonts that the OS bundled — it hides every application-installed font. Brave does the same. There is no extension-based fix that works well — you would need the browser itself to intercept canvas text measurement calls.

What this reveals: Modern browsers expose hundreds of API flags via JavaScript. Their presence or absence is not random — it reflects your exact browser version, operating system, and whether you have privacy extensions installed. Trackers cross-reference these flags against known browser fingerprint databases to identify your browser type and version with high confidence, even when your user agent string is spoofed.

Key high-risk flags:

WebRTC — Real-Time Communication API. Even behind a VPN, a WebRTC STUN request can reveal your local network IP address (e.g. 192.168.1.x) and sometimes your real public IP. This is a well-known VPN bypass vector. Firefox has a setting to limit this; Chrome does not block it by default.

localStorage / sessionStorage / indexedDB — These are persistent storage mechanisms. If cookies are blocked, trackers often store identifiers here instead. They persist across private browsing sessions in many browsers unless the user explicitly clears site data.

Battery API (navigator.getBattery()) — Exposed battery charge level and charge/discharge rate. Research in 2015 showed that battery drain patterns are unique enough per device to track users across different websites and even different browsers. Most browsers have since removed or restricted this API.

SharedArrayBuffer — Enables high-resolution timing, which is required for Spectre-class side-channel attacks. It is disabled by default unless a page opts in with Cross-Origin Isolation headers. Its presence or absence is a signal of the exact browser configuration.

Permissions API — Browsers report whether specific permissions (notifications, geolocation, camera) are already granted, denied, or prompt state. A user who has previously granted camera access to this device has a different profile than one who has never been asked.

Connection information: While the Network Information API (navigator.connection) is Chrome-only, browsers universally expose the protocol version via the current page's URL scheme and HTTP/2 support. Your effective connection type (wifi, 4g, ethernet) correlates with location and device type — nobody uses an ethernet connection from a phone.

Permission state is readable via navigator.permissions.query() for most APIs. A site can silently check whether you have previously granted camera, microphone, geolocation, or notification permissions — without triggering the permission prompt. The pattern of what you've granted is identifying: a developer who granted notifications to a CI/CD tool has a different profile than an average user who has never granted any permissions.

Referrer and navigation: The document.referrer tells the current page which URL you came from. The performance.navigation API distinguishes direct load, link click, form submit, browser back/forward, and refresh. These can be used to build a session graph of your browsing path.

What is entropy in this context? Shannon entropy (measured in bits) quantifies how much information a signal carries. If a signal has 1 bit of entropy, it splits the population in half — like a coin flip. 10 bits means 1 in 1,024 people match your value. 33 bits would uniquely identify 1 person in 8 billion.

These estimates are based on EFF Panopticlick research, Laperdrix et al. (AmIUnique), and Englehardt & Narayanan (OpenWPM) crawl data. Real-world entropy depends on which population is visiting your site — the entropy of "Chrome on Windows" differs between a security blog and a mainstream news site.

The signals below are additive — not every combination is independent, but in practice the overlapping information is small. A tracker combining all visible signals routinely achieves 30–70 bits of effective entropy, which is enough to uniquely identify most users even without cookies. This is why fingerprinting is now the dominant tracking technique as third-party cookies are phased out.

The fundamental tension: Every change you make to your browser to become less unique is itself a signal. A user running Tor Browser with JavaScript disabled is highly private but easily identified as a "Tor Browser user" — they blend in with other Tor users, not with the general web population. The goal of anti-fingerprinting is not to have no fingerprint, but to have a common one — to blend into the largest possible crowd.

Why extensions often backfire: A "privacy" extension that spoofs your canvas output produces a different canvas hash every time — but if you are the only one using that exact extension version, your canvas hash being different every load is itself a pattern. The most effective defences are browser-level, standardised, and shared by millions of users simultaneously.