Browser Fingerprinting Explained: How Sites Track You Without Cookies

You clear your cookies, switch to incognito mode, and even spin up a VPN — yet the ad for those running shoes you looked at last Tuesday still follows you around. That's not a coincidence. It's browser fingerprinting, a tracking technique that doesn't need cookies, accounts, or even your IP address to recognise you across sessions and sites.

What is browser fingerprinting?

Browser fingerprinting is the process of collecting dozens of small, technical attributes about your browser and device, then combining them into a unique signature that identifies you. Each individual property — your screen resolution, time zone, installed fonts, GPU model — isn't unique by itself. But mash 20 or 30 of them together and you get something distinctive enough to pick one user out of millions.

Unlike cookies, fingerprints are stateless. The site doesn't store anything on your machine. It just re-reads your browser's properties on every visit and matches the resulting hash against a database. That's why clearing cookies or going incognito does almost nothing to stop it.

How a fingerprint actually gets built

A tracking script typically runs JavaScript on page load that probes:

• User-Agent string — browser name, version, OS
• Screen properties — resolution, colour depth, available width/height
• Time zone and language — Intl.DateTimeFormat().resolvedOptions().timeZone
• Installed fonts — detected by measuring text width in hidden elements
• Hardware concurrency — number of logical CPU cores
• Device memory — approximate RAM in GB
• Canvas rendering — drawing text/shapes and hashing the pixel output
• WebGL renderer and vendor — your GPU model exposed via WEBGL_debug_renderer_info
• AudioContext fingerprint — subtle differences in how audio is processed
• Media devices — number of cameras, mics, speakers

These values get concatenated and hashed (often via something like SHA-256), producing a fingerprint ID that's stable across sessions.

The big three: canvas, WebGL, and audio fingerprinting

Canvas fingerprinting

The script draws a specific string of text — usually with emojis and unusual characters — onto a hidden HTML5 <canvas>. Because GPU drivers, anti-aliasing settings, font rasterisation, and sub-pixel rendering differ per machine, the resulting pixel data varies subtly. Hash that pixel buffer and you get a value that's identical across visits from the same device but different across different ones.

WebGL fingerprinting

Same idea, but using 3D rendering. The script renders a scene and reads back the result. It also queries the GPU vendor and model directly — values like ANGLE (NVIDIA, NVIDIA GeForce RTX 3070 Direct3D11) are surprisingly specific.

Audio fingerprinting

An OscillatorNode generates a tone that gets processed through an audio context. The numeric output of that processing differs slightly per device due to floating-point and DSP differences. Hash it and you've got another stable signal.

How unique are you, really?

Research from the EFF's Panopticlick project and follow-ups by Mozilla found that the average browser is unique among hundreds of thousands of others — usually with more than 18 bits of entropy. Once you cross about 22 bits, you're effectively identifiable in any web-sized dataset.

If you want hard numbers for your own browser, run it through AXOX Hub's Browser Fingerprint Analyzer. It shows you exactly which attributes your browser is leaking, the entropy each contributes, and the resulting hash. It's the fastest way to see what trackers see.

Why this matters for site owners and developers

Fingerprinting isn't just an ad-tech concern. If you run a site, you're probably touching it from at least one of these angles:

• Fraud and bot detection — services like reCAPTCHA Enterprise and FingerprintJS use it to flag account takeover and card-testing attacks
• Analytics platforms — some vendors quietly fingerprint to deduplicate users when cookies fail
• Compliance risk — under GDPR and the ePrivacy Directive, fingerprinting requires the same consent as cookies. Many sites still get this wrong
• A/B testing tools — may rely on fingerprints when third-party cookies are blocked

If your stack includes any of these, you should know what's being collected and document it in your privacy policy.

Detecting fingerprinting on a site

1. Open Chrome DevTools and go to the Network tab
2. Filter by JS and reload the page
3. Look for scripts from known fingerprinting domains — fpjs.io, fingerprintjs.com, iesnare.com, perimeterx.net
4. In the Sources tab, search loaded scripts for telltale strings: toDataURL, getImageData, WEBGL_debug_renderer_info, OscillatorNode, enumerateDevices
5. In Firefox, enable privacy.resistFingerprinting in about:config and compare what breaks — that tells you what the site relied on

Reducing your own fingerprint surface

You can't disappear entirely, but you can blunt the signal:

• Use a mainstream browser config — counterintuitively, the more customised your setup, the more unique you become. Tor Browser works by making everyone look the same, not by hiding everything
• Enable Firefox's resistFingerprinting or use Brave's strict shields, which add randomisation to canvas and audio outputs
• Block third-party fingerprinting scripts with uBlock Origin's privacy lists or Disconnect
• Avoid niche extensions that inject detectable changes into the DOM
• Don't rely on incognito — it changes nothing about your fingerprint
• Use the same default fonts your OS ships with where possible

What developers should do when building tracking-aware sites

• Treat any fingerprinting library as PII-adjacent. Get explicit consent before loading it
• Document every attribute your fraud or analytics tools collect, and disclose it in your privacy notice
• If you use fingerprinting purely for security (not marketing), say so clearly — many regulators accept legitimate interest for fraud prevention but not for ads
• Test your site with strict privacy browsers (Brave, Tor, Firefox with RFP) to make sure core flows don't break when fingerprints are randomised
• Audit third-party tags quarterly — vendors quietly add fingerprinting modules in updates

Curious what your current browser actually reveals? Run it through the free Browser Fingerprint Analyzer at AXOX Hub and see your full signature — canvas hash, WebGL renderer, font list, entropy score, and all.