> protocol deep dive

canvas fingerprinting explained

Canvas fingerprinting is the single most identifying browser-tracking technique in widespread use in 2026. It does not use cookies. It does not care about incognito mode. A VPN does not touch it. The hash it produces is stable across sessions, stable across years, and in most cases uniquely identifies one device among hundreds of thousands. This page explains how it works, why it's unique, who uses it, and the defenses that actually work.

published 2026-04-22 · ~8 min read · technical reference

What it is in one sentence

Canvas fingerprinting asks your browser to draw a specific image, reads the pixel data back, and hashes it. The hash is unique to your combination of GPU, driver, operating system, and browser — which means it is unique to your device. Cross-site trackers use the hash as an identifier that works without cookies.

How the technique works

The HTML5 Canvas API lets a page draw arbitrary graphics — shapes, text, gradients, images — into an off-screen buffer, then read the resulting pixels back as a binary blob. It was designed for games, charts, image editing, and anything that needs programmatic pixel output. In 2012, researchers at UC San Diego noticed that the "read the pixels back" step produces slightly different results on different machines, and that the differences are stable.

The typical attack code looks roughly like this:

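// Draw a fixed scene that exercises the fill, text and arc rendering paths
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.textBaseline = 'top';
ctx.font = '14px Arial';
ctx.fillStyle = '#f60';
ctx.fillRect(125, 1, 62, 20);
ctx.fillStyle = '#069';
ctx.fillText('snitchtest.com 🔍', 2, 15);
ctx.strokeStyle = 'rgba(102, 204, 0, 0.7)';
ctx.beginPath();
ctx.arc(50, 50, 40, 0, Math.PI * 2, true);
ctx.stroke();
// Read the rendered pixels back as a data: URL
const dataUrl = canvas.toDataURL();
// Hash with Web Crypto (run inside a module or an async function)
const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(dataUrl));
const hash = Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');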

The specific text, shapes, and colors matter because they exercise different paths in the browser's rendering pipeline. The resulting pixel values depend on everything downstream: how the CPU performs floating-point rounding for the arc, how the GPU handles sub-pixel positioning of the text, how the OS applies font hinting, what color profile is active, even whether hardware acceleration is enabled. All of those combine into a bitmap. The bitmap is hashed. The hash is the fingerprint.

Why the hash is unique

A canvas render depends on roughly a dozen independent variables, each with many possible values:

Multiply the combinations: the canvas hash has enough entropy to uniquely identify one device among hundreds of millions. Empirical research from the Cover Your Tracks research corpus finds canvas fingerprinting alone contributes 8–10 bits of identifying entropy — roughly equivalent to narrowing your identity to 1 in 250 other users. Combined with other fingerprint surfaces (WebGL renderer, audio hash, font list) the total typically exceeds 20 bits, which is unique-per-device in any population the tracker is likely to query.
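How "bits of identifying entropy" figures like the ones above are measured, as an added example that is not from the original page or from Cover Your Tracks: Shannon entropy over the values seen in a population, for one surface and for surfaces combined. The visitor records and surface values are constructed for illustration.

```javascript
// Constructed sample population: one record per visitor, one value per surface.
const visitors = [
  { canvas: 'c1', webgl: 'gA' }, { canvas: 'c1', webgl: 'gB' },
  { canvas: 'c2', webgl: 'gA' }, { canvas: 'c2', webgl: 'gB' },
  { canvas: 'c3', webgl: 'gA' }, { canvas: 'c3', webgl: 'gB' },
  { canvas: 'c4', webgl: 'gA' }, { canvas: 'c4', webgl: 'gA' },
];

// Combine the chosen surfaces into one fingerprint key.
function keyOf(visitor, surfaces) {
  return surfaces.map((s) => visitor[s]).join('|');
}

// Shannon entropy in bits of the fingerprint built from `surfaces`.
function entropyBits(population, surfaces) {
  const counts = new Map();
  for (const v of population) {
    const k = keyOf(v, surfaces);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / population.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// How many visitors share the target's fingerprint (1 means unique).
function anonymitySet(population, surfaces, target) {
  const k = keyOf(target, surfaces);
  return population.filter((v) => keyOf(v, surfaces) === k).length;
}

const canvasBits = entropyBits(visitors, ['canvas']);          // 4 equally likely values
const jointBits = entropyBits(visitors, ['canvas', 'webgl']);  // surfaces combined
console.log(canvasBits, jointBits, anonymitySet(visitors, ['canvas', 'webgl'], visitors[0]));
```

Because surfaces are correlated (the same GPU shapes both canvas and WebGL output), the combined figure is at most the sum of the per-surface figures, which is why joint entropy is measured rather than added up.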

Who actually uses this

Commercial fingerprinting services that openly offer canvas-based device identification include FingerprintJS (formerly fingerprintjs2), ThreatMetrix (now part of LexisNexis), Incapsula (now Imperva Bot Management), and DataDome. FingerprintJS publishes the most widely used open-source canvas fingerprinting library; their commercial API is used by thousands of sites for fraud detection, bot blocking, and account takeover prevention.

Beyond the commercial products, the technique is baked into custom implementations at large advertisers and publishers. Academic measurement studies from 2021 onward have found canvas fingerprinting code on 15–25% of the top 10,000 websites, typically loaded by third-party ad or fraud-detection scripts. It is also used legitimately for bot detection: an impersonator running headless Chrome produces a canvas hash that differs from a real browser's, so canvas fingerprinting helps distinguish scripted traffic from real users.

Why you can't block it at the network layer

Canvas fingerprinting runs entirely inside the browser. The render happens locally, the hash is computed locally, and the hash travels out as a single short string inside a regular HTTP request — indistinguishable from any other piece of JavaScript's output. A DNS-layer blocker like Pi-Hole can block the script that runs the fingerprint (if the script comes from a known tracker domain), but cannot block the technique itself when it's inlined by a first-party site.

Browser extensions with content filtering (uBlock Origin) can block known fingerprinting libraries by script URL, but a determined first-party operator can inline the code and evade that defense too. The only reliable layer for stopping canvas fingerprinting is the browser itself.

Defenses that actually work

Three approaches exist, with meaningful tradeoffs:

Randomization (Brave's approach). Brave's Strict Shields mode injects small random noise into the canvas output on every read. The randomization is per-site + per-session, so the hash that site A sees differs from the hash site B sees, and both differ from what site A sees tomorrow. Cross-site tracking via the hash is broken. Downside: the hash is still unique, just unique to a different identity each time — making you stand out as "a Brave user" rather than making you blend in. Brave mitigates this by having a large enough user base that "a Brave Strict user" is itself a common bucket.

Standardization (Firefox's approach). Firefox's privacy.resistFingerprinting setting (about:config) returns a standardized canvas output — or blocks the read entirely and prompts the user to allow — so all Firefox RFP users produce the same hash. Cross-site tracking via canvas is broken because every user looks identical. Downside: a handful of sites that depend on real canvas rendering (charts, games) render wrong. Tor Browser uses this approach at maximum strictness.

Extension-based blocking (uBlock Origin medium mode, CanvasBlocker for Firefox). Extensions can intercept the canvas API calls at the JavaScript layer and either return a spoofed value or prompt the user. This works on browsers that don't ship native defenses (Chrome, default Safari) but is fragile against techniques that detect the spoofing (spoofed canvas returns have telltale patterns).
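What a tracker sees under the randomization and standardization defenses described above, as an added model that is not Brave's or Firefox's code. Assumptions: a small FNV-1a hash stands in for SHA-256, the pixel buffers are constructed, and `deviceId`, `sessionKey` and the `.example` site names are hypothetical.

```javascript
// Model of the randomization and standardization defenses (added example).
// Assumptions: fnv1a stands in for SHA-256; pixel buffers are constructed.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h;
}
const hex = (bytes) => fnv1a(bytes).toString(16).padStart(8, '0');

// Small seeded PRNG so the noise is reproducible for a given seed.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed stand-in for the pixels one device renders (deviceId is hypothetical).
function devicePixels(deviceId) {
  const rand = prng(deviceId);
  return Uint8Array.from({ length: 256 }, () => Math.floor(rand() * 256));
}

// Randomization: flip low bits using noise keyed by (session, site).
function randomizedRead(pixels, sessionKey, site) {
  const seed = fnv1a(Array.from(sessionKey + '|' + site, (c) => c.charCodeAt(0)));
  const rand = prng(seed);
  return pixels.map((v) => (rand() < 0.1 ? v ^ 1 : v));
}

// Standardization: every device returns the same fixed buffer.
function standardizedRead(pixels) {
  return new Uint8Array(pixels.length).fill(255);
}

// The hash a tracker on `site` would compute under each defense.
function trackerView(deviceId, defense, sessionKey, site) {
  const px = devicePixels(deviceId);
  if (defense === 'randomize') return hex(randomizedRead(px, sessionKey, site));
  if (defense === 'standardize') return hex(standardizedRead(px));
  return hex(px); // no defense: the raw device hash, same on every site
}
```

With no defense, the value is identical across sites and sessions. With `'randomize'` it changes whenever the site or session changes. With `'standardize'` two different devices return the same value.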

What does not work: clearing cookies (irrelevant — canvas doesn't use cookies), incognito mode (doesn't change the canvas render), a VPN (changes your IP, doesn't touch the browser), fake User-Agent extensions (changes UA string, canvas is independent), turning off JavaScript (works but breaks the web).

Practical recommendation

For users who want maximum anti-fingerprint protection without switching to Tor: Brave with Strict Shields is the practical answer. The randomization breaks cross-site correlation while keeping the browser functional on every site, and the Brave user population is large enough to provide meaningful cover. For users who want the strictest possible standardized defense: Firefox with privacy.resistFingerprinting enabled, accepting that a few sites will render slightly wrong and that you'll appear as "a Firefox RFP user" (which is itself distinctive but small).

For everyone else — anyone using default Chrome, Edge, Safari, or Firefox without RFP — canvas fingerprinting is effectively unblocked. Verify by running SNITCHTEST — the canvas fingerprint row shows whether yours is locked, spoofed, or randomized.

FAQ

Does clearing cookies stop canvas fingerprinting?

No. Canvas fingerprinting does not use cookies. The hash is computed from the output of rendering an image and depends on your GPU, driver, OS, and browser. Clearing cookies, using incognito mode, or disabling local storage does not change any of those things.

Does a VPN stop canvas fingerprinting?

No. A VPN hides your public IP address. Canvas fingerprinting runs entirely inside the browser and does not depend on your IP. Your canvas hash is identical whether the VPN is connected or not.

Which browsers defend against canvas fingerprinting?

Brave with Strict Shields randomizes canvas output per-site per-session. Firefox with privacy.resistFingerprinting standardizes canvas output so all users look identical. Tor Browser uses Firefox's mechanism at maximum strength. Chrome, Edge, and default Safari do not defend out of the box.

Can canvas fingerprinting identify me across different websites?

Yes. The canvas hash is the same on every site using the same library because the output depends on your device, not the site. This cross-site consistency is the entire point — it allows trackers to link your visits across sites that share a data broker or ad network.

Is canvas fingerprinting legal?

It depends on jurisdiction. In the EU under GDPR, canvas fingerprinting requires explicit consent; sites that fingerprint without consent are in violation, though enforcement is inconsistent. In the US, no federal law restricts it; state laws (CCPA, CPRA) require opt-out mechanisms for California residents. Most advertisers treat it as a gray area they use aggressively.

> test your canvas fingerprint
see what yours leaks

SNITCHTEST shows your canvas fingerprint status in the audit: LOCKED (stable, identifying), RANDOMIZED (Brave-style defense active), or SPOOFED (RFP or extension intercepting). All runs client-side; nothing logged.
