how to actually stop browser fingerprinting
The defenses that work aren't the ones in the marketing. Incognito doesn't help. A VPN barely helps. The things that collapse you from uniquely identifiable to blandly anonymous are a short list of specific browser settings and two specific extensions. Here's the complete list, in order of effort vs. payoff, plus what to expect to break.
01the honest cost/benefit
Every defense on this page costs something. Some cost speed. Some break sites. Some cost convenience. The goal isn't "maximum paranoia." The goal is shedding uniqueness — moving your browser from a snowflake that can be identified across sessions to a flake that looks like everyone else in its bucket. You can keep shopping, streaming, banking, and watching YouTube while doing this. You just stop being a person-shaped dossier.
| defense | effort | site breakage | uniqueness drop |
|---|---|---|---|
| WebRTC peer-discovery block | 1 min | almost none | medium |
| Brave Shields Strict fingerprinting | 30 sec | almost none | large |
| Firefox resistFingerprinting | 1 min | some | large |
| uBlock Origin + medium mode | 10 min | some (fixable) | large |
| Arkenfox user.js (Firefox) | 30 min | some | very large |
| Tor Browser | 5 min | notable | largest |
02seal the webrtc leak first
This is the single most important fix, because it's the one that leaks your real IP while your VPN is on. If you're on a VPN and your WebRTC Local IP row in SNITCHTEST shows your actual LAN or public IP, everything else on this list is secondary.
chrome, edge, brave, opera, arc (chromium family)
Install the WebRTC Network Limiter extension published by Google itself. Open its options and pick "Use my proxy server (if present); otherwise use any other routes". That setting forces Chrome to route WebRTC through your VPN or not at all, which eliminates the leak without breaking video calls.
firefox
Visit about:config, accept the warning, and set:
media.peerconnection.ice.default_address_only = true media.peerconnection.ice.no_host = true
The first setting makes WebRTC use only the default route (the VPN, if active). The second stops WebRTC from enumerating local interfaces at all. Together they close the leak without disabling video calls.
safari
Safari disables the leak by default for non-HTTPS origins and routes conservatively on HTTPS. There's no knob. Verify with a leak test.
03enable browser-level fingerprint protection
brave (easiest)
Settings → Shields → Block fingerprinting: Strict. That's it. Brave randomizes canvas, audio, WebGL, and font enumeration per site per session, which breaks cross-site tracking without breaking the sites themselves. The default is "Standard," which is good enough for most users; Strict is better.
firefox
Visit about:config, set privacy.resistFingerprinting = true. This activates Mozilla's Tor-derived anti-fingerprinting code, which standardizes values (screen size, fonts, timezone, more) so that every user with the setting on looks like every other user with the setting on.
Cost: timezone reports as UTC, your window is forced into discrete sizes on resize, some fonts appear as "missing." A handful of sites will render slightly wrong. Most won't notice. If you want the anti-fingerprint protection without the timezone spoof (the most annoying part), use privacy.fingerprintingProtection = true in recent Firefox builds, which is a softer variant.
chrome and edge
Chrome has no built-in anti-fingerprinting and no roadmap for one. Edge has a few heuristic defenses under Tracking Prevention → Strict, but they don't rival Brave or Firefox. If you want Chromium's compatibility with real anti-fingerprinting, use Brave. This is the actual answer.
safari
Settings → Advanced → Show Develop menu. Turn on Intelligent Tracking Prevention (it's on by default since Safari 13). Turn on "Hide IP address from trackers" (Safari 15+). Safari's fingerprint defense is weaker than Brave's but it's built in and on by default, which is not nothing.
04install ublock origin (still)
uBlock Origin is the single highest-leverage privacy extension. Most fingerprinting happens inside third-party scripts loaded by tracking SDKs. Stop the scripts from loading and the fingerprinting doesn't run.
Default mode is fine. Medium mode is better. Open uBlock → Dashboard → Settings → "I am an advanced user." Back on the main popup, click the padlock next to "3rd-party scripts" and "3rd-party frames" and set both to globally blocked. Use the per-site padlocks to allow scripts on sites that actually need them. This breaks things until you adjust, then it settles into a much cleaner browsing experience.
05the firefox power-user path: arkenfox
Arkenfox user.js is a community-maintained set of about:config overrides that turn a stock Firefox into something approaching Tor Browser's protection, without the network anonymization. It's overkill for most people and it costs real convenience (you'll log into some sites every day, because it clears cookies on close). For the right user, it's the best non-Tor option that exists.
06what about a different browser entirely?
brave
The practical recommendation for most users. Chromium-compatible (extensions work, sites work) but with real fingerprint defenses on by default. Pick Strict shields and you're ahead of 99% of the internet without doing anything else.
librewolf / mullvad browser
Firefox forks with Arkenfox-level defenses baked in. LibreWolf is general-purpose; Mullvad Browser is a Tor-Project-collaborated build specifically aimed at non-Tor users who want Tor-style fingerprint protection.
tor browser
The gold standard. Every user looks identical by design. Use it for the specific sessions that need it, not for everything, because pages are slower and a lot of sites challenge Tor traffic.
safari on iPhone
Under-rated. iCloud Private Relay, if enabled, is effectively a lightweight Apple-run proxy that strips your IP from the first hop. Safari's default tracking prevention is solid. The iPhone's narrow hardware variety means your canvas/WebGL hash is already shared with millions of other iPhones.
07what doesn't work
- Incognito / InPrivate mode. Hides cookies from the local disk. Changes nothing about the network or the fingerprint. Most useful trick is testing a site while signed out.
- "Privacy-focused" search engines. Valuable for search history, irrelevant for fingerprinting.
- Consumer VPNs alone. They change your IP. The fingerprint is still yours.
- Deleting cookies every session. Cookies are the least interesting part of the dossier. The fingerprint re-identifies you inside a second.
- Fake User-Agent extensions. They change one field that servers compare against twelve other fields. Most just make you weirder and thus more unique.
08verify with a leak test
After any change, confirm it actually took effect. Run SNITCHTEST (you're on the site), EFF's Cover Your Tracks, or creepjs. The specific rows to watch for improvement:
- WebRTC local IP — should show blocked / default route only.
- Canvas / WebGL / Audio fingerprint — should change between sessions on Brave (randomized) or show standardized values on Firefox RFP.
- Timezone + language — should no longer disagree with your VPN exit country if you enabled resistFingerprinting.
- Installed fonts — the detected count should drop sharply. Full list should not be exposed.
Re-run after each change, one at a time, so you know which defense did what. When you're done, your SNITCHTEST grade should shift noticeably from red toward green.
09faq
Does incognito mode prevent fingerprinting?
No. Incognito only stops the browser from writing history and cookies to the local disk. Every network request still carries the same browser fingerprint, the same TLS signature, and the same IP address. Sites cannot tell an incognito tab from a regular tab by looking at its fingerprint.
Does a VPN hide my browser fingerprint?
No. A VPN hides your public IP address. Browser fingerprinting uses canvas, WebGL, audio, font enumeration, TLS signature, and other surfaces that a VPN has no effect on. Your fingerprint is identical whether or not the VPN is connected.
What actually stops browser fingerprinting?
The two changes that move the needle most are enabling your browser's built-in fingerprint protection (Firefox privacy.resistFingerprinting, Brave Strict fingerprinting) and installing uBlock Origin with third-party scripts disabled. Those two together typically drop a browser from uniquely identifiable to a common bucket. Tor Browser is the gold standard but comes with speed and site-compatibility costs.
Is Brave or Firefox better for anti-fingerprinting?
Both are strong and target slightly different threat models. Brave randomizes values per site per session, which confuses cross-site tracking. Firefox standardizes values so that users of the same Firefox build look identical, which is closer to the Tor approach. Either is substantially better than stock Chrome or Safari.
Why is WebRTC leaking my IP while the VPN is on?
WebRTC asks your operating system directly for every network interface, including the real one your VPN is tunneling over. That enumeration bypasses the VPN tunnel and goes straight to the web page. The fix is browser-level: block or limit WebRTC peer discovery via a browser flag or an extension. Most VPN apps do not do this for you.
Does hardening my browser break websites?
Some strict settings do break a small number of sites, mostly ones that depend on WebRTC, third-party scripts, or precise canvas rendering. Most breakage can be resolved by allowlisting a site in uBlock Origin. The default Brave Strict setting breaks far fewer sites than Firefox resistFingerprinting does, because Brave randomizes rather than freezes values.
Should I use Tor Browser for everyday browsing?
Generally not. Tor Browser's anti-fingerprinting is the strongest on the web but the price is slow pages, more CAPTCHAs, and some site breakage. A common pattern is to run Brave or hardened Firefox for daily browsing and keep Tor Browser installed for the subset of sessions that require stronger anonymity.
After you change a setting, run the audit again. The red rows should shift toward green. That's the whole feedback loop. Nothing is logged server-side.
> RUN SNITCHTEST →