what your browser reveals: the 27 signals
Your browser exposes about 27 distinct fingerprinting signals to every site you visit — from WebRTC leaks of your real IP, to a canvas and WebGL rendering hash, to your fonts, TLS handshake, headers, and timezone. No single one identifies you. Their combination does: peer-reviewed research (AmIUnique, EFF) finds roughly 89% of browsers are uniquely identifiable from these signals alone, with no cookie required. Here is the full reference of what each signal is and what it reveals, updated July 2026.
How unique is my browser?
Browser fingerprinting doesn't need cookies. It reads dozens of small, individually-boring facts about your device and combines them into a hash that is, for most people, unique. The landmark studies quantify it: the EFF's Panopticlick found the average browser carried enough entropy to be one-in-hundreds-of-thousands, and the AmIUnique study (Laperdrix, Rudametkin & Baudry, 2016) found ~89.4% of browsers were uniquely identifiable. Every signal you expose narrows the crowd you hide in.
The 27 signals, and what each reveals
| Category | Signal | What it reveals |
|---|---|---|
| Network & IP | WebRTC host candidate | Your device's local/LAN IP address |
| WebRTC srflx (public IP) | Your real public IP — even behind a VPN | |
| Connection API signal | Network type and effective speed | |
| Server-observed WAN IP | The IP the server actually sees | |
| ASN / carrier | Your ISP or mobile carrier | |
| Edge geolocation | Approximate city from your IP | |
| Geo ↔ timezone consistency | Whether your IP location matches your clock (VPN tell) | |
| Connection & TLS | TLS handshake signature | A JA3-style fingerprint of your TLS client |
| HTTP protocol | HTTP/1.1, /2, or /3 in use | |
| TCP round-trip time | A rough distance/latency signal | |
| Device & hardware | Canvas fingerprint | A near-unique hash of how your GPU/driver renders text |
| AudioContext fingerprint | A hash of your audio stack's output | |
| WebGL vendor / renderer | Your exact GPU model | |
| Font enumeration | Which fonts you have installed | |
| Hardware concurrency | Your CPU core count | |
| Battery API | Charge level and charging state | |
| Screen dimensions | Resolution, color depth, pixel ratio | |
| Locale & headers | Timezone | Your local timezone |
| localStorage isolation | Whether storage is partitioned (tracking-resistance tell) | |
| User-Agent truthfulness | Whether your UA string has been spoofed | |
| Request header order | A fingerprint of your browser build | |
| UA vs headers agreement | Mismatches that expose spoofing | |
| Accept-Language leak | Your language preferences | |
| Preference signals | Do Not Track signal | Ironically, a rare DNT flag adds entropy |
| Color-scheme preference | Light/dark mode | |
| Reduced-motion preference | Accessibility setting | |
| Connection downlink | Estimated bandwidth |
Does a VPN stop browser fingerprinting?
No. A VPN swaps your IP, which hides exactly one of the 27 signals — and a WebRTC leak can undo even that by exposing your real public IP straight to the page. The other ~25 signals (canvas, WebGL, fonts, TLS handshake, headers, timezone, hardware) live above the network layer and a VPN never touches them. Fingerprinting is a device-identity problem, not a network problem.
What actually reduces your fingerprint?
The signals that leak the most entropy are canvas, WebGL, fonts, and WebRTC. Practical defenses: use a browser that randomizes or blocks canvas/WebGL (the Tor Browser and, partially, Brave and Firefox with resistFingerprinting), disable WebRTC or restrict it to relay-only, and avoid installing exotic fonts. The counter-intuitive part: the harder you try to look unusual (rare UA, odd settings), the more unique you become. Blending in beats standing out.
SNITCHTEST runs all 27 of these checks live in your browser and shows you exactly what leaks. Nothing is sent to a server.
> RUN SNITCHTEST →