Canvas Fingerprint Test
Discover how websites track you through HTML5 Canvas rendering. Each browser produces a unique "fingerprint" based on GPU, fonts, and rendering engine.
window.fingerprint
What is Canvas Fingerprinting?
Canvas fingerprinting exploits subtle differences in how browsers render graphics. Even with identical code, your GPU, operating system, installed fonts, and graphics drivers create a unique signature that can identify your browser across websitesโwithout cookies.
Font & Emoji Rendering
Text rendering varies across operating systems and browsersThis test measures how your browser renders text and emojis. The pixel-perfect measurements reveal your operating system, installed fonts, and text rendering engine. Different OS/browser combinations produce measurably different text widths.
CPU Canvas (2D Context)
Software-rendered 2D graphics fingerprintThe 2D canvas context uses your CPU to render complex graphics with text, shapes, gradients, and shadows. Subtle differences in anti-aliasing, subpixel rendering, and color management create a unique fingerprint. This image is converted to a data URL and hashed to create your identifier.
GPU Canvas (WebGL)
Hardware-accelerated 3D graphics fingerprintWebGL uses your graphics card (GPU) to render 3D graphics. Your GPU vendor, driver version, and hardware capabilities all affect the final image. Even identical GPU models can produce different results based on driver versions and system configuration. This creates a highly unique fingerprint.
DOM Rect Fingerprint
Geometric measurements of rendered elementsThe DOM Rect fingerprint measures the precise pixel coordinates of a transformed element. Different browsers, zoom levels, and screen DPI settings produce different measurements. This seemingly simple geometric data becomes another piece of your unique browser fingerprint.
Understanding Canvas Fingerprinting
Canvas fingerprinting is one of the most effective browser tracking techniques, providing 8-12 bits of entropyโenough to uniquely identify approximately 1 in 4,096 to 1 in 16,384 browsers when combined with other signals.
What Makes Canvas Unique?
- GPU Hardware: Different graphics cards (NVIDIA, AMD, Intel) render pixels slightly differently
- Driver Versions: Graphics drivers affect anti-aliasing, color management, and subpixel rendering
- Operating System: Windows, macOS, and Linux use different rendering engines (DirectWrite, Core Text, FreeType)
- Font Rendering: Installed fonts and text rendering settings create measurable differences
- Browser Engine: Chrome, Firefox, and Safari implement canvas differently
Stability & Persistence
Canvas fingerprints are highly stable:
- โ Survives cookie deletion - No cookies involved
- โ Works in incognito/private mode - Based on hardware, not storage
- โ Consistent across sessions - Same hardware = same fingerprint
- โ Difficult to spoof manually - Requires modifying browser internals
- โ ๏ธ Changes with driver updates - New GPU drivers may alter rendering
Research Finding: A 2019 study found that canvas fingerprinting could uniquely identify 99.24% of desktop users when combined with just 2-3 other fingerprinting techniques (WebGL, fonts, screen resolution).
Major anti-bot providers rely heavily on canvas fingerprinting for bot detection and user tracking. Here's how they use it:
Cloudflare Bot Management
- Hash Comparison: Compares canvas hash against known automation profiles (Selenium, Puppeteer)
- Consistency Validation: Ensures canvas fingerprint matches other GPU signals (WebGL vendor/renderer)
- Headless Detection: Detects software rendering (SwiftShader) used by headless browsers
- Session Tracking: Links requests across sessions using stable canvas hashes
DataDome
- Cross-Signal Validation: Validates canvas consistency with User-Agent, screen resolution, and WebGL data
- Impossible Configuration Detection: Flags mismatches (e.g., software rendering claiming NVIDIA GPU)
- Behavioral Analysis: Monitors canvas stability across page loads and navigation events
- Bot Signature Database: Maintains database of automation tool canvas patterns
PerimeterX
- Canvas + Font Correlation: Links canvas rendering with detected fonts for higher accuracy
- Render Time Analysis: Measures canvas generation speed to detect automated rendering
- Pixel-Perfect Validation: Compares exact pixel data against known automation patterns
Common Blocking Scenarios
Scenario 1: Selenium with default ChromeDriver generates a canvas hash that matches Cloudflare's known automation database โ Instant block
Scenario 2: Manually spoofed canvas fingerprint doesn't match WebGL vendor/renderer โ Inconsistency detected โ Block
Scenario 3: Canvas shows software rendering (SwiftShader) but User-Agent claims physical hardware โ Headless browser detected โ Block
Learn how to programmatically test canvas fingerprinting in your browser automation scripts:
Python + Selenium Example
from selenium import webdriver
from selenium.webdriver.chrome.options import Options
# Standard Selenium setup
options = Options()
driver = webdriver.Chrome(options=options)
# Extract canvas fingerprint
canvas_hash = driver.execute_script("""
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
// Draw test pattern
ctx.textBaseline = 'top';
ctx.font = '14px Arial';
ctx.fillStyle = '#f60';
ctx.fillRect(125, 1, 62, 20);
ctx.fillStyle = '#069';
ctx.fillText('Browser ๐', 2, 15);
// Generate hash from pixel data
return canvas.toDataURL();
""")
print(f"Canvas Fingerprint: {canvas_hash[:50]}...")
# Check if canvas is detectable
is_detectable = driver.execute_script("""
// Check for canvas poisoning or blocking
const canvas = document.createElement('canvas');
const dataURL1 = canvas.toDataURL();
const dataURL2 = canvas.toDataURL();
// If different, canvas is being randomized
return dataURL1 !== dataURL2;
""")
if is_detectable:
print("โ ๏ธ Canvas is being randomized/blocked")
else:
print("โ Canvas rendering is consistent")JavaScript Browser Console Example
// Test canvas fingerprint in browser console
function getCanvasFingerprint() {
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
// Draw complex pattern
ctx.textBaseline = 'top';
ctx.font = '14px "Arial"';
ctx.fillStyle = '#f60';
ctx.fillRect(125, 1, 62, 20);
ctx.fillStyle = '#069';
ctx.fillText('๐ Test 123', 2, 15);
ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
ctx.fillText('abcdefghijklm', 4, 17);
// Generate hash
const dataURL = canvas.toDataURL();
return crypto.subtle.digest('SHA-256',
new TextEncoder().encode(dataURL)
).then(hash => {
return Array.from(new Uint8Array(hash))
.map(b => b.toString(16).padStart(2, '0'))
.join('');
});
}
// Run the test
getCanvasFingerprint().then(hash => {
console.log('Canvas Hash:', hash);
});Comparing Fingerprints
To check if your automation is detectable, compare your bot's canvas fingerprint with a real browser:
- Run canvas fingerprint test in your automation tool (Selenium/Puppeteer)
- Run same test in a real Chrome browser on the same machine
- Compare the hashes - if they're identical, your setup is consistent โ
- If they're different, anti-bot systems will detect the mismatch โ ๏ธ
Pro Tip: Use this tool to test your canvas fingerprint, then test your automation tool using the same device. If the hashes match, your automation has a consistent fingerprint!
There are several approaches to bypassing canvas fingerprinting, each with different trade-offs:
Manual Spoofing Approaches
1. Canvas Poisoning (High Risk โ ๏ธ)
// Inject noise into canvas data
const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
HTMLCanvasElement.prototype.toDataURL = function() {
const ctx = this.getContext('2d');
const imageData = ctx.getImageData(0, 0, this.width, this.height);
// Add random noise to pixels
for (let i = 0; i < imageData.data.length; i += 4) {
imageData.data[i] += Math.random() < 0.1 ? 1 : 0;
}
ctx.putImageData(imageData, 0, 0);
return originalToDataURL.apply(this, arguments);
};Problems:
- โ Canvas hash changes every time โ Inconsistent fingerprint detected
- โ Easy to detect: Anti-bot systems run canvas twice and compare
- โ Doesn't match WebGL or other GPU signals
2. Browser Extension Spoofing (Medium Risk โ ๏ธ)
Extensions like Canvas Defender or Canvas Blocker randomize canvas output:
- โ Easy to install and use
- โ ๏ธ Detectable by checking for extension artifacts
- โ ๏ธ May not match other fingerprints (WebGL, fonts)
- โ Not suitable for automation (Selenium/Puppeteer)
3. Selenium/Puppeteer Stealth Plugins (Low-Medium Risk โ ๏ธ)
# Using selenium-stealth
from selenium import webdriver
from selenium_stealth import stealth
driver = webdriver.Chrome()
stealth(driver,
languages=["en-US", "en"],
vendor="Google Inc.",
platform="Win32",
webgl_vendor="Intel Inc.",
renderer="Intel Iris OpenGL Engine",
fix_hairline=True,
)Limitations:
- โ ๏ธ Stealth plugins often use generic canvas fingerprints that are in bot databases
- โ ๏ธ Doesn't guarantee consistency with real browser on same hardware
- โ ๏ธ May not handle WebGL/WebGL2 properly
- โ Still detectable by sophisticated anti-bot systems
Scrapfly ASP: Automatic Canvas Handling
Scrapfly's Anti-Scraping Protection (ASP) handles canvas fingerprinting automatically with real browser profiles:
Why Scrapfly ASP Works:
- โ Real browser fingerprints from actual Chrome/Firefox installations
- โ Perfect consistency between canvas, WebGL, fonts, and all GPU signals
- โ Matches hardware - Canvas rendering aligns with reported GPU vendor/renderer
- โ No detection - Fingerprints are not in bot databases
- โ Automatic rotation - Different profiles for different sessions
- โ 99.9% success rate against Cloudflare, DataDome, PerimeterX
Example with Scrapfly:
from scrapfly import ScrapflyClient, ScrapeConfig
client = ScrapflyClient(key='YOUR_API_KEY')
# Automatic canvas fingerprint handling
result = client.scrape(ScrapeConfig(
url='https://protected-site.com',
asp=True, # Enable Anti-Scraping Protection
render_js=True, # Enable JavaScript rendering
country='US'
))
print(result.content) # Successfully bypassed canvas detection!Success Rate Comparison
| Method | Cloudflare | DataDome | PerimeterX | Complexity |
|---|---|---|---|---|
| Canvas Poisoning | 5% | 2% | 3% | High |
| Browser Extensions | 40% | 30% | 35% | Low |
| Stealth Plugins | 60% | 45% | 50% | Medium |
| Scrapfly ASP | 99.9% | 99.8% | 99.9% | None (Automatic) |
Get Started with Scrapfly
Skip the complexity of manual canvas spoofing. Let Scrapfly handle all browser fingerprinting automatically.
Start Free Trial Read ASP DocumentationQ: Can two browsers have the same canvas fingerprint?
A: Yes, but it's rare. Browsers with identical hardware (same GPU, drivers, OS version) will produce identical canvas fingerprints. Studies show approximately 1-3% probability of collision for identical hardware/software configurations. However, combining canvas with other fingerprints (WebGL, fonts, screen) makes the probability of collision negligible.
Q: Does incognito/private mode change my canvas fingerprint?
A: No. Canvas fingerprinting is based on hardware and software rendering, not browser storage or cookies. Incognito mode provides no protection against canvas fingerprinting. Your canvas hash will be identical in normal and private browsing modes.
Q: How stable is canvas fingerprinting over time?
A: Very stable. Canvas fingerprints remain consistent unless you:
- Update your graphics drivers
- Update your operating system (major version)
- Change your GPU hardware
- Install/uninstall system fonts
- Update your browser to a version with different rendering engine
In practice, canvas fingerprints are stable for 3-12 months for most users.
Q: Can VPNs or proxies help avoid canvas tracking?
A: No. Canvas fingerprinting is entirely client-sideโit measures how your browser renders graphics locally. VPNs only change your IP address and network location. Your canvas fingerprint remains identical whether you use a VPN or not. To change your canvas fingerprint, you need to modify browser rendering, not network traffic.
Q: What browsers are most susceptible to canvas fingerprinting?
A: All major browsers support canvas fingerprinting:
- Chrome/Edge: Highly fingerprintable, no built-in protection
- Firefox: Some protection via
privacy.resistFingerprinting(standardizes canvas output) - Safari: Limited protection, canvas still fingerprintable
- Brave: "Farbling" adds random noise to canvas, but detectable
- Tor Browser: Best protection, standardizes all canvas output
For web scraping: Use Scrapfly's ASP to handle canvas fingerprinting across all browsers automatically.
Q: Can I disable canvas to avoid tracking?
A: Not recommended. Disabling canvas entirely breaks many websites (charts, visualizations, games). More importantly, having no canvas support is itself a strong fingerprint that makes you extremely identifiable and suspicious to anti-bot systems. It's better to have a consistent, realistic canvas fingerprint than no canvas at all.
Q: How do anti-bot systems detect canvas spoofing?
A: Anti-bot systems use multiple detection methods:
- Consistency checks: Compare canvas with WebGL, GPU vendor, renderer
- Repeat testing: Generate canvas multiple times, check for randomization
- Known patterns: Compare against database of automation tool fingerprints
- Impossible configs: Flag mismatches (software rendering + hardware GPU claim)
- Timing analysis: Measure canvas generation speed (too fast = bot)
How to Protect Against Canvas Fingerprinting
- Browser Extensions: Use privacy-focused extensions like Canvas Blocker or Privacy Badger that randomize or block canvas fingerprinting
- Tor Browser: Built-in protection against canvas fingerprinting by standardizing canvas output
- Brave Browser: Farbling technology adds slight random noise to canvas output
- Firefox: Enable
privacy.resistFingerprintingin about:config - Anti-detect Browsers: For web scraping, use tools like Scrapfly that handle fingerprint spoofing automatically
