INTELREAP
Deep Dive · Canvas 13

Advanced Fingerprint & Leak Detection

How Easily Can You Be Tracked?

51 live signals — audio, canvas, and font fingerprinting, bot detection, and leak checks — run the moment this page loads.

Advanced Fingerprint & Leak Detection How Easily Can You Be Tracked?
Fingerprinting Surface
Audio Fingerprint Support
Audio Fingerprint Hash
Audio Sample Rate
Audio Entropy Score
Audio Hardware Variance
Canvas Fingerprint Support
Canvas Fingerprint Hash
Canvas Rendering Anomaly
Fonts Detected
Font Uniqueness Score
Font Detection Method
Notable Fonts Found
ClientRects Support
ClientRects Hash
Sub-Pixel Rendering Variance
Bot & Automation
Webdriver Detected
Automation Signals
Bot Detection Confidence
Private Browsing Detected
Storage Quota
Incognito Detection Method
Ad Blocker Detected
Ad Blocker Detection Method
Leak & Network Signals
Accept-Language Header
Accept-Encoding Header
Total Headers Sent
IPv6 Connectivity
IPv6 Leak Detected
IPv6 Detection Source
Geolocation
Geolocation Permission
GPS Latitude
GPS Longitude
GPS Accuracy Radius
GPS vs IP Location Match
Environment Signals
Media Queries Tested
Media Queries Matched
Display Mode
Color Scheme Preference
Reduced Motion Preference
Extensions Detected
Detected Extension Names
Extension Detection Method
Speech Synthesis Voice Count
Voice List Hash
Default Voice
Audio Input Devices
Audio Output Devices
Video Input Devices
Math Engine Hash
Math Engine Consistency
Parameter by Parameter

Understanding Every Signal

What each measurement above actually means, why it's measured this way, and whether there's anything you can realistically do about it.

Fingerprinting Surface

Audio Fingerprint Hash & Sample Rate

Your browser is asked to silently render a short, heavily-distorted tone using the Web Audio API — nothing is actually played, it all happens in memory. The exact floating-point output of that rendering depends on your specific audio hardware, drivers, and CPU, so the resulting hash is often unique to your device. The sample rate (almost always 44100Hz) is reported alongside it as supporting context, not as a fingerprinting signal on its own.

Audio Entropy Score & Hardware Variance

This is a heuristic, not a measured population statistic — we don't have access to a database of every possible result to compare you against. Instead, it looks at how many decimal places of genuine precision appeared in the raw audio output. More precision suggests more hardware-specific variance was captured, and therefore more potential to be distinctive.

Canvas Fingerprint Hash & Rendering Anomaly

A hidden HTML5 canvas draws text and shapes using specific colors and font settings, then the resulting image is exported and hashed. Anti-aliasing, sub-pixel rendering, and font smoothing all vary subtly by GPU, operating system, and browser engine — enough that the hash is frequently unique. An "anomaly" simply means the exported image came back unusually small, which typically indicates a privacy extension blocked or spoofed the canvas read.

Fonts Detected & Font Uniqueness Score

We measure the rendered width and height of test text in 20 specific fonts and compare each against generic fallback fonts. If the measurement differs from the fallback, that font is installed on your system. The specific combination of installed fonts — especially less common ones — can narrow down your device, operating system, and sometimes even your region or profession.

Notable Fonts Found

This lists exactly which of the 20 tested fonts were detected as installed. A short list here usually just means a clean, default device install — it isn't a red flag on its own, only one input into the overall uniqueness picture.

ClientRects Hash & Sub-Pixel Rendering Variance

Every browser measures the exact pixel dimensions of rendered text slightly differently, down to fractions of a pixel, due to differences in font hinting and rendering engines. We measure one short string's bounding box and hash the width and height together. It's a quieter signal than canvas or audio fingerprinting, but it costs nothing extra to check and adds a bit more certainty when combined with the others.

Bot & Automation

Webdriver Detected & Automation Signals

Automated browsers controlled by tools like Selenium or Puppeteer set a flag called navigator.webdriver to true, and some leave other traces too, like an empty languages list or a "HeadlessChrome" string in the user agent. None of these alone is conclusive proof, which is why we report a confidence level rather than a flat yes or no — this matters far more to website operators screening for bots than it does to an individual visitor.

Bot Detection Confidence

High confidence means the webdriver flag itself was detected, which is a strong signal. Medium means one or more secondary signals appeared without the flag itself. Low means none of the signals we check for were present — consistent with an ordinary human-operated browser.

Private Browsing Detected & Storage Quota

This is a heuristic based on your browser's reported storage quota — private and incognito sessions typically get a much smaller quota than a normal session, often under 120MB versus several gigabytes. It isn't a guaranteed detection, since the exact threshold varies by browser and changes over time, but it's a reasonably reliable signal in practice.

Ad Blocker Detected

We insert a hidden element using classic ad-related class names like "ad-banner" and "adsbox," then check whether it got hidden. Ad blockers that filter by class name will collapse it to zero size; if nothing intervenes, the element stays at its normal size. This is the same basic technique most ad-blocker-detection scripts use.

Leak & Network Signals

HTTP Headers (Accept-Language, Accept-Encoding, and the full table)

Your own page's JavaScript can't see the headers its own request sent — only the server receiving that request can. This is the one signal on this page that needs a backend round trip rather than running purely in your browser: a small server endpoint reads the real headers and echoes them straight back to you. Accept-Language in particular can reveal your true language preferences even if you've manually changed your browser's display language to mask your region.

IPv6 Connectivity & IPv6 Leak Detected

Some VPNs only tunnel IPv4 traffic, leaving a device's native IPv6 connection exposed and able to bypass the VPN entirely — defeating its purpose without any obvious warning. This check asks our backend to report which IP version your specific request actually arrived over. Worth knowing honestly: this result depends partly on whether the hosting infrastructure between you and our server fully supports IPv6 end to end, so treat "IPv4 Only" as informative rather than a hard guarantee that IPv6 is unavailable to you elsewhere.

Geolocation

Geolocation Permission

This page never asks your browser for a fresh location permission prompt of its own. It only reads real GPS coordinates if you'd already granted location access to this site previously, somewhere else. If the permission state is "prompt" or "unsupported," that's simply reported as-is — we'd rather show an honest gap than push for a permission grant that isn't already there.

GPS Latitude, Longitude & Accuracy Radius

When available, this is your device's actual GPS-reported position, accurate to within the radius shown — typically a few meters on a phone with a clear sky view, much wider indoors or on a laptop with no GPS hardware at all, where it falls back to Wi-Fi or IP-based estimation.

GPS vs IP Location Match

Your IP address resolves to a location based on your ISP's registered infrastructure, which can be a city or more away from where you actually are. Comparing that against your real GPS position, when both are available, is one of the more reliable ways to catch a VPN or proxy in use — a large mismatch between the two is a meaningful signal that your apparent network location isn't your real one.

Environment Signals

Media Queries Tested & Matched

We check your browser's response to 15 specific CSS media features — things like color scheme preference, hover capability, pointer precision, and display mode. None of these need a stylesheet at all; they're tested directly through the same JavaScript API your browser already exposes. The specific combination of which features match can hint at your device type and accessibility settings.

Display Mode, Color Scheme & Reduced Motion Preference

Display mode tells us whether you're viewing this in an ordinary browser tab or as an installed app. Color scheme and reduced motion reflect your operating system's accessibility settings, which sites can use to adapt automatically — and which also feed into the broader fingerprint, since most users never change these from their device's default.

Extensions Detected & Detection Method

This checks for a short list of well-known browser extensions by attempting to load each one's own internal resource files, which only succeeds if that exact extension is installed. It only works in Chromium-based browsers, since the technique relies on a URL scheme specific to that browser family — Firefox and Safari correctly report "not applicable" rather than a fake zero.

Speech Synthesis Voice Count, Hash & Default Voice

Your operating system's installed text-to-speech voices vary by platform, region, and language packs installed, and the exact list is visible to any page without asking permission. We hash the sorted list of voice names into a single fingerprint value, since the precise combination is often distinctive even when individual voices like a default English voice are common.

Audio Input, Output & Video Input Device Counts

The number of microphones, speakers, and cameras connected to your device is visible without requiring camera or microphone permission — only the device names require that. A laptop with a built-in camera and mic typically shows small counts like one of each; a desktop with multiple monitors and audio outputs often shows more.

Math Engine Hash & Consistency

Transcendental math functions like tangent, sine, and logarithm can differ in their very last decimal digits depending on the exact JavaScript engine and CPU architecture running them. We run a small fixed set of these calculations and hash the combined result — a quiet but genuine signal that requires no special permissions and costs almost nothing to check.

Bigger Picture

What You Can Actually Do About This

A VPN doesn't help here, and that's worth knowing plainly

Every other panel on IntelReap focuses on your network connection — your IP, your ISP, whether a VPN is active. None of that touches what's measured on this page. Audio rendering, canvas drawing, and font lists are properties of your browser and device, not your network path, so they look identical whether you're on your home connection or routed through five different VPN servers. If reducing your fingerprint specifically matters to you, the tools that help are browser-level, not network-level: Firefox's strict tracking protection and resistFingerprinting setting, or privacy-focused browsers like Brave and Tor Browser, which deliberately randomize or normalize many of the signals measured here.

Blocking everything can backfire

It's tempting to assume disabling every fingerprinting surface is automatically safer, but an unusually large number of disabled APIs is itself a distinguishing pattern — very few ordinary visitors have audio, canvas, and WebGL all blocked simultaneously. The browsers that handle this well, like Tor Browser, work by making everyone's fingerprint look the same as everyone else's, rather than making any one visitor's fingerprint look empty.

Fingerprinting & Leak Detection — Frequently Asked Questions

Browser fingerprinting is a tracking technique that identifies your device using a combination of subtle hardware and software characteristics — such as audio rendering, canvas drawing, and installed fonts — instead of cookies. These characteristics are often unique enough to identify you even if you clear cookies or use a VPN.
Privacy-focused browsers and extensions can randomize or block some fingerprinting signals, particularly canvas and audio fingerprinting. However, blocking too aggressively can itself become a distinguishing signal, since very few real users have every fingerprinting surface disabled at once.
A high score means more of your tested signals are distinctive rather than common, which makes you easier to re-identify across visits and sites. It is not dangerous by itself, but it does mean less anonymity than a low score.
No. A VPN changes your IP address and apparent location, but fingerprinting techniques like audio, canvas, and font detection read characteristics of your browser and device, not your network connection, so they work identically whether or not a VPN is active.
Methodology Sources
01 W3C Web Audio API and Canvas 2D Context specifications
02 W3C Geolocation API and CSS Media Queries specifications
03 Published browser fingerprinting research on canvas, audio, and font-based device identification