How servers catch a proxy by comparing where an IP claims to be against how long packets actually take to arrive. The speed-of-light floor, TCP-handshake timing, the TCP-vs-TLS cross-layer split, and JA4L.
Traces how rendering text and shapes to an HTML5 canvas and hashing the toDataURL output yields a stable per-device value, the GPU, driver and font causes behind the variation, the 2012 origin, and how much entropy it really carries.
A primary-source reference on WebGL fingerprinting: the UNMASKED_RENDERER and UNMASKED_VENDOR strings, supported extensions, shader precision formats, rendered-image hashing, and the browser mitigations that bucket or hide them.
Traces how rendering an oscillator through OfflineAudioContext and a DynamicsCompressor produces a stable per-device float, the floating-point and FFT causes behind the variation, the 2016 origin, and how much entropy it really carries.
Traces how the installed-font set became a high-entropy fingerprint, the text-width and ClientRects measurement that reads it without any font API, the @font-face/local() side channel, and the browser defenses that tried to close it.
A reference to the navigator object's fingerprinting surface: userAgent, platform, languages, hardwareConcurrency, deviceMemory, vendor, productSub, and webdriver, plus the cross-property consistency checks that catch a spoof.
Traces how screen width, height, availWidth, colorDepth and devicePixelRatio became fingerprint entropy, why zoom, multi-monitor and OS scaling make them unstable, and how the same numbers turn into a bot tell.
Traces how four read-only battery properties became a cross-site tracking vector, the 2015 Olejnik research that proved it, the in-the-wild scripts Princeton caught, and the Firefox and WebKit removals that followed.
Traces how getClientRects() and measureText() turn fractional layout geometry into a stable device label, why two machines render the same glyph to different floating-point boxes, and why spoofing the values consistently is so hard.
Traces how Intl.DateTimeFormat, getTimezoneOffset, Accept-Language and navigator.languages get read together against IP geolocation, and how the gaps between them catch proxies and spoofed browsers.
Traces how WebRTC ICE candidate gathering uses STUN to surface local and real public IPs in JavaScript regardless of an HTTP proxy or VPN, the mDNS hostname mitigation Chrome shipped in 2019, and how anti-fraud systems use the mismatch.
How the same emoji codepoint and ZWJ sequence render to different pixels and bounding-box widths across OS emoji fonts, and how canvas and getClientRects turn that variation into a platform-revealing fingerprint.
Traces what navigator.hardwareConcurrency and navigator.deviceMemory actually expose, the caps and power-of-two quantization browsers apply, and how impossible or mismatched values flag VMs and automation.
Traces how canPlayType, MediaSource.isTypeSupported, MediaCapabilities.decodingInfo, and the EME key-system probe report which codecs and DRM a device admits to, why those answers vary by OS, browser, and hardware, and how much entropy they carry.
A source-level read of the open-source FingerprintJS agent: its entropy sources, how x64hash128 turns them into a visitorId, the confidence formula, and what Fingerprint Pro adds server-side with Smart Signals and bot detection.
A primary-source reference on the 2017 Cao, Li, and Wijmans cross-browser fingerprint: the WebGL rendering tasks, audio and CPU signals, and why OS- and hardware-level features survive a browser switch.
Traces the central tension in device fingerprinting: each added signal raises Shannon entropy and uniqueness but lowers stability, why detectors weight stable signals, and how the math from Panopticlick onward sets the budget.
Traces how the speechSynthesis.getVoices() list reveals OS, locale, and version through bundled TTS voices, the async-loading quirk that returns an empty array on first call, the entropy it carries, and the browser defenses.
Traces what mouse, keystroke, and touch dynamics actually measure, how continuous authentication differs from a login check, how BioCatch and BehavioSec build the profile, and why behavioral data sits in a regulatory grey zone.
A primary-source reference on keystroke dynamics: how dwell time, flight time, and digraph latencies are measured, the path from telegraph fists to LSTM auth at internet scale, and where the accuracy claims actually hold.
A reference on the detection side of mouse dynamics: the curvature, velocity, acceleration and pause features detectors extract, the classifiers that separate human from bot, and the Balabit dataset that anchors the literature.
A reference on touch dynamics as a behavioral biometric: the raw signals a phone exposes (pressure, contact area, velocity, curvature, tap timing), the features built on top of them, and how the same signals drive auth and bot detection.
How DeviceMotion and DeviceOrientation readings separate a handheld phone from an emulator, why flat or looped sensor streams give automation away, and how the iOS and Android permission models gate the whole signal.
A reference on session-replay pipelines: the DOM snapshot plus incremental-mutation model, the mouse, scroll, focus and input events that get streamed, the FullStory and Hotjar lineage versus fraud-vendor use, and the privacy leaks.