How device fingerprinting works in anti-bot stacks, traced through FingerprintJS open-source and Pro: the signal set, the entropy budget that makes a visitor ID unique, why client-side hashes drift, and how it differs from bot detection.
Traces how rendering text and shapes to an HTML5 canvas and hashing the toDataURL output yields a stable per-device value, the GPU, driver and font causes behind the variation, the 2012 origin, and how much entropy it really carries.
A primary-source reference on WebGL fingerprinting: the UNMASKED_RENDERER and UNMASKED_VENDOR strings, supported extensions, shader precision formats, rendered-image hashing, and the browser mitigations that bucket or hide them.
Traces how rendering an oscillator through OfflineAudioContext and a DynamicsCompressor produces a stable per-device float, the floating-point and FFT causes behind the variation, the 2016 origin, and how much entropy it really carries.
Traces how the installed-font set became a high-entropy fingerprint, the text-width and ClientRects measurement that reads it without any font API, the @font-face/local() side channel, and the browser defenses that tried to close it.
A reference to the navigator object's fingerprinting surface: userAgent, platform, languages, hardwareConcurrency, deviceMemory, vendor, productSub, and webdriver, plus the cross-property consistency checks that catch a spoof.
Traces how screen width, height, availWidth, colorDepth and devicePixelRatio became fingerprint entropy, why zoom, multi-monitor and OS scaling make them unstable, and how the same numbers turn into a bot tell.
Traces how four read-only battery properties became a cross-site tracking vector, the 2015 Olejnik research that proved it, the in-the-wild scripts Princeton caught, and the Firefox and WebKit removals that followed.
Traces how getClientRects() and measureText() turn fractional layout geometry into a stable device label, why two machines render the same glyph to different floating-point boxes, and why spoofing the values consistently is so hard.
Traces how Intl.DateTimeFormat, getTimezoneOffset, Accept-Language and navigator.languages get read together against IP geolocation, and how the gaps between them catch proxies and spoofed browsers.
Traces how WebRTC ICE candidate gathering uses STUN to surface local and real public IPs in JavaScript regardless of an HTTP proxy or VPN, the mDNS hostname mitigation Chrome shipped in 2019, and how anti-fraud systems use the mismatch.
How the same emoji codepoint and ZWJ sequence render to different pixels and bounding-box widths across OS emoji fonts, and how canvas and getClientRects turn that variation into a platform-revealing fingerprint.
Traces what navigator.hardwareConcurrency and navigator.deviceMemory actually expose, the caps and power-of-two quantization browsers apply, and how impossible or mismatched values flag VMs and automation.
Traces how canPlayType, MediaSource.isTypeSupported, MediaCapabilities.decodingInfo, and the EME key-system probe report which codecs and DRM a device admits to, why those answers vary by OS, browser, and hardware, and how much entropy they carry.
A source-level read of the open-source FingerprintJS agent: its entropy sources, how x64hash128 turns them into a visitorId, the confidence formula, and what Fingerprint Pro adds server-side with Smart Signals and bot detection.
A primary-source reference on the 2017 Cao, Li, and Wijmans cross-browser fingerprint: the WebGL rendering tasks, audio and CPU signals, and why OS- and hardware-level features survive a browser switch.
Traces the central tension in device fingerprinting: each added signal raises Shannon entropy and uniqueness but lowers stability, why detectors weight stable signals, and how the math from Panopticlick onward sets the budget.
Traces how the speechSynthesis.getVoices() list reveals OS, locale, and version through bundled TTS voices, the async-loading quirk that returns an empty array on first call, the entropy it carries, and the browser defenses.
How a device fingerprint plus proxy, velocity, and history signals turns into a fraud risk score, traced through Sift, SEON, and Fingerprint Pro, and where it diverges from bot detection.