Traces how the three Accept request headers, their exact default values, q-value syntax, and ordering form a per-browser signature, and how a missing or mismatched triad marks a request as a non-browser client.
Traces how HTTP/2's single multiplexed connection replaced HTTP/1.1's pool of short-lived sockets, and how that one architectural change turned per-connection setup frames into a stable, reusable client fingerprint.
Traces how the initial TTL, TCP window size, MSS, and the order of TCP options in a single SYN packet identify the sending operating system, and why that identity is set by the kernel rather than the browser.
How p0f reads a single SYN packet to name the operating system behind it, traced from Michal Zalewski's 2000 release through the v3 rewrite, the signature grammar, and why TTL, window size, and option order still leak OS identity in 2026.
Traces how the order of TCP options in a SYN packet, the window-scale shift count, the SACK-permitted flag, NOP padding, and the timestamp clock identify an operating system, and how per-connection randomization changed what the timestamp leaks.
How tunnels and VPNs shift MTU and MSS, why a non-standard MSS in a SYN packet betrays an encapsulated path, and how path-MTU discovery behavior turns a packet-size value into a signal.
Traces how rendering text and shapes to an HTML5 canvas and hashing the toDataURL output yields a stable per-device value, the GPU, driver and font causes behind the variation, the 2012 origin, and how much entropy it really carries.
A primary-source reference on WebGL fingerprinting: the UNMASKED_RENDERER and UNMASKED_VENDOR strings, supported extensions, shader precision formats, rendered-image hashing, and the browser mitigations that bucket or hide them.
Traces how rendering an oscillator through OfflineAudioContext and a DynamicsCompressor produces a stable per-device float, the floating-point and FFT causes behind the variation, the 2016 origin, and how much entropy it really carries.
Traces how the installed-font set became a high-entropy fingerprint, the text-width and ClientRects measurement that reads it without any font API, the @font-face/local() side channel, and the browser defenses that tried to close it.
A reference to the navigator object's fingerprinting surface: userAgent, platform, languages, hardwareConcurrency, deviceMemory, vendor, productSub, and webdriver, plus the cross-property consistency checks that catch a spoof.
Traces how screen width, height, availWidth, colorDepth and devicePixelRatio became fingerprint entropy, why zoom, multi-monitor and OS scaling make them unstable, and how the same numbers turn into a bot tell.
Traces how getClientRects() and measureText() turn fractional layout geometry into a stable device label, why two machines render the same glyph to different floating-point boxes, and why spoofing the values consistently is so hard.
Traces how Intl.DateTimeFormat, getTimezoneOffset, Accept-Language and navigator.languages get read together against IP geolocation, and how the gaps between them catch proxies and spoofed browsers.
How the same emoji codepoint and ZWJ sequence render to different pixels and bounding-box widths across OS emoji fonts, and how canvas and getClientRects turn that variation into a platform-revealing fingerprint.
Traces what navigator.hardwareConcurrency and navigator.deviceMemory actually expose, the caps and power-of-two quantization browsers apply, and how impossible or mismatched values flag VMs and automation.
Traces how canPlayType, MediaSource.isTypeSupported, MediaCapabilities.decodingInfo, and the EME key-system probe report which codecs and DRM a device admits to, why those answers vary by OS, browser, and hardware, and how much entropy they carry.
A source-level read of the open-source FingerprintJS agent: its entropy sources, how x64hash128 turns them into a visitorId, the confidence formula, and what Fingerprint Pro adds server-side with Smart Signals and bot detection.
A primary-source reference on the 2017 Cao, Li, and Wijmans cross-browser fingerprint: the WebGL rendering tasks, audio and CPU signals, and why OS- and hardware-level features survive a browser switch.
Traces the central tension in device fingerprinting: each added signal raises Shannon entropy and uniqueness but lowers stability, why detectors weight stable signals, and how the math from Panopticlick onward sets the budget.
Traces how the speechSynthesis.getVoices() list reveals OS, locale, and version through bundled TTS voices, the async-loading quirk that returns an empty array on first call, the entropy it carries, and the browser defenses.
A primary-source reference on keystroke dynamics: how dwell time, flight time, and digraph latencies are measured, the path from telegraph fists to LSTM auth at internet scale, and where the accuracy claims actually hold.
Traces how the 1,216-byte X25519MLKEM768 key share splits the ClientHello across packets, why classic TLS libraries without it now stand out, and what matching a 2026 Chrome handshake actually requires.
A message-by-message walk of the RFC 8446 handshake: ClientHello, HelloRetryRequest, ServerHello, EncryptedExtensions, Certificate, and Finished, marking exactly which bytes a passive observer can read and which the key schedule has already locked away.