Skip to main content

Learn / Canvas

What is canvas fingerprinting?

A tracking method that identifies browsers by measuring how they render hidden text and graphics.

Layer
JavaScript and browser rendering
Inputs
Fonts, GPU behavior, browser engine, operating system, graphics libraries
Why it persists
It measures how your device behaves instead of relying on a stored cookie

The basics

Canvas fingerprinting turns rendering quirks into an identifier.

The HTML5 canvas element lets a browser draw text and graphics directly in a page. That is a normal feature used for charts, visualizations, image processing, and interactive interfaces. It also gives trackers a way to measure how your device renders the same scene.

A script can ask the browser to draw text with unusual character combinations, layer colors and shapes, apply shadows or rotations, and then read the resulting image back as pixel data. The output changes slightly depending on the browser engine, installed fonts, operating system, graphics hardware, and supporting libraries.

Those changes are often subtle, but they are measurable. Once the pixel output is hashed, the result becomes a compact signal that can help distinguish one browser from another. That is why canvas fingerprinting is commonly used as one part of a broader browser fingerprint.

How it works

The process is simple, quiet, and easy to automate.

  • 1. A hidden canvas is created

    A page script creates an off-screen HTML5 canvas and instructs the browser to draw text, shapes, shadows, gradients, or blended colors where the user never sees them.

  • 2. The browser renders the scene

    Your browser hands that work to its graphics and font stack. Minor differences in fonts, antialiasing, GPU behavior, and system libraries affect the final pixels.

  • 3. The site reads the pixels back

    JavaScript extracts the rendered output with methods like toDataURL or getImageData and converts that image into a compact fingerprint value.

  • 4. The result is used for recognition

    That value can be combined with other browser signals and stored server-side to help recognize the same browser later, even if cookies are cleared.

Why it matters

It is useful because it is passive, repeatable, and hard for ordinary users to notice.

  • Persistent tracking without storage

    Canvas fingerprinting does not need a cookie written to the browser. Recognition comes from how the machine renders content, not from a value stored locally.

  • It survives common privacy habits

    Private windows, VPNs, and cookie clearing do not materially change the graphics and font behavior that canvas tests depend on.

  • It scales well for commercial tracking

    On its own, a canvas hash is not always enough. Combined with other browser and network signals, it becomes much more useful for profiling and risk scoring.

Canvas fingerprinting is not usually the only signal collected. It becomes more powerful when it is combined with header patterns, WebGL output, audio context data, timezone, screen information, and transport-layer fingerprints.

How 404 addresses it

404 reduces the usefulness of canvas output by changing the browser signals fingerprinting scripts rely on.

Canvas fingerprinting sits in the browser-exposed JavaScript layer, so the relevant defense is not just hiding your IP. 404 focuses on the signals trackers inspect directly, including canvas-related rendering surfaces and adjacent browser properties that are commonly combined into a single identifier.

That does not mean perfect protection. Some sites collect many signals at once, and fingerprinting techniques change over time. The practical goal is to make the browser less stable and less useful as a long-term identifier while keeping it usable for ordinary browsing.

See pricing How 404 works

Further reading

If you want to test your own browser, start here.