BrowserCat
Dashboard →
guide

Master Browser Fingerprint Spoofing with Expert Techniques

Browser Fingerprint Spoofing Explained

Browser fingerprinting is a powerful technique that websites use to identify and track users by collecting various details about their browser and device. For developers, understanding how browser fingerprints work—and how to spoof or fake them—is essential for both protecting user privacy and for building web automation that can avoid detection. In this in-depth guide, we’ll explore what browser fingerprinting is, why spoofing it is important (especially for privacy and automation), and dive into the top techniques to alter or mask your browser fingerprint. We’ll include code snippets (Python, JavaScript, Puppeteer/Selenium, etc.) to demonstrate implementations, highlight tools and libraries that aid in fingerprint spoofing, look at some real-world use cases, and conclude with best practices and ethical considerations.

What is Browser Fingerprinting?

Browser fingerprinting is a method of uniquely identifying a browser or device based on its configuration and environment. Every time you visit a website, your browser reveals a lot of information about your system. This happens through HTTP headers and by running scripts in the browser. By combining enough of these data points, websites can create a “fingerprint” that distinguishes your device from millions of others. Unlike cookies, which are stored on your device and can be cleared, a browser fingerprint is stateless tracking – it doesn’t require any storage on the client side and can identify you even if you’re in incognito mode or behind a VPN.

How Does It Work?

A fingerprint is essentially a hash or profile of various attributes your browser exposes. Some examples of data that commonly make up a browser fingerprint include:

  • User-Agent string – Identifies the browser software, version, and operating system.
  • Accept Headers & Language – Which content types your browser accepts and your preferred language/locale.
  • IP Address – Gives a rough geolocation (though this can be masked by proxies/VPNs).
  • Timezone – Your device’s local timezone offset (e.g., GMT+2).
  • Screen Resolution and Color Depth – The size of your display and color depth.
  • Platform and OS details – e.g., whether you’re on Windows, Mac, Linux, phone model, etc.
  • Browser Plugins and Extensions – The list of plugins (like PDF viewer, etc.) installed in the browser.
  • Installed Fonts – The set of fonts your system has can be probed via Flash or JS/CSS tricks.
  • Canvas/WebGL rendering – How your browser draws graphics on the HTML5 canvas or WebGL (3D context) can produce a unique signature.
  • Audio stack behavior – Generating sound via the Web Audio API and measuring output can fingerprint a device’s audio stack.
  • Media Devices – Enumerating cameras/microphones (with permission) yields device IDs.
  • CSS Support – Subtle differences in supported CSS features or the results of certain CSS queries.
  • TLS Handshake – The way the browser connects over HTTPS (TLS fingerprint) can identify the client software.

These are just a few examples – in practice, hundreds of such characteristics might be combined. Each piece of information by itself might not be unique, but the combination of many variables becomes very likely to be unique to you. The Electronic Frontier Foundation’s Panopticlick project famously showed that most browsers have an almost-unique fingerprint.

Why is This Done?

Originally, browsers provided this info to help websites optimize user experience (e.g., knowing your language, time zone, or screen size helps sites present content correctly). However, these same details can be abused for tracking. Fingerprinting is attractive to advertisers and analytics companies as a more persistent alternative to cookies (which users can delete or block). It’s also used by security systems to detect fraud or bots—by noticing when a purported “new” user shares a fingerprint with a known malicious session, for instance.

The key point: Your browser fingerprint is like a digital barcode for your device. It’s passively gathered (no pop-ups or user permission needed) and often very difficult to avoid. Once a website compiles your fingerprint, they can recognize you on return visits or even track you across different websites if those sites share fingerprint data. All of this can happen without your awareness, raising serious privacy concerns.

Why Spoof Browser Fingerprints?

Privacy and Anonymity

From a privacy perspective, fingerprinting is considered a stealthy tracking method – users are often unaware it’s happening, and there’s no straightforward way to opt out. Unlike cookies or other trackers that might require consent (due to regulations like GDPR), fingerprinting can fly under the radar of consent banners. This makes it a serious threat to online privacy.

By building a unique fingerprint of your browser, websites can track your browsing behavior, build profiles of your interests, and even potentially discriminate (e.g., showing higher prices to certain user profiles). Fingerprinting data can include technical details that might be exploited (like identifying older plugin versions with security vulnerabilities).

Because of these issues, fingerprint spoofing or blocking is important for users who want to remain anonymous or untrackable. If you can prevent websites from getting a consistent fingerprint, you make it much harder for them to recognize you as the same user across visits. There are two main strategies here:

  • Uniformity: Make your fingerprint as generic as possible, so you blend in with a large crowd. For example, Tor Browser takes this approach – it aims to ensure that all Tor Browser users present an identical fingerprint, so no single user stands out. If everyone looks the same, tracking via fingerprint becomes ineffective.
  • Randomization: Alternatively, you can continually randomize parts of your fingerprint so that it’s not consistent enough to track. Some anti-fingerprinting browser extensions do this – for instance, randomly changing your reported screen size or adding noise to a canvas image each session. The goal is to break the link between consecutive visits.

Either way, spoofing helps mask your real identity. It’s an essential technique for whistleblowers, journalists, or anyone in a sensitive position who doesn’t want their device easily recognized. It’s also simply a good practice for regular users who value privacy. Web browsers like Firefox and Brave have started integrating anti-fingerprinting measures (Firefox’s privacy.resistFingerprinting setting, Brave’s fingerprinting protection mode) to help with this.

Automation and Web Scraping

For developers, another big motivation to spoof fingerprints is web automation. If you’re using tools like Selenium, Puppeteer, or Playwright to script browser actions (for web scraping, automated testing, or managing multiple accounts), you may have encountered websites that block bots and headless browsers. Modern anti-bot systems (e.g., Cloudflare, Akamai, DataDome, PerimeterX) often inspect browser fingerprints to decide if a client is likely a bot.

There are a few reasons an automation script’s fingerprint might give it away:

  • Default or Missing Values: Many automation browsers have subtle differences. For example, Selenium Chrome in headless mode sets a JavaScript flag navigator.webdriver=true by default, which is a blatant “I am automation” signal. Headless Chrome used to include the word “HeadlessChrome” in the User-Agent string, which sites could detect easily. Also, the list of plugins or fonts might be empty or too minimal in a controlled environment, which looks suspicious.
  • Inconsistencies: If a script spoofs some things but not others, it can create mismatched data. For instance, claiming to be a mobile Safari browser via User-Agent but then having a desktop screen resolution and no touch support is a red flag. Anti-bot systems look for these inconsistencies in fingerprint data. Missing expected attributes (like no canvas support, or WebGL disabled when normally that browser would have it) can also trigger suspicion.
  • Known TLS/HTTP Patterns: Some HTTP libraries or older headless browsers make network requests that technically mimic a browser but have subtle differences in TLS handshake or header order. Anti-bot systems compile databases of known “bot” fingerprints. If your tool’s fingerprint matches one, you get blocked.

By spoofing the fingerprint, developers can make their automated tools impersonate real users more convincingly, thereby bypassing bot detections. For example, rotating the User-Agent string is a basic step to avoid naive blockers. More advanced spoofing (modifying JS APIs, canvases, etc.) can make a headless browser nearly indistinguishable from a real one. Tools like puppeteer-extra’s stealth plugin or Selenium’s “undetected” ChromeDriver apply many of these tricks out of the box.

Ethical Note: While it’s useful for legitimate reasons (e.g., testing, competitive intelligence, privacy), fingerprint spoofing can also be used maliciously – such as by fraudsters trying to appear as multiple users. Anti-fraud systems are aware of this; for instance, they note that a sophisticated fraudster would need to spoof many aspects or literally use different devices to avoid being caught. It’s an arms race, which is why understanding these techniques is valuable for both defenders and developers trying to operate legitimately without undue blocking.

Top Techniques for Browser Fingerprint Spoofing

There’s no single silver bullet to spoofing a fingerprint because, as we saw, a fingerprint is multi-faceted. Effective spoofing often means combining multiple techniques to cover different parts of the fingerprint. Below, we’ll cover the top techniques and explain how each one works, with examples and code where applicable.

1. User-Agent Spoofing

What it is: The User-Agent (UA) string is a line of text every browser sends in the HTTP request headers, identifying the browser name, version, engine, and operating system. For example, a Chrome on Windows UA might look like:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36

This string alone reveals a lot: here we see Windows 10, 64-bit, running Chrome 114. Fingerprinters use UA as one of the inputs, and some older systems rely on it heavily. Spoofing the UA is often the first and easiest step in avoiding fingerprint-based tracking or blocking.

How to spoof it: Simply put, you tell your HTTP client or browser to send a different UA string than the default. This could mean pretending to be a different browser or version. For instance, a script using an outdated library might by default send something obvious like Python-urllib/3.9 or Java/1.8.0 as the User-Agent – which is a dead giveaway that this is not a normal browser. Changing it to a common browser UA immediately makes the request less suspicious.

Most languages and tools allow overriding the User-Agent:

  • In Python (requests):

    import requests
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/108.0.0.0 Safari/537.36"
}
resp = requests.get("https://httpbin.org/headers", headers=headers)
print(resp.json()["headers"]["User-Agent"])
# Output: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...Chrome/108.0.0.0 Safari/537.36

  • In JavaScript (Puppeteer):

    const browser = await puppeteer.launch({ headless: true });
const page = await browser.newPage();
await page.setUserAgent(
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
);
await page.goto("https://bot.sannysoft.com"); // test site to see fingerprint

  • In Selenium (Python with ChromeDriver):

    from selenium import webdriver
opts = webdriver.ChromeOptions()
opts.add_argument("--user-agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2) " 
                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109 Safari/537.36")
driver = webdriver.Chrome(options=opts)
driver.get("https://httpbin.org/headers")
# The loaded page will think we are Chrome 109 on MacOS.

Keep it consistent: The content of your spoofed UA matters. If you claim to be a certain browser/OS, it’s best to also mimic that environment in other ways (we’ll cover that in later techniques). Inconsistent spoofing can backfire – research has shown that if your spoofed info doesn’t match other signals, you might actually stand out more than if you hadn’t spoofed at all. For example, very few real users have “Safari on Windows” as their UA, so if you use an impossible or rare combination, your fingerprint becomes unique in a different way. The safest approach is to pick common, plausible UAs. Many developers maintain lists of recent popular UA strings (for Chrome, Firefox, mobile Safari, etc.) and randomly choose one for each session. This makes your traffic look heterogeneous and closer to real-world distribution.

Limitations: Spoofing the UA is trivial (browsers themselves even allow it via devtools or add-ons), but it’s not sufficient by itself against serious fingerprinting. Modern anti-bot systems treat UA as just one of many clues. They will compare the UA to other properties – for instance, if UA says Chrome 108 on Windows but the TLS handshake or JS features don’t align with Chrome 108, it’s a red flag. Nevertheless, UA spoofing is important; it’s the first layer of lying about your browser’s identity. Just remember to change other things too – which leads us to the next techniques.

2. Canvas Fingerprinting Manipulation

What is Canvas fingerprinting? This is a more sneaky technique that uses the HTML5 <canvas> element to generate a fingerprint. The idea: the website runs a script that draws a hidden image or text on a canvas and then reads the pixel data (using canvas.toDataURL() or getImageData()). Because of differences in rendering (due to your exact browser version, OS graphics stack, GPU, fonts, antialiasing settings, etc.), the resulting pixel array will be slightly different on each device. The script usually hashes that pixel data to produce a short fingerprint string. It’s essentially asking your browser “Draw this image and tell me how it looks” – and each browser might produce a unique signature. This happens invisibly in the background (no visual indicator).

How to spoof or prevent it: You have a few options to foil canvas fingerprinting:

  • Block it – Easiest on the user side: some browsers (Tor Browser, Firefox with resistFingerprinting) will prompt you when a site tries to read canvas data or will return a blank image. This prevents the site from getting a fingerprint. However, outright blocking might also signal to the site that you’re using anti-fingerprinting (which could itself be seen as suspicious or just result in reduced functionality).
  • Fake it – A better approach is to allow the canvas read but alter the result in a consistent way. The goal is to give the site some canvas fingerprint, but not your real one. One method is to add a tiny amount of noise to the canvas output. This noise can be random per browser (so your fingerprint is not your real one) but fixed during a session (so you appear consistently as some other device). Another method is to override the canvas API to always produce a specific constant image (for example, one known from a generic device).

Because this is done via JavaScript, we can inject our own JS to tamper with the Canvas APIs. For example, we can override the toDataURL or getImageData methods that fingerprinting scripts use:

// Inject this script early (e.g., via Puppeteer or an extension)
const context2D = HTMLCanvasElement.prototype.getContext;
HTMLCanvasElement.prototype.getContext = function(type, ...args) {
    const ctx = context2D.apply(this, [type, ...args]);
    if (type === '2d') {
        const originalToDataURL = this.toDataURL;
        const originalGetImageData = ctx.getImageData;
        // Override toDataURL
        this.toDataURL = function(...args) {
            const data = originalToDataURL.apply(this, args);
            // e.g., modify the data string by flipping one byte (simple noise)
            return data.replace(/^data:image\/png;base64,/, '$&spoof'); 
            // (This example adds a dummy 'spoof' text into the data URI for illustration.
            // A real implementation would manipulate actual pixel bytes.)
        };
        // Override getImageData
        ctx.getImageData = function(...args) {
            const imageData = originalGetImageData.apply(this, args);
            // tweak pixel data slightly
            for (let i = 0; i < imageData.data.length; i += 4) {
                imageData.data[i] ^= 0x01; // flip the least significant bit of red channel
            }
            return imageData;
        };
    }
    return ctx;
};

In this snippet, whenever a canvas 2D context is requested, we patch its methods:

  • toDataURL() will return a modified image (we tampered with the base64 string slightly here for demonstration).
  • getImageData() returns pixel data but we flip a tiny bit in each pixel.

The effect is that the fingerprinting script gets a consistently wrong result. The hash they compute will not match the real image produced by your hardware. By adding an arbitrary but deterministic distortion, your fingerprint becomes something artificial. If done right, every time the script runs in your browser, it sees the same fake fingerprint (so you appear as one stable anonymous identity), but it’s not actually your device’s true fingerprint (so you’re protected from tracking).

Tip: The modification should be small enough not to break legitimate uses of canvas (some sites might legitimately use canvas for graphics). The above example’s alteration of one pixel bit would not produce a visible difference to the user but would change the hash. Real extensions like CanvasBlocker or Canvas Defender use more sophisticated noise functions (like per-session random seeds). These tools essentially implement the kind of overrides shown above.

Using Puppeteer or Selenium: If you’re automating, you can inject such scripts at the page start. For Puppeteer, you can use page.evaluateOnNewDocument(<script>) so that it runs before any page script. For Selenium (Chrome), you can use the Chrome DevTools Protocol to do similar injection, or use a custom extension.

By manipulating canvas outputs, you can either:

  • Randomize them (great for privacy – you look like a new device every time, so tracking fails).
  • Spoof a specific fingerprint (useful for automation – you can make your script always appear as, say, a particular MacBook with Chrome).

Canvas fingerprinting is one of the more popular tracking techniques, so defeating it is high priority for anti-tracking tools. It’s fairly effective to spoof because we have full control via JS to intercept those calls.

3. WebRTC IP Spoofing

The issue: WebRTC (Web Real-Time Communication) is a browser feature that allows peer-to-peer connections (for video calls, etc.). A side effect of WebRTC is that it can expose your local and public IP addresses to web scripts (via STUN requests and ICE negotiation). This is often called the WebRTC IP leak. Even if you’re behind a VPN or proxy, a site might use WebRTC to get your real IP. Beyond IP, the presence of certain network interfaces or how WebRTC negotiates can also serve as fingerprint data.

For instance, a script can create a hidden RTCPeerConnection and gather ICE candidates, which include your IP addresses. If it sees a private IP like 192.168.1.5 and a public IP that’s different from your apparent one, it knows you’re likely using a VPN. Even just the fact that WebRTC is disabled can be a clue – most regular users have it enabled (since it’s on by default in browsers), so disabling it might make you stand out if not many others do.

Why it matters: For privacy, WebRTC leaks are a big deal – it defeats the purpose of an IP-masking tool if a site can just get your IP through the browser. For automation, if you use proxies, WebRTC could betray that by leaking a different IP. Also, anti-bot services might fingerprint the WebRTC behavior of headless browsers.

Spoofing techniques:

  • Disable WebRTC – The brute-force solution. If you don’t need WebRTC, you can turn it off. In Firefox, you can set media.peerconnection.enabled = false in about:config (or via Selenium’s Firefox profile preferences). In Brave and Chrome-based browsers, there’s no single switch to turn it fully off, but you can configure it to limit IP leaking. For example, in Brave’s settings you can choose “Disable non-proxied UDP” which stops WebRTC from revealing your local IP. There are also extensions like WebRTC Leak Prevent or WebRTC Control that toggle this behavior.

    Code example (Firefox Selenium):

    from selenium.webdriver import FirefoxProfile, FirefoxOptions
profile = FirefoxProfile()
profile.set_preference("media.peerconnection.enabled", False)
profile.update_preferences()
driver = webdriver.Firefox(firefox_profile=profile, options=FirefoxOptions())

    This will launch Firefox with WebRTC completely disabled (any attempt to use it will fail or yield no results).

  • Mock or Fake WebRTC – If completely disabling is not desirable (it might break some site features or signal anti-fingerprinting measures), another way is to intercept the API similar to canvas. You could redefine window.RTCPeerConnection to a dummy function that doesn’t actually reveal anything useful. For example:

    // Simple WebRTC faker
class FakeRTCPeerConnection {
  constructor() {
    console.log("RTCPeerConnection called");
  }
  createDataChannel(label) { return {}; }
  createOffer() { return Promise.resolve({ sdp: "" }); }
  setLocalDescription() { /* no-op */ }
  // ... other needed methods stubbed out
}
window.RTCPeerConnection = FakeRTCPeerConnection;
window.webkitRTCPeerConnection = FakeRTCPeerConnection;

    This would prevent any real peer connection from being made. The site would think WebRTC exists (so you don’t appear to have it off), but it wouldn’t get any ICE candidates.

  • Using Anti-detect Browser settings: Many anti-detect browsers provide an option to set a custom WebRTC IP. For example, you can configure “WebRTC IP override” to your proxy’s IP. This way, if a site tries to get your IP via WebRTC, it will only see the proxy IP you want it to see (or some constant dummy IP), not your real one.

Testing WebRTC leaks: As a developer, you can check how your setup fares by visiting test pages. For instance, browserleaks.com/webrtc will show what IP addresses can be obtained via WebRTC. If you see your real IP there while using a spoofing setup, you know you need to adjust something.

In summary, WebRTC spoofing is mainly about protecting your IP information and ensuring it matches your intended identity. If you’re using a proxy and you can’t fully disable WebRTC, try to ensure that any IP revealed is the proxy’s IP (not your local network address).

4. TLS Fingerprint Spoofing

This is a more advanced and low-level technique, but increasingly relevant. When your client initiates an HTTPS connection, it performs a TLS handshake with the server. During this handshake, the client sends a ClientHello message that includes details like the TLS version it supports, a list of cryptographic cipher suites it can use, and various extensions (ALPN, SNI, etc.). It turns out the combination and order of these can act as a fingerprint. Security researchers introduced the concept of JA3 fingerprints, which hash the critical parts of the ClientHello. Different HTTP clients have different JA3 hashes – for example, Chrome 100 might have one fingerprint, Firefox 100 another, Python’s requests library (using OpenSSL) yet another.

Why it matters: Even if you perfectly spoof all JavaScript-visible aspects, if you are not using a real browser under the hood, the TLS fingerprint could expose you. Imagine you set your User-Agent to mimic Chrome, but you’re actually using a Python HTTP client – the server might notice “Hmm, this TLS handshake doesn’t look like Chrome at all.” Some sophisticated anti-bot systems and fraud detection services do check this. In some cases, just the TLS fingerprint mismatch is enough to flag a client as automation.

How to spoof TLS fingerprint: Unlike the previous techniques, this one can’t be done with a simple JS override, because it happens at the network protocol level before any page loads. There are a few approaches:

  • Use real browser networking: The easiest way (from a user perspective) is to actually use a browser’s network stack instead of a bare HTTP client. If you’re using Puppeteer/Playwright or Selenium with Chrome/Firefox, you automatically get the real browser’s TLS handshake. So that will match the fingerprint for that browser version. The problem arises if you’re using something like requests (Python) or another custom client in the backend. In that case, one method is to switch to a tool that can mimic browsers.

  • Curl Impersonate / cURL with custom TLS: A notable project is cURL Impersonate, which is a modified version of cURL that can imitate browsers’ TLS handshakes and HTTP quirks. There’s a Python wrapper called curl_cffi that integrates this. With it, you can do:

    import requests  # this is actually from curl_cffi which monkey-patches requests
# Example: impersonate Chrome 110
resp = requests.get("https://example.com", impersonate="chrome110")

    Under the hood, this uses a custom TLS library configuration so that the ClientHello matches Chrome 110’s fingerprint. It will even set relevant HTTP headers to match Chrome. In BrightData’s testing, this was effective at avoiding TLS fingerprint-based bot detection.

  • Custom OpenSSL configuration: If you’re working at a lower level, you might manually configure the cipher suites and TLS version in something like requests or httpx. For instance, you can set requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS to a specific cipher list string. But matching a browser exactly is hard – you’d need the right order and extension support.

  • Proxy-level spoofing: In some cases, people use a TLS-terminating proxy that translates the fingerprint. For example, an upstream proxy could accept your client’s connection but then initiate a new connection to the target with a different fingerprint. There’s enterprise solutions and also open ones that attempt JA3 modification, but those are quite specialized.

Note: This aspect of fingerprinting is often overlooked because it’s not visible via JavaScript on the page (it’s on the server side). But as developers concerned with stealth, it’s something to consider. If you’re using headless Chrome with default settings, you’re likely fine (since headless Chrome nowadays has the same TLS fingerprint as regular Chrome of the same version). But using languages’ built-in HTTP libraries without considering TLS can undermine your other spoofing.

5. JavaScript-Based API Alterations

This category covers a broad set of techniques where you modify the browser’s JavaScript environment to lie about various fingerprintable values. We already touched on this with Canvas and WebRTC, but there’s a lot more that scripts can glean:

Consider some of the properties and methods fingerprinting scripts often use:

  • navigator.platform – returns a string like "Win32" or "Linux x86_64" or "MacIntel". If you changed your UA to Windows but navigator.platform still says "Linux", that’s a giveaway. So spoofers may override this property.
  • navigator.language and navigator.languages – indicate the browser’s language preferences (e.g., "en-US"). If you claim to be a French browser in headers but this says English, it’s inconsistent.
  • navigator.plugins – returns a list of installed browser plugins (like PDF viewer, etc.). Headless browsers often have this empty, whereas real browsers have a few default plugins. Scripts check the length of this list.
  • navigator.webdriver – as mentioned, is true in Selenium/Chrome by default. Should be set to false or undefined to appear human.
  • screen.width, screen.height, window.innerWidth, etc. – give screen resolution and window size. Real users don’t usually have weird small resolutions unless on mobile; headless might default to 800x600 or some constant. It’s good to set your headless window size to a common value (like 1920x1080) and ensure these properties reflect it.
  • deviceMemory and hardwareConcurrency – these give hints about device RAM and number of CPU cores. Many headless Chrome instances report 8 cores because they run on powerful servers, whereas typical user devices might have 4. Spoofing these to a typical value can help.
  • Date().getTimezoneOffset() – reveals the local time zone offset. If your IP (geo-location) says you’re in New York but your timezone offset is for Los Angeles, that’s a discrepancy. You can spoof this by running your automation in a specific timezone or overriding the Date methods. (Chrome has a --timezone flag or in Puppeteer page.emulateTimezone('America/New_York') for example.)
  • Intl.DateTimeFormat().resolvedOptions().timeZone – reveals the IANA timezone string (e.g., "America/New_York"). Also spoofable via similar means.
  • window.outerWidth/outerHeight vs innerWidth/innerHeight – In headless or virtualized environments, these might not match typical values; some detection scripts look for the unusual ratio or size.
  • WebGL informationwebgl.getParameter(ext.UNMASKED_VENDOR_WEBGL) returns your GPU vendor (e.g., “Intel Inc.” or “NVIDIA”) and renderer. Virtual machines or headless often have “Google Inc.” or “SwiftShader” here, which is an obvious sign of a headless Chrome using software GL. Spoofers intercept WebGLRenderingContext.getParameter to feed a common GPU name.
  • AudioContext fingerprint – Some scripts play an inaudible sound and sample it to fingerprint. You could override AudioContext.prototype.getOutputTimestamp or similar to fudge the timing or data. This is a lesser-known vector but has been used because different hardware produce different floating-point rounding differences in audio output.

Implementing JS alterations: The approach is similar across these: use Object.defineProperty to redefine the property or method on the window or navigator or relevant prototype.

For example, using Puppeteer to spoof some of these at page start:

await page.evaluateOnNewDocument(() => {
    // Navigator overrides
    Object.defineProperty(navigator, 'platform', { get: () => 'Win32' });  // claim Windows
    Object.defineProperty(navigator, 'language', { get: () => 'en-US' });
    Object.defineProperty(navigator, 'languages', { get: () => ['en-US', 'en'] });
    Object.defineProperty(navigator, 'webdriver', { get: () => undefined }); // hide automation flag

    // Plugins & MIME types (provide a fake list with common plugins)
    Object.defineProperty(navigator, 'plugins', {
      get: () => [ { name: "Chrome PDF Plugin", filename: "internal-pdf-viewer", description: "PDF Viewer" } ]
    });
    Object.defineProperty(navigator, 'mimeTypes', {
      get: () => [ { type: "application/pdf", suffixes: "pdf", description: "", enabledPlugin: navigator.plugins[0] } ]
    });

    // Hardware
    Object.defineProperty(navigator, 'hardwareConcurrency', { get: () => 4 });
    Object.defineProperty(navigator, 'deviceMemory', { get: () => 8 });

    // WebGL Vendor/Renderer spoof
    const getParameter = WebGLRenderingContext.prototype.getParameter;
    WebGLRenderingContext.prototype.getParameter = function(param) {
      // 0x1F00 is VENDOR, 0x1F01 is RENDERER in WebGL enum
      if (param === 0x1F00) return "Intel Inc.";
      if (param === 0x1F01) return "Intel Iris OpenGL Engine"; 
      return getParameter.apply(this, [param]);
    };
});

This script does a lot: it makes the environment report a typical Windows+Chrome setup with 4 cores, 8GB RAM, English language, an Intel GPU, and it removes the webdriver flag. The plugin list fakes a PDF plugin (which Chrome usually has).

Many of these tweaks are inspired by the open-source puppeteer-extra-plugin-stealth, which covers a broad range of evasions. In fact, stealth plugins or Selenium Stealth libraries will implement most of these for you, so you don’t have to reinvent the wheel each time.

Puppeteer Stealth example: The stealth plugin sets navigator.webdriver to false, runs --disable-blink-features=AutomationControlled (to remove the “Chrome is being controlled by automated test” hint and also patch UA), fakes out chrome.app and chrome.runtime objects (to fool detection of Chrome extensions missing in headless), etc. It also patches WebGL and other APIs as above. Using such a plugin is as simple as:

const puppeteer = require('puppeteer-extra');
const StealthPlugin = require('puppeteer-extra-plugin-stealth');
puppeteer.use(StealthPlugin());
const browser = await puppeteer.launch({ headless: true });

After this, any page you visit will have those stealth modifications applied. Many developers rely on this because it bundles dozens of small fixes (like the ones we outlined). According to ZenRows, using these stealth techniques significantly lowers the chance of anti-bot detection, as Puppeteer’s usual “bot-like” patterns are mitigated.

Important caution: As with canvas, overriding too much or incorrectly can break sites. Always test on a variety of sites after heavy modifications. Some sites might be expecting certain properties. For example, if you remove all plugins, a site that tries to use the PDF plugin might error. The ideal spoof is to provide believable values rather than null values. That’s why we often populate fake plugin data instead of leaving it empty.

6. Other Effective Spoofing Methods

Beyond the major categories above, there are several additional techniques and considerations to make your spoofing more effective:

  • Time Zone & Locale Consistency: As mentioned, ensure your reported time zone and locale match your IP’s location (if you’re using proxies). If you are scraping a site with a proxy in Europe, but your browser says timezone UTC-8 (PST), it might flag you. Many automation frameworks allow setting timezone. For instance, in Playwright:

    browser_context = browser.new_context(timezone_id="Europe/Berlin", locale="de-DE")

    This ensures Intl.DateTimeFormat and related functions align with Germany, if that’s where your IP is.

  • Font Fingerprinting: Some scripts load a hidden text in various fonts and measure widths (to see which fonts are available). You can’t easily add fonts to a headless system on the fly, but you can restrict or lie about fonts. Firefox’s resistFingerprinting makes the browser only report a generic font list to sites. In an anti-detect browser, you might be able to specify a font list. This is niche but if you know the site uses it, consider using a browser that can handle it (Tor Browser effectively does by standardizing fonts).

  • CSS Media Queries: This is a clever trick: a site can use CSS like @media (max-width: 1000px) { body::after { content: "small"; } } and then use JS to read the content of that pseudo-element to infer your screen width. Even if you spoof screen.width, if your actual window is smaller, such a query might reveal truth. The best defense is to actually set your window size to what you claim, or intercept matchMedia calls similarly to return spoofed results.

  • HTTP Headers: Fingerprint is not just JS – some is from HTTP. Ensure headers like Accept-Language match the navigator.language you set. Check that your Accept headers (like accepted MIME types) look like a normal browser’s. Most HTTP libraries let you set these, or if you use a real browser, it handles it. If using a low-level client, you might consider copying a real browser’s header order and content exactly. (Some anti-scraping solutions check header ordering which can differ by client).

  • Touch/Pointer Events: If you claim to be a mobile browser (in UA), some sites will check if you have touch events enabled (via ontouchstart in window or maxTouchPoints in navigator). Puppeteer’s device emulation or setting --enable-touch-events can make your environment support touch. Otherwise, don’t claim mobile UA if you can’t simulate touch.

  • Browser Extensions: Interestingly, having no extensions can be fingerprintable because almost everyone has at least one (like PDF plugin, or others). Of course, in automation you typically have none. We faked the PDF plugin above to mitigate this. Some anti-fingerprinting extensions like “Trace” will actually add fake plugin entries.

  • Client Rectangles & DOM consistency: Some anti-bot scripts create a bunch of DOM elements and measure their bounding rectangles to detect known discrepancies in headless Chrome. For example, one known bug was that a certain fixed element had 15px difference in Chrome headless. These issues are mostly patched in newer headless modes, but just to note, there’s a whole field of subtle DOM differences that can fingerprint automated browsers. Using the latest headless (Chrome’s new headless “stealth” mode as of v109+) or running in headful mode invisibly (with xvfb or a virtual display on Linux) can avoid these issues.

  • Using Virtual Machines or Containers: In extreme cases, people run a whole OS virtual machine to truly mimic a different device. There are anti-detect browser VMs (like FraudFox, VirtualBox setups with spoofed hardware). Those go beyond browser fingerprint to device fingerprint (MAC addresses, etc.). If you need a completely separate device identity, that’s another level. But for most web purposes, you can achieve the needed separation with the techniques we’ve covered and perhaps a good anti-detect browser software.

Finally, after applying various spoofing techniques, it’s good practice to test your resulting fingerprint. You can use tools like AmIUnique.org or FingerprintJS’s demo or CreepJS (which is a comprehensive fingerprint test by a researcher) to see what kind of fingerprint your browser has and how unique it is. If something is still blatantly unique or revealing (like webdriver=true), you know you missed a spot.

Tools and Frameworks for Fingerprint Spoofing

You might be thinking, “Wow, there are a lot of things to tweak!” – and you’re right. Doing all of the above manually is time-consuming and error-prone. Thankfully, there are tools, libraries, and browsers that help manage or automate fingerprint spoofing. Here we provide an overview of some useful ones:

Browser Extensions (Manual Browsing)

If you’re a user or developer just wanting to protect your browser sessions, several extensions can assist:

  • CanvasBlocker (Firefox) – It prevents or fakes canvas readouts to block canvas fingerprinting. Highly configurable (noise, ask for permission, etc.).
  • Trace (Chrome/Firefox) – A comprehensive anti-fingerprint extension that covers multiple vectors (User-Agent spoof, IP leak prevention, referer trimming, etc.).
  • Chameleon (Firefox) – Randomizes many fingerprint attributes on the fly (UA, timezone, platform, etc.) based on profiles. A popular choice for defeating advanced fingerprinting.
  • Privacy Badger / uBlock Origin – These are more known for blocking trackers, but they also block some fingerprinting scripts and domains. They don’t spoof data, but they can reduce tracking.
  • NoScript – By blocking all scripts by default, you essentially block most fingerprinting. But this breaks a lot of site functionality, so it’s a heavy-handed approach.
  • User-Agent Switcher – Simple extension just to rotate/spoof UA string. (Only addresses UA, so limited protection by itself.)
  • WebRTC Leak Prevent – As mentioned, toggles WebRTC behavior in Chrome to avoid IP leaks.
  • JShelter (formerly Firefox’s JSRand or Farbling) – This is a newer extension that implements “farbling” (randomizing) many API outputs on each site, to constantly give a unique fake fingerprint.

For any extension solution, remember that if you use too many or weird combos, the fact that you have those extensions can itself be fingerprintable! Extensions can be detected by websites (though it’s getting harder). Brave browser’s approach is to not rely on extensions but build in protections – it either blocks or lies in a standardized way for certain APIs and periodically randomizes others to throw off trackers.

Automation Tools and Libraries

If you’re coding a solution, consider these tools that have built-in fingerprint spoofing or stealth capabilities:

  • puppeteer-extra-plugin-stealth (Node.js) – An essential plugin for Puppeteer that automatically applies dozens of spoofing patches (navigator properties, plugins, iframe content window hacks, etc.). Using it can dramatically improve Puppeteer’s undetectability. It’s open source, so you can see exactly what it changes.
  • puppeteer-with-fingerprints (Node.js) – A plugin that goes further by fetching real fingerprint profiles from an API (FingerprintSwitcher) and applying them. As shown by ZenRows, you can fetch a profile for “Chrome on Windows” and it will set all corresponding properties (user agent, screen size, plugins, fonts, etc.) to match a real browser fingerprint. This ensures consistency across all data points. It’s a paid service for some features, but the concept is that you’re basically cloning a real device’s fingerprint.
  • Playwright stealth – While Playwright doesn’t have an official plugin, community efforts exist to port Puppeteer stealth to Playwright. Alternatively, you can use Playwright’s API to manually set things (they have browserContext.addInitScript to run JS on every page, similar to evaluateOnNewDocument).
  • undetected-chromedriver (Python) – A patched version of Selenium’s ChromeDriver that applies stealth techniques automatically. It handles things like removing the enable-automation flag, spoofing user agent, etc. Using it is as simple as: 
    import undetected_chromedriver as uc
driver = uc.Chrome()
driver.get("https://example.com")
    Under the hood it’s launching Chrome in a way that’s harder to detect. As ScrapingBee’s tests showed, tools like this can help achieve a lower detection score in something like CreepJS.
  • selenium-stealth (Python library) – It’s a helper for Selenium that can modify navigator flags, user agent, etc., similar to puppeteer-extra but for Selenium.
  • Browser automation services – Some cloud scraping services (like ScrapingBee, ZenRows, BrightData’s Browser) offer APIs where they manage a real browser with proper fingerprint spoof for you. They often let you specify what kind of device to impersonate. This offloads the work from you if you just want results.
  • curl_cffi / requests-impersonate (Python) – As discussed, this is great for TLS spoofing and general header imitation of browsers. If you don’t actually need to run JS in the browser and just need to fetch pages, this can save you from running a full browser by making your Python request look browser-like at the network level.
  • Mitmproxy with scripts – Mitmproxy (a Python proxy) can intercept requests and you can script modifications, including altering TLS ClientHello (though that’s quite advanced) or injecting JS into pages on the fly to overwrite fingerprinting functions. This is advanced and beyond typical use, but mentionable for completeness.

Anti-Detect Browsers and Multi-Profile Tools

For managing multiple identities or for a turnkey solution, there’s a class of software called anti-detect browsers. These are browsers (often Chromium-based) that are modified to allow easy fingerprint customization, targeted at marketers, researchers, or sometimes less savory uses like creating multiple ad accounts.

Some known names include:

  • Incogniton – Allows creating separate profiles each with its own fingerprint configuration. As their documentation says, each profile runs in a container with unique browser headers and attributes, making it hard to link profiles to each other. It supports automation via API with Selenium/Puppeteer, which is useful for scaling tasks.
  • Multilogin – One of the pioneers, offering browsers called Mimic (for Chrome-based) and Stealthfox (for Firefox-based). It provides a GUI to tweak everything or generate random but plausible fingerprints. Often used for multi-account management.
  • Ghost Browser, VMLogin, Kameleo, GoLogin, AdsPower, OctoBrowser – various solutions with similar concepts: they either use real browser engines with isolation, or some use a browser in a virtual machine. They often bundle proxy management as well, since using distinct IPs with distinct fingerprints is key.
  • Tor Browser – While not typically framed as “anti-detect” (it’s more about privacy/anonymity), Tor Browser is effectively an anti-fingerprint browser. It’s designed so that all users look identical. It’s great for privacy because it’s very hard to distinguish one Tor user from another if they’re all using the same version. The Tor Project pioneered many fingerprinting defenses like script hooking to mask timezones back in 2007. However, note that using Tor Browser on the open web may trigger captchas or blocks for other reasons (because websites treat Tor users warily, fingerprint aside).

Using these tools can simplify your workflow: rather than coding the spoof for each script, you configure the environment once and then just run your tasks. For example, with Incogniton, you could set up 5 browser profiles (each appearing as a different device/browser combo) and then use their API to launch each profile and perform actions. Websites would see 5 distinct users. This approach is effective for things like managing multiple social media accounts without getting them banned for being on the same device.

Real-World Applications and Case Studies

To solidify our understanding, let’s look at a few scenarios where browser fingerprint spoofing comes into play:

  • Privacy Advocates & Journalists: Privacy-conscious users often employ tools like Tor Browser precisely to avoid fingerprint-based tracking. Tor’s strategy of making all users look the same is an example of fingerprint spoofing at scale – instead of trying to be random, they try to be uniform. This has been effective in confounding advertisers who rely on fingerprinting. For instance, if you use Tor Browser, your fingerprint (user agent, screen size, etc.) will report generic values (often Windows 10 + Firefox, 1000×1000 window, UTC timezone, etc.) that do not reflect your actual device, but match other Tor users. This has allowed activists and journalists to browse without standing out, though at the cost of some usability (and potentially being flagged by sites as Tor traffic).

  • Web Scraping without Getting Blocked: A small e-commerce aggregator built a web scraper using Puppeteer to monitor product prices on competitor websites. Initially, they ran headless Chrome with default settings and got blocked almost immediately by anti-bot walls (such as Cloudflare and DataDome). By analyzing the detection, they realized the headless fingerprint was the culprit – the script had navigator.webdriver=true and the user agent contained HeadlessChrome which was known to those systems. They implemented Puppeteer stealth plugin and also started rotating user agents and IP proxies. As a result, the scraper’s fingerprint now looked much closer to a normal user’s: no webdriver flag, a proper Chrome UA, a random screen size, and even a filled navigator.plugins list. The outcome was a successful bypass of bot detection, allowing them to gather pricing data uninterrupted.

  • Multi-Account Management in Marketing: Digital marketers who manage multiple accounts (say, multiple social media or ad accounts) often face a challenge: platforms don’t want one person controlling many accounts, so they fingerprint to detect if accounts are from the same device. One real-world example is an affiliate marketer running several accounts on a marketplace site. By using an anti-detect browser (like Multilogin or Incogniton) they created separate profiles for each account, each with its own fingerprint and each routed through a distinct proxy. Account A always appeared as (for example) Chrome on macOS from New York, Account B as Firefox on Windows from London, etc. Over time, none of their accounts were flagged for being related, because the platform had no fingerprint or IP link between them. Incogniton’s team notes that this ability to have “multiple totally unconnected browser profiles” is exactly what their software is built for – and many users leverage it to avoid bans when multi-accounting. This is effectively fingerprint spoofing as a service, and it has proven very effective in marketing and e-commerce domains (though one must be cautious to stay within legal and ethical boundaries of those platforms).

  • Fraud and Cybersecurity: On the flip side, cybercriminals have used fingerprint spoofing to try to defeat fraud detection. For example, automated credit card testing bots might try to randomize their fingerprint to avoid being recognized and blocked after a few attempts. Anti-fraud companies like DataDome have responded by using more fingerprint signals and machine learning to catch even those attempts. There was a case where a bank’s anti-fraud system noticed that even though a fraudster tried to spoof his browser info, some minor fingerprint elements (like the ordering of CSS properties support and a subtle canvas quirk) linked multiple fraudulent transactions together. This allowed the bank to recognize a pattern and stop a batch of fraud. The cat-and-mouse nature of this field means fingerprint spoofing is constantly evolving.

  • Research and QA Testing: Researchers studying fingerprinting often build spoofing tools to test the effectiveness of fingerprinting defenses. For instance, the developers of CreepJS (a fingerprint testing page) tried various stealth tools themselves. They found that even with tools like undetected-chromedriver and headless, achieving a 0% detection score on CreepJS is very hard – meaning some fingerprint clues usually slip through. However, running in a real browser (headful mode) with proper spoofing can get closer. Quality Assurance teams also sometimes need to test how their site behaves for different devices/locales without actually having 50 devices – so they use fingerprint spoofing to simulate, say, an iPhone Safari or an older Android browser. This is a benign use case where being able to quickly swap fingerprints (with tools or manual overrides) aids testing.

Each of these cases highlights a common theme: consistency and believability in spoofing are key to success. Whether for good or bad, those using fingerprint spoofing effectively ensure that all the pieces of their presented identity align well, and they keep up with new fingerprint vectors as they arise.

Best Practices and Ethical Considerations

Finally, let’s summarize some best practices when implementing browser fingerprint spoofing, and touch on the ethical side:

Best Practices:

  • Keep Your Spoof Consistent: As emphasized, make sure the various attributes of your fake fingerprint don’t contradict each other. If you change one thing (e.g., UA), adjust related things (navigator properties, etc.). Many tools help with this by providing coordinated profiles. Inconsistencies can make you more detectable.

  • Use Common Profiles: Don’t try to be a unicorn. It’s safest to mimic popular browser/OS combinations. Also, moderate values (screen size, core count, etc.) that don’t sit at extremes are less likely to raise flags. (Ex: 1920×1080 is common; 1111×777 is not, unless you want to appear as a resized window.)

  • Leverage Established Libraries: There’s no need to re-invent every wheel. Libraries like puppeteer-extra-stealth or Selenium stealth scripts are battle-tested against many detection scripts. They often incorporate community discoveries of new fingerprinting tricks and provide fixes. Keeping those libraries updated will automatically improve your stealth.

  • Test, Test, Test: After spoofing, check how websites see you. Use multiple fingerprint test sites (they often focus on different aspects) to ensure nothing obvious is leaking. If one site still sees HeadlessChrome in your UA or your real canvas hash, then your spoofing isn’t working as intended. Also test real target websites if possible, to see if you get through or if they still detect automation (some might give clues in responses or logs).

  • Avoid Overdoing Randomness (for automation): While high randomness is good for privacy (so you’re never the same person twice), for a single automation session or a series of actions, you often want to appear as one persistent user. So within one browser session or one account session, keep the fingerprint stable. You might randomize between sessions, but not on every page load (unless you know the site doesn’t mind). Frequent uncontrolled changes can look weird (e.g., your device seems to “change” mid-visit).

  • Monitor Performance and Errors: Some spoofing (especially heavy JS patches) can slightly degrade performance or cause console errors. Keep an eye on your automation logs or the browser’s console. For example, messing with prototypes might inadvertently break some functionality or throw exceptions if not perfectly implemented. Aim for minimal interference beyond the necessary lies.

  • Stay Updated on Techniques: The fingerprinting landscape changes – new browser APIs (like WebGPU, Canvas fingerprint v2, etc.) give new opportunities for tracking. Keep an eye on research and community forums (like anti-detect communities or privacy research blogs) for news. For instance, if tomorrow all browsers start exposing a “DeviceSerialID” (hypothetically) and trackers start using it, you’d want to know and spoof or disable it.

Ethical Considerations:

  • Respect Terms of Service: If you’re using fingerprint spoofing to scrape or automate a site, be mindful of that site’s ToS and robots.txt. While spoofing can hide you, it doesn’t necessarily make what you’re doing legal or allowed. Companies are increasingly sensitive about unauthorized scraping or account automation. Use these techniques responsibly and within the bounds of the law.

  • Security Implications: While protecting privacy is good, note that widespread fingerprint spoofing can also aid malicious actors. As a developer or engineer, consider the flip side – if you run a website, you should know that users might be spoofing. Don’t use fingerprinting as the sole security check for high-risk actions (use multi-factor auth, behavior analysis, etc., because fingerprints can be faked). So develop a holistic approach for bot detection if you’re on that side.

  • User Consent and Transparency: If you are implementing fingerprint spoofing in a product (say, a browser extension that helps users spoof), be transparent about what it does and the possible side effects (some sites might break or show captchas). Users should have control – for example, the Tor Browser clearly states that certain features are disabled or spoofed for their own good. Surprise changes can confuse users or webmasters.

  • Avoid Collateral Damage: Some anti-fingerprinting measures can impact website revenue (like blocking scripts that are actually harmless analytics) or functionality. If you’re just coding for yourself, no problem. But if releasing to others, consider balancing privacy with web compatibility. For instance, Safari’s approach to fingerprinting is to reduce entropy of certain APIs rather than outright lie, trying to find a balance.

  • Personal Data and Fingerprinting: Remember that some jurisdictions consider fingerprints to be personal data since they can identify you. If you’re a developer handling others’ fingerprints (or spoofing them), treat it with care akin to personal data.

In conclusion, browser fingerprint spoofing is a powerful tool – whether for enhancing privacy or enabling legitimate automation, it lets you control the identity your browser presents. As developers, by understanding the intricacies of fingerprinting, we can better protect ourselves and our users, or create systems that are robust to evasion. Use these techniques ethically: protect privacy, enable innovation, but don’t abuse them for wrongdoing. And if you’re building anti-fingerprinting defenses, you now have insight into what you’re up against and can design smarter systems (or decide not to rely on fingerprinting alone).

By following the practices outlined and using the right tools, you can significantly reduce your browser’s uniqueness or make your scripts blend into the crowd, striking a balance between stealth and functionality. Happy (ethical) spoofing!

Automate Everything.

Tired of managing a fleet of fickle browsers? Sick of skipping e2e tests and paying the piper later?

Sign up now for free access to our headless browser fleet…

Get started today!