Canvas Fingerprint
Last updated: 2026-02-28
What Is Canvas Fingerprinting
Canvas fingerprinting is a type of browser fingerprinting technique that uses the HTML5 Canvas API to have the browser draw specific shapes and text, then identifies users based on subtle differences in the results.
Even when executing the same drawing commands, differences in GPU type, graphics driver version, OS font rendering engine, and anti-aliasing implementation produce different results at the pixel level. These differences are converted into hash values and used as a "fingerprint" to identify devices.
Technical Mechanism
Canvas fingerprint generation follows these steps:
- Create a hidden Canvas element using JavaScript
- Draw specific text (using multiple fonts, sizes, and colors), shapes (gradients, curves, shadows, etc.), and image processing (blend modes)
- Retrieve pixel data using canvas.toDataURL()
- Calculate a hash of the retrieved data to create the fingerprint
This process completes in milliseconds without the user's knowledge. Because, unlike cookies, it stores no data in the browser, it is difficult for users to delete or block.
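From the defender's side, the draw-then-read sequence in the steps above can be observed by wrapping the two calls involved. This is an added example, not code from the original page: `watchCanvasReadback`, the `report` callback, the fake classes and the "not attached to the DOM" heuristic are assumptions made for illustration.

```javascript
// Added example: report the "draw text, then read the pixels back" sequence.
// Assumption: in a browser you would pass HTMLCanvasElement.prototype and
// CanvasRenderingContext2D.prototype; "not attached to the DOM" is this
// example's stand-in for the page's "hidden Canvas element".
function watchCanvasReadback(CanvasProto, ContextProto, report) {
  const drawn = new WeakMap(); // canvas -> text drawn on it so far
  const fillText = ContextProto.fillText;
  ContextProto.fillText = function (text, ...rest) {
    drawn.set(this.canvas, [...(drawn.get(this.canvas) || []), String(text)]);
    return fillText.call(this, text, ...rest);
  };
  const toDataURL = CanvasProto.toDataURL;
  CanvasProto.toDataURL = function (...args) {
    const text = drawn.get(this) || [];
    report({
      suspicious: text.length > 0 && !this.isConnected,
      text,
      size: `${this.width}x${this.height}`,
    });
    return toDataURL.apply(this, args); // the page still gets its data
  };
}

// Constructed stand-ins so the example also runs under Node without a DOM.
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
}
class FakeCanvas {
  constructor(width, height, isConnected) {
    Object.assign(this, { width, height, isConnected });
    this.context = new FakeContext(this);
  }
  getContext() { return this.context; }
  toDataURL() { return "data:image/png;base64,"; }
}

function demo() {
  const events = [];
  watchCanvasReadback(FakeCanvas.prototype, FakeContext.prototype, (e) => events.push(e));
  const probe = new FakeCanvas(240, 60, false); // never added to the page
  probe.getContext("2d").fillText("constructed probe text", 2, 15);
  probe.toDataURL();
  const chart = new FakeCanvas(800, 600, true); // visible, attached canvas
  chart.getContext("2d").fillText("Q1 revenue", 10, 20);
  chart.toDataURL();
  return events;
}
```

Calling `demo()` returns one report per readback; only the detached canvas that drew text before calling `toDataURL()` is marked suspicious.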
Research shows that Canvas fingerprinting alone has a uniqueness of about 50%, but when combined with WebGL information, AudioContext fingerprinting, and font lists, identification accuracy exceeds 90%.
Real-World Use Cases
- Ad tracking: Combined with tracking pixels and cookies, it is used to re-identify users who have deleted their cookies.
- Fraud detection: Banks and online services use it to determine whether the device at login differs from the usual one. This is one of its legitimate uses.
- Bot detection: Automation tools and headless browsers produce Canvas rendering results that differ from real browsers, which makes Canvas rendering useful for bot identification.
While Canvas fingerprinting raises privacy concerns, its use for fraud detection and security purposes also helps protect users.
Countermeasures
- Tor Browser: Prompts the user for confirmation when Canvas API is called and returns blank data unless permitted. Designed so all users have an identical fingerprint.
- Firefox's resistFingerprinting: Enabling privacy.resistFingerprinting in about:config adds noise to Canvas rendering results, reducing uniqueness.
- Canvas Blocker extension: Blocks Canvas API calls or injects random noise to change the fingerprint with each visit.
- Browser isolation: In a remote browser isolation environment, Canvas rendering occurs in a virtual browser in the cloud, so the user's actual device information is not leaked.
However, blocking Canvas can paradoxically become a fingerprinting signal in itself: users who block it are a minority and therefore stand out. An approach like Tor Browser's, where "everyone is the same," is the most effective.
Practical Countermeasures and Browser-Specific Settings
Countermeasures for Canvas fingerprinting vary significantly in configuration and effectiveness depending on the browser. Familiarize yourself with the specific setup steps for each browser.
Firefox: Open about:config and set privacy.resistFingerprinting to true. Enabling this setting standardizes Canvas rendering results, unifies timezone reporting to UTC, and activates multiple protections that reduce fingerprint uniqueness simultaneously. However, some websites may display incorrectly as a side effect, requiring individual exception settings for affected sites.
Brave: Canvas fingerprint protection is enabled by default. Brave injects random noise into each Canvas API call, generating a different fingerprint with every visit to the same site. Adjust the strength under brave://settings/shields → "Fingerprint blocking."
Tor Browser: Provides the strongest protection. Uses a "uniform rendering" approach that makes Canvas rendering results completely identical for all users. Displays a confirmation dialog when Canvas API is called and returns blank data unless the user explicitly permits it. Since all users share the same fingerprint, individual identification becomes impossible.
CanvasBlocker extension: A Firefox add-on that provides fine-grained control over Canvas API behavior. Multiple modes are available: "return fake values," "block the API," or "ask for permission." Per-site whitelist settings allow Canvas to function on legitimate sites (map services, online games, etc.) while blocking it elsewhere.
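The difference between the per-visit noise approach (Brave, CanvasBlocker) and the uniform-output approach (Tor Browser) can be seen in a small model. This is an added example, not code from the original page: the pixel buffers, device profiles and the FNV-1a hash are constructed stand-ins for real canvas output and for whatever hash a fingerprinting script uses.

```javascript
// Added example: a constructed model of the countermeasures, not real canvas output.
// FNV-1a stands in for whatever hash a fingerprinting script applies.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Same draw commands on every device; the GPU/driver/font stack ("profile")
// changes one anti-aliased pixel. Constructed for illustration.
function render(profile) {
  const px = Uint8Array.from({ length: 64 }, (_, i) => (i * 37) & 0xff);
  px[10] = (px[10] + profile) & 0xff;
  return px;
}

// carol runs exactly the same hardware and software as alice.
const DEVICES = { alice: 1, bob: 2, carol: 1 };

const DEFENSES = {
  none: (px) => px,
  // Per-visit noise: flipping one low-order bit is enough to change the hash.
  noise: (px, visit) => {
    const out = px.slice();
    out[visit % out.length] ^= 1;
    return out;
  },
  // Uniform output: every device returns the same blank data.
  uniform: (px) => new Uint8Array(px.length),
};

function evaluate(defense) {
  const fp = (profile, visit) => fnv1a(DEFENSES[defense](render(profile), visit));
  const first = Object.values(DEVICES).map((p) => fp(p, 1));
  const second = Object.values(DEVICES).map((p) => fp(p, 2));
  return {
    distinctFingerprints: new Set(first).size, // how many groups the 3 devices split into
    sameOnNextVisit: first.every((h, i) => h === second[i]), // can visits be linked?
  };
}

function compareDefenses() {
  return Object.fromEntries(Object.keys(DEFENSES).map((d) => [d, evaluate(d)]));
}
```

In this model, noise leaves devices distinguishable within one visit but breaks linking between visits, while uniform output puts all three devices in a single group.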
To learn more about this topic, see Browser Fingerprinting: How Tracking Works and How to Defend Against It.
Common Misconceptions
- Canvas fingerprinting alone can completely identify an individual
  - Canvas fingerprinting alone has a uniqueness of about 50%. Devices with the same GPU and drivers return the same results. Identification accuracy increases when combined with other fingerprinting techniques.
- Deleting cookies prevents Canvas fingerprinting
  - Canvas fingerprinting stores nothing in the browser. It is generated from the device's hardware and software characteristics, so it cannot be prevented by deleting cookies or using incognito mode.