What is Canvas Fingerprinting?
Canvas fingerprinting is a browser fingerprinting method that draws hidden text and shapes with the HTML5 Canvas API and hashes the resulting pixel data. Small differences in GPU, graphics drivers, fonts, and anti-aliasing make the output vary between devices while staying stable on any one device, producing a durable identifier.
How canvas fingerprinting works
A script creates a canvas element that is never displayed, draws test content onto it — text in specific fonts, overlapping shapes, gradients, sometimes emoji — and reads the pixels back with toDataURL or getImageData. The returned bytes are hashed, and that hash is the fingerprint. The whole process takes milliseconds and is invisible to the visitor.
The hash differs between machines because rendering passes through the device's entire graphics stack: the GPU model, driver version, operating system rasterizer, installed font files, and anti-aliasing and subpixel-smoothing settings each nudge pixel values slightly. On the same machine the output is deterministic, so the identifier is stable across visits. A related technique, WebGL fingerprinting, renders 3D scenes and additionally reads GPU vendor and renderer strings for even more entropy.
Why it matters for scraping and proxies
Canvas hashes are among the highest-entropy single signals in a fingerprinting stack, and they survive everything that cookie deletion and IP rotation are meant to reset. A scraper that rotates residential IPs but presents one unusual canvas hash from every address has effectively signed each request with the same pen, and detection systems use exactly that linkage to connect sessions.
Automation infrastructure is especially exposed. Headless browsers running on servers often render through software rasterizers instead of consumer GPU stacks, producing hashes that cluster in ranges detection vendors already catalogue. Cross-checks make it worse: a user agent claiming Chrome on Windows paired with a Linux software-rendered canvas output is a strong automation indicator.
Practical notes and misconceptions
Blocking the Canvas API outright does not restore anonymity — an empty or error response to a canvas read is rare among real visitors and is itself a signal. Noise-injection extensions that randomize pixel values are detectable too: a script can draw the same content twice and compare, since genuine hardware returns identical results while injected noise produces two different ones.
Antidetect browsers therefore aim for consistent spoofing: returning a plausible, stable hash that matches the claimed platform. The practical rule for scraping teams is that canvas evidence must agree with the rest of the presented identity — user agent, fonts, WebGL data, and exit IP location included.
Canvas Fingerprinting, answered
Why does the same canvas code produce different images on different devices?
Does blocking the Canvas API stop canvas fingerprinting?
Related terms
Theory covered. Now route something. Start free.
Residential, ISP, mobile and IPv6 networks under one account — test the concepts on real infrastructure.