A Live Demonstration

You arrived quietly.
The page knew anyway.

You did not log in. You did not fill in a form. You simply opened a URL, and within milliseconds your browser handed over dozens of pieces of personal data to the server and to the JavaScript running here. Every value below was collected passively, without asking. This is what almost every site you visit can see.

Throughout this page you will see two tags. Server means the data was extracted by the web server from your HTTP request, before any page code ran in your browser. Client means JavaScript on this page collected it after the page loaded. Server-side data cannot be blocked by ad blockers or privacy extensions.

Section 01

Network & Identity

The moment your browser made its request, the server saw your IP address. From that one number alone, anyone can derive your rough physical location, your internet provider, whether you are on a phone network or home broadband, and whether you are using a VPN. All of the values below were resolved server-side, so nothing in your browser could prevent it.

IP Trace Server

IP Address 216.73.217.113 IPV4
Reverse DNS no PTR record
CityColumbus
RegionOhio
Country 🇺🇸 United States (US)
Postal Area43216
Latitude / Longitude39.9611755, -82.9987942
ISP / CarrierAmazon.com, Inc.
Organisation / ASNAnthropic, Pbc 16509
Detected TimezoneAmerica/New_York
Currencyunknown
Calling Code+1
Your Local Time2026-07-13 20:29:53 (America/New_York)
ISP Classification Server
datacentre / hosting (amazon)
A residential IP looks very different to a datacentre IP. Banks, streaming services, and government sites use this signal to decide whether to challenge you, slow you down, or refuse the request entirely.
Proxy / Forwarding Headers Server
X_FORWARDED_FOR: 216.73.217.113
These headers indicate your traffic passed through a CDN, corporate proxy, or VPN. The chain of intermediate IPs is often visible, defeating naive anonymisation attempts.
HTTP Protocol Server
HTTP/1.1 · GET · -
Whether you connected via HTTP/1.1, HTTP/2 or HTTP/3. The exact mix of HTTP behaviours is another fingerprintable signal beyond what your browser tells the page directly.
TLS / HTTPS Server
HTTPS (details unavailable)
The exact TLS version and cipher suite negotiated. The set of ciphers your browser advertises is known as a JA3 fingerprint and is widely used by fraud-prevention services.
Referrer Server
https://walker-jones.eu/dev/infosec
If you arrived from a link, the previous URL was sent in the Referer header. Sites use this to see which campaigns, search queries, or partner sites are sending traffic. Some referrers leak private URLs.
Cookies Sent Server
0 cookies (none)
Cookies your browser already had stored for this domain were sent automatically. Third-party cookies work the same way across sites, which is how cross-site tracking works.
Section 02

HTTP Headers, In Full

Every request your browser sends carries a header bundle. Most of it is technically necessary for the web to work. Some of it is excessive: details about your browser brand and OS that no website needs to render a page correctly, but that make excellent fingerprints.

User Agent Server
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
Identifies your browser, version and OS. Used to serve compatible content but also to narrow you to one of very few people with that exact string.
Parsed Browser Server
engine: WebKit · device: desktop · ⚠ likely bot
The server already broke your user-agent into structured fields: browser, version, OS, OS version, device class. Servers do this in microseconds, no JavaScript needed.
Accept-Language Server
not sent
Your preferred languages, in priority order. A strong demographic signal: someone who reads English then Welsh is almost certainly in the UK; English then Hindi suggests India or diaspora.
Accept-Encoding Server
gzip, br, zstd, deflate
Which compression formats your browser supports. The exact ordering varies by browser version, adding to your fingerprint.
Do Not Track Server
not sent
A polite request that most trackers simply ignore. Sending it can ironically make you slightly more identifiable.
View all 10 HTTP headers your browser just sent
HeaderValue
Accept*/*
Accept-Encodinggzip, br, zstd, deflate
Hostwalker-jones.eu
Refererhttps://walker-jones.eu/dev/infosec
User-AgentMozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
X-Forwarded-For216.73.217.113
X-Forwarded-Protohttps
X-Httpson
Authorization
X-Server-Addr
Section 03

Browser & Device

Once the page loads, JavaScript can interrogate your browser directly. Every value below came from a single line of code. None of it required permission. Combined, these signals form a fingerprint often unique to your specific machine, even across incognito sessions.

Platform / OS Client
--
Operating system family. Combined with screen size and timezone, this rules out billions of other devices.
Languages Client
--
Reveals likely nationality and which other languages you read. A strong demographic signal.
Timezone Client
--
Confirms or contradicts your IP-based location. If your VPN says New York but your timezone says Berlin, trackers notice.
Screen Client
--
Window size, full screen size, colour depth, and pixel ratio. Surprisingly identifying, especially with multi-monitor setups.
CPU Cores Client
--
navigator.hardwareConcurrency exposes your logical core count. Helpful for tuning workers, useful to advertisers as a device tier proxy.
Device Memory Client
--
An approximate RAM bucket. Yet another rare-combination data point that helps fingerprint you.
Touch Support Client
--
Maximum simultaneous touch points. Distinguishes phones, tablets, and convertibles from regular desktops.
GPU / Renderer Client
--
WebGL exposes your graphics card model. Highly identifying on desktops where GPU variants are many.
Network Connection Client
--
Modern browsers expose effective network type, downlink speed and round-trip time. Useful for adaptive loading, also for device profiling.
Storage Client
--
localStorage, sessionStorage, IndexedDB. All survive page reloads and can persist hidden identifiers across visits.
Pointer Client
--
Coarse (touch) or fine (mouse). Hover capability. Tells the site whether you are on a desktop, phone, or stylus device.
Section 04

Sensors & Exotic Signals

Beyond the obvious, browsers expose a long tail of sensor and rendering APIs. Each is harmless on its own. Combined, they can identify your specific device with frightening accuracy, even if you wipe cookies, switch networks, and use private browsing.

Battery Client Mostly removed
--
Battery percentage and charging state. Was used to track users across sites by correlating exact battery values, leading most browsers to restrict or remove this API.
Gyroscope Client
tap to detect
On phones and tablets, this reveals if the device is being held still, walked with, or driven in a car. Modern browsers require user permission for this on iOS.
Audio Fingerprint Client
computing...
Your audio stack processes a silent test tone with tiny, hardware-specific differences. The result is a stable hash unique to your machine, even with cookies cleared.
Canvas Fingerprint Client
computing...
Drawing a sentence onto a hidden canvas yields different pixels for each GPU + driver + OS + font combination. One of the most powerful tracking techniques ever invented.
Installed Fonts Client
--
Some fonts are only present on certain OS versions or specific software installs. The exact list narrows you to a tiny population.
WebRTC Client
probing...
WebRTC can sometimes reveal your real IP behind a VPN, or your local-network IP. A long-standing privacy leak.
Plugins Client
--
Even modern browsers leak a small plugins list. Combined with extensions detected via side-channels, this builds further uniqueness.
Composite fingerprint generated from all of the above
computing...
If you reload, this hash will almost certainly stay the same. That is exactly the point.
A 2010 EFF study found that 84% of browsers tested had a fingerprint that was unique within the entire dataset. The maths has only got worse since.
Section 05

What Happens Next

None of this data sits idle. It is brokered, joined, sold, and resold across an ecosystem of advertisers, data brokers, fraud-prevention services, and analytics platforms. Below is the difference between the legitimate uses your browser was built for, and the abuses it now enables.

How it can be used against you

  • Behavioural advertisingYour browsing across hundreds of unrelated sites is stitched into a profile that predicts what you will buy, who you will vote for, and when you are emotionally vulnerable to a sale.
  • Price discriminationAirlines, hotels, and online stores have been caught showing different prices based on device type, location, and prior visit history.
  • Re-identification after deletingClear cookies and your fingerprint usually still matches. Trackers rebuild your identity within a few page loads.
  • Geo-restriction enforcementIP plus timezone plus language is used to block content, raise prices, or refuse service entirely.
  • Insurance and credit signalsSome scoring systems factor in device class and browsing patterns as proxies for income and risk.
  • Targeted phishingLeaked or scraped data joined with your IP makes spear-phishing emails far more believable.
  • State-level surveillanceIP plus user agent plus fingerprint is enough to identify a specific person across forums, comment sections, and leaked databases.

How to push back

  • Use a privacy-respecting browserFirefox with Enhanced Tracking Protection set to Strict, Brave, or the Tor Browser. They actively block trackers and randomise fingerprintable values.
  • Run a content blockeruBlock Origin is the gold standard. It removes the third-party scripts that do most of the tracking before they ever load.
  • Reject non-essential cookiesTedious but effective. Browser extensions like Consent-O-Matic can automate this.
  • Use a reputable VPN, but understand its limitsA VPN hides your IP from the site, but does not change your fingerprint. Pair it with a hardened browser.
  • CompartmentaliseUse container tabs (Firefox Multi-Account Containers) so banking, shopping, and social are siloed.
  • Disable risky APIsTurn off WebRTC if you do not need video calls. Disable JavaScript on untrusted sites where practical.
  • Update everythingBrowsers ship privacy fixes constantly. An out-of-date browser is a more identifiable browser.
  • Test yourselfTry coveryourtracks.eff.org or amiunique.org to see how identifiable you currently are.
Section 06

The Numbers

~84%
Browsers found uniquely identifiable in EFF fingerprinting research
300+
Tracking domains contacted by an average news website on first load
$240B
Approximate annual size of the global digital advertising market
0
Permission prompts shown for any of the data on this page

The web was originally designed to share documents. Privacy was an afterthought, then a battleground, and is now a daily negotiation between you, your browser vendor, and an industry that has every financial incentive to know more than you would willingly tell. Knowing what is being collected is the first and cheapest defence.

You cannot opt out of being seen. You can only choose how legible you make yourself.