Font fingerprinting is a browser tracking technique that silently reads the list of fonts installed on your device using JavaScript: no cookies, no storage, nothing you can delete. Your combination of installed fonts is surprisingly unique, and websites use it to identify you across sessions and across different websites. You can see which signals your browser exposes right now on whatsmy.fyi.
TL;DR
Font fingerprinting works by measuring how your browser renders text in hundreds of different fonts. If a font is installed, text renders at a specific width; if it is not, the browser falls back to a default font with different dimensions. By probing 300–700 font names in milliseconds, a script can assemble a detailed map of your installed fonts, a combination so distinctive it can add 10–15 bits of entropy to your fingerprint, enough to distinguish you from tens of thousands of other users.
What Is Font Fingerprinting?
Font fingerprinting exploits the fact that every device ships with a different selection of fonts. The fonts you have installed depend on your operating system, the applications you have installed, whether you have manually added custom fonts, and your system language. A fresh macOS installation ships with Apple's built-in typefaces. A Windows machine adds its own set. A Linux user running a design suite may have hundreds of additional fonts loaded from Adobe, Google, or other sources. Each combination is effectively a fingerprint.
Unlike cookies, font fingerprinting leaves nothing on your device. It does not write to local storage, set a tracker, or ask for permission. It simply reads data that is already publicly accessible through the browser's standard font rendering APIs. The Electronic Frontier Foundation's Cover Your Tracks tool consistently identifies font enumeration as a meaningful contributor to overall browser fingerprint entropy.
Font fingerprinting is one signal within the broader family of browser fingerprinting techniques. It is often deployed alongside canvas, WebGL, and audio fingerprinting to build a high-confidence cross-session identifier.
How Does Font Fingerprinting Work?
There are two distinct technical methods used in practice. Both accomplish the same goal (detecting which fonts are present) but through different browser APIs.
Method 1: CSS Text Measurement (measureText)
The most common approach uses the Canvas API's measureText() method or CSS rendering to measure the pixel width of a string rendered in a specific font. The script renders the same string three times: once in a known fallback font (such as monospace), once in serif, and once requesting the font under test. If the width of the requested font matches the fallback exactly, the font is not installed. If the width differs, the font is present and is being used for rendering.
This comparison is performed for every font in the probe list, typically 300 to 700 font names. The entire scan completes in under 100 milliseconds and runs entirely in JavaScript without any visible effect on the page.
Method 2: Canvas Pixel Rendering
A more precise variant draws text onto a hidden canvas element in the target font, extracts the resulting pixel data with canvas.toDataURL(), and compares the pixel output to the output produced by a known fallback. If the pixel arrays differ, the requested font was used, meaning it is installed. This method is harder to spoof because it captures subtle rendering differences rather than just measuring text width.
```javascript
// Simplified font fingerprinting via measureText
function detectInstalledFonts(fontList) {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');
  const testString = 'mmmmmmmmmmlli'; // letters sensitive to width variation
  const baseFonts = ['monospace', 'sans-serif', 'serif'];
  const testSize = '72px';

  // Measure each base font width (the fallback widths)
  const baseWidths = {};
  for (const base of baseFonts) {
    ctx.font = `${testSize} ${base}`;
    baseWidths[base] = ctx.measureText(testString).width;
  }

  const detected = [];
  for (const font of fontList) {
    for (const base of baseFonts) {
      // If the measured width differs from the fallback, the font is installed
      ctx.font = `${testSize} '${font}', ${base}`;
      const width = ctx.measureText(testString).width;
      if (width !== baseWidths[base]) {
        detected.push(font);
        break;
      }
    }
  }
  return detected; // Array of installed font names
}
```
How Unique Is a Font Fingerprint?
Font enumeration contributes substantial entropy to the browser fingerprint. The table below summarises key research findings.
| Finding | Value | Source |
|---|---|---|
| Entropy added by font list alone | 10–15 bits | EFF Panopticlick study |
| Average fonts installed per desktop device | 50–200 | BrowserLeaks / field research |
| Fonts probed by a typical fingerprinting script | 300–700 | BrowserLeaks Font Test |
| Time to complete full font probe | < 100 ms | BrowserScan / field measurement |
| Websites in top 10,000 using font detection | ~38% | Browser Fingerprinting Survey (arXiv) |
| Users uniquely identified with fonts + 4 other signals | > 99% | Commercial fingerprinting platforms |
The 10–15 bits of entropy provided by fonts alone means your font list distinguishes you from roughly 1,000 to 32,000 other users. When combined with canvas output, WebGL renderer data, screen dimensions, and timezone, the combined fingerprint approaches the uniqueness of a cookie, without storing anything on your device.
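The bits-to-users arithmetic above, carried through as an added example (not code from the original article): it computes the anonymity set and surprisal in bits for each font list in a constructed population of eight devices. The function names and the device font lists are assumptions made for illustration.

```javascript
// Added example: entropy of font lists over a CONSTRUCTED population.
// Function names and font lists are illustrative assumptions.

// Order- and case-insensitive key for a set of detected fonts.
function fontKey(fonts) {
  return [...new Set(fonts.map((f) => f.trim().toLowerCase()))].sort().join('|');
}

// 2^bits: the population size in which a signal of that many bits is about 1-in-N.
function bitsToPopulation(bits) {
  return Math.round(2 ** bits);
}

function fontEntropyReport(population) {
  const counts = new Map();
  for (const fonts of population) {
    const key = fontKey(fonts);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let shannonBits = 0;
  const rows = [];
  for (const [key, anonymitySet] of counts) {
    const p = anonymitySet / population.length;
    shannonBits -= p * Math.log2(p); // expected information over the population
    rows.push({ key, anonymitySet, surprisalBits: -Math.log2(p) });
  }
  rows.sort((a, b) => b.surprisalBits - a.surprisalBits); // rarest lists first
  const uniqueDevices = rows.filter((r) => r.anonymitySet === 1).length;
  return { shannonBits, uniqueDevices, rows };
}

// Constructed sample: stock installs share a list, extra fonts make a device unique.
const stockWindows = ['Arial', 'Segoe UI', 'Times New Roman'];
const stockMac = ['Arial', 'Georgia', 'Times New Roman'];
const samplePopulation = [
  stockWindows, stockWindows, ['segoe ui', 'arial', 'times new roman'], stockWindows,
  stockMac, stockMac,
  [...stockWindows, 'Fira Code', 'JetBrains Mono'], // developer machine
  [...stockMac, 'Cascadia Code'],                   // another developer machine
];

console.log(fontEntropyReport(samplePopulation), bitsToPopulation(10), bitsToPopulation(15));
```

The two devices with extra programming fonts each carry 3 bits of surprisal in this sample, against 1 bit for the stock Windows list shared by half the population.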
Who Uses Font Fingerprinting in the Real World?
Advertising Networks and Cross-Site Tracking
Ad-tech platforms embed font detection scripts inside third-party ad tags and tracking pixels. As third-party cookies are phased out across Chrome, Safari, and Firefox, font fingerprinting has grown in importance as a stable cross-session identifier. Unlike cookies, it cannot be cleared, blocked by a cookie notice, or expired. Major data brokers layer font lists with dozens of other signals to build persistent profiles that follow users across the web.
Fraud Detection and Risk Scoring
Security platforms use font fingerprints to detect account takeovers and credential stuffing. If a returning user's font list differs dramatically from the stored profile (for example, because an attacker is using a fresh virtual machine with minimal fonts), it raises a risk signal. Font consistency across sessions is a valuable passive signal for legitimate device verification.
Paywall and Anti-Bot Enforcement
Publishers and subscription services use font fingerprinting to enforce article limits on users who reset their metered access by clearing cookies. Because the font profile reflects the underlying operating system and installed applications rather than browsing state, it persists through cookie deletion, private mode, and even some VPN configurations.
Design and Creative Tools
A small number of legitimate web applications, such as online design editors, use font detection to show only the fonts a user actually has installed, avoiding broken previews. This use case is typically disclosed and benefits the user directly. It is the exception rather than the rule.
Is Font Fingerprinting Legal?
Under the GDPR, font fingerprinting constitutes processing of personal data when the resulting identifier can be linked to an individual. The French data protection authority (CNIL) has explicitly classified browser fingerprinting, including font enumeration, as requiring informed consent unless a narrow legitimate interest exemption applies, such as fraud prevention. Under the US CCPA and CPRA, font fingerprint data is treated as personal information subject to opt-out rights.
The W3C Fingerprinting Guidance identifies font enumeration as a "high-entropy passive fingerprinting surface" and advises browser vendors to restrict access to locally installed fonts. Enforcement remains inconsistent globally.
How to Protect Yourself from Font Fingerprinting
These options are ranked from strongest protection to most practical for daily use.
- Tor Browser (strongest protection): Tor Browser restricts pages to a fixed set of fonts shipped with the browser itself. Your locally installed fonts are completely invisible to websites, and every Tor user presents an identical font list, making font-based identification impossible. The trade-off is slower browsing due to the Tor network.
- Brave Browser (recommended for daily use): Starting with version 1.39, Brave randomizes the font list exposed to web pages. Instead of revealing your real installed fonts, it returns a shuffled and trimmed subset that changes per site and per session. This prevents cross-site tracking while keeping the browser fully functional.
- Firefox with privacy.resistFingerprinting: When this flag is enabled in about:config, Firefox restricts font access to the standard set of fonts shipped with your operating system; custom or application-installed fonts are hidden. Some pages that rely on locally installed fonts for rendering may behave unexpectedly.
- Avoid installing unusual fonts: Each additional non-standard font increases the uniqueness of your font fingerprint. Designers and typographers who install large professional font libraries are significantly more identifiable than users who stick with system-default fonts. If privacy is a priority, minimise extra font installations.
- Use a VPN, but understand its limits: A VPN masks your IP address but has absolutely no effect on the font list your browser exposes. It removes one layer of tracking but does not address fingerprinting. You can verify whether your VPN is working correctly on whatsmy.fyi.
- Browser extensions (limited effectiveness): Extensions like CanvasBlocker (Firefox) can intercept measureText() and canvas calls and return spoofed values. However, font spoofing is an active arms race: some fingerprinting scripts detect implausible results and fall back to other methods. Extensions are a supplementary measure, not a primary defence.
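Intercepting measureText() also makes the probe itself observable. The following added example (not from the original article, and not how any named extension works) flags the pattern described earlier: one fixed string measured across many distinct font families within a short time window. The thresholds, function names and both sample logs are assumptions.

```javascript
// Added example: flag font-probe bursts in a log of measureText calls (names/thresholds assumed).
const GENERIC = new Set(['serif', 'sans-serif', 'monospace', 'cursive', 'fantasy', 'system-ui']);

// First family in a canvas font shorthand such as "72px 'Fira Code', monospace";
// null when the shorthand is unparseable or names only a generic family.
function requestedFamily(fontCss) {
  const m = /\d+(?:\.\d+)?(?:px|pt|em|rem|%)(?:\/\S+)?\s+(.+)$/.exec(fontCss);
  if (!m) return null;
  const first = m[1].split(',')[0].trim().replace(/^["']|["']$/g, '').toLowerCase();
  return GENERIC.has(first) ? null : first;
}

// calls: [{ t: milliseconds, font: ctx.font value, text: measured string }]
function detectFontProbing(calls, { windowMs = 250, minFamilies = 50 } = {}) {
  const byText = new Map(); // a probe measures ONE fixed string in many families
  for (const c of [...calls].sort((a, b) => a.t - b.t)) {
    const fam = requestedFamily(c.font);
    if (!fam) continue; // baseline measurements of generic families are ignored
    if (!byText.has(c.text)) byText.set(c.text, []);
    byText.get(c.text).push({ t: c.t, fam });
  }
  let best = { flagged: false, families: 0, text: null };
  for (const [text, events] of byText) {
    const inWindow = new Map(); // family -> occurrences inside the sliding window
    let lo = 0;
    for (const ev of events) {
      inWindow.set(ev.fam, (inWindow.get(ev.fam) || 0) + 1);
      while (ev.t - events[lo].t > windowMs) {
        const old = events[lo++].fam;
        if (inWindow.get(old) === 1) inWindow.delete(old);
        else inWindow.set(old, inWindow.get(old) - 1);
      }
      const n = inWindow.size;
      if (n > best.families) best = { flagged: n >= minFamilies, families: n, text };
    }
  }
  return best;
}

// Constructed logs: a 300-font probe finishing in about 90 ms, and ordinary chart labelling.
function sampleProbeLog() {
  const log = [];
  for (let i = 0; i < 300; i++)
    for (const base of ['monospace', 'sans-serif', 'serif'])
      log.push({ t: i * 0.3, font: `72px 'Probe Font ${i}', ${base}`, text: 'mmmmmmmmmmlli' });
  return log;
}
function sampleBenignLog() {
  return ['Title', 'Axis label', 'Legend', '42%'].map((text, i) => (
    { t: i * 16, font: i % 2 ? "12px 'Inter', sans-serif" : '14px Georgia, serif', text }));
}
```

In a browser, the log would come from wrapping `CanvasRenderingContext2D.prototype.measureText` before page scripts run and recording `this.font`, the text and `performance.now()` on each call. A probe that spreads its measurements over several seconds falls under the default window, so the thresholds need tuning against real traffic.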
Frequently Asked Questions
Does font fingerprinting work in incognito or private mode?
Yes. Private browsing prevents your browser from saving history, cookies, and session data, but it does not change which fonts are installed on your system. Your font fingerprint is identical in a private window and in a normal window. Only browsers with active font protection, such as Brave or Tor Browser, present a different font profile in private mode.
Can a VPN stop font fingerprinting?
No. A VPN encrypts your traffic and changes your visible IP address, but it has no access to your browser's rendering engine. Font fingerprinting reads data from your operating system's font registry through the browser's JavaScript API, a layer entirely unaffected by your network configuration. To protect against font fingerprinting, use Brave, Firefox with privacy.resistFingerprinting, or Tor Browser.
How many fonts does a fingerprinting script actually check?
Typical production scripts probe between 300 and 700 font names. The probe list includes common system fonts (Arial, Times New Roman, Georgia), OS-specific fonts (San Francisco on macOS, Segoe UI on Windows), application fonts installed by Adobe Creative Cloud, Microsoft Office, or Google Drive, and language-specific fonts for Chinese, Arabic, Hebrew, and other scripts. The full scan completes in under 100 milliseconds and is entirely invisible to the user.
Is font fingerprinting different from canvas fingerprinting?
They are related but distinct. Canvas fingerprinting reads pixel-level rendering differences caused by your GPU, graphics driver, and OS text renderer. Font fingerprinting specifically detects which fonts are installed by measuring text dimensions or comparing canvas pixel output per font. They are frequently deployed together because they are complementary: canvas captures hardware-level variation, while font enumeration captures software-level variation from installed applications. See the canvas fingerprinting guide for a detailed comparison.
Are designer or developer machines more trackable via fonts?
Yes, significantly. A designer running Adobe Creative Cloud may have 500 or more additional fonts loaded beyond the system default. A developer who has installed programming fonts like JetBrains Mono, Fira Code, or Cascadia Code adds additional unique signals. Each non-standard font narrows the pool of users who share the same font profile, making individual identification much easier. Heavy font users who value privacy should use Brave's font randomisation or Tor Browser.
Does clearing cookies or resetting my browser remove my font fingerprint?
No. Font fingerprinting derives its identifier from the operating system's font registry, not from any data stored in the browser. Clearing cookies, deleting local storage, resetting browser settings, or even reinstalling the browser has no effect on the font list your system exposes. The fingerprint changes only if you install or remove fonts, or switch to a browser that actively restricts font enumeration.
What is the difference between font fingerprinting and browser language fingerprinting?
Both are passive fingerprinting signals that reveal information about your system without requiring user action. Font fingerprinting enumerates your installed typefaces, a software-level signal influenced by your applications and language preferences. Browser language fingerprinting reads the Accept-Language HTTP header and the navigator.languages API to detect your preferred languages, a configuration-level signal. Both contribute to the same composite fingerprint. See the browser language fingerprinting guide for more detail.



