Browser fingerprint detection research and sources
The public research, captured payloads, detector teardowns, and open-source projects behind the audit's claims about which fingerprint signals are read in practice.
Where these checks come from
Findings that say “read in the wild by” cite one of the sources below, with the probe name or field key so you can check the claim rather than take our word for it. Everything here is public research. We have no vendor’s source code, and naming a system is neither an endorsement nor an accusation — it is a statement about what the published artifacts show it collecting.
Most checks on this page cite nothing at all, and that is the honest result: they are derived from what the web platform itself guarantees — that two APIs describing one fact have to agree — rather than from watching any particular detector.
Kasada
cited by 64 checksA deployed bytecode-VM anti-bot. Its payload script collects 427 browser probes per page load, and the published teardown enumerates every one of them — which makes it a ground-truth list of what a commercial detector actually reads.
Read from a public reverse-engineering writeup and the decompiled script it publishes. We have no access to Kasada's source or its server-side scoring.
PerimeterX / HUMAN
cited by 40 checksA deployed collector. Its ev1/ev2 payloads carry 200+ fields under obfuscated keys; a public RE study decodes them against real captures, so each field can be traced to the browser API that produced it.
Read from a public reverse-engineering study and the deployed scripts it archives. Field keys cited in the findings are that study's decodings, not documentation from the vendor.
DataDome
cited by 15 checksA deployed collector. A public RE project publishes a real captured payload — 232 fields under six-character obfuscated keys, with the values a live browser actually sent — so a field can be matched to the API that produced it by its own value. A companion project disassembles the bytecode VM that builds it.
Read from a public captured payload and a public VM disassembly. Field keys cited in the findings are our readings of that capture, not documentation from the vendor, and the keys are per-deployment rather than stable — a key quoted here identifies a signal, not a permanent name for it.
Akamai
cited by 15 checksBot Manager v2. A public analysis of its ~512KB sensor script inventories the signal categories it collects — browser fingerprint, hardware, behavioural, JavaScript environment, timing and network — which is why findings cite it for a category rather than a field key.
The weakest of the sources cited here, and worth saying so: it is a categorised inventory rather than a decoded payload, so it establishes that Akamai reads a signal without pinning the exact probe. Findings citing it say only what that inventory says.
CreepJS
cited by 38 checksAn open-source fingerprint research tool, and the origin of the lie-detection method this whole page is built on: compare a browser against itself rather than against a population.
A research tool, not a commercial detector. Where a finding names CreepJS it means the technique is demonstrated there — not that anything is scoring you with it.
Scrapfly
cited by 2 checksA scraping-API vendor that publishes detection research and a public browser-fingerprint tool. Their write-up of the Math.tanh OS oracle — V8 swapping to std::tanh in Chrome 148, exposing the host C library's rounding — is the source of this audit's OS check; their fingerprint tool's signal inventory (EME/DRM, WebGPU, media devices) confirms which surfaces a commercial detector reads.
Rebrowser
cited by 1 checkAn open-source patch set for Puppeteer and Playwright that documents how CDP-driven automation leaks — Runtime.enable exposing execution contexts, sourceURL traces, main-world execution — and patches each. Its write-ups are the source for this audit's CDP-leak checks, read as a catalogue of what those leaks look like from the detector's side.
A stealth-tooling project, not a detector. Where a finding names Rebrowser it means the leak is documented there; the check measures the leak, it does not use their patches.
reCAPTCHA / BotGuard
cited by 1 checkGoogle's reCAPTCHA anti-bot. A public reverse-engineering project disassembles and emulates its “old” BotGuard bytecode VM until a token is produced, and ships the real loader script — which is where the one signal we take from it lives: the loader depends on Trusted Types producing a genuine, eval-able TrustedScript.
A token solver, not a signal payload, so it exposes only the surface its own loader touches rather than a field inventory. Cited by a single finding, on the strength of the loader's visible dependency, not a decoded probe list.
CloakBrowser issues
cited by 9 checksThe public issue tracker of a stealth browser. Each bug report where a detector caught the browser is a detection signal stated from the wrong side — read inverted, the tracker is a catalogue of what real anti-bots check, confirmed against a shipping product.
A bug tracker, not a detector. A cited issue establishes that some real system caught this signal against CloakBrowser; it does not name which vendor, and the reporter's diagnosis is theirs, not ours.