You opened a website. You didn't sign up, you didn't log in, you didn't even click anything. And yet the site already knows more about you than you might expect — what browser you're using, what operating system, what language you speak, what time zone you're in, what size your screen is, and roughly where in the world you are.
This isn't tracking in the cookies-and-pixels sense. It's automatic. The information is sent as part of every HTTP request your browser makes, and there is no way to access the web without sending it. Understanding what's visible — and what isn't — is the foundation of browser privacy.
The moment your browser loads a page, the server receives:
Your browser sends a "user agent" header identifying itself. A typical one looks like this:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36That single string tells the website: your operating system (Windows 10, 64-bit), your browser (Chrome 120), and the rendering engine (WebKit, based on Blink). It's how sites decide whether to show you the mobile or desktop version, what features to enable, and which polyfills you need.
Your browser sends an "Accept-Language" header listing the languages you understand, in order of preference. Sites use this to choose which language version of content to show you. It can also be used to fingerprint you — fewer than 1 in 1,000 visitors have your exact combination of language preferences.
As covered in our IP address guide, your public IP reveals your approximate location (typically city-level) and ISP. Combined with the user agent and language, this lets sites narrow down who you are surprisingly effectively.
JavaScript can read your computer's timezone setting. Most sites do this — it's how they show times in your local zone. But it also confirms your geographic location: if your IP says Berlin but your timezone is Asia/Tokyo, sites notice.
Sites can read your screen resolution, available area, pixel ratio (Retina vs standard), and the size of your browser window. This is used for responsive design, but also for fingerprinting — your exact screen configuration is often unique.
If you've visited the site before, it can read any cookies it set previously. It can also read localStorage and sessionStorage, which persist even when cookies are blocked.
The above is sent automatically. The following requires either user permission or specific browser APIs that some sites exploit:
WebRTC is a browser technology for video and audio calls. It can reveal your private network IP address (typically 192.168.x.x) — and crucially, it can do this even when you're using a VPN.
This is one of the most common ways VPN protection silently fails. Many users believe their VPN is hiding their identity, when in fact websites are reading their real local IP through WebRTC. Browser extensions like uBlock Origin can disable WebRTC to prevent this. Some VPN providers also have built-in WebRTC leak protection.
The Battery Status API used to let sites read your battery level and charging status. It turned out this was useful for tracking (the exact battery percentage at a given moment is a near-unique identifier). Most browsers have now removed or restricted this API.
When your browser renders graphics — even invisibly — the exact pixel output depends on your GPU, drivers, OS, and font installation. Two computers will produce slightly different output even when asked to draw the same thing. Sites can render a hidden canvas and hash the output, producing a unique fingerprint that doesn't depend on cookies at all.
Sites can detect which fonts are installed on your system. This is genuinely useful for typography fallbacks but is also a strong fingerprinting signal — your exact font set is often unique.
Combine user agent, language, timezone, screen resolution, pixel ratio, plugins, fonts, canvas rendering, and WebGL output, and you typically get a unique signature for each user. This is "browser fingerprinting" — tracking that works even when cookies are blocked and identifiers are cleared.
The Electronic Frontier Foundation's Panopticlick research found that around 80% of visitors have a unique browser fingerprint. Cover Your Tracks (the modern version) lets you see how identifiable yours is.
Use a privacy-focused browser. Brave, Firefox with hardened settings, and Tor Browser all provide stronger defaults against fingerprinting. Safari has good defaults but is iOS/Mac only.
Block JavaScript on untrusted sites. Most fingerprinting techniques require JavaScript. Extensions like NoScript or uBlock Origin let you control which sites can run scripts.
Disable WebRTC. If you don't use video calling in your browser, disable WebRTC entirely. uBlock Origin has a checkbox for this.
Use a VPN with WebRTC protection. A VPN alone doesn't stop WebRTC leaks. Check that your VPN provider explicitly blocks WebRTC, or use a browser extension to disable it.
Resist canvas fingerprinting. Some browsers (Brave, Firefox with privacy.resistFingerprinting enabled, Tor Browser) add small randomisations to canvas output, breaking the fingerprint.
Browser privacy is a layered problem. No single setting fixes everything — it's a stack of decisions about how identifiable you want to be.
The best way to understand this is to see it. Go to criply.co/network/browser-info and you'll see exactly what your current browser, with your current settings, reveals to every website you visit. Nothing on that page is sent to our servers — the information is collected and displayed entirely in your browser.
7 practical ways to work with PDFs faster. Free, instant download.
Use our free Browser Info tool — works in your browser, nothing to install.
Browser Info — Free