If you’ve ever tried to stop web tracking, you’ve probably tried disabling JavaScript. But I learned a frustrating lesson after running a single fingerprint test: even when a single line of JavaScript isn’t running, your browser can still be recognizable. HTTP headers, your IP address, and characteristics of your network connection are passive signals that still carry enough data to make your browser stand out from others. Rather than relying on old tricks, your best shot at privacy is to change how your browser appears to the crowd. A few tricks have helped me so far.
I turned off JavaScript expecting to disappear
A fingerprinting test showed me privacy isn’t controlled by a single setting
I thought disabling JavaScript was my cheat code for browser privacy. I reasoned that without running scripts, canvas fingerprinting and behavioral tracking would be impossible; there would be no way for ad networks to profile me secretly. I assumed it was the one switch to flip for me to vanish.
I decided to put my theory to the test rather than assume. I ran BrowerLeaks and Cover Your Tracks fingerprinting tests with JavaScript enabled and with it disabled, then compared the results.
On BrowserLeaks, they reported that JavaScript had been disabled. On the WebGL test, I got False (JavaScript disabled), and the canvas fingerprinting test returned JavaScript Disabled. These were results that simply meant the tool couldn’t run the tests successfully because I had disabled JavaScript.
However, the results on Cover Your Tracks clearly stated: Our tests indicate that you have you are not protected against tracking on the Web.
I wasn’t anonymous, and my browser was still uniquely identifiable on the web even after I had triggered this near-nuclear option. From that point, I understood fingerprinting isn’t a clever trick I could simply disable. In reality, it mimics fingerprints in a literal sense: various small details that only make sense when brought together.
I stopped using “Incognito Mode” for privacy after learning about fingerprinting
It’s just not doing what you think it is.
Your browser shares more than scripts ever could
Passive signals keep identifying you long after JavaScript is gone
We often lump fingerprinting in with cookies, even though it operates on a totally different principle. While cookies store identifiers on the device, fingerprinting doesn’t need to store any data. It’s simply observing the characteristics the browser provides by default and stitching the pieces together. They often become a unique profile that makes you recognizable on subsequent visits.
Several of the characteristics included in fingerprinting are unrelated to JavaScript. Browser requests typically include HTTP headers that disclose valuable data points like browser type, accepted languages, and supported compression formats. The User-Agent string (now being supplemented by Client Hints) exposes browser and OS versions. Separately, CSS can reveal some of the fonts installed on your system. None of these requires any scripts.
There is also activity beneath the page level — before any content loads, the browser and server perform a TLS handshake. The way your browser performs this handshake is sufficiently consistent to serve as an identifier, known as a JA3 fingerprint. And while it’s not technically part of a fingerprint, your IP address adds more data points to the equation, narrowing down who you are and where the connection comes from. When you compare these against simply disabling JavaScript, here is the breakdown:
|
Technique |
Requires JavaScript? |
Reduced by disabling JavaScript? |
Still identifies you? |
|---|---|---|---|
|
Canvas fingerprinting |
Yes |
Yes |
No |
|
WebGL fingerprinting |
Yes |
Yes |
No |
|
HTTP headers |
No |
No |
Yes |
|
User-Agent / Client Hints |
No |
No |
Yes |
|
TLS fingerprint |
No |
No |
Yes |
|
IP address |
No |
No |
Yes |
Disabling JavaScript eliminates canvas and WebGL tests but leaves headers, TLS fingerprints, and IP address unchanged.
The paradox of privacy: Why blending in beats hiding
Making your browser unusual often makes it easier to recognize
You may believe your best bet is to stack privacy extensions, spoof your user agent, and tweak obscure settings. But this has the opposite effect because fingerprinting is a numbers game. You become less identifiable when your browser configuration starts to look like a million others, even though all your individual signals are technically visible.
Customization, which may include a niche ad blocker, a spoofed time zone, and privacy extensions, makes you stand out from the crowd. This is usually the opposite of what you wanted when you started customizing.
Privacy browsers understand this perfectly. The Tor Browser, for instance, doesn’t try to make you look unrecognizable. Rather, it makes you look like every other Tor Browser user. It gives everyone the same window size, fonts, and other configurations. You become anonymous by looking like everyone else.
The approach with Brave and Firefox is more subtle, but still the same. Brave uses farbling, or fingerprint randomization, to alter certain values in every session, stopping them from being reliably matched over time. The Resist Fingerprinting setting in Firefox trims or standardizes exposed browser data. You are not invisible in either of these browsers, but just like Tor Browser, you don’t look unusual, which counts more than blocking every tracking method.
- OS
-
Windows, macOS, Linux, Android, iOS
- Developer(s)
-
Brave
- Price model
-
Free
- iOS compatible
-
Yes
- Android compatible
-
Yes
- Desktop compatible
-
Yes
Brave is an open-source web browser focused on privacy, speed, and user control. Its standout features include Shields, which block ads, trackers, cookies, fingerprinting, and more by default, giving users granular privacy protection without the need for extensions.
What I’d actually do to make my browser harder to identify
The JavaScript toggle isn’t my first move now that I know all this. I only use the JavaScript toggle on sites I don’t trust, where any broken layout is an acceptable trade-off.
For daily browsing, the advice is to start with a privacy browser that offers fingerprinting resistance by default and never pile on extensions. I personally go with Brave for daily use and Mullvad Browser for sensitive, account-free research where I want to disappear into a crowd.
You may still choose to use a quality tracker blocker, but this must be done with the understanding that blocking trackers and resisting fingerprinting are not the same. While the former ensures requests don’t fire, the latter is concerned with how unique you look.
A VPN is valuable, but only with the understanding that it hides your IP address, and not much else. It offers no protection for your TLS fingerprint, headers, or font list. A single setting isn’t enough to make your browser disappear, but selecting the right browser to start with is often your best defense.
- OS
-
Windows, macOS, and Linux
- Developer(s)
-
Mullvad
- Engine
-
Gecko
- Price model
-
Free
Mullvad Browser is a privacy-focused, open-source web browser developed by Mullvad VPN and the Tor Project. It provides Tor-level anti-fingerprinting and tracking protection while using a standard network or VPN instead of Tor. It defaults to private mode, removes telemetry, and includes uBlock Origin for a secure, anonymous experience.
