10 Ways Websites Track You Without Cookies (2026)
You cleared your cookies. You opened an incognito window. You clicked "Reject All" on every cookie banner. And yet you're still being tracked. The cookie era is ending, but tracking has simply moved to harder-to-detect methods. Here are the 10 main ways sites identify you without a single cookie in sight.
1-4: Fingerprinting Methods (Stateless)
These methods require no storage: they reconstruct an identifier from your browser's properties on every visit.
A hidden <canvas> element renders text and shapes. Your GPU, OS, and display driver render the image with pixel-perfect uniqueness. The pixel data is hashed into your canvas fingerprint, which is stable across browser restarts and incognito mode.
Who uses it: Advertising networks, analytics platforms, fraud detection services, paywall bypass detection.
Defense: Brave Browser (adds random noise), Firefox with RFP, Canvas Blocker extension.
The WebGL API exposes your exact GPU model via WEBGL_debug_renderer_info: e.g., "NVIDIA GeForce RTX 4090 / PCIe / SSE2". Combined with shader precision and supported extensions, it creates a hardware fingerprint that identifies your specific machine.
Defense: Brave shields (blocks WebGL debug info), Firefox RFP.
Using OfflineAudioContext, a site processes a silent audio buffer through a DynamicsCompressor. The floating-point output differs minutely based on your OS, CPU, and audio hardware; the difference is imperceptible but unique and stable across sessions.
Defense: Brave shields, Firefox RFP (both add noise to audio API output).
JavaScript probes hundreds of font names by measuring text width with canvas.measureText(). If a font is installed, the measured width differs from the fallback. The list of installed fonts is specific to your device and becomes more unique with each design tool or app you install.
Defense: Brave shields, Firefox RFP, limiting installed fonts.
5-7: Storage-Based "Supercookies"
These methods use browser storage mechanisms other than HTTP cookies, many of which survive cookie clearing.
localStorage and IndexedDB can store large amounts of data that persist independently of HTTP cookies. A tracker writes a unique ID to localStorage, and it survives "Clear Cookies" operations if the user doesn't explicitly clear Site Data.
Defense: Clear "All Site Data" (not just cookies), use Firefox Container Tabs, or use a browser that isolates site storage by default.
HTTP ETags are cache validation tokens. A server sends a unique ETag with a cached resource. On the next visit, the browser sends back that ETag in an If-None-Match header, identifying you even after cookie clearing. The browser cache is used as a persistent identifier.
Defense: Clearing cache + cookies together, Private Browsing (prevents ETag caching).
HTTP Strict Transport Security (HSTS) entries are stored in the browser and persist across cookie clearing. A tracker creates a unique pattern of HSTS entries across subdomains. When you return, the tracker checks which subdomains have HSTS cached, reconstructing your identifier.
Defense: Private/incognito mode (HSTS cleared on session end), Firefox with network.stricttransportsecurity.preloadlist enabled.
8-10: Network-Level Tracking
CNAME cloaking disguises third-party trackers as first-party resources. A site points a subdomain like metrics.example.com via DNS CNAME to a tracker's servers. Browsers treat it as first-party, bypassing third-party cookie blocking and many ad blockers. The tracker can then set first-party cookies that survive restrictions.
Defense: Brave and Firefox 86+ perform CNAME uncloaking, blocking these requests. Most Chrome extensions cannot detect CNAME-cloaked trackers.
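How an uncloaking check of the kind described above can work, as an added example (not code from Brave, Firefox, or any blocker): it follows the CNAME chain of a hostname that looks first-party and flags it when a hop lands on a listed tracker domain. The DNS records and blocklist are constructed sample data under the reserved .test TLD, and the suffix match is an assumed stand-in for a Public Suffix List lookup.

```javascript
// Constructed sample data: CNAME records as a resolver would return them.
// Only metrics.example.com comes from the article; the rest is made up.
const CNAME_RECORDS = new Map([
  ["metrics.example.com", "example.tracker-collect.test"],
  ["example.tracker-collect.test", "edge7.tracker-collect.test"],
  ["cdn.example.com", "example.cdn-provider.test"],
  ["loop-a.example.com", "loop-b.example.com"],
  ["loop-b.example.com", "loop-a.example.com"],
]);
const TRACKER_DOMAINS = ["tracker-collect.test"]; // constructed blocklist
const MAX_HOPS = 8; // bound the walk so a broken zone cannot stall the check

const normalize = (h) => h.toLowerCase().replace(/\.$/, "");
// Simplification: suffix match instead of a Public Suffix List lookup.
const within = (host, domain) => host === domain || host.endsWith("." + domain);

// Follow CNAMEs from `host`; returns every name visited, in order.
function resolveChain(host, records = CNAME_RECORDS) {
  const chain = [normalize(host)];
  while (chain.length <= MAX_HOPS) {
    const target = records.get(chain[chain.length - 1]);
    if (!target || chain.includes(normalize(target))) break; // end or loop
    chain.push(normalize(target));
  }
  return chain;
}

// A request is "cloaked" when the name sits under the page's own domain
// but some hop of its CNAME chain belongs to a listed tracker.
function uncloak(host, pageDomain, records = CNAME_RECORDS, trackers = TRACKER_DOMAINS) {
  const chain = resolveChain(host, records);
  const firstParty = within(chain[0], normalize(pageDomain));
  const tracker = trackers.find((t) => chain.slice(1).some((hop) => within(hop, t))) || null;
  return { host: chain[0], chain, tracker, cloaked: firstParty && tracker !== null };
}

for (const h of ["metrics.example.com", "cdn.example.com", "loop-a.example.com"]) {
  const r = uncloak(h, "example.com");
  console.log(r.cloaked ? "BLOCK" : "allow", r.chain.join(" -> "));
}
```

A blocker that matches only on the requested hostname sees `metrics.example.com` and allows it; the decision changes only once the chain is resolved.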
Your IP address, combined with ASN (internet service provider), geolocation, and latency probes, creates a "network fingerprint." Sites ping Cloudflare and Google servers and measure RTT, revealing VPN usage, corporate networks, and geographic inconsistencies even when IP is masked.
Defense: VPN (changes IP) + Brave (limits latency probe accuracy via timing API restrictions).
WebRTC's STUN protocol exposes your local network IP and real public IP even through a VPN. A single JavaScript call can reveal your actual IP address to any website, regardless of the proxy or VPN you're using. This is one of the most common and overlooked privacy leaks.
Defense: Disable non-proxied WebRTC in browser settings or use the WebRTC leak fix guide.