Canvas fingerprinting is a browser-fingerprinting technique that asks the browser to draw text or graphics on an HTML5 canvas, then reads the rendered pixels back as a hash. Because GPUs, graphics drivers, fonts, and anti-aliasing differ between devices, the same drawing produces subtly different output, yielding an identifier that distinguishes one browser from another.
The technique works because rendering is not perfectly standardised. Two devices asked to draw the same shapes and text produce pixel output that differs at the sub-pixel level, depending on the GPU, the graphics driver, the installed fonts, and the operating system's anti-aliasing. Hashing those pixels turns that physical variation into a compact, comparable identifier.
Canvas is one of the higher-entropy signals in a browser fingerprint: it varies widely across the population, so it carries a large share of the identifying information. It is also engine-bound. The same physical machine produces different canvas output in different browsers, because each browser ships its own rendering pipeline, so a canvas hash identifies a browser rather than a device.
In doorman-benny
In doorman-benny the canvas signal feeds the per-browser `fingerprint`, not the cross-browser `hardwareFingerprint`, precisely because its output changes between browser engines on the same machine. The hardware-versus-engine split is what lets the library recognise a device across browsers while still telling two browsers apart.
Hardware vs engine fingerprint: why one hash is not enoughFrequently asked questions
Is canvas fingerprinting the same as a cookie?
No. A cookie is a small file the site stores in the browser and the user can delete. A canvas fingerprint is computed from how the device renders graphics and is not stored in the browser at all, so clearing cookies does not change the canvas output.
Does canvas fingerprinting work across different browsers on one device?
Not on its own. Canvas output is engine-bound, so Chrome and Firefox on the same machine produce different canvas hashes. Recognising a device across browsers requires hardware-bound signals combined into a separate cross-browser identifier.
Can users block canvas fingerprinting?
Some browsers and extensions add noise to the canvas readback or block it outright, which is one reason a robust fingerprint never relies on a single signal. The injected noise is itself a detectable pattern that cross-signal consistency checks can flag.
