What your browser leaks the moment you visit a website

You don't even click a button. The first packet your browser sends to a new website already contains enough information to identify you across visits, place you geographically, and roughly profile your hardware. Here's the full list of what gets sent without your knowledge — ranked by how much it actually matters.

Privacy on the web is mostly fought over things you actively do — clicking accept on a cookie banner, logging in, granting location permission. But before any of that, a remarkable amount of information leaves your browser the instant you connect. Some of it is necessary for the connection to work. Some of it isn't and could be turned off. Most of it ends up in some advertiser's database within seconds of you visiting any major site.

This is what we measure on our Privacy Check tool — a severity-tiered breakdown of what every website receives about you without permission. Here's the same list, prose-style, with the actual privacy implications of each item.

What's sent in the TCP/HTTP handshake

Before HTML even arrives, a few things have already crossed the wire.

1. Your public IP address

Severity: highest. Your IP reveals approximately who your ISP is, approximately where you are geographically, and persistently identifies you across visits within the lifetime of your IP lease (anywhere from minutes on mobile networks to weeks on fiber).

You can't avoid sending your IP — it's how packets find their way back to you. The mitigations are using a VPN (replaces your IP with theirs), Tor (replaces with a different exit node IP every circuit), or accepting it.

2. The destination domain in TLS SNI

Severity: high. Even though HTTPS encrypts what's inside your request, the TLS handshake's Server Name Indication (SNI) field still contains the destination hostname in plaintext. Your ISP can see "you connected to twitter.com" even if they can't see what you did there. Mitigation: Encrypted Client Hello (ECH), now deployed by Cloudflare and supported in Firefox 119+. When ECH is fully rolled out (probably 2028), even SNI becomes encrypted.

3. The exact TLS handshake fingerprint (JA4)

Severity: medium-high. The combination of TLS versions, ciphers, extensions, and elliptic curves your browser supports forms a fingerprint called JA4. Different browsers (Chrome vs Firefox vs Safari) have distinctive JA4 hashes, and different browser versions have different ones too. This identifies which browser you're using before any HTTP is exchanged.

What's in the HTTP request headers

Once TLS completes, your browser sends an HTTP request. The headers are where the bulk of casual identification happens.

4. User-Agent string

Severity: medium. The User-Agent declares your browser brand and version, your operating system, and (historically) your device. Chrome moved to "User-Agent Client Hints" in 2022 which fragments this into more granular headers, but the data is still there. Sites can also re-derive it from JS feature detection, which is harder to lie about.

5. Accept-Language

Severity: medium. Your browser sends your language preferences in priority order. "en-US,en;q=0.9,fr;q=0.8" tells a website that you speak English natively, English variants secondarily, and French somewhat — which combined with your IP can reveal expat status, recent travel, or specific cultural background.

6. Accept-Encoding

Severity: low. Lists which compression algorithms your browser supports. Useful for fingerprinting older browsers but mostly innocuous on modern ones (everyone supports gzip + brotli).

7. Referer header (yes, that misspelling is permanent)

Severity: medium. When you click a link from site A to site B, the Referer header tells site B you came from site A — including the full URL of the page you were on, with any query parameters. If you clicked an affiliate link from a blog, the destination site sees the blog's URL. If you came from a search result, the destination sees the search query.

Most modern sites set Referrer-Policy: strict-origin-when-cross-origin which trims this to just the origin (no path, no query). But the default is "send everything."

What JavaScript can collect once the page loads

Now we're into the realm where the browser is helping the site collect data. Each of these is a JavaScript API the site can call.

8. Screen resolution and color depth

screen.width, screen.height, screen.colorDepth, window.devicePixelRatio. The combination uniquely identifies your monitor + window size. On a desktop with a 4K monitor at 175% scaling, this is approximately unique to you.

9. Time zone

Intl.DateTimeFormat().resolvedOptions().timeZone returns something like "America/Los_Angeles." Combined with IP geolocation, refines your approximate location. If your VPN puts you in Frankfurt but your timezone says Los Angeles, the site knows you're using a VPN.

10. Installed fonts (the fingerprinter's favorite)

Via canvas measurement tricks, a site can detect which fonts are installed on your system without you granting any permission. The exact font set is highly unique — Adobe Creative Cloud users have a specific set, Microsoft Office users have another, fresh installs have a third. This is one of the strongest fingerprinting signals available.

11. Canvas fingerprint

Site draws a specific shape with text to a hidden HTML canvas, then reads the resulting pixels. Subtle differences in font rendering, anti-aliasing, GPU drivers, and OS produce a fingerprint that's the same across visits but unique across users. Test yours on our Fingerprint tool — the hash you see is your canvas signature.

12. WebGL renderer string

Reveals your exact GPU (e.g., "NVIDIA GeForce RTX 4070" or "Apple M2 Max"). Highly identifying. Privacy browsers (Firefox with resistFingerprinting, Brave with shields up) lie about this.

13. AudioContext fingerprint

The audio rendering pipeline produces subtly different output on different hardware. Same trick as canvas, applied to audio. Adds another bit of entropy to the fingerprint.

14. Hardware concurrency

navigator.hardwareConcurrency exposes your CPU core count. Not unique on its own (most laptops are 4-12 cores), but adds entropy.

15. Device memory

navigator.deviceMemory exposes a coarse-grained RAM amount (rounds to 0.25, 0.5, 1, 2, 4, 8 GB). Originally added to help sites adapt to low-memory devices; now a fingerprinting signal.

16. Battery status

The Battery Status API was deprecated by Mozilla and Apple precisely because it was being abused for fingerprinting — sites could detect when your battery hit specific charge levels and re-identify you across sessions even after you cleared cookies. Chrome still exposes it as of 2026 but is "considering" removal.

17. Mouse movement patterns / typing cadence

Behavioral biometrics. Most sites don't bother, but ad-tech and fraud-detection companies do. Your specific rhythm of mouse curves and typing speed is identifying within the same session and somewhat persistent across sessions.

18. WebRTC IP leak

The WebRTC peer-connection API reveals your local IP and (sometimes) your public IP even when you're behind a VPN, because it bypasses the system network stack and uses STUN/ICE to discover addresses. Test on our WebRTC leak test. The fix is either disabling WebRTC entirely (privacy browsers do this), or using a VPN with WebRTC blocking built-in.

How identifying is all this combined?

The EFF's Cover Your Tracks project (formerly Panopticlick) measures real users and finds that the average browser fingerprint is unique among 1 in 200,000 users. For desktop users with installed extensions, it's typically unique among 1 in millions. Mobile users are slightly less unique (fewer installed fonts, fewer extensions) but still typically 1 in tens of thousands.

That uniqueness is persistent. Cookies clear. Browser sessions reset. But your fingerprint comes back the same every time — same fonts, same GPU, same screen, same time zone. Sites that fingerprint can re-identify you across sessions, across cookie clears, across incognito mode. The only reliable defense is to use a browser that actively makes you look like everyone else.

Defenses, ranked by effectiveness

1. Tor Browser. The strongest defense. Tor Browser specifically engineers each release to make every user look identical at the fingerprint level — same fonts, same screen size, same default settings. The cost: slower browsing because traffic routes through 3 hops, and some sites block Tor exit nodes.

2. Mullvad Browser. Tor Browser without the Tor network. Same anti-fingerprinting protections, normal network speed. Good for people who want anti-fingerprinting without anonymity-from-the-network. Free, made by Mullvad VPN.

3. Brave with Shields up. Randomizes canvas + audio fingerprints per session and per site. Doesn't try to make all users look identical, but breaks the "same fingerprint across visits" property. Reasonable middle ground.

4. Firefox with resistFingerprinting. Hidden setting (about:config → privacy.resistFingerprinting → true) that aggressively blocks fingerprinting APIs. Some sites break.

5. Chrome. Privacy Sandbox is rolling out gradual changes but Chrome is built by an advertising company. Fingerprinting protection is not a priority.

The cookie banner is the wrong battle

The GDPR era trained users to think privacy is about clicking "Reject All" on cookie banners. That's the visible layer of a much deeper problem. Cookies are the easy part to opt out of — and the part that mostly broke in 2024 when third-party cookies got phased out. Fingerprinting is what replaced them. You can't opt out of fingerprinting by clicking a banner.

The actual defense is at the browser level: pick a browser that's engineered to make fingerprinting hard, and use it consistently. Cookie banners are theatre. Browser choice is reality.

See exactly what your browser is leaking right now

Severity-tiered breakdown of 18 data points every website silently collects. Free, runs in your browser.

Run the Privacy Check →