Canvas fingerprint
Your Canvas Fingerprint
The unique hash your GPU produces when rendering text. Stable across sessions, near-impossible to spoof without hardware-aware patches.
Running fingerprint checks in your browser…
How the hash above was computed
We drew the text Scraping Central FP ⚡ twice on a hidden 240x60 canvas, in different colors with slight offset, then called canvas.toDataURL()and hashed the resulting base64 string with FNV-1a. The exact same script on a different GPU, OS, or font config produces a different hash. Run this page in Chrome vs Firefox on the same machine, you'll get different hashes because the rendering engines anti-alias differently.
Why scrapers fail this check
A headless Chrome instance on AWS without a GPU falls back to SwiftShader (software rendering). SwiftShader produces a small set of recognizable hashes that anti-bot vendors have catalogued. Even one hit of a known headless-Chrome canvas hash is often enough to issue a CAPTCHA or block.
Fixing it
- Run your headless browser on a host with a real GPU (e.g. EC2 G-series, or local hardware).
- Use
puppeteer-extra-plugin-stealth/playwright-stealthwhich inject canvas noise. - Or skip the headless browser entirely and use a residential-proxy API that handles fingerprinting for you (see the sidebar).
Frequently asked questions
→How does canvas fingerprinting work?
The site asks your browser to draw text and shapes on a hidden <canvas>. Then it calls canvas.toDataURL() to read back the pixel data and hashes it. Tiny differences in your GPU, drivers, font hinting, anti-aliasing, and subpixel rendering produce different pixels, and therefore different hashes, even between two identical-looking Chrome installs.
→Why is the canvas hash stable across sessions?
Because the inputs are stable. Your GPU, drivers, OS version, and installed fonts don't change between visits. Same inputs, same pixels, same hash. That's exactly what makes it useful for tracking, and for bot detection that wants to spot when the same hash hits a site from 1000 different IPs.
→Can I block canvas fingerprinting?
Firefox has a built-in protection (privacy.resistFingerprinting). Brave randomizes the canvas output per session. In Chrome you need an extension like CanvasBlocker. For scrapers, the more useful approach is to spoof rather than block: stealth plugins inject tiny consistent noise into the canvas readback so the hash stays stable for one session but differs across sessions.
→What does a 'bot' canvas hash look like?
Headless browsers running on cloud VMs without a real GPU produce a very small set of recognizable hashes, usually corresponding to SwiftShader or llvmpipe software rendering. Anti-bot vendors maintain blocklists of these known headless hashes.
→Does randomizing the canvas help?
It depends on how. Per-session randomization (one consistent fake hash for the whole session) looks like a real browser with unusual hardware, usually fine. Per-pixel or per-call randomization (different hash on every read) is itself a giveaway, since real browsers always return the same hash for the same input within a session.
→Is canvas fingerprinting GDPR-compliant?
If used for tracking users, no, it requires consent under GDPR and similar laws, same as cookies. If used purely for fraud/bot prevention without persistent user identification, it generally falls under legitimate interest. The line is fuzzy and being actively litigated.