fingerprint by Scraping Central

WebGL fingerprint

Your WebGL Renderer

The exact GPU vendor and model your browser reports. If it says SwiftShader or llvmpipe, every bot detector knows you're running headless.


Renderer strings, ranked by suspicion

  • LEAK  Google SwiftShader, Chrome software fallback. Cloud headless.
  • LEAK  Mesa OffScreen, llvmpipe, Linux software rendering. Cloud Linux VM.
  • SUS  VMware SVGA 3D, VirtualBox, virtualized GPU. Could be a real desktop in a VM, but usually a server.
  • OK  ANGLE (Intel, Intel(R) UHD Graphics ...), real Windows laptop integrated GPU.
  • OK  ANGLE (NVIDIA, NVIDIA GeForce ...), real Windows desktop GPU.
  • OK  Apple M2 Pro, Apple GPU, real Mac.

Practical fixes for scrapers

  1. Run on a real GPU. Local hardware, or EC2 G-instances. Most expensive but most reliable.
  2. Pass GPU through to your headless container. Doable with NVIDIA Docker on certain hosts.
  3. Patch Chromium at build time to spoof both getParameter AND the underlying GL command stream consistently. Hard.
  4. Use a managed scraping API (see the sidebar); they handle this for you.

Frequently asked questions

What does the WebGL fingerprint reveal?

Your real GPU. The WEBGL_debug_renderer_info extension exposes UNMASKED_VENDOR_WEBGL and UNMASKED_RENDERER_WEBGL, strings like 'Google Inc. (NVIDIA)' and 'ANGLE (NVIDIA, NVIDIA GeForce RTX 4060 Direct3D11 vs_5_0 ps_5_0)'. Real users have hundreds of distinct GPU combinations; headless browsers in clouds have maybe a dozen.

What does 'SwiftShader' mean in my WebGL renderer?

It means there's no GPU. SwiftShader is Google's software-only WebGL renderer that ships with Chrome as a fallback. If a site sees 'Google SwiftShader' as your renderer, you're almost certainly running headless Chrome on a server with no GPU. It's one of the strongest single bot signals available.

Why does llvmpipe / Mesa show up?

Same reason, software rendering. llvmpipe is Mesa's software WebGL implementation, used on Linux headless setups. Mesa with no hardware backing also screams 'cloud Linux VM'.

How do I spoof the WebGL renderer?

It's harder than it looks. You can override the return value of getParameter() in JavaScript, but anti-bot scripts also call getContextAttributes() and run actual WebGL operations to verify the renderer matches its claims. Proper spoofing requires injecting at the C++ level (via a patched Chromium build) or running a real headed browser on real hardware.

Will every real user have a different WebGL fingerprint?

Mostly yes. Combinations of (GPU, driver version, browser version, OS) produce hundreds of distinct UNMASKED_RENDERER_WEBGL strings. Two users with the exact same GPU and driver on the same browser version will collide, but that's rare in practice for tracking, and irrelevant for bot detection.

Can I disable WebGL to hide my GPU?

You can, but it's also a signal. The vast majority of real browsers have WebGL enabled. A modern Chrome reporting 'WebGL unavailable' is suspicious in its own right and will often trigger a CAPTCHA. Better to expose a believable WebGL renderer than to disable it.
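
The string check behind the ranked list above, seen from the detector's side, as an added example that is not code from this page or site: it reads the unmasked renderer and maps it to the LEAK / SUS / OK tiers, treating unavailable WebGL as suspicious as the answer above describes. The function names, regex patterns and stub context are assumptions, and a string match alone does not verify the renderer against real WebGL operations.

```javascript
// Added example: triage of a reported WebGL renderer string.
// Tiers follow the ranked list on this page; names and patterns are hypothetical.
const RULES = [
  { tier: 'LEAK', why: 'Chrome software fallback', re: /swiftshader/i },
  { tier: 'LEAK', why: 'Mesa software rendering', re: /llvmpipe|mesa offscreen/i },
  { tier: 'SUS', why: 'virtualized GPU', re: /vmware|svga ?3d|virtualbox/i },
];

function classifyRenderer(renderer) {
  // Assumption: an empty or missing string is scored SUS, not OK.
  if (typeof renderer !== 'string' || renderer.trim() === '') {
    return { tier: 'SUS', why: 'no renderer string reported' };
  }
  for (const rule of RULES) {
    if (rule.re.test(renderer)) return { tier: rule.tier, why: rule.why };
  }
  return { tier: 'OK', why: 'no software or virtual renderer marker' };
}

// gl is a WebGLRenderingContext, or null when canvas.getContext('webgl') failed.
function readRenderer(gl) {
  if (!gl) return null;
  const ext = gl.getExtension('WEBGL_debug_renderer_info');
  if (!ext) return { vendor: '', renderer: '' };
  return {
    vendor: String(gl.getParameter(ext.UNMASKED_VENDOR_WEBGL) || ''),
    renderer: String(gl.getParameter(ext.UNMASKED_RENDERER_WEBGL) || ''),
  };
}

function assessWebGL(gl) {
  const info = readRenderer(gl);
  if (info === null) return { tier: 'SUS', why: 'WebGL unavailable', renderer: null };
  return { ...classifyRenderer(info.renderer), renderer: info.renderer };
}

// Constructed stub standing in for a browser context so the logic runs offline.
function stubContext(vendor, renderer) {
  const ext = { UNMASKED_VENDOR_WEBGL: 0x9245, UNMASKED_RENDERER_WEBGL: 0x9246 };
  return {
    getExtension: (name) => (name === 'WEBGL_debug_renderer_info' ? ext : null),
    getParameter: (p) => (p === 0x9245 ? vendor : p === 0x9246 ? renderer : null),
  };
}

console.log(assessWebGL(stubContext('Google Inc. (Google)', 'Google SwiftShader')));
console.log(assessWebGL(null));
```

In a browser, pass `document.createElement('canvas').getContext('webgl')` to `assessWebGL` in place of the stub.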
