By Stephen Milner · UtilityForge · Last reviewed: May 2026
Every website you visit can ask your browser questions: What is your IP address? What GPU are you running? What timezone are you in? In most browsers, JavaScript can answer these questions instantly, without your knowledge.
A browser privacy leak occurs when your browser reveals information you did not intend to share. This happens through standard web APIs that exist for legitimate purposes but can also be used for tracking. The most serious examples are WebRTC IP leaks, which can expose your real IP address even when you are behind a VPN.
WebRTC (Web Real-Time Communication) is a browser API that powers video calls, voice chat, and peer-to-peer data transfer. To establish a direct connection between two peers, WebRTC needs to discover each device's IP addresses, including local network IPs and public IPs.
The problem: WebRTC performs this IP discovery process even when you are behind a VPN. Normally a VPN tunnels all your traffic, hiding your real IP from websites. But WebRTC bypasses the VPN tunnel to discover your actual network interfaces. A website can run a WebRTC ICE gathering process in the background and read the resulting IP addresses from JavaScript without any visible browser prompt.
This means: if your browser has WebRTC enabled and a site runs this check, your real public IP address is exposed even if you are using a VPN.
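To check your own browser for this, the candidate strings that ICE gathering produces (the `candidate` field delivered by `RTCPeerConnection`'s `icecandidate` event) can be parsed and compared with the IP your VPN shows to websites. The following is an added example, not code from this tool; the function names and sample candidates are constructed for illustration, and `vpnExitIp` is assumed to be the address you see on an ordinary IP-lookup page while the VPN is connected.

```javascript
// Added example. Candidate line layout (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').replace(/^candidate:/, '').split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null; // not a well-formed candidate
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

// RFC 1918 / link-local IPv4, and link-local (fe80::/10) or unique-local (fc00::/7) IPv6.
function isLocalScope(addr) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(addr);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
           (a === 192 && b === 168) || (a === 169 && b === 254);
  }
  return /^(fe[89ab][0-9a-f]|f[cd][0-9a-f]{2}):/i.test(addr);
}

// vpnExitIp is the address ordinary HTTP requests appear to come from.
function classify(line, vpnExitIp) {
  const c = parseCandidate(line);
  if (!c) return { verdict: 'unparsed' };
  let verdict = 'public-ip-leak';                            // routable, and not the VPN's address
  if (c.address.endsWith('.local')) verdict = 'masked-mdns'; // browser hid the local IP
  else if (c.type === 'relay') verdict = 'relay';            // address belongs to a TURN server
  else if (isLocalScope(c.address)) verdict = 'local-ip-exposed';
  else if (c.address === vpnExitIp) verdict = 'matches-vpn';
  return { ...c, verdict };
}

function auditCandidates(lines, vpnExitIp) {
  const results = lines.map((l) => classify(l, vpnExitIp));
  const leaked = results.filter((r) => r.verdict === 'public-ip-leak').map((r) => r.address);
  return { results, leaked: [...new Set(leaked)] };
}

// Constructed sample (documentation address ranges); 203.0.113.7 plays the VPN exit.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:2 1 udp 2122194687 3d4f2a1e-9c0b-4e7a-8f21-6b5a0c9d1e2f.local 54322 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.23 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 1686052607 203.0.113.7 40000 typ srflx raddr 0.0.0.0 rport 0',
];
const report = auditCandidates(SAMPLE_CANDIDATES, '203.0.113.7');
console.log(report.results.map((r) => `${r.type} ${r.address} -> ${r.verdict}`).join('\n'));
console.log('leaked:', report.leaked);
```

A server-reflexive (`srflx`) candidate is only a leak when its address differs from the VPN exit IP; a `.local` hostname means the browser replaced the local address with an mDNS name.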
Unlike cookies, browser fingerprinting does not store anything on your device. Instead, it reads characteristics from your browser to build a profile that is unique enough to identify you across sites. A 2014 EFF study found that over 94% of browsers had unique fingerprints.
Canvas fingerprinting works by drawing an invisible image with text and shapes. Different devices render this image slightly differently due to differences in GPU, operating system, font rendering, and anti-aliasing. The resulting pixel data, when hashed, forms a stable identifier that is consistent across browser sessions and does not change when you clear cookies.
WebGL fingerprinting reads your GPU vendor and renderer model directly. This is high-entropy data because GPU models correlate strongly with device type and age. NVIDIA GeForce RTX 3080 users form a much smaller fingerprint pool than Chrome users in general.
Tor Browser provides the strongest protection. It normalizes canvas output (introducing noise), reports generic user agent and screen data, always reports UTC timezone, and blocks WebRTC by default.
Brave blocks the WEBGL_debug_renderer_info extension, adds noise to canvas reads, and sets WebRTC to use only the VPN-tunneled IP by default. Brave Shields can be configured to block all fingerprinting.
Firefox with privacy.resistFingerprinting = true (in about:config) approximates Tor Browser protections without requiring the Tor network: generic UA string, UTC timezone, normalized screen size, and canvas noise injection.
Chrome and Safari provide minimal fingerprinting protection by default. Their business models depend on advertising, which creates limited incentive to prevent fingerprint-based tracking.
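Why canvas noise matters can be shown with a small model of the canvas hashing described above: the same pixels always hash to the same identifier, while a per-session low-bit perturbation gives a different identifier on every visit. This is an added example, not code from this tool or from any browser; `renderOnDevice` is a constructed stand-in for real rasterisation, the noise model is a simplifying assumption, and FNV-1a stands in for whatever hash a site might use.

```javascript
// Added example. `pixels` has the RGBA byte layout of getImageData().data.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Constructed stand-in for rasterisation: the same drawing yields slightly
// different bytes per device (GPU, fonts, anti-aliasing), modelled by `bias`.
function renderOnDevice(bias, width = 16, height = 4) {
  const px = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < px.length; i++) px[i] = (i * 37 + (i % 7) * bias) & 0xff;
  return px;
}

// Simplified noise model (an assumption, not any browser's actual algorithm):
// flip the lowest bit of some channel bytes using a PRNG seeded once per session.
function withSessionNoise(pixels, sessionSeed) {
  let x = (sessionSeed >>> 0) || 1;        // xorshift32 state must be non-zero
  return pixels.map((v) => {
    x ^= x << 13; x ^= x >>> 17; x ^= x << 5; x >>>= 0;
    return v ^ (x & 1);                    // invisible to the eye, changes the hash
  });
}

function canvasId(pixels) {
  return fnv1a(pixels);
}

// Identifiers a site would compute on several visits from one device.
function idsAcrossSessions(pixels, sessionSeeds, noiseEnabled) {
  return sessionSeeds.map((s) => canvasId(noiseEnabled ? withSessionNoise(pixels, s) : pixels));
}

const device = renderOnDevice(3);
const seeds = [1001, 2002, 3003];          // constructed per-session seeds
console.log('no protection:', idsAcrossSessions(device, seeds, false)); // same id each visit
console.log('with noise   :', idsAcrossSessions(device, seeds, true));  // a new id each visit
```

Within one session the seed is fixed, so repeated reads agree with each other and pages behave consistently; only the link between sessions is broken.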
A VPN encrypts your internet traffic and replaces your IP address as seen by websites. But a VPN does not:
This is why a "WebRTC leak" is a specific known limitation of VPN protection in browsers, not a VPN bug. The VPN works as designed for TCP/UDP traffic, but WebRTC has its own IP discovery mechanism outside normal traffic routing.
Fixing one or two high-impact issues dramatically reduces your fingerprint surface:
No. Every check runs entirely in your browser using JavaScript APIs. No data is sent to any server. The WebRTC check uses Google's public STUN server (stun.l.google.com) to discover your external IP, but this is the same server your browser uses for WebRTC anyway, and the discovered IP is only shown to you in the results, not stored or transmitted anywhere by this tool.
This is a WebRTC IP leak. WebRTC uses its own IP discovery mechanism that bypasses your VPN tunnel. It communicates with STUN servers to discover your public IP address at the network interface level, which reveals your ISP-assigned IP regardless of VPN. This is a well-known and documented limitation of browser-based VPN protection. Fix it by disabling WebRTC in your browser settings.
A canvas fingerprint is a unique identifier generated by rendering an invisible image using the HTML Canvas API. Different hardware and software combinations render the same drawing instructions slightly differently, producing a hash that is unique to your device. You can block it in Firefox by setting privacy.resistFingerprinting to true, which introduces noise into canvas output. Brave also adds noise by default in Shields mode. Chrome has no native canvas fingerprinting protection.
The WEBGL_debug_renderer_info extension gives JavaScript access to your actual GPU vendor and model (e.g., "Apple / Apple M2"). This is unmasked GPU information that goes beyond what WebGL needs for rendering. Sites use it for fingerprinting because GPU models are high-entropy identifiers. Firefox with privacy.resistFingerprinting blocks this. Brave blocks the extension in Shields mode.
No. A higher score means fewer browser signals are being leaked, but anonymity is much harder to achieve. This tool does not test DNS leaks (requires server-side testing), traffic analysis, browser extension fingerprinting, font enumeration, AudioContext fingerprinting, or behavioral signals. A score of 80 or above indicates good browser-side hygiene but does not imply anonymity.
DNS leaks require a server-side test because they check whether your DNS queries are going through your VPN's DNS servers or bypassing them to your ISP's resolvers. This tool cannot perform DNS leak tests. Use a dedicated DNS leak test service for that check.
For maximum privacy, the Tor Browser routes all traffic through the Tor network and applies aggressive fingerprinting protections. For everyday use, Brave and Firefox (with privacy.resistFingerprinting enabled) offer the strongest fingerprinting protection among mainstream browsers. Chrome and Edge offer minimal fingerprinting protection by default.
Incognito or Private Browsing mode prevents your browser from storing cookies and browsing history locally. It does not prevent fingerprinting. Sites can still read your canvas hash, WebGL renderer, user agent, screen resolution, and timezone in incognito mode. These values are the same in incognito as in normal mode.
Do Not Track (DNT) is an HTTP header that signals to websites that you prefer not to be tracked. It was introduced in 2009 but never became legally binding. Most advertising networks and analytics platforms ignore it. Sending DNT: 1 has minimal practical effect on tracking but shows privacy intent. Most major browsers stopped promoting it as a meaningful privacy feature.
Some checks (like CPU core count, screen resolution, and device pixel ratio) reflect your actual hardware and cannot be changed without changing your device. We flag them as warnings so you know they are being exposed, even if the fix requires using a different device or a privacy browser that reports normalized values. Tools like Tor Browser and Firefox with privacy.resistFingerprinting report generic values for these signals regardless of your actual hardware.