ShieldLabs is an anonymous visitor identification and traffic quality platform. It analyzes device, browser, IP, and network signals, detecting mismatches between them to identify anonymous visitors and assign a real-time explainable risk score to every visit, as well as detect abuse patterns across your traffic.

What is ShieldLabs used for?

ShieldLabs is used to identify anonymous visitors, assess traffic quality, and detect abuse activity such as multi-accounting, fake account creation, account takeover, free trial abuse, bonus abuse, ban evasion, referral fraud, account sharing, coupon abuse, subscription abuse, giveaway fraud, voting manipulation, and survey fraud.

Who is ShieldLabs for?

ShieldLabs is best for startups, small-to-mid-sized businesses, and digital platforms with medium to high traffic volume that need a cost-effective anonymous visitor identification solution. Built for product, fraud, and growth teams at SaaS platforms, fintech, iGaming, e-commerce, Web3, media and streaming, travel, and technology platforms - any business dealing with anonymous traffic and abuse.

How accurate is ShieldLabs?

ShieldLabs detects anonymized connections and environment spoofing with up to 99% accuracy through multi-layer analysis.

How is ShieldLabs different from traditional abuse prevention platforms?

ShieldLabs delivers the same level of visitor identification and abuse detection used by platforms like Google and X / Twitter — with transparent per-request pricing, self-serve integration in 5 minutes, and an explainable risk score. No "Contact Sales," no enterprise contracts.

Can a visitor be recognized when IP changes?

Yes. ShieldLabs generates a persistent visitor ID. This identifier remains stable across sessions even when the visitor changes IP, clears cookies, switches to incognito mode, or creates a new account.

What is a persistent visitor ID?

A persistent visitor ID is a stable identifier assigned to each visitor. Unlike cookies or IP addresses, it survives IP rotation, cookie clearing, incognito mode, and account changes - allowing real-time recognition of returning visitors regardless of how they try to hide.

What is browser fingerprinting?

Browser fingerprinting is a technique for identifying website visitors by collecting unique browser signals such as browser version, preferred language, screen resolution, installed fonts, and graphics rendering. These signals are combined to generate a unique identifier that recognizes the visitor across sessions — even without cookies.

What is device fingerprinting?

Device fingerprinting identifies a visitor based on hardware and operating system signals such as device type, OS version, memory, processor, and screen parameters. Combined with browser fingerprinting, it produces a more stable and accurate identification.

How does device fingerprinting differ from browser fingerprinting?

Browser fingerprinting collects signals from the browser — version, language, plugins, screen resolution. Device fingerprinting collects signals from the hardware and operating system — device type, OS, memory, processor. ShieldLabs combines both to generate a persistent visitor ID with higher accuracy than either method alone.

Does ShieldLabs do device fingerprinting or browser fingerprinting?

Both. ShieldLabs analyzes 70+ signals across device, operating system, and browser to generate a persistent visitor ID. It then cross-validates these signals against network and IP data to detect mismatches and expose anonymous visitors.

Is browser fingerprinting safe?

For businesses, browser fingerprinting is used to identify anonymous visitors and distinguish between legitimate users and potentially fraudulent ones. ShieldLabs does not track users across sites and does not collect personally identifiable information during the fingerprinting process. For visitors, the process is invisible and adds no friction to their experience.

Can ShieldLabs detect a visitor in incognito mode or on a VPN?

Yes. Device and browser fingerprinting signals remain consistent even in incognito mode. VPN connections are detected through IP intelligence and cross-layer mismatch analysis. ShieldLabs identifies the visitor in both cases.

What can ShieldLabs detect?

ShieldLabs detects VPN, proxy, TOR, iCloud Private Relay, anti-detect browsers, tampered browsers, anti-fingerprint tools, data center and hosting infrastructure, environment spoofing, device tampering, location spoofing, timezone mismatches, and abuse activity. All detection works in real time.

Does ShieldLabs detect anti-detect browsers?

Yes. Anti-detect browsers are designed to mask device fingerprints and rotate identities. ShieldLabs detects them through cross-layer mismatch analysis, identifying the difference between what the browser claims and what is actually detected.

Can ShieldLabs detect fake accounts and multi-accounting?

Yes. The system builds an identity graph linking visitors, devices, and accounts across sessions. When the same person creates multiple accounts — even using different IPs, browsers, or anti-detect tools — the system connects them through shared device and network characteristics.

Can ShieldLabs detect account takeover?

Yes. When an account is accessed from an unrecognized device, suspicious connection, or unusual location, the system flags it as a potential account takeover.

Can ShieldLabs detect location spoofing?

Yes. The system detects timezone and geolocation mismatches between what the browser reports and what the IP and network reveal — indicating masked or spoofed visitor location.

Does ShieldLabs detect account sharing?

Yes. When multiple devices, locations, and network signatures access the same account, the system flags it as potential account sharing — helping protect subscription value and enforce per-user access.

Risk Score is a numerical assessment of explainable risk for every visit. It is calculated from anonymity indicators, cross-layer mismatches, and network signals. A high score indicates an increased probability of an anonymous or masked visit. Every score includes clear reasons for every contributing factor.

How is Risk Score calculated?

Each detected signal contributes to the final score - VPN detection, proxy connection, OS mismatch between browser and network, timezone conflict, data center IP, and more. Risk score reflects the cumulative risk level and explains each factor.

What is traffic risk level?

Traffic risk level is an overall assessment of anonymity across all your traffic. It shows what percentage of visitors are clean, low risk, medium risk, or high risk - giving you visibility into overall traffic quality.

Does ShieldLabs automatically block users?

No. ShieldLabs provides risk score, scoring reasons, and detailed visitor data. The blocking decision is made by you - either manually or through automated rules you configure.

What is an identity graph?

An identity graph is a map of connections between visitors, devices, and accounts. ShieldLabs builds this graph automatically by linking persistent visitor IDs, device fingerprints, and network signals across all sessions — revealing which accounts are connected and the risk level of each connection.

What are abuse patterns?

Abuse patterns are ready-made detection rules that identify suspicious connections between visitors, devices, and accounts — such as many accounts on one device, changing IDs on one account, or many devices on one account. Each pattern flags potential multi-accounting, account sharing, ban evasion, or coordinated abuse.

What is traffic quality?

Traffic quality is a measure of how much of your traffic comes from real, identifiable visitors versus anonymous, masked, or suspicious traffic. ShieldLabs assigns a risk level to your overall traffic and a risk score to every visitor.

How long does integration take?

Integration takes approximately 5 minutes. Add a code snippet to your site, and the system immediately begins anonymous visitor identification and real-time traffic analysis.

Which frameworks are supported?

ShieldLabs supports JavaScript, Next.js, React, Angular, Vue.js, Preact, and Svelte.

Does ShieldLabs provide API and Webhooks?

Yes. Risk score, visitor IDs, and detailed detection signals are available via API and Webhooks in real time for automation of fraud prevention rules and protection scenarios.

Does ShieldLabs affect real users?

No. The system operates in the background and does not require any additional actions from visitors. No CAPTCHAs, no challenges, no friction.

How does pricing work?

ShieldLabs offers transparent per-request pricing with a free tier. Start free, scale as you grow. No enterprise contracts, no "Contact Sales."

Is there a free plan?

Yes. The free plan includes 5,000 requests for initial traffic quality check and anonymous visitor identification.

How does font fingerprinting work?

A script cannot read the installed font list directly, so it measures how text renders. It draws text in a target font and checks the dimensions: an installed font produces its real metrics, while a missing one falls back to a default of a different size. Repeating this across many fonts reveals which are present, then condenses into a value.

What does font fingerprinting reveal about a device?

It reveals which fonts are installed, which reflects the operating system, the language packs, and the software a person has added, such as design or office tools. It names no one, but the combination of fonts is distinctive enough to help recognize the same device again, especially on machines with extra software beyond the stock set.

Does font fingerprinting need permission?

No. Font fingerprinting uses no special permission and shows no prompt. It works by measuring the dimensions of text the browser renders off-screen, which is data the browser already exposes, so the technique runs silently in the background like the other rendering-based fingerprinting methods.

How does ShieldLabs use font fingerprinting?

ShieldLabs reads fonts as one of many techniques, never alone. They add distinguishing detail to a persistent device identifier and feed a risk score from 0 to 100 with the signals behind it, including contradictions when a font list does not fit the operating system. Your own rules decide the outcome, and the free tier covers your first 5,000 identifications.

Back to blog

June 29, 2026Browser fingerprinting Device intelligence Fraud prevention

What is font fingerprinting? How your installed fonts identify you

Pavel NuryieuHead of Research

Font fingerprinting: the set of fonts installed on a device measured from how text renders, condensed into a value that identifies the device

Last updated on June 29, 2026 · 8 min read

Font fingerprinting is a technique that identifies a device by the set of fonts installed on it. A script cannot read the font list directly, so it measures how text renders: it asks the browser to draw text in a given font and checks the dimensions. If the font is present, the text takes its real shape; if it is missing, the browser falls back to a default with different dimensions. Repeating this across many fonts reveals which ones a device has, and that combination is surprisingly distinctive.

The set of fonts on a machine reflects its operating system plus everything that has added fonts, design software, office suites, language packs, so it varies more than people expect. Fonts are a quiet but reliable medium-strength signal, easy to read and slow to change. This guide explains how it works, what it reveals, and where it fits in fraud detection. It is one of the browser fingerprinting techniques a site reads together.

Key takeaways

Font fingerprinting detects which fonts are installed by measuring how text renders, since a missing font falls back to a default of a different size.
The installed font set reflects the operating system and the software a person has added, which makes it more distinctive than it first appears.
It is a medium-strength signal: stable over time and easy to read, but not unique on its own, so it works as part of a larger fingerprint.
For fraud detection, fonts add distinguishing detail and corroborate other signals, and a font list that does not fit the rest of the device is itself a hint.

How font fingerprinting works

Font fingerprinting works by inference, because browsers do not hand a script the list of installed fonts outright. Instead, a script measures the effect of each font on rendered text. It runs in the background with no permission prompt.

Render text in a target font. The script draws a string in a specific font, off-screen, and asks the browser to lay it out.
Measure the dimensions. It reads the width and height of the rendered text. If the font is installed, the text takes that font's metrics; if not, the browser substitutes a fallback, and the dimensions change.
Compare and repeat. By comparing against the known dimensions of a fallback, the script decides whether each font is present, then repeats across a long list of fonts and condenses the result into a value.

A related variant uses the canvas element to measure font rendering more precisely, which is why font and canvas signals often appear together. Either way, the principle is the same: the instructions are identical for everyone, so the differences in the measurements come from the device's fonts.

How font fingerprinting works: text is rendered in many fonts, the dimensions are measured to detect which fonts are installed, and the result is condensed into a font fingerprint

What a font fingerprint reveals

A font fingerprint does not reveal documents or personal data. It reflects the set of fonts on the device, which in turn reflects:

The operating system and its version, which ship with a known baseline set of fonts.
Installed software, since design tools, office suites, and other apps add their own fonts.
Language and regional packs, which add fonts for specific scripts.
Fonts the user installed manually, which can be highly distinctive.

None of this names a person, and many devices with a stock operating system and no extra software share a similar font set. The distinctiveness comes from the additions: a machine with design and office software carries a font list that few others match exactly.

Property	Font fingerprinting
What it reads	Which fonts are installed, inferred by measuring the dimensions of text rendered in each font
Why it differs between devices	The installed font set reflects the operating system, added software, language packs, and fonts installed manually
Does it survive clearing cookies?	Yes, installed fonts change rarely, so the value holds across visits and survives cleared cookies and incognito mode
Main limitation	A stock install produces a common font set, and modern browsers increasingly limit font enumeration, so it is a medium-strength supporting signal

How unique and stable is a font fingerprint?

A font fingerprint is stable and moderately distinctive, which makes it a dependable supporting signal. It is stable because installed fonts change rarely, only when software is added or removed, so the value holds across visits and survives cleared cookies and incognito mode. When researchers first measured font-metric fingerprinting in 2015, they found that the dimensions of rendered text carried enough variation to help distinguish browsers, even using only a modest list of fonts.

Its limits are the familiar ones. A clean operating system install with no added software produces a common font set shared by many devices, so on its own the signal separates fewer machines than a full fingerprint can. And modern browsers increasingly limit font enumeration to a standard set to fight tracking, which narrows what the technique can read. It is best treated as one medium-strength signal among several, not a standalone identifier.

Font fingerprinting in fraud detection

For fraud detection, fonts add quiet corroboration to a device fingerprint. A font list does not identify anyone by itself, but together with the rendering and network signals it helps confirm that two visits came from the same device after a cleared cookie and a new email, and it adds distinguishing detail that sharpens the match.

Fonts are also useful for catching inconsistency. A device that claims one operating system but carries a font set typical of another, or a session that reports an implausibly tiny or generic font list, does not fit the pattern of an ordinary visitor. A defender reads signals like these into a risk score rather than acting on the font list alone.

Can font fingerprinting be blocked?

Font fingerprinting can be reduced, and browsers have been steadily limiting it. Privacy browsers such as Tor restrict pages to a fixed set of fonts so every user looks alike, and Firefox and others limit font enumeration in their anti-fingerprinting modes. Extensions can report a randomized or trimmed font list.

For a fraud detection system, those defenses change the signal rather than erasing it. A font list restricted to a bundled set is a recognizable state of its own, and a list that changes on every read, or that contradicts the rest of the device, becomes a hint that something is being hidden. As with the other techniques, the move that hides one signal tends to leave a different trace.

How ShieldLabs uses font fingerprinting

ShieldLabs reads fonts as one of many techniques in a single fingerprint, never on their own. They add distinguishing detail and corroboration to a stable device identifier that recognizes a returning visitor after cleared cookies and a rotated IP, derived from the whole combination rather than any single signal.

Each visit returns a risk score from 0 to 100 with the named signals behind it, including the anonymity signals and the contradictions that surface when a font list does not fit the operating system or the rest of the device. Because the read happens in the background from data the browser already exposes, it adds no friction for a real visitor, and you act on the score through the API and webhooks while your own rules decide the outcome.

Frequently asked questions

WebGL fingerprinting: a hidden 3D scene rendered by a device's GPU into a distinct hash that identifies the graphics hardware

Browser fingerprinting Device intelligence

What is WebGL fingerprinting? How the GPU gives a device away

WebGL fingerprinting identifies a device by how its GPU renders 3D graphics. How it works, what it reveals, and how it differs from canvas.

Pavel NuryieuHead of ResearchJune 29, 2026

TLS fingerprinting: a client's TLS handshake, its cipher suites and extensions, condensed into a JA3 or JA4 hash that identifies the software behind the connection

Browser fingerprinting Network signals

What is TLS fingerprinting? How JA3 and JA4 identify a client

TLS fingerprinting identifies the software behind a connection from its TLS handshake. How it works, what JA3 and JA4 are, and what it reveals.

Vasil MakarchukChief Technology OfficerJune 29, 2026

Browser audio fingerprinting: a silent waveform processed by a device's audio stack into a distinct value that identifies the device

Browser fingerprinting Device intelligence

What is audio fingerprinting? The browser technique, explained

Audio fingerprinting identifies a device by how it processes a sound signal in the browser. How it works, what it reveals, and how stable it is.

Pavel NuryieuHead of ResearchJune 29, 2026

How font fingerprinting works

What a font fingerprint reveals

How unique and stable is a font fingerprint?

Font fingerprinting in fraud detection

Can font fingerprinting be blocked?

How ShieldLabs uses font fingerprinting

Frequently asked questions

How does font fingerprinting work?

What does font fingerprinting reveal about a device?

Does font fingerprinting need permission?

Can font fingerprinting be blocked?

How does ShieldLabs use font fingerprinting?

Related articles

What is WebGL fingerprinting? How the GPU gives a device away

What is TLS fingerprinting? How JA3 and JA4 identify a client

What is audio fingerprinting? The browser technique, explained