Full Fingerprint Spoofing: What 'Full' Actually Means in 2026
Many anti-detects spoof a half-dozen surfaces and call it done. Full spoofing covers 40+. Here's the complete inventory and how Afina handles it.
"We spoof Canvas, WebGL, and Audio." Every anti-detect's marketing copy. None of them lie outright, but each of them undersells what's missing.
A modern fingerprinting library (Castle, Cloudflare Bot Management, Akamai Bot Manager, Datadome) probes dozens of surfaces to build a confidence score. Spoofing three is not "full." Here's the inventory of what Afina covers, with notes on which surfaces are commonly missed by competitors.
The 47 surfaces
Device-level (12)
- Canvas 2D rendering β pixel-level hash with text and curves
- WebGL renderer + parameters β graphics card model, GLSL version, extensions
- WebGL shader precision β float precision per shader stage
- AudioContext oscillator output β float32 sample buffer hash
- ClientRects rounding β sub-pixel rounding model of layout
- Screen properties β dimensions, colorDepth, pixelDepth
- Device pixel ratio
- Battery API β even presence of the removed API leaks browser version
- Hardware concurrency β number of logical cores
- Device memory (deviceMemory) β heap memory in GB
- Touch points (maxTouchPoints)
- Pointer hover capability (CSS @media hover)
Browser-level (15)
- User-Agent + Client Hints β UA-CH headers must match UA string
- Accept-Language + navigator.languages
- Timezone β Date.getTimezoneOffset() and Intl.DateTimeFormat resolved zone (they leak independently)
- Locale β Intl.Collator, Intl.NumberFormat
- Plugins list β even though Chrome reports empty, empty in the right way
- Mime types
- Permissions API state for notifications, geolocation, push
- Speech synthesis voices list
- WebDriver flag
- Chrome runtime properties
- Window properties β outerWidth/outerHeight vs innerWidth/innerHeight relationship
- Document properties β document.hidden, visibilityState
- CSS @supports queries for browser-specific features
- Performance timing β connection start vs end nanosecond patterns
- Font enumeration β installed fonts list (most underestimated surface)
Network-level (8)
- TLS JA3 / JA4 fingerprint β cipher order, extensions, ALPN
- HTTP/2 frame ordering and SETTINGS β second JA-style fingerprint above TLS
- HTTP/3 / QUIC fingerprint β only matters if you support UDP
- Akamai-style behavioural signals β packet sizes, TCP options
- WebRTC ICE candidates β see our UDP article
- DNS resolver β DoH endpoint visible to authoritative servers
- IP geolocation consistency β IP, timezone, locale, font set must align
- CDN-specific Anubis / PerimeterX challenges
Behavioural (12)
- Mouse movement model β BΓ©zier vs straight, jitter, micro-pauses
- Keystroke dynamics β dwell time, flight time distribution
- Scroll behaviour β wheel-deltaY distribution, momentum
- Touch event sequences (mobile)
- Pointer events ordering β pointerover before mouseover
- Focus/blur cadence
- Tab switching frequency
- Form fill timing β character cadence, paste vs type
- Selection events
- Visibility change handling
- Page visibility lifecycle
- Beforeunload / unload behaviour
Where most competitors stop
The majority of anti-detect browsers cover the first six device-level and first five browser-level surfaces. That's 11 of 47. Modern detectors expect all 47 to be coherent.
The most commonly missed:
- ClientRects rounding β even Multilogin's Stealthfox missed this until 2025
- AudioContext oscillator β Dolphin spoofs the value but not the per-channel correlations
- Font enumeration β almost no one ships per-region font sets
- HTTP/2 SETTINGS ordering β only Afina, Linken Sphere 2 and Octo get this right
- Behavioural surfaces β universally missing; you need a separate humaniser
What Afina ships
All 47 surfaces are spoofed at the engine level, with values derived from the chosen device profile (Win 11 / Chrome 132 / RTX 4060 / etc.) rather than randomised. Behavioural surfaces are covered by the Scenarios humaniser; if you build automations on Afina, you don't need a separate library like puppeteer-extra-stealth.
The injector is written in Rust (see our Rust article) and applies at Chromium's V8 layer before any page script runs, so detection scripts can't observe the swap.
How to test coverage
We use a fixed eight-tool battery to grade engines:
- demo.fingerprint.com β ML scoring (detailed walkthrough)
- iphey.com β should be all-green (100% guide)
- pixelscan.net
- browserleaks.com (canvas, webgl, audio, fonts, webrtc, tls)
- creepjs
- abrahamjuliot.github.io/creepjs
- bot.sannysoft.com
- arh.antoinevastel.com/bots/areyouheadless
A score of β₯9/10 on all eight is the standard we require for #1 placement on this site. Afina is currently the only product that clears that bar in our quarterly checks.
Bottom line
"Full" is a number: 47. Everything less is partial. Modern detectors look at the gaps as much as the values, so a half-spoofed profile signals "anti-detect" louder than a half-spoofed profile signals "real user." Cover everything or cover nothing.