The Complete Browser Privacy Audit Checklist
A browser privacy audit checklist is a structured walkthrough of every privacy-relevant setting and exposure point in your browser â cookies, trackers, fingerprint surface, DNS configuration, WebRTC leaks, extensions, HTTPS enforcement, and more. Most people fix one or two things and assume they’re covered. This 15-point audit tests everything systematically, with free tools to verify each item, so you know exactly where your browser leaks data and how to seal it.

Why You Need a Structured Audit
Browser privacy isn’t a single toggle. It’s a stack of independent systems â networking, storage, rendering, extensions â each with its own leak vectors. Fixing cookies but ignoring WebRTC still exposes your real IP. Blocking trackers but leaving canvas fingerprinting wide open still lets ad networks follow you across sites. A checklist forces you to test every layer instead of guessing.
The stakes are higher in 2026 than ever. Third-party cookie deprecation pushed tracking companies to invest heavily in fingerprinting, server-side tracking, and first-party data collection. The attacks got more sophisticated; your defenses need to keep pace.
The 15-Point Audit
1. Third-Party Cookies
What to check: Are third-party cookies blocked by default? Do any exceptions exist?
How to test: Visit https://privacy.net/analyzer/ or open DevTools â Application â Cookies after visiting a few ad-heavy sites. Look for cookies from domains you didn’t visit directly.
Fix: Set your browser to block all third-party cookies. In Chrome: Settings â Privacy â Cookies â Block third-party cookies. In Firefox: Enhanced Tracking Protection â Strict mode.
2. First-Party Cookie Lifetime
What to check: How long do first-party cookies persist? Are you auto-clearing on close?
How to test: Check Settings â Privacy â Cookies and site data. Look for “Keep until I close my browser” or equivalent. In DevTools, check cookie expiration dates â some tracking cookies set 2-year lifetimes disguised as first-party.
Fix: Set cookies to clear on browser close. Whitelist only sites you actively need to stay logged in to. Use a cookie auto-delete extension for granular control.
3. Tracker Blocking
What to check: Is your browser actively blocking known tracking scripts, pixels, and fingerprinting libraries?
How to test: Visit https://coveryourtracks.eff.org/ (EFF’s Cover Your Tracks). It tests for known tracker blocking and reports whether your browser is blocking tracking ads, invisible trackers, and fingerprinting scripts.
Fix: Enable strict tracking protection in your browser. Install uBlock Origin and set it to default filter lists at minimum. Consider adding the EasyPrivacy and Fanboy’s Enhanced Tracking lists. For a deeper understanding of tracking exposure, read our safe browsing guide.
4. Browser Fingerprint Exposure
What to check: How unique is your browser fingerprint? Can you be identified across sessions even without cookies?
How to test: Visit https://coveryourtracks.eff.org/ or https://browserleaks.com/. These tools calculate your fingerprint uniqueness based on canvas rendering, WebGL data, installed fonts, screen resolution, timezone, language, and dozens of other signals. Our browser fingerprint explained guide covers each signal in detail.
Fix: Pure browser settings can’t fully solve fingerprinting. Resist Fingerprinting (Firefox’s privacy.resistFingerprinting) helps but breaks some sites. For genuine fingerprint control, you need dedicated browser profiles with managed fingerprints â each profile presenting a unique, consistent, realistic fingerprint rather than a randomized or blocked one that screams “privacy user.”
5. WebRTC Leak
What to check: Is your real IP address leaking through WebRTC, bypassing your VPN or proxy?
How to test: Visit https://browserleaks.com/webrtc while connected to your VPN or proxy. If you see your real public or local IP address in the results, you have a WebRTC leak.
Fix: In Firefox: set media.peerconnection.enabled to false in about:config. In Chrome: install the WebRTC Leak Prevent extension or use a browser that handles WebRTC IP masking natively. Note that disabling WebRTC entirely breaks video calling services.
6. DNS Leak
What to check: Are your DNS queries going through your ISP instead of your VPN/proxy’s DNS servers?
How to test: Visit https://dnsleaktest.com/ and run the extended test. If the results show your ISP’s DNS servers instead of your VPN provider’s, DNS queries are leaking.
Fix: Configure DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) in your browser. Firefox: Settings â Privacy â DNS over HTTPS â Enable. Chrome: Settings â Security â Use secure DNS. Alternatively, set your system DNS to privacy-respecting resolvers like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) with encrypted DNS enabled.
7. HTTPS Enforcement
What to check: Does your browser automatically upgrade HTTP connections to HTTPS? Does it warn you before loading insecure pages?
How to test: Try visiting http://neverssl.com/ â this site intentionally serves only HTTP. Your browser should either block it, warn you, or attempt an HTTPS upgrade (which will fail, triggering a warning).
Fix: Enable HTTPS-Only Mode. Firefox: Settings â Privacy â HTTPS-Only Mode â Enable in all windows. Chrome: Settings â Security â Always use secure connections. This prevents accidental plaintext browsing that exposes your activity to network observers.
8. Extension Audit
What to check: Which extensions have access to your browsing data? Are any of them known data collectors?
How to test: Go to your browser’s extension manager. For each extension, check its permissions. Look for “Read and change all your data on all websites” â any extension with this permission can see everything you browse. Cross-reference against known problematic extensions on sites like extensionmonitor.com.
Fix: Remove any extension you don’t actively use. For remaining extensions, restrict site access to “On click” instead of “On all sites” where the extension allows it. Never install extensions from outside your browser’s official store. Fewer extensions = smaller attack surface = harder to fingerprint (your extension list is itself a fingerprint signal).
9. Search Engine Privacy
What to check: Does your default search engine log your queries and tie them to your identity?
How to test: Check Settings â Search engine. If it’s Google, Bing, or Yahoo, your queries are logged, profiled, and used for ad targeting.
Fix: Switch to a privacy-respecting search engine: DuckDuckGo (no query logging), Brave Search (independent index, no tracking), or Startpage (Google results without tracking). Set it as your default for both the address bar and the new-tab search box.
10. Browser Sync Settings
What to check: What data is being synced to the cloud? Bookmarks? History? Passwords? Open tabs?
How to test: Check your browser’s sync settings. In Chrome: Settings â You and Google â Sync. In Firefox: Settings â Sync. Review what’s being uploaded.
Fix: Disable sync for browsing history, open tabs, and autofill data at minimum. If you sync passwords, ensure they’re end-to-end encrypted (Firefox encrypts sync data by default; Chrome requires enabling a sync passphrase). Better yet, use a dedicated password manager instead of browser-based sync.
11. Password Manager Integration
What to check: Are your passwords stored in the browser’s built-in manager (accessible to any extension with the right permissions) or in a dedicated vault?
How to test: Check your browser’s password manager (Settings â Passwords). If you see saved credentials there, they’re stored in the browser.
Fix: Migrate to a dedicated password manager (Bitwarden, 1Password, KeePassXC). Disable the browser’s built-in password saving and autofill. A dedicated manager provides better encryption, cross-browser access, and isolation from browser-level attacks.
12. Two-Factor Authentication Coverage
What to check: Which accounts accessible from your browser have 2FA enabled? Are you using SMS (weak) or TOTP/hardware keys (strong)?
How to test: Visit https://2fa.directory/ â it lists 2FA support for major services. Cross-reference with your actual accounts. Check each account’s security settings for 2FA status.
Fix: Enable 2FA on every account that supports it. Use TOTP (Authy, Google Authenticator) or hardware keys (YubiKey) instead of SMS. SMS 2FA is vulnerable to SIM swapping. For high-value accounts (email, banking, cloud storage), hardware keys are the only truly secure option.
13. Site Permissions
What to check: Which sites have access to your camera, microphone, location, notifications, clipboard, and other sensitive APIs?
How to test: Chrome: Settings â Privacy â Site Settings. Firefox: Settings â Privacy â Permissions. Review each permission category and the sites that have been granted access.
Fix: Revoke all permissions except those actively needed. Set the default for camera, microphone, and location to “Ask before allowing” (not “Allowed”). Disable notification prompts globally â no legitimate use case requires a news site to push notifications to your desktop. Block clipboard access by default.
14. Referrer Header Leakage
What to check: When you click a link, does the destination site receive the full URL of the page you came from?
How to test: Visit https://browserleaks.com/referrer or check the Network tab in DevTools when navigating between sites. Look at the Referer header on outgoing requests.
Fix: Firefox: set network.http.referer.XOriginPolicy to 2 (only send referrer for same-origin requests) in about:config. Chrome: use an extension like “Referer Control” or set the browser’s referrer policy to strict-origin-when-cross-origin. This prevents destination sites from seeing your full browsing path.
15. Canvas and WebGL Fingerprint Exposure
What to check: Can websites read your canvas and WebGL rendering output to create a hardware-level fingerprint?
How to test: Visit https://browserleaks.com/canvas and https://browserleaks.com/webgl. Check your uniqueness percentage. A unique canvas hash + WebGL renderer string combination can identify your device across all sites, regardless of cookies or IP. For the technical details, see our WebGL fingerprinting guide.
Fix: Firefox’s privacy.resistFingerprinting returns a blank canvas, but this is itself a rare fingerprint (“blank canvas user”). CanvasBlocker extension adds noise instead. The most effective solution is managed fingerprint profiles where each browser profile returns a different, realistic canvas and WebGL output â indistinguishable from real hardware variation.
Audit Results: What Your Score Means
| Items Passed | Rating | What It Means |
|---|---|---|
| 13-15 | Excellent | Your browser leaks minimal data. Focus on maintaining this setup and testing after updates. |
| 9-12 | Good | Solid foundation, but specific vectors remain open. Prioritize fixing fingerprinting and leak items. |
| 5-8 | Needs Work | Multiple exposure points. You’re protected from basic tracking but vulnerable to determined trackers. |
| 0-4 | Critical | Your browser is essentially transparent. Start with items 1, 3, 5, and 6 as immediate priorities. |
What Browser Isolation Adds Beyond a Clean Audit
Here’s the uncomfortable truth: even a perfect 15/15 audit score in a single browser profile has fundamental limits. Every mitigation above applies to one identity in one browsing context. The moment you need to:
- Separate work browsing from personal browsing with different fingerprints
- Manage multiple accounts on the same platform without cross-linking
- Test how your site appears to users in different geolocations
- Run browser automation without exposing your main profile’s cookies and history
How Send.win Helps With Browser Privacy Audit Checklist
Send.win is an antidetect browser built for exactly this kind of work â every profile is a clean, isolated identity:
- Isolated profiles â unique fingerprint, separate cookies and storage per profile
- Stealth engine â canvas, WebGL, fonts, and audio spoofed at the engine level
- Desktop app + cloud sessions â native app for Windows, macOS, and Linux, or run profiles in the cloud with no install
- Built-in residential proxies â with automatic timezone, locale, and WebRTC matching
- Team features â share logged-in profiles with teammates without sharing passwords
Try the instant cloud browser demo â no install, no signup â or download the desktop app. The 30-day free trial needs no credit card, and paid plans start at $6.99/month billed annually (see pricing).
âĶa single audited browser can’t help you. You need multiple isolated profiles, each passing its own audit independently.
How Isolation Extends the Audit
Browser isolation through tools like Sendwin Browser doesn’t replace the 15-point audit â it multiplies it. Each isolated profile is a separate browsing environment with its own:
- Cookie and storage scope â items 1-2 are enforced per profile, not just per browser
- Fingerprint identity â items 4 and 15 become per-profile settings, not global compromises
- Network path â items 5 and 6 (WebRTC and DNS) are resolved per-profile through assigned proxies
- Extension set â item 8 can be customized per profile instead of one-size-fits-all
The result: instead of one well-audited identity, you get as many well-audited identities as you need â each isolated from every other. For deeper reading on anonymous browsing techniques that complement this audit, we’ve got you covered.
Maintaining Your Audit Over Time
A privacy audit isn’t a one-time event. Browsers update every few weeks, and updates frequently reset privacy settings, add new data-sharing features (looking at you, Chrome), or change the default behavior of existing settings. Build a maintenance cadence:
- Monthly: Re-run the fingerprint test (item 4) and leak tests (items 5, 6) â these break most often after updates.
- After every browser update: Check that HTTPS-Only mode, tracking protection level, and cookie settings weren’t reset to defaults.
- Quarterly: Full 15-point re-audit. Extensions get acquired by data companies, new tracking techniques emerge, and settings you set six months ago may no longer be sufficient.
- After installing any new extension: Review its permissions immediately and re-run the fingerprint test â new extensions change your fingerprint surface.
ð Send.win Verdict
A clean privacy audit is necessary but not sufficient. The real gap is isolation â separating identities, fingerprints, and network paths across profiles. Sendwin Browser lets you create up to 150 fully isolated profiles on the Pro plan ($6.99/month annually) or 500 on Team ($20.99/month annually), each with its own fingerprint, proxy, and storage â so every profile passes its own independent audit. Cloud browser sessions mean you can run audited profiles from any machine without local installation, and the Automation API (Selenium, Puppeteer, Playwright) lets you script audit verification across all profiles at once.
Try Send.win free today â 30-day trial, no credit card, and run your first audit in an isolated profile in minutes.
Frequently Asked Questions
How often should I run a browser privacy audit?
Do a full 15-point audit quarterly, with spot checks on fingerprinting and leak tests monthly. Any time your browser updates or you install a new extension, re-check the affected items. Browser updates frequently reset privacy settings to less protective defaults without notifying you.
Does incognito or private browsing mode pass this audit?
Partially. Incognito mode clears cookies and history on close (items 1-2), but it doesn’t block fingerprinting (items 4, 15), fix DNS or WebRTC leaks (items 5-6), change your search engine (item 9), or add tracker blocking beyond browser defaults (item 3). It’s better than nothing but far from comprehensive privacy protection.
Can a VPN replace most items on this checklist?
A VPN addresses items 5 (WebRTC, partially) and 6 (DNS, if configured correctly) and hides your IP from websites. It does nothing for cookies, trackers, fingerprinting, extensions, permissions, or any other browser-level exposure. A VPN protects your network connection; this checklist protects your browser â they’re complementary, not interchangeable.
Which audit items are the highest priority if I can only fix a few?
Start with: item 3 (tracker blocking â install uBlock Origin), item 5 (WebRTC leak â one setting change), item 7 (HTTPS-Only mode â one setting change), and item 4 (fingerprint awareness â know your uniqueness score even if you can’t fully fix it yet). These four give you the biggest privacy improvement for the least effort.
Do browser fingerprint tests give different results each time?
They should give the same result each time â that’s the point of fingerprinting. Your canvas hash, WebGL output, and font list are deterministic for a given hardware/software combination. If you see different results across visits, your browser or an extension is adding randomization noise, which is a form of protection (though detectable as such by sophisticated trackers).
Is Firefox more private than Chrome out of the box?
Yes, significantly. Firefox blocks third-party cookies by default (Enhanced Tracking Protection), supports privacy.resistFingerprinting, doesn’t tie browsing to a Google account by default, and offers DNS-over-HTTPS natively. Chrome has improved, but its business model depends on advertising data, which creates inherent tension with user privacy. Both can be hardened, but Firefox starts from a better baseline.
What’s the difference between blocking fingerprinting and managing fingerprints?
Blocking returns blank or generic values â which is itself a rare, identifiable fingerprint. Managing fingerprints means each browser profile returns unique, realistic values that look like a real device. Managed fingerprints blend in with normal traffic; blocked fingerprints stand out as privacy-tool users. For multi-account or professional privacy use, managed fingerprints through isolated browser profiles are more effective.
Will passing all 15 items make me completely untraceable online?
No. This audit covers browser-level privacy, but tracking also happens at the network level (ISP logging), the application level (logged-in services), and the behavioral level (typing patterns, mouse movements, content preferences). A clean browser audit is a critical layer, but comprehensive privacy requires layered defenses including VPNs, careful account management, and isolated browsing profiles for separate identities.