CSS Fingerprinting Techniques 2026: How Websites Track You Without a Single Line of JavaScript
When most people think about browser fingerprinting, they picture JavaScript APIs — Canvas, WebGL, AudioContext, Navigator properties. But there’s a far more insidious tracking method that operates entirely without JavaScript: CSS fingerprinting techniques 2026. Using nothing but stylesheets, websites can identify your browser, operating system, screen configuration, installed fonts, supported features, and even your browsing history — all while remaining completely invisible to script blockers, privacy extensions, and most antidetect solutions.
CSS fingerprinting is the silent threat that most privacy tools ignore. In 2026, it has evolved from an academic curiosity into a practical tracking technique used by analytics platforms, ad networks, and anti-bot services. This guide explains exactly how it works, why it’s so hard to block, and what you can do to protect yourself.
Why CSS Fingerprinting Is Different (and Dangerous)
JavaScript-based fingerprinting has a fundamental weakness: it requires JavaScript to execute. Users can block JavaScript entirely, use extensions like NoScript or uBlock Origin, or run browsers with JavaScript disabled. When JavaScript is blocked, these fingerprinting methods simply don’t work.
CSS fingerprinting has no such weakness. CSS is loaded and processed by the browser’s rendering engine as a core part of page display. You cannot browse the modern web without CSS — disabling it makes virtually every website unusable. This gives CSS fingerprinting several unique advantages:
- Invisible to script blockers: NoScript, uBlock Origin, and similar extensions block JavaScript but allow CSS to load normally
- No Content Security Policy restrictions: CSP headers control script execution, not stylesheet behavior
- No browser API required: CSS fingerprinting uses the rendering engine directly — no navigator, document, or window objects needed
- Undetectable to the user: There’s no console activity, no network panel anomalies, and no performance impact
- Works in privacy modes: Incognito/private browsing doesn’t change CSS behavior
If you want to understand the full picture of how browsers can be identified, our comprehensive guide on browser fingerprinting explained covers every major technique — including the CSS methods we’ll explore in depth here.
Core CSS Fingerprinting Techniques
Let’s dive into each major css fingerprinting techniques 2026 method, from the well-established to the cutting-edge.
1. @media Query Fingerprinting
CSS @media queries are designed to apply styles based on device characteristics. But they can also be weaponized to extract detailed information about the user’s environment by loading unique background images for each condition — sending data to the server without any JavaScript.
Screen Resolution and Dimensions
Media queries can detect exact screen dimensions, pixel density, and aspect ratio:
/* Detecting screen width */
@media (width: 1920px) {
.probe { background: url('/fingerprint?width=1920'); }
}
@media (width: 1440px) {
.probe { background: url('/fingerprint?width=1440'); }
}
@media (width: 2560px) {
.probe { background: url('/fingerprint?width=2560'); }
}
/* Detecting device pixel ratio */
@media (-webkit-min-device-pixel-ratio: 2) {
.probe { background: url('/fingerprint?dpr=2'); }
}
@media (-webkit-min-device-pixel-ratio: 3) {
.probe { background: url('/fingerprint?dpr=3'); }
}
Each matching media query triggers a unique URL request, telling the server the user’s exact screen configuration. With enough granularity (testing hundreds of width values), this alone can significantly narrow down the user’s identity. For a deeper exploration of how screen properties are used for tracking, see our article on screen resolution fingerprinting.
Color Depth and Color Scheme
Media queries also reveal color capabilities and user preferences:
/* Color depth */
@media (color: 8) {
.probe { background: url('/fingerprint?color-depth=8bit'); }
}
/* Dark mode preference */
@media (prefers-color-scheme: dark) {
.probe { background: url('/fingerprint?scheme=dark'); }
}
/* Reduced motion preference */
@media (prefers-reduced-motion: reduce) {
.probe { background: url('/fingerprint?motion=reduced'); }
}
/* High contrast mode */
@media (forced-colors: active) {
.probe { background: url('/fingerprint?forced-colors=true'); }
}
These preference queries reveal personal settings that users rarely change — making them stable, long-term fingerprinting signals.
Pointer and Hover Capabilities
CSS can detect input device types, distinguishing between mouse, touch, and stylus:
@media (pointer: fine) {
.probe { background: url('/fingerprint?pointer=fine'); }
}
@media (pointer: coarse) {
.probe { background: url('/fingerprint?pointer=coarse'); }
}
@media (hover: hover) {
.probe { background: url('/fingerprint?hover=true'); }
}
2. @supports Feature Detection
The CSS @supports rule tests whether the browser supports specific CSS features. By probing for a large set of features, trackers can determine the exact browser engine and version:
/* WebKit-specific features */
@supports (-webkit-backdrop-filter: blur(1px)) {
.probe { background: url('/fingerprint?webkit-backdrop=true'); }
}
/* Firefox-specific features */
@supports (-moz-appearance: none) {
.probe { background: url('/fingerprint?moz-appearance=true'); }
}
/* Modern CSS features (version-dependent) */
@supports (container-type: inline-size) {
.probe { background: url('/fingerprint?container-queries=true'); }
}
@supports (anchor-name: --test) {
.probe { background: url('/fingerprint?anchor-positioning=true'); }
}
@supports selector(:has(*)) {
.probe { background: url('/fingerprint?has-selector=true'); }
}
By testing 50-100 CSS features with known browser support timelines, a tracker can determine:
- Browser engine: Blink (Chrome/Edge/Opera), Gecko (Firefox), or WebKit (Safari)
- Browser version: Narrow down to a specific version range based on feature support
- Rendering capabilities: Hardware acceleration, compositing support, etc.
This is especially powerful for detecting antidetect browsers that spoof the User-Agent but can’t change which CSS features the rendering engine actually supports.
3. CSS Visited Link History Detection
The :visited pseudo-class has been one of the most controversial CSS fingerprinting vectors for over a decade. While browsers have implemented significant restrictions (blocking getComputedStyle() for visited links and limiting style changes to color properties), researchers continue to find side-channel attacks:
Timing-Based Visited Link Detection
In 2026, researchers demonstrated that CSS animations applied to visited and unvisited links render at slightly different speeds when color properties are involved. By measuring paint timing through CSS-triggered server requests (using animation events that load background images at specific keyframes), it’s possible to determine link visit status without JavaScript.
CSS Paint API Method
The CSS Paint API (Houdini) introduces another visited link detection vector. Custom paint worklets can potentially detect color differences between visited and unvisited links through the rendering pipeline, although browsers are actively working to close this side channel.
Scale of the Problem
Even a binary “visited or not” result for 100 popular URLs creates a 100-bit identifier with 2^100 possible combinations — far more than enough to uniquely identify any user on Earth. In practice, testing just 30-50 high-traffic URLs provides strong identification capability.
4. Font Fingerprinting via CSS
CSS-based font fingerprinting exploits the fact that different operating systems, locales, and user configurations have different sets of installed fonts. This technique works entirely through CSS rendering without JavaScript font enumeration APIs.
Font Availability Detection
The technique uses CSS font stacks with a fallback mechanism:
/* Test if Arial is installed */
.font-test-arial {
font-family: 'Arial', 'fallback-font-with-different-metrics';
width: fit-content;
}
/* If Arial is installed, the element renders with Arial metrics.
If not, it renders with the fallback font's metrics.
Different widths trigger different @container queries or
cause different elements to overflow, triggering different
background-image requests. */
By testing hundreds of font names and detecting which ones are installed (through rendering width changes that trigger CSS-based server requests), trackers can build a detailed font profile. This is closely related to the JavaScript-based methods covered in our guide on font fingerprinting protection, but operates entirely at the CSS level.
Font Metrics Fingerprinting
Even when the same font is installed, different operating systems and browsers render it with slightly different metrics — character widths, line heights, kerning pairs. CSS can detect these differences through overflow detection and container queries that respond to precise content dimensions.
5. @font-face Loading Detection
The @font-face rule provides another fingerprinting vector. When a browser encounters a @font-face declaration, it only downloads the font file if it’s actually used and not already installed locally. This creates a detection mechanism:
@font-face {
font-family: 'ProbeSegoeUI';
src: url('/fingerprint?has-segoe-ui=false');
/* This URL is only fetched if Segoe UI is NOT installed */
unicode-range: U+0041; /* Only need one character to trigger */
}
.probe-segoe {
font-family: 'Segoe UI', 'ProbeSegoeUI';
}
If Segoe UI is installed locally, the browser uses it and never fetches the @font-face URL. If it’s not installed, the browser requests the fallback URL — sending a signal to the server. By probing dozens of OS-specific fonts (Segoe UI for Windows, SF Pro for macOS, Liberation Sans for Linux), trackers can determine the user’s operating system and configuration.
The CSS local() function in @font-face declarations has also been exploited for fingerprinting. Browsers that support the local() source will check for locally installed fonts before downloading, creating another detectable behavior difference.
6. CSS Paint API (Houdini) Fingerprinting
The CSS Paint API, part of the Houdini specification, allows websites to register custom paint worklets that render directly to CSS backgrounds. This powerful API creates new fingerprinting vectors:
- Rendering differences: Custom paint worklets can detect GPU capabilities, anti-aliasing behavior, and sub-pixel rendering differences across browsers and hardware
- Canvas-like fingerprinting without Canvas API: Paint worklets have access to a rendering context similar to Canvas 2D, but operate entirely within CSS — bypassing Canvas fingerprinting protections
- Performance fingerprinting: The execution speed of paint worklets varies based on hardware, creating a timing-based fingerprint
- Feature detection: Whether the CSS Paint API is supported at all is itself a fingerprinting signal (Chrome supports it, Firefox doesn’t as of 2026)
In 2026, the CSS Paint API is supported in Chromium-based browsers but not in Firefox or Safari, making it a strong browser engine differentiator. Within Chromium, rendering differences between GPU drivers and hardware configurations create additional fingerprinting entropy.
7. Container Queries as Fingerprinting Vectors
CSS Container Queries, now widely supported in 2026, allow styles to respond to the size of a parent container rather than the viewport. While designed for responsive component design, they introduce new fingerprinting capabilities:
.fingerprint-container {
container-type: inline-size;
}
/* Probe with a precisely-sized container */
@container (width > 299.5px) and (width < 300.5px) {
.probe { background: url('/fingerprint?container-width=300'); }
}
Container queries reveal information about:
- Scrollbar width: Different browsers and OS configurations use different scrollbar widths, affecting container sizes
- Font rendering differences: Text content inside containers has different metrics across platforms, affecting container layout
- Sub-pixel rendering: Browsers handle sub-pixel calculations differently, causing tiny but detectable container size variations
- Zoom level: Browser zoom affects container dimensions in browser-specific ways
8. CSS Custom Properties and Cascade Layers
Newer CSS features like custom properties (CSS variables) and cascade layers (@layer) provide additional version-detection signals:
/* Cascade layers — supported since Chrome 99, Firefox 97, Safari 15.4 */
@layer fingerprint {
@supports (background: paint(test)) {
.probe { background: url('/fingerprint?paint-api=true&layers=true'); }
}
}
The combination of supported features creates a detailed browser version profile that’s difficult to spoof without modifying the rendering engine itself.
Combining CSS Fingerprinting Signals
Individual CSS fingerprinting signals have limited entropy — screen width alone can’t identify a user. But combining multiple signals creates a powerful composite fingerprint:
| Signal Category | Approximate Entropy | Example Values Detected |
|---|---|---|
| Screen dimensions | ~8 bits | 1920×1080, 2560×1440, 1440×900 |
| Device pixel ratio | ~3 bits | 1x, 2x, 3x, 1.5x, 1.25x |
| Color scheme preference | ~1 bit | light, dark |
| Reduced motion | ~1 bit | reduce, no-preference |
| Pointer type | ~2 bits | fine, coarse, none |
| @supports features (50 tests) | ~15 bits | Browser engine + version range |
| Installed fonts (100 tests) | ~20 bits | OS + locale + custom fonts |
| Scrollbar width | ~3 bits | 0px, 15px, 17px (varies by OS/browser) |
| Color depth | ~2 bits | 24-bit, 30-bit, 8-bit |
| Forced colors / high contrast | ~1 bit | active, none |
Combined, these signals yield approximately 56 bits of entropy — enough to uniquely identify one user in over 72 quadrillion possibilities. In practice, 33 bits of entropy is sufficient to uniquely identify any person on Earth (2^33 ≈ 8.5 billion). CSS fingerprinting provides nearly double that.
Why CSS Fingerprinting Is So Hard to Block
Defending against CSS fingerprinting is fundamentally harder than defending against JavaScript fingerprinting because CSS is deeply integrated into the browser’s rendering pipeline:
No API to Override
JavaScript fingerprinting can be countered by overriding APIs — spoofing navigator.userAgent, modifying Canvas output, or blocking WebGL calls. CSS fingerprinting doesn’t use JavaScript APIs. The information is extracted through the rendering engine’s native behavior, which can’t be overridden through extensions or scripts.
Blocking CSS Breaks the Web
Unlike JavaScript (which can be selectively blocked), CSS is essential for website layout and presentation. Blocking CSS makes every website unusable. Even blocking specific CSS features (like @media queries) would break responsive design on virtually every modern website.
No Fingerprinting “API” to Detect
JavaScript fingerprinting scripts can be detected by content blockers that identify known fingerprinting code patterns. CSS fingerprinting probes look identical to legitimate responsive design code — there’s no way to distinguish a fingerprinting @media query from a layout @media query.
Server-Side Data Collection
CSS fingerprinting sends data to servers via image URLs in background-image properties. These requests look like normal resource loads and can’t be distinguished from legitimate image requests by network-level privacy tools.
CSS Fingerprinting vs. JavaScript Fingerprinting
| Aspect | CSS Fingerprinting | JavaScript Fingerprinting |
|---|---|---|
| Requires JavaScript | No | Yes |
| Blocked by NoScript | No | Yes |
| Blocked by ad blockers | Rarely | Sometimes |
| Entropy (bits) | ~50-60 | ~70-100+ |
| Stealth level | Extremely high | Moderate (detectable) |
| Browser API needed | None | Canvas, WebGL, Audio, etc. |
| Works in privacy mode | Yes | Partially |
| Can be spoofed by extensions | Very difficult | Possible |
| Detection by privacy tools | Nearly impossible | Common |
| User visibility | Invisible | Visible in console/devtools |
Real-World CSS Fingerprinting Usage in 2026
CSS fingerprinting is no longer just an academic exercise. In 2026, it’s actively used by:
- Ad networks: Cross-site tracking after cookie deprecation, using CSS probes as supplementary identification signals
- Anti-fraud platforms: Detecting users who block JavaScript but still interact with forms and content
- Anti-bot services: Adding CSS fingerprinting as an additional detection layer alongside JavaScript challenges, since bots that block JavaScript still process CSS
- Analytics platforms: Providing “cookieless analytics” that use CSS-based signals for user identification
- Paywall enforcement: Identifying repeat visitors who clear cookies and block JavaScript tracking
How Send.win Helps You Master Css Fingerprinting Techniques 2026
Send.win makes Css Fingerprinting Techniques 2026 simple and secure with powerful browser isolation technology:
- Browser Isolation – Every tab runs in a sandboxed environment
- Cloud Sync – Access your sessions from any device
- Multi-Account Management – Manage unlimited accounts safely
- No Installation Required – Works instantly in your browser
- Affordable Pricing – Enterprise features without enterprise costs
Try Send.win Free – No Credit Card Required
Experience the power of browser isolation with our free demo:
- Instant Access – Start testing in seconds
- Full Features – Try all capabilities
- Secure – Bank-level encryption
- Cross-Platform – Works on desktop, mobile, tablet
- 14-Day Money-Back Guarantee
Ready to upgrade? View pricing plans starting at just $9/month.
To understand the full landscape of detection methods you need to worry about, our guide on browser fingerprint test tools shows you how to audit your exposure across all fingerprinting vectors, including CSS-based methods.
How to Protect Against CSS Fingerprinting
Given the difficulty of blocking CSS fingerprinting, effective protection requires fundamental changes to how your browser interacts with websites:
Tor Browser Approach
The Tor Browser takes the most aggressive approach to CSS fingerprinting — it normalizes many CSS-detectable properties: forcing a standard window size (1000×1000), disabling custom fonts, and limiting @media query responses. This reduces CSS fingerprinting entropy significantly but also degrades the browsing experience.
Browser-Level Mitigations
Firefox has implemented some CSS fingerprinting protections in its Enhanced Tracking Protection (ETP), including:
- Restricting
:visitedlink styling to prevent history sniffing - Partitioning font access by site (preventing cross-site font fingerprinting)
- Reducing precision of some @media query values
However, these mitigations are incomplete — @supports detection, @font-face probing, and most @media query fingerprinting remain fully functional.
Cloud Browser Isolation
The most comprehensive protection against CSS fingerprinting comes from cloud browser platforms that render web content in a remote, isolated environment. When you use a cloud browser:
- The CSS fingerprint reflects the cloud server’s configuration, not your local device
- Each browser session can have a different, consistent profile (screen size, fonts, OS)
- Your real device characteristics are never exposed to the website
- Font fingerprinting tests detect the server’s fonts, not yours
- @media queries respond based on the virtual environment’s properties
Send.win’s cloud browser platform provides exactly this kind of isolation. Each browser session runs in a fully managed cloud environment where all CSS-detectable properties — screen dimensions, device pixel ratio, installed fonts, OS preferences, and browser features — are part of a controlled, consistent browser profile. The website’s CSS fingerprinting probes receive real, consistent data from the cloud environment, never from your actual device.
The Future of CSS Fingerprinting
Several emerging CSS specifications will create new fingerprinting vectors in the coming years:
- CSS View Transitions: Performance and rendering differences during view transitions may reveal hardware capabilities
- CSS Scroll-Driven Animations: Scrollbar and scroll behavior differences across browsers create new signals
- CSS Nesting: Parser differences in nested CSS handling may distinguish engine versions
- CSS Color Level 4: Support for wide-gamut colors (display-p3, oklch) reveals monitor capabilities
- CSS Anchor Positioning: Implementation differences in this new feature create version-specific fingerprints
As CSS specifications continue to evolve rapidly, the fingerprinting surface area only grows. Each new feature that can be probed with @supports or that affects rendering in detectable ways adds entropy to CSS-based fingerprints.
🏆 Send.win Verdict
CSS fingerprinting is the stealthiest tracking technique in 2026 — it works without JavaScript, bypasses privacy extensions, and is nearly impossible to detect or block. The only reliable defense is to ensure that CSS probes never reach your real device. Send.win’s cloud browser achieves exactly this: every browser session runs in an isolated cloud environment where screen dimensions, fonts, color depth, OS preferences, and CSS feature support are all part of a managed browser profile. Websites see the cloud environment’s CSS fingerprint, never yours.
Try Send.win free today — eliminate CSS fingerprinting exposure with fully isolated cloud browser sessions.
Frequently Asked Questions
What is CSS fingerprinting and how does it work without JavaScript?
CSS fingerprinting is a tracking technique that identifies users by exploiting CSS features built into the browser’s rendering engine. It works by using CSS rules like @media queries, @supports, @font-face, and background-image URLs to extract device information and send it to a server. When a CSS condition matches (e.g., a specific screen width), the browser loads a unique background image URL that tells the server what matched. No JavaScript is needed because CSS processing is handled natively by the rendering engine.
Can ad blockers or privacy extensions stop CSS fingerprinting?
No, most ad blockers and privacy extensions cannot stop CSS fingerprinting. Extensions like uBlock Origin and NoScript primarily block JavaScript execution and known tracking domains. CSS fingerprinting probes look identical to normal responsive design code and use standard CSS features that extensions can’t block without breaking website layouts. Even aggressive content blockers like Brave’s shields have limited effectiveness against CSS-based tracking because the probes are indistinguishable from legitimate stylesheets.
How many bits of entropy can CSS fingerprinting collect?
CSS fingerprinting can collect approximately 50-60 bits of entropy by combining signals from screen dimensions (~8 bits), device pixel ratio (~3 bits), color scheme preference (~1 bit), pointer type (~2 bits), @supports feature detection (~15 bits), installed fonts (~20 bits), and several other signals. Since only 33 bits of entropy are needed to uniquely identify any person among Earth’s 8.5 billion inhabitants, CSS fingerprinting alone provides more than enough information for unique identification.
What CSS properties are used for fingerprinting?
The main CSS properties and features used for fingerprinting include: @media queries (detecting screen size, color depth, pixel ratio, color scheme, pointer type, hover capability, and reduced motion preference), @supports rules (detecting browser engine and version through feature support), @font-face with local() sources (detecting installed fonts), the :visited pseudo-class (detecting browsing history), CSS Paint API (detecting GPU and rendering capabilities), container queries (detecting scrollbar width and rendering differences), and CSS custom properties (detecting browser version support).
Is CSS fingerprinting used by major websites in 2026?
Yes, CSS fingerprinting is actively used in 2026 by ad networks for post-cookie tracking, anti-fraud platforms for detecting JavaScript-blocking users, anti-bot services as an additional detection layer, analytics platforms for “cookieless” user identification, and paywall enforcement systems. While it’s less common than JavaScript fingerprinting, its stealth advantage makes it increasingly attractive for scenarios where users actively block traditional tracking methods.
How does the CSS Paint API enable fingerprinting?
The CSS Paint API (part of the Houdini specification) allows websites to register custom paint worklets that render directly to CSS backgrounds. These worklets have access to a Canvas-like rendering context, enabling Canvas-style fingerprinting without using the Canvas API. The paint worklets can detect GPU capabilities, anti-aliasing behavior, and sub-pixel rendering differences. Additionally, whether the CSS Paint API is supported at all is itself a fingerprinting signal — Chrome supports it while Firefox doesn’t, immediately distinguishing between browser engines.
Can CSS detect which fonts are installed on my computer?
Yes, CSS can detect installed fonts through two main techniques. First, @font-face declarations with remote fallbacks: if a local font exists, the browser uses it without downloading the fallback; if it doesn’t exist, the browser fetches the remote font file — a request the server can log. Second, font metrics detection: text rendered with a specific font-family has different widths and heights depending on whether the named font or a fallback font is used. These dimension differences can trigger CSS container queries or overflow conditions that load unique background image URLs, signaling the result to the server.
What’s the best protection against CSS fingerprinting in 2026?
The most effective protection is using a cloud browser platform like Send.win that renders web content in a remote, isolated environment. This ensures that CSS fingerprinting probes detect the cloud server’s properties — not your real device’s screen size, fonts, or OS settings. Other partial mitigations include using the Tor Browser (which normalizes many CSS-detectable properties), Firefox’s Enhanced Tracking Protection (which restricts some CSS fingerprinting vectors), and maintaining consistent browser profiles across sessions. However, no client-side solution can fully prevent CSS fingerprinting because CSS is a fundamental, non-blockable part of web rendering.