A step-by-step checklist to audit your own browser fingerprint for UA, timezone, GPU, font, and automation-flag mismatches before a detector does.
Detection systems don't just ask whether your browser fingerprint is unique — they ask whether it's coherent, as covered in Fingerprint Consistency: Why Mismatched Signals Get You Flagged. That's the theory. This post is the practice: a concrete checklist you can run against your own browser, point by point, before a real detection system runs it for you. Work through each item below with BrowserInsight's fingerprint check open in another tab.
Key Takeaways
- Run through seven checks: UA vs. OS/platform, timezone vs. IP geolocation,
Accept-Languagevs. IP region, GPU/WebGL vendor vs. claimed OS, installed fonts vs. claimed OS, screen size/device-pixel-ratio sanity, and automation flags. - Each check compares two signals that should tell the same story about one device — a mismatch anywhere is what a coherence scorer looks for first.
- Most checks take under a minute using BrowserInsight's fingerprint check and kernel check — no extra tooling required.
- A single mismatch rarely triggers anything on its own; the checklist is most useful for catching an accumulation of small inconsistencies left by a privacy extension, VPN, or anti-detect profile.
- Treat this as a self-audit, not a guarantee — real detection stacks also weigh behavior and network-level signals a static checklist can't see.
Before You Start
Open the fingerprint check tool in one tab and the kernel check tool in another. The fingerprint check surfaces your user-agent, WebGL renderer, timezone, language array, screen metrics, and font list in one place; the kernel check compares your claimed browser against what the JavaScript engine actually looks like from the inside — useful for catching a spoofed UA that claims a browser it isn't running. Run through the seven checks below in order; each takes under a minute.
1. User-Agent vs. OS/Platform
Read your user-agent string and navigator.platform side by side. Do they name the same operating system? A UA claiming "Windows NT 10.0" alongside a platform value of MacIntel, or an iPhone UA paired with a Win32 platform string, is an internal contradiction — these two values are supposed to come from the same OS-level API and cannot legitimately disagree on a real device.
Pass: UA and platform name the same OS family.
Fail: UA claims one OS, navigator.platform reports another.
2. Timezone vs. IP Geolocation
Check Intl.DateTimeFormat().resolvedOptions().timeZone — the system timezone your OS reports — against the region your IP address geolocates to on the IP intelligence tool. A America/Chicago timezone behind a Singapore-based IP is explainable (a traveler, a VPN), but it's exactly the kind of mismatch how websites detect VPNs relies on when scored alongside other signals.
Pass: Timezone region is plausible for the IP's geolocation. Fail: Timezone and IP geolocation point at different continents or time offsets with no travel/VPN explanation.
3. Accept-Language vs. IP Region
Compare navigator.languages (and the Accept-Language header your requests send) against the language you'd expect for your IP's region. navigator.languages reflects your OS locale order, not just a browser setting, so a claimed "US-based Chrome" session reporting ["zh-TW", "vi"] as its only languages, with no English present, is unusual on its own and compounds quickly if the timezone check above also fails.
Pass: At least one reported language matches what's common for the IP's region. Fail: The full language list is implausible for the claimed location, especially in combination with other mismatches.
4. GPU/WebGL Vendor vs. Claimed OS
Open the fingerprint check's WebGL section and read the unmasked renderer string. Certain rendering backends only exist on certain operating systems — a Direct3D token in the renderer string can only come from Windows, and an ANGLE (Apple, ...) or Metal-backed string only comes from macOS. If your UA claims macOS but the renderer string names a Direct3D backend, that combination is not just rare — it's physically impossible on a real device.
Pass: The renderer string's backend is consistent with the OS your UA claims. Fail: The renderer names a backend that doesn't exist on the claimed OS.
5. Installed Fonts vs. Claimed OS
Each desktop OS ships a distinct set of default fonts nothing else has: Windows bundles fonts like Calibri and Segoe UI, macOS bundles San Francisco and Helvetica Neue, and common Linux distributions ship neither. Check the font list the fingerprint check reports against your claimed OS — a "Windows" session with no Windows-exclusive fonts detected, or a font list that mixes exclusively-macOS and exclusively-Windows fonts, is a tell that the profile was assembled rather than run on a real machine.
Pass: Detected fonts include at least some fonts exclusive to the claimed OS, and none exclusive to a different one. Fail: The font list contradicts the claimed OS, or mixes fonts from operating systems that can't coexist.
6. Screen Size / Device Pixel Ratio Sanity
If your UA claims a phone (iPhone or Android), the screen dimensions and touch support should match. A mobile UA reporting a 2560×1440 screen with no touch events, or a device-pixel-ratio that doesn't match any shipped phone model, is one of the most common seams left by desktop automation tools that swap the UA string without adjusting the underlying device model.
Pass: Screen size, device pixel ratio, and touch support are all consistent with a real device matching the claimed UA. Fail: A mobile UA reports desktop-scale resolution and/or no touch support, or vice versa.
7. Automation Flags
Finally, check for the direct automation tells: does navigator.webdriver report true? Does window.chrome exist when it should for your claimed browser? Are navigator.plugins and the Permissions API returning internally consistent, non-empty results? These are the first things a bot-detection pipeline checks, well before any of the coherence comparisons above, and they're covered in depth in headless browser detection.
Pass: navigator.webdriver is false/undefined, and plugin/permissions data looks like a normal desktop browser.
Fail: navigator.webdriver reports true, or the properties around it look artificially patched.
Reading Your Results
One failed check in isolation often isn't damning — real users occasionally show up in unusual combinations. What raises a score is accumulation: a mismatched timezone plus a mismatched language plus a font list that doesn't fit the claimed OS is a different story than any single item alone. If you're running a privacy browser, an extension, or a VPN, expect the timezone/IP check to legitimately fail sometimes — that's an expected trade-off, not a bug — but the GPU, font, and automation-flag checks should still pass on a genuine device, since nothing about changing your network path or UA string touches them.
Frequently Asked Questions
Do I need to pass every item on this checklist?
Not necessarily. A VPN user will often fail the timezone/IP check by design — that's the whole point of using one — while still passing every other item. The checklist is most useful for spotting unexpected failures, particularly ones you can't explain from a tool you're intentionally running.
Which checklist item is hardest to fix with a privacy tool?
The GPU/WebGL renderer string (item 4) and installed fonts (item 5) are the hardest, because they're read from hardware and the OS respectively rather than a browser setting — spoofing them convincingly requires more than changing a header or a JavaScript-readable property.
Can I run this checklist on mobile?
Yes, though item 5 (fonts) and item 6 (screen/DPR) matter differently — mobile OSes ship a narrower, more uniform font set, and screen/touch consistency is the primary check that matters for a phone UA. Mobile browser fingerprinting covers what's actually distinctive on mobile devices.
Conclusion
None of these seven checks require special tools beyond what BrowserInsight already runs client-side. Working through them in order — UA/platform, timezone/IP, language/IP, GPU/OS, fonts/OS, screen/touch, and automation flags — surfaces the same mismatches a real coherence scorer looks for, in the order most detection pipelines check them: cheap, near-zero-false-positive checks first, probabilistic ones after. Run the fingerprint check and kernel check together, and you'll know before any detector does whether your setup tells one consistent story.
Recommended Reading:
- Fingerprint Consistency: Why Mismatched Signals Get You Flagged
- Browser Fingerprinting Explained: How to Protect Your Privacy
- How to Detect User-Agent Spoofing (and Why It's Easy to Spot)
- How Websites Detect VPNs and Proxies (and Why You Get Blocked)
- Impossible Fingerprints: GPU/OS/Font Combinations That Flag You


