Educational privacy tool

Client-Side Exposure Audit

A live mirror of what any website can passively learn about you. Every probe runs in your browser. Nothing is sent to our servers, nothing is stored.

Low exposure

Network & connection

Network & IP
Exposed

Your public IP reveals your ISP, ASN, and approximate location. A VPN replaces this, but doesn't hide what's below.

WebRTC leaks
OK

WebRTC can expose your private LAN IP even through a VPN. Disable it in browser settings or with an extension to plug this leak.

Privacy signals sent
Info

DNT and GPC tell sites you don't consent to tracking. Most ignore DNT; GPC is legally binding in some jurisdictions (e.g. California).

Device & environment

Browser & hardware
Exposed

These values are read with zero permissions. Combined, they narrow you to a small population of devices.

System preferences
Info

Accessibility preferences and input modality reveal usage context (mobile vs desktop, dark mode, assistive needs).

Platform features
Info

Feature availability itself is a fingerprint. Browsers that ship more APIs become easier to identify.

Fingerprint identity

Canvas, WebGL & audio
Leaking

These hashes create a stable ID that survives clearing cookies. Privacy browsers randomize them.

Installed fonts
OK

The combination of fonts on your device often reveals your operating system, language packs, and installed software suites.

Speech voices
OK

The set of speech-synthesis voices varies by OS, version, and installed language packs — a powerful fingerprint vector.

Permissions & sensors

Permissions API status
Info

The Permissions API reveals which capabilities you've granted, denied, or never been prompted for — without re-prompting.

Media devices
Info

A site can count your cameras, mics, and speakers without permission. Labels only appear after you grant access to one. Try the buttons below.

Active probes (require your consent)
Info

These APIs need a click to fire. Use them to compare passive leakage above against what a granted permission additionally reveals.

Storage state

Storage stores
Info

Any script on this origin can read these stores. XSS turns them into an exfiltration target, which is why session tokens belong in HttpOnly cookies.

Storage quota
Info

Browsers allocate a sandbox per origin. The quota and current usage are visible to scripts on this origin.

Theory & defense

DNS rebinding (concept)
Info
  1. User visits evil.com — DNS returns a public IP.
  2. Browser loads JavaScript. SOP is satisfied.
  3. Attacker flips DNS for evil.com to 192.168.1.1.
  4. New request to evil.com resolves to the local router.
  5. Browser compares the origin string and allows the request.

Defense: routers with DNS rebinding protection, plus modern browsers blocking public-to-private requests.

Same-Origin Policy is enforced against the domain name, not the IP. If DNS flips a public hostname to a private IP after page load, the browser may allow access to local services.
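
What resolver-side rebinding protection does with the answer in step 3, as an added JavaScript example (not code from this tool): it drops answers that point a non-local name at private, loopback, or link-local addresses. The function names, the `localDomains` setting, and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example, not the audit page's code. Hostnames and addresses are constructed.
// IPv4 ranges a public name should never resolve to (unspecified, private, loopback, link-local, CGNAT).
const BLOCKED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
const V4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Parse a dotted quad into an unsigned 32-bit integer, or null if malformed.
function v4ToInt(ip) {
  const m = V4_RE.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
}

function isInternalV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return true; // malformed input: fail closed
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === v4ToInt(base);
  });
}

function isInternalAddress(addr) {
  const a = String(addr).toLowerCase();
  if (!a.includes(':')) return isInternalV4(a);
  if (a.startsWith('::ffff:')) return isInternalV4(a.slice(7)); // IPv4-mapped; hex form fails closed
  // Loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
  return a === '::1' || a === '::' || /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
}

// Split the answers for `hostname` into those safe to return and those dropped.
// `localDomains` (hypothetical setting) lists suffixes allowed to use internal addresses.
function filterAnswers(hostname, answers, localDomains = []) {
  const name = hostname.toLowerCase().replace(/\.$/, '');
  if (localDomains.some((d) => name === d || name.endsWith('.' + d))) {
    return { allowed: [...answers], dropped: [] };
  }
  const allowed = [], dropped = [];
  for (const ip of answers) (isInternalAddress(ip) ? dropped : allowed).push(ip);
  return { allowed, dropped };
}

// Steps 1 and 3 of the walkthrough: same name, first a public answer, then the router's address.
console.log(filterAnswers('evil.com', ['203.0.113.10']));
console.log(filterAnswers('evil.com', ['192.168.1.1']));
```

With the filter in place, the second lookup returns no usable address, so the request in step 4 never reaches the router.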

Side-channel timing (concept)
Info
  • Cache hits vs misses reveal whether a resource was visited.
  • Constant-time comparisons defend against secret-leaking timing.
  • Cross-origin isolation (COOP/COEP) limits Spectre attack surface.

Even when data isn't directly readable, how long operations take can leak it. Spectre, cache timing, and CSS history sniffing all exploit this.

What to do about it
Info
  • Use a privacy-respecting browser (Firefox, Brave, Tor Browser).
  • Install fingerprinting blockers like CanvasBlocker or uBlock Origin.
  • Disable WebRTC or set it to use proxy only.
  • Combine a VPN with browser hardening — neither alone is enough.
  • Enable DNS rebinding protection on your router.
  • Keep your browser and OS updated — leaks are fixed every release.

No tool eliminates fingerprinting entirely. Stacking these defenses dramatically reduces your trackability.