Font enumeration (also called font fingerprinting) is a technique websites use to discover which fonts are installed on your device and how text renders in those fonts. Because font sets vary between devices, this information can help distinguish or identify visitors. The technique works by asking the browser to render text with many different font names and measuring differences in width or appearance. If a tested font isn’t installed, the browser falls back to a default font - and that difference reveals the absence of the font.
Modern browsers commonly test around 150 well-known fonts using JavaScript and CSS. The results form a “font fingerprint”: a pattern of fonts present or absent on the device. When two devices report similar font sets, tracking systems may treat them as likely related.
System fonts are the typefaces that come pre-installed with an operating system (e.g., Windows, macOS, Linux). They’re used when no custom or web font is specified. Users can also install additional fonts manually, and applications sometimes add fonts to ensure correct rendering. On Windows, font files are commonly .ttf or .otf.
When a website requests a font that isn’t installed locally, the browser automatically falls back to a system font so text remains readable. Because different machines may have different fonts available, the same webpage can look slightly different on different devices.
As different users can have different sets of fonts installed on their computers, it can be used as a discriminatory indication. If 2 visitors have the same fonts installed on their devices, they may be visiting from the same computer, and it can be a red flag for your online accounts.
Let’s see how a website can obtain the list of installed fonts.
Before 2020 browsers could use Flash (multimedia platform) to get information about the installed system fonts. Modern browsers are not supporting Flash anymore, so websites have discovered another way for font fingerprinting.
This method is using CSS (Cascading Style Sheets) and JavaScript technologies to determine the installed fonts on a machine.
A basic test forces your browser to draw a specific text with the default font installed on the machine (most often Arial) and with another ~150 different fonts. The website can check how much space does each text takes by measuring the string's width. When a text cannot be written with the font defined by the website, because it is not installed on your machine, it will be displayed with the default font. So, each text that takes the same space as the text that was originally printed with the default font, is most likely not installed on the computer.
Modern operating systems are shipped with plenty of preinstalled fonts, therefore a test that checks “only” 150 fonts may not show any difference between 2 computers with 2 actually different sets of fonts as the explicit whole list of installed fonts cannot be obtained by modern browsers.
Example: User 1 has fonts A and B. User 2 has fonts A and C. Then they visit a website, which checks for fonts A and D. In this case, both users will have the same hash code despite they have different fonts installed on their computer.
To summarize the above mentioned nature of font fingerprinting it is really hard to determine by a website if 2 visits are actually coming from the same computer or not if those computers has the same OS. However font fingerprinting can be used to determine the OS of the visiting browser. If you want to use some fingerprint browser, you need to make sure that your font fingerprint is aligned with the OS that sites can read with other fingerprinting technologies.
• Without font spoofing, an unusual or mismatched font set can reveal that your browser is being altered or automated.
• Especially when using multiple profiles or browser automation, making sure fonts stay consistent with other profile settings helps avoid leaving telltale signs.
When someone is trying to spoof his browser fingerprint without a professional tool, he may screw up the consistency of his browser fingerprint. For example, if you want to have a natural-looking Chinese browser profile, then websites should see Chinese fonts installed on your OS. Free privacy tools are not so sophisticated. Kameleo automatically aligns font sets with the intended OS and profile settings, preventing mismatches and reducing the risk of detection by font-fingerprinting scripts. See how font spoofing works.
Trusted by thousands of growth hackers, and enterprises worldwide, Kameleo makes browser automation and web scraping smarter, safer, and unstoppable. With our anti-detect browser, you can bypass anti-bot defenses, and stay one step ahead - all with human-like browsers.