1. What are Client Hints in Browser Fingerprinting?

Client Hints (CH) are an HTTP-based mechanism that allows websites to request specific device and browser attributes directly from the client, supplementing (or replacing) traditional User-Agent string parsing.

Since the gradual deprecation of full User-Agent strings in Chrome, Firefox, and Edge, Client Hints have become a primary fingerprinting source, exposing data points like:

  • Device model & brand (Sec-CH-UA-Model, Sec-CH-UA-Platform)
  • Browser version & vendor (Sec-CH-UA, Sec-CH-UA-Full-Version-List)
  • Screen dimensions (Sec-CH-Viewport-Width, Sec-CH-Width)
  • Preferred language & encoding (Sec-CH-Lang, Sec-CH-Prefers-Reduced-Motion)
  • Hardware status (Sec-CH-Save-Data, Sec-CH-DPR for display pixel ratio)

Unlike the User-Agent, Client Hints require explicit server permission (via Accept-CH header) before the browser sends them—yet many privacy-invasive scripts coerce their delivery via JavaScript or iframe tricks.


2. How Platforms Detect and Use Client Hints for Fingerprinting

Modern anti-bot and fraud detection systems actively probe Client Hints to build high-entropy fingerprints, checking for anomalies such as:

  1. Version Inconsistencies
    • Mismatched Sec-CH-UA vs. User-Agent strings
    • Impossible browser/OS combinations (e.g., Chrome 120 on Windows 7)
  2. Header Timing Attacks
    • Detecting delayed or missing headers (a sign of spoofing middleware)
    • Comparing Accept-CH permissions across sessions
  3. Hardware/Software Correlation
    • Sec-CH-UA-Model vs. navigator.hardwareConcurrency
    • Sec-CH-DPR vs. window.devicePixelRatio
  4. Forced Client Hints Extraction
    • Using <iframe> or fetch() with importance: 'high' to bypass privacy restrictions
    • Logging default vs. overridden hints to detect VM/dockerized environments

Client Hints are particularly dangerous for anonymity because they bypass traditional User-Agent spoofing tools—requiring deep browser integration to manipulate convincingly.
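
The version and platform consistency checks listed above, written as server-side detection logic. This is an added example, not code from FlashID or any detection vendor; the finding names and the sample headers are constructed, and it assumes the request arrived over HTTPS from a Chromium-based browser.

```javascript
// Added example: consistency checks between User-Agent and low-entropy Client Hints.
// Parse a Sec-CH-UA brand list, e.g. "Chromium";v="120", "Not_A Brand";v="8"
function parseBrandList(value) {
  const brands = new Map();
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="([^"]*)"/g;
  for (const m of (value || "").matchAll(re)) brands.set(m[1], m[2]);
  return brands;
}

// Sec-CH-UA-Platform value -> token expected in the User-Agent string.
// A Map avoids prototype lookups on attacker-controlled header values.
const PLATFORM_TOKENS = new Map([
  ["Windows", /Windows NT/], ["macOS", /Macintosh/], ["Android", /Android/],
  ["Linux", /Linux|X11/], ["Chrome OS", /CrOS/],
]);

// headers: object keyed by lowercase header name.
// Returns a list of finding names (names are made up for this example).
function checkClientHints(headers) {
  const findings = [];
  const ua = headers["user-agent"] || "";
  const brands = parseBrandList(headers["sec-ch-ua"]);
  const uaMajor = (ua.match(/Chrom(?:e|ium)\/(\d+)/) || [])[1];

  // Chromium sends Sec-CH-UA by default on HTTPS requests (assumed here).
  if (uaMajor && brands.size === 0) findings.push("missing-sec-ch-ua");

  // Major version in the hint vs. the one claimed by the User-Agent.
  const chMajor = brands.get("Chromium");
  if (uaMajor && chMajor && chMajor !== uaMajor) findings.push("version-mismatch");

  // Platform hint vs. the OS token in the User-Agent.
  const platform = (headers["sec-ch-ua-platform"] || "").replace(/^"|"$/g, "");
  const expected = PLATFORM_TOKENS.get(platform);
  if (expected && !expected.test(ua)) findings.push("platform-mismatch");

  // Mobile flag (?1 / ?0) vs. the "Mobile" token in the User-Agent.
  const mobile = headers["sec-ch-ua-mobile"];
  if (mobile !== undefined && (mobile === "?1") !== /Mobile/.test(ua)) {
    findings.push("mobile-mismatch");
  }
  return findings;
}

// Constructed sample: User-Agent rewritten to Windows/Chrome 120, hints left untouched.
const spoofed = {
  "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  "sec-ch-ua": '"Chromium";v="118", "Not=A?Brand";v="99"',
  "sec-ch-ua-platform": '"Linux"', "sec-ch-ua-mobile": "?0",
};
console.log(checkClientHints(spoofed)); // → [ 'version-mismatch', 'platform-mismatch' ]
```

The same function returns an empty list when the User-Agent and the hints agree, which is why tools that rewrite only the User-Agent string stand out.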


3. How FlashID Controls Client Hints Fingerprints

FlashID gives users granular control over Client Hints headers, ensuring each browser profile:
✔️ Sends only permitted hints (matching its fingerprint profile)
✔️ Maintains cross-API consistency (e.g., JS vs. HTTP headers)
✔️ Blocks forced hint extraction via permission masking

Key spoofing features include:

1. Client Hints Whitelisting

  • Select which Sec-CH-* headers are exposed per profile
  • Simulate legitimate hint negotiation with Accept-CH and Critical-CH

2. Dynamic Header Generation

  • Auto-generate Sec-CH-UA-* strings matching the browser version, OS, and device type
  • Sync Sec-CH-Viewport-Width with actual window dimensions (when resized)

3. Anti-Detection Protections

  • Block coercive hint extraction via JS/iframe injection
  • Mimic natural header send delays (~100-300ms) to evade timing checks

4. Hardware/Software Alignment

  • Enforce consistency between:
    • Sec-CH-DPR ↔ devicePixelRatio
    • Sec-CH-UA-Model ↔ navigator.userAgentData
    • Sec-CH-Width ↔ screen.width

By surgically overriding Client Hints at the network layer, FlashID defeats next-generation fingerprinting while allowing safe multi-account usage on platforms that rely on these signals for fraud scoring.

