1. What are Client Hints in Browser Fingerprinting?

Client Hints (CH) are an HTTP mechanism by which a server asks the browser for specific device and browser attributes, delivered as separate request headers rather than parsed out of the User-Agent string. In Chromium-based browsers they supplement, and for most attributes replace, the information that the User-Agent string used to carry.

Since Chromium-based browsers (Chrome, Edge and their derivatives) reduced the User-Agent string to a frozen, low-detail form, Client Hints have become a primary fingerprinting source, exposing data points like:

  • Browser brand & version (Sec-CH-UA, Sec-CH-UA-Full-Version-List)
  • Operating system & device (Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Model, Sec-CH-UA-Arch, Sec-CH-UA-Bitness)
  • Layout dimensions & pixel density (Sec-CH-Viewport-Width, Sec-CH-Width, Sec-CH-DPR)
  • User preferences (Sec-CH-Prefers-Color-Scheme, Sec-CH-Prefers-Reduced-Motion)
  • Data-saver mode (Sec-CH-Save-Data)

Firefox and Safari also froze parts of their User-Agent strings, but they do not send the Sec-CH-UA-* headers at all; Sec-CH-Lang was proposed but never shipped in any browser.

Only the three low-entropy hints (Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform) are sent with every request by default. The high-entropy hints are sent only after the origin has requested them with an Accept-CH response header (Critical-CH additionally makes the browser retry the current request with them), and the grant is cached per origin. That server opt-in is not a privacy barrier in practice: the same values are exposed to JavaScript through navigator.userAgentData.getHighEntropyValues() with no Accept-CH at all, so fingerprinting scripts embedded in a page simply read them there.
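To make the negotiation concrete, here is an added example (not code from this page or from FlashID) that simulates in JavaScript how a Chromium browser handles Accept-CH and Critical-CH. The origin names, the demoServer function and the header values in BROWSER_PROFILE are constructed for the illustration.

```javascript
// Added example (not part of the original page): simulates the Accept-CH /
// Critical-CH negotiation between a browser and an origin in plain JavaScript.
// The origin names, the server function and the browser profile values are
// constructed for this illustration.

// Low-entropy hints: a Chromium browser sends these on every request unasked.
const LOW_ENTROPY_HINTS = new Set(['sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform']);

// Constructed profile modelled on a Chromium 120 desktop build on Windows 11.
const BROWSER_PROFILE = {
  'sec-ch-ua': '"Chromium";v="120", "Google Chrome";v="120", "Not?A_Brand";v="24"',
  'sec-ch-ua-mobile': '?0',
  'sec-ch-ua-platform': '"Windows"',
  // High-entropy hints: only sent once the origin has requested them.
  'sec-ch-ua-platform-version': '"15.0.0"',
  'sec-ch-ua-model': '""',
  'sec-ch-ua-full-version-list':
    '"Chromium";v="120.0.6099.129", "Google Chrome";v="120.0.6099.129", "Not?A_Brand";v="24.0.0.0"',
  'sec-ch-ua-arch': '"x86"',
  'sec-ch-ua-bitness': '"64"',
};

// Splits an Accept-CH / Critical-CH value ("A, B, C") into lowercase hint names.
function parseHintList(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

class SimulatedBrowser {
  constructor(profile) {
    this.profile = profile;
    this.acceptChCache = new Map(); // origin -> Set of granted hint names
  }

  // Request headers: low-entropy hints always, high-entropy only if this origin asked.
  buildRequest(origin) {
    const granted = this.acceptChCache.get(origin) || new Set();
    const headers = {};
    for (const [name, value] of Object.entries(this.profile)) {
      if (LOW_ENTROPY_HINTS.has(name) || granted.has(name)) headers[name] = value;
    }
    return headers;
  }

  // One top-level navigation: send the request, cache Accept-CH for the origin, and
  // if Critical-CH names a granted hint that was absent from the request just sent,
  // retry once with the now-complete header set (this is what Chromium does).
  navigate(origin, server) {
    let request = this.buildRequest(origin);
    let response = server(request);
    const accepted = parseHintList(response.headers['accept-ch']);
    if (accepted.length) this.acceptChCache.set(origin, new Set(accepted));
    const critical = parseHintList(response.headers['critical-ch']);
    const missing = critical.filter((h) => accepted.includes(h) && h in this.profile && !(h in request));
    let retried = false;
    if (missing.length) {
      request = this.buildRequest(origin);
      response = server(request);
      retried = true;
    }
    return { request, response, retried };
  }
}

// Constructed origin: asks for three high-entropy hints and marks one as critical.
const WANTED_HINTS = ['Sec-CH-UA-Platform-Version', 'Sec-CH-UA-Model', 'Sec-CH-UA-Full-Version-List'];
function demoServer(request) {
  return {
    headers: {
      'accept-ch': WANTED_HINTS.join(', '),
      'critical-ch': 'Sec-CH-UA-Full-Version-List',
      'vary': WANTED_HINTS.join(', '), // the response depends on the hints, so caches must key on them
    },
    // What the origin actually received on this request.
    seenHints: Object.keys(request).filter((h) => h.startsWith('sec-ch-')).sort(),
  };
}

// First visit: low-entropy hints only, then a Critical-CH retry carrying the rest.
// Second visit: the cached grant means everything is sent up front, no retry.
// A different origin starts from scratch: the grant is scoped per origin.
function runNegotiation() {
  const browser = new SimulatedBrowser(BROWSER_PROFILE);
  const firstVisit = browser.navigate('https://shop.example', demoServer);
  const secondVisit = browser.navigate('https://shop.example', demoServer);
  const otherOrigin = browser.navigate('https://tracker.example', demoServer);
  return { firstVisit, secondVisit, otherOrigin };
}

console.log(JSON.stringify(runNegotiation(), null, 2));
```

Two details matter for fingerprinting: the Accept-CH grant is cached per origin, so a site sees the full hint set on every later navigation without asking again, and Critical-CH gets the high-entropy values onto the very first page load through the retry. Real Chromium additionally honours Accept-CH only on a top-level navigation response delivered over a secure connection, which this simulation does not model.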


2. How Platforms Detect and Use Client Hints for Fingerprinting

Modern anti-bot and fraud detection systems actively probe Client Hints to build high-entropy fingerprints, checking for anomalies such as:

  1. Version Inconsistencies
  • A Sec-CH-UA brand/version that disagrees with the Chrome/ token in the User-Agent string, or a Sec-CH-UA header arriving alongside a User-Agent that claims a non-Chromium browser (the signature of an extension that rewrote only the User-Agent)
  • Impossible browser/OS combinations (e.g., Chrome 120 on Windows 7, since Chromium dropped Windows 7 and 8.1 at version 110)
  2. Negotiation Anomalies
  • High-entropy hints that appear without the origin ever having sent Accept-CH, or that fail to appear (or to trigger the Critical-CH retry) after it did
  • Accept-CH grants that are not remembered across requests to the same origin the way a real browser caches them
  3. Hardware/Software Correlation
  • Sec-CH-UA-Model and Sec-CH-UA-Platform vs. navigator.userAgentData and navigator.hardwareConcurrency
  • Sec-CH-DPR vs. window.devicePixelRatio
  4. Forced Client Hints Extraction
  • Reading the same values from JavaScript with navigator.userAgentData.getHighEntropyValues(), which needs no Accept-CH opt-in, and comparing them with what arrived in the HTTP headers
  • Comparing the received hints with the defaults expected for the claimed browser build, to flag headless, virtualized or containerized environments

Client Hints are particularly dangerous for anonymity because they defeat User-Agent-only spoofing tools: an extension that rewrites the User-Agent header leaves Sec-CH-UA-* and navigator.userAgentData untouched, so the mismatch itself becomes the signal. Manipulating them convincingly requires changing the values inside the browser, not just the outgoing header.
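The following added example (not code from this page or from any vendor) implements the version and platform checks from group 1 above, plus the User-Agent-only spoofing case just described, as a server-side JavaScript function over one request's headers. The sample requests and the finding codes are constructed for the illustration; the Windows platform-version rule relies on Chromium reporting a major version of 0 in Sec-CH-UA-Platform-Version for Windows 7/8/8.1.

```javascript
// Added example (not part of the original page): the header-consistency checks a
// detection system runs over one request's Client Hints and User-Agent headers.
// Sample requests and finding codes are constructed for this illustration.

// Parses a Sec-CH-UA / Sec-CH-UA-Full-Version-List value such as
//   "Chromium";v="120", "Google Chrome";v="120", "Not?A_Brand";v="24"
// into [{ brand, version }]. GREASE brands like "Not?A_Brand" are kept but carry no signal.
function parseBrandList(value) {
  const out = [];
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(value || '')) !== null) {
    out.push({ brand: m[1].replace(/\\(.)/g, '$1'), version: m[2] });
  }
  return out;
}

const REAL_BRANDS = new Set(['Chromium', 'Google Chrome', 'Microsoft Edge', 'Opera', 'Brave']);
const unquote = (v) => (v || '').replace(/^"|"$/g, '');

// Platform implied by the legacy User-Agent string (Android is tested before Linux
// because Android UAs contain both tokens).
function platformFromUA(ua) {
  if (/Windows NT/.test(ua)) return 'Windows';
  if (/Android/.test(ua)) return 'Android';
  if (/Macintosh/.test(ua)) return 'macOS';
  if (/CrOS/.test(ua)) return 'Chrome OS';
  if (/Linux/.test(ua)) return 'Linux';
  return null;
}

// Returns [{ code, detail }]; an empty list means the request is self-consistent.
function checkClientHints(rawHeaders) {
  const h = Object.fromEntries(Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const ua = h['user-agent'] || '';
  const brands = parseBrandList(h['sec-ch-ua']);
  const chromium = brands.find((b) => REAL_BRANDS.has(b.brand));
  const uaMajor = (ua.match(/Chrome\/(\d+)\./) || [])[1];

  // 1. Sec-CH-UA is only sent by Chromium-based browsers; next to a non-Chromium UA it
  //    is the fingerprint of an extension that rewrote User-Agent and nothing else.
  if (brands.length && !uaMajor) findings.push({ code: 'CH_WITHOUT_CHROMIUM_UA', detail: ua });
  // 2. Major version must agree between Sec-CH-UA and the Chrome/ token.
  if (chromium && uaMajor && chromium.version !== uaMajor)
    findings.push({ code: 'UA_MAJOR_MISMATCH', detail: `UA ${uaMajor} vs Sec-CH-UA ${chromium.version}` });
  // 3. Full version list must agree with the major versions in Sec-CH-UA.
  for (const fb of parseBrandList(h['sec-ch-ua-full-version-list'])) {
    const b = brands.find((x) => x.brand === fb.brand);
    if (b && fb.version.split('.')[0] !== b.version)
      findings.push({ code: 'FULL_VERSION_MISMATCH', detail: `${fb.brand}: ${fb.version} vs ${b.version}` });
  }
  // 4. Platform and mobile flag must match what the reduced UA string still reveals.
  const platform = unquote(h['sec-ch-ua-platform']);
  const uaPlatform = platformFromUA(ua);
  if (platform && uaPlatform && platform !== uaPlatform)
    findings.push({ code: 'PLATFORM_MISMATCH', detail: `UA ${uaPlatform} vs Sec-CH-UA-Platform ${platform}` });
  if (h['sec-ch-ua-mobile'] !== undefined && (h['sec-ch-ua-mobile'] === '?1') !== /\bMobile\b/.test(ua))
    findings.push({ code: 'MOBILE_MISMATCH', detail: `Sec-CH-UA-Mobile ${h['sec-ch-ua-mobile']}` });
  // 5. Impossible combination: Chromium 110+ no longer runs on Windows 7/8/8.1, which
  //    report a Sec-CH-UA-Platform-Version with major version 0 (Windows 10 starts at 1.0.0).
  const platformVersion = unquote(h['sec-ch-ua-platform-version']);
  if (platform === 'Windows' && platformVersion && chromium &&
      parseInt(platformVersion, 10) === 0 && parseInt(chromium.version, 10) >= 110)
    findings.push({ code: 'IMPOSSIBLE_OS_VERSION', detail: `Chromium ${chromium.version} on Windows ${platformVersion}` });
  return findings;
}

// Constructed sample requests.
const UA_WIN_120 = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';
const CH_UA_120 = '"Chromium";v="120", "Google Chrome";v="120", "Not?A_Brand";v="24"';
const CH_FULL_120 = '"Chromium";v="120.0.6099.129", "Google Chrome";v="120.0.6099.129", "Not?A_Brand";v="24.0.0.0"';
const SAMPLE_REQUESTS = {
  // Genuine Chromium 120 on Windows 11: every signal agrees.
  consistent: { 'User-Agent': UA_WIN_120, 'Sec-CH-UA': CH_UA_120, 'Sec-CH-UA-Mobile': '?0',
    'Sec-CH-UA-Platform': '"Windows"', 'Sec-CH-UA-Platform-Version': '"15.0.0"', 'Sec-CH-UA-Full-Version-List': CH_FULL_120 },
  // User-Agent rewritten to Firefox by an extension; the Sec-CH-UA headers were left behind.
  uaOnlySpoof: { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0',
    'Sec-CH-UA': CH_UA_120, 'Sec-CH-UA-Mobile': '?0', 'Sec-CH-UA-Platform': '"Windows"' },
  // Hints forged with a different version, OS and form factor than the UA string.
  inconsistentSpoof: { 'User-Agent': UA_WIN_120, 'Sec-CH-UA': '"Chromium";v="118", "Google Chrome";v="118", "Not?A_Brand";v="99"',
    'Sec-CH-UA-Mobile': '?1', 'Sec-CH-UA-Platform': '"macOS"', 'Sec-CH-UA-Full-Version-List': CH_FULL_120 },
  // Chrome 120 claiming Windows 7 (platform version 0.1.0): an unsupported combination.
  impossibleOS: { 'User-Agent': UA_WIN_120, 'Sec-CH-UA': CH_UA_120, 'Sec-CH-UA-Mobile': '?0',
    'Sec-CH-UA-Platform': '"Windows"', 'Sec-CH-UA-Platform-Version': '"0.1.0"' },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, checkClientHints(req).map((f) => f.code));
}
```

The point of the uaOnlySpoof case is the one made above: a rewritten User-Agent with untouched Sec-CH-UA headers is more distinctive than an honest request, because no real browser produces that pair. A production check would extend the same pattern to the JavaScript side (navigator.userAgentData versus the headers) and to the Accept-CH behaviour, which this snippet does not cover.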


3. How FlashID Controls Client Hints Fingerprints

FlashID gives users granular control over Client Hints headers, ensuring each browser profile:
✔️ Sends only permitted hints (matching its fingerprint profile)
✔️ Maintains cross-API consistency (e.g., JS vs. HTTP headers)
✔️ Blocks forced hint extraction via permission masking

Key spoofing features include:

1. Client Hints Whitelisting

  • Select which Sec-CH-* headers are exposed per profile
  • Simulate legitimate hint negotiation with Accept-CH and Critical-CH

2. Dynamic Header Generation

  • Auto-generate Sec-CH-UA-* strings matching the browser version, OS, and device type
  • Sync Sec-CH-Viewport-Width with actual window dimensions (when resized)

3. Anti-Detection Protections

  • Block coercive hint extraction via JS/iframe injection
  • Behave like a real browser during Accept-CH/Critical-CH negotiation (hints appear only once requested, Critical-CH triggers a retry) so presence and timing checks see nothing unusual

4. Hardware/Software Alignment

  • Enforce consistency between:
    • Sec-CH-DPR vs. window.devicePixelRatio
    • Sec-CH-UA-Model vs. navigator.userAgentData (including the model returned by getHighEntropyValues())
    • Sec-CH-Viewport-Width vs. window.innerWidth

By overriding Client Hints consistently at both the network layer and the JavaScript APIs, FlashID defeats this generation of fingerprinting while allowing safe multi-account usage on platforms that rely on these signals for fraud scoring.

