Run our free font leak tester to see exactly which system fonts your browser exposes. Websites use CSS font introspection and JavaScript measureText to detect your installed fonts and build a unique digital signature for browser fingerprinting. This font enumeration tool shows what trackers see — your Windows default fonts, macOS system fonts, Linux font packages, and software-specific typefaces that make your font list a trackable identity.
Quick Answer: What Is Font Fingerprinting?
A font leak tester detects which system fonts your browser reveals to websites. Using CSS font introspection and JavaScript measureText, trackers render invisible text with a fallback font, then test hundreds of font names. If the text width changes, that font is installed. Your unique combination of fonts — from your OS, office suite, design tools, and language packs — creates a digital signature that enables browser fingerprinting without cookies.
Jessica Wright, Cybersecurity Threat Researcher
Jessica specializes in browser fingerprinting defense, font enumeration analysis, and privacy hardening techniques. She helps users understand how CSS font introspection and JavaScript measureText methods expose system fonts for cross-site tracking.
A font leak tester scans your browser to detect which system fonts are installed on your device. Websites use CSS font introspection and JavaScript measureText to probe hundreds of font names without your permission: no popup, no consent dialog, and no visible indicator. The resulting list of detected fonts creates a unique digital signature that enables browser fingerprinting and cross-site tracking without cookies.
According to Wikipedia's article on device fingerprinting, font enumeration is one of the top entropy sources used in browser fingerprinting. Research shows that the average computer has between 50 and 200 installed fonts. The specific combination of Windows default fonts, macOS system fonts, or Linux font packages — plus fonts added by software like Adobe Creative Suite, Microsoft Office, or language packs — creates a nearly unique identifier.
Our free font enumeration tool uses the same CSS font introspection technique that trackers use, testing 200+ font names against your browser's rendering engine. It shows exactly which fonts are detected, what operating system they suggest, and how high your information disclosure risk is.
Key Fact: Research by the Electronic Frontier Foundation found that font lists alone provide approximately 13.9 bits of identifying information — enough to uniquely identify one browser out of roughly 15,000. When combined with other fingerprinting signals like canvas fingerprints and JA3 hashes, identification accuracy approaches 99%.
Understanding the technical method behind font enumeration explains why it is so difficult to block. The technique exploits a fundamental browser feature: font fallback rendering.
The script creates an invisible text string (typically "mmmmmmmmmmlli" — characters chosen for maximum width variation between fonts). It renders this string using a generic fallback font like monospace and measures the width and height in pixels using JavaScript measureText or by measuring the offsetWidth of a hidden span element.
The script then changes the CSS font-family to a target font name (e.g., "Calibri") with the fallback as a backup: font-family: 'Calibri', monospace;. If Calibri is installed, the browser renders the text using Calibri. If not, it falls back to monospace.
If the rendered width changes from the baseline, the target font is installed. If the width remains identical to the baseline, the font is missing. This comparison happens in milliseconds per font.
```javascript
// JavaScript: How font enumeration detects installed fonts

// 1. Create baseline measurement with fallback font
const testString = 'mmmmmmmmmmlli';
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.font = '72px monospace';
const baseWidth = ctx.measureText(testString).width;

// 2. Test a specific font against the baseline
ctx.font = "72px 'Calibri', monospace";
const testWidth = ctx.measureText(testString).width;

// 3. If width differs, font is installed
if (testWidth !== baseWidth) {
  console.log('Calibri is INSTALLED');
} else {
  console.log('Calibri is NOT installed');
}
```
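Seen from the defending side, the probe above has a recognizable shape: one test string measured under many different font families. The following added example (not part of the original page or of any named extension) wraps a canvas context and flags that pattern; `watchContext`, `primaryFamily`, the threshold values and the mock context are assumptions made for illustration.

```javascript
// Added example: flag font enumeration by watching how a script uses a
// canvas context. Names and thresholds here are hypothetical.

// First family of a CSS font shorthand: "72px 'Calibri', monospace" -> "calibri".
function primaryFamily(shorthand) {
  const m = /(?:^|\s)\d+(?:\.\d+)?(?:px|pt|em|rem|%)(?:\/\S+)?\s+(.+)$/.exec(shorthand);
  if (!m) return null;
  return m[1].split(',')[0].trim().replace(/^['"]|['"]$/g, '').toLowerCase();
}

// Wrap a 2D context and record which families each test string is measured with.
function watchContext(ctx, threshold = 20) {
  const familiesByText = new Map(); // test string -> Set of primary families
  const proxy = new Proxy(ctx, {
    set(target, prop, value) { target[prop] = value; return true; },
    get(target, prop) {
      if (prop === 'measureText') {
        return (text) => {
          const family = primaryFamily(String(target.font));
          if (family) {
            if (!familiesByText.has(text)) familiesByText.set(text, new Set());
            familiesByText.get(text).add(family);
          }
          return target.measureText(text);
        };
      }
      const value = target[prop];
      return typeof value === 'function' ? value.bind(target) : value;
    },
  });
  // Enumeration measures one string under many families; normal drawing does not.
  const report = () => {
    const most = Math.max(0, ...[...familiesByText.values()].map((s) => s.size));
    return { distinctFamilies: most, suspicious: most >= threshold };
  };
  return { proxy, report };
}

// Constructed stand-in for a canvas context so the example runs outside a browser.
const mockContext = () => ({ font: '10px sans-serif', measureText: (t) => ({ width: t.length * 7 }) });

// Constructed probe sequence mirroring the snippet above (baseline plus five targets).
const STACKS = ['monospace', "'Calibri', monospace", "'Cambria', monospace",
  "'Segoe UI', monospace", "'Ubuntu', monospace", "'Yu Gothic', monospace"];
function demoProbe() {
  const { proxy, report } = watchContext(mockContext(), 5);
  for (const stack of STACKS) { proxy.font = `72px ${stack}`; proxy.measureText('mmmmmmmmmmlli'); }
  return report();
}
```

In a browser, the proxy would be handed to the page in place of the real context; a script that only draws labels in one or two fonts stays far below any sensible threshold.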
Before modern CSS font introspection, Adobe Flash had a built-in function enumerateFonts() that returned the complete list of installed fonts directly — no measurement tricks needed. This was the original font enumeration tool. While Flash is now deprecated, the CSS/JS measurement technique replaced it and is actually harder to block. For a complete picture of your browser exposure, also test your Browser Leak status.
Three main groups use font enumeration for different purposes. Understanding their motivations helps you decide what level of privacy hardening you need.
Ad networks use your font list as part of a comprehensive browser fingerprinting profile. Combined with canvas fingerprints, battery status data, and user-agent tracking, your font list helps identify you across websites even after clearing cookies. The font list is especially valuable because it is persistent — you cannot "clear" your installed fonts like you clear cookies.
Anti-fraud systems use font detection to verify that a browser is genuine. Real computers have diverse font collections from their OS and installed software. Automated bots and virtual machines typically have only default fonts, making font enumeration an effective bot detection signal. Check your fraud risk with our IP Fraud Score Checker.
Certain fonts are exclusive to specific operating systems. Detecting "Segoe UI" strongly suggests Windows 10/11. "San Francisco" indicates macOS. "Ubuntu" or "Liberation" fonts indicate Linux distributions. This allows websites to identify the browser's operating system from its fonts even when the user-agent string is spoofed.
Privacy Alert: Software like Microsoft Office installs fonts such as Calibri, Cambria, and Candara. Adobe Creative Suite installs Myriad Pro, Minion Pro, and dozens more. Each software installation makes your font list more unique, increasing your information disclosure risk.
Your operating system's default font collection is one of the strongest signals for browser fingerprinting. Here is how each platform's system fonts create different fingerprinting risks.
| Operating System | Signature Fonts | Typical Count | Risk Level |
|---|---|---|---|
| Windows 10/11 | Segoe UI, Calibri, Consolas, Ebrima | 180-250+ | High |
| macOS | SF Pro, Helvetica Neue, Apple Color Emoji | 100-200 | Medium |
| Ubuntu / Debian | Ubuntu, Liberation, DejaVu, Noto | 50-100 | Medium |
| Arch / Minimal Linux | DejaVu only (default) | 10-30 | Low |
| Android / iOS | Roboto / SF (limited access) | 20-50 | Low |
Windows users face the highest risk because Windows ships with a large default font set, and software installations add many more. macOS has moderate risk. Linux users with minimal installations have the lowest risk because they start with fewer fonts. Mobile browsers have limited font API access, reducing the risk further.
Both font fingerprinting and canvas fingerprinting are stateless tracking methods that survive cookie clearing and incognito mode. But they measure fundamentally different things.
| Feature | Font Fingerprinting | Canvas Fingerprinting |
|---|---|---|
| What It Measures | Installed font names (text width comparison) | GPU pixel rendering output (image hash) |
| Detection Method | CSS font introspection / JS measureText | Canvas toDataURL() / pixel extraction |
| Entropy Source | Software installations, OS, language packs | GPU hardware, drivers, anti-aliasing |
| Survives VPN | Yes | Yes |
| Survives Incognito | Yes | Yes |
The key difference: font fingerprinting reveals what software you have installed (Office, Adobe, language packs), while canvas fingerprinting reveals what hardware you use (GPU model, drivers). Together, they create an extremely high-entropy digital signature. Test your canvas exposure with our Canvas Fingerprint Test.
Blocking font enumeration requires browser-level protection because the detection happens locally through CSS and JavaScript — VPNs cannot intercept it. Here are the most effective privacy hardening methods.
```
# Firefox: Limit font exposure to a standard minimum set
# Open about:config and set:
privacy.resistFingerprinting = true

# This forces Firefox to report only bundled fonts,
# hiding all system and software-installed fonts.
# All Firefox users with this setting look identical.
```
Brave uses font spoofing through its "farbling" technique — adding random noise to measureText results. Each time a tracker probes for fonts, Brave returns slightly different measurements, breaking the fingerprint's consistency.
Tor Browser provides the strongest font blocking defense. It restricts font access to only the fonts bundled with the browser itself, completely hiding your system fonts. Every Tor user reports the identical font list worldwide. Check your Tor status with our Tor Detection Tool.
Chrome has no built-in font blocking feature. Install Font Fingerprint Defender to intercept font detection scripts, or use the Trace extension, which blocks multiple fingerprinting vectors including fonts, canvas, and WebGL.
Pro Tip: After enabling font blocking or font spoofing, run our font leak tester again. If fewer fonts are detected or the count changes on each reload, your protection is working.
In information theory, entropy measures how much identifying information a data point provides. Higher entropy means more uniqueness — and less privacy. Your font list is one of the highest-entropy signals available to trackers.
If every browser in the world had the same 20 fonts, font enumeration would provide zero identifying power. But in reality, the combination of your OS default fonts, office suite fonts, design software fonts, and language packs creates a nearly unique set. The Electronic Frontier Foundation's Panopticlick research found font lists provide approximately 13.9 bits of entropy — meaning your font combination narrows you down to 1 in approximately 15,000 users.
Key Insight: A Windows user with Microsoft Office and Adobe Creative Cloud typically has 200+ fonts. Combined with even one language pack, this font list is effectively unique among millions of users — enabling reliable browser fingerprinting without any cookies.
Even if you use a VPN to mask your IP address, your installed fonts can reveal your linguistic and cultural background — a form of information disclosure that networks cannot protect against.
Consider a user in the United States connecting through a Japanese VPN server to appear as a Tokyo-based visitor. Our font identity finder might detect that this same user has "Segoe UI" (Windows), "Calibri" (Office), and "MS Mincho" plus "Yu Gothic" (Japanese language pack). A tracker seeing these fonts on a "Japanese IP" can infer this is actually a Windows/Office user who has installed Japanese language support — dramatically narrowing the anonymity pool.
For checking what your IP reveals separately, use our WHOIS Lookup and IP Geolocation tools.
Running our font leak tester on different browsers shows dramatically different results. Here is what to expect from each privacy-focused browser.
| Browser | Font Protection | Expected Detections | Risk |
|---|---|---|---|
| Chrome / Edge | None | 50-200+ (all system fonts) | High |
| Firefox (default) | Partial | 30-100+ (most system fonts) | Medium |
| Firefox (resistFP) | Strong | 10-20 (standard set only) | Low |
| Brave | Farbling | Randomized per session | Low |
| Tor Browser | Full block | 5-10 (bundled fonts only) | Minimal |
Our system font privacy test adapts its risk scoring based on the number of detected fonts. Fewer than 20 detected fonts indicates strong font blocking protection. More than 50 suggests your full font library is exposed.
Even if JavaScript is disabled, advanced trackers can still detect some fonts using a CSS-only technique based on Unicode range declarations. This method is harder to block and does not require JavaScript measureText.
The tracker declares a @font-face rule whose src points at a URL on its own server and restricts it with unicode-range so that it applies only to specific characters. Browsers fetch a @font-face resource lazily, only when text in that range actually needs it, so the probe font is placed after the target font in a font-family stack. If the browser requests the resource, the tracker knows the target font is not installed on the user's system; if no request arrives, it is.
```css
/* CSS-only font detection (no JavaScript needed) */
@font-face {
  font-family: 'FontProbe';
  src: url('/track?font=calibri') format('woff2');
  unicode-range: U+0041; /* Letter 'A' */
}

.probe-text {
  font-family: 'Calibri', 'FontProbe', serif;
}

/* If Calibri is installed, the browser uses it */
/* If Calibri is missing, browser loads FontProbe */
/* The server-side request reveals the result */
```
This technique is less precise than JavaScript measureText but works even when JavaScript is completely disabled. It represents the cutting edge of CSS font introspection attacks.
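Because the CSS-only probe lives entirely in stylesheet text, it can be found by static inspection. The following added example (not part of the original page) scans CSS for a named local font listed ahead of an @font-face family, which is the pattern shown above; `findFontProbes` and the sample stylesheet are constructed for illustration, and a hit is a candidate for review, since ordinary sites also list local fonts before web fonts.

```javascript
// Added example: audit stylesheet text for the CSS-only probe pattern.
// findFontProbes is a hypothetical helper name.
const GENERIC = new Set(['serif', 'sans-serif', 'monospace', 'cursive', 'fantasy', 'system-ui']);
const unquote = (s) => s.trim().replace(/^['"]|['"]$/g, '');

function findFontProbes(css) {
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  // 1. Web fonts declared with @font-face: family name -> src URL.
  const webFonts = new Map();
  for (const [, body] of text.matchAll(/@font-face\s*\{([^}]*)\}/gi)) {
    const family = /font-family\s*:\s*([^;]+)/i.exec(body);
    const src = /url\(\s*['"]?([^'")]+)['"]?\s*\)/i.exec(body);
    if (family && src) webFonts.set(unquote(family[1]).toLowerCase(), src[1]);
  }
  // 2. Ordinary rules: a named local font listed ahead of a web font means the
  //    web font's URL is requested only when that local font is missing.
  const findings = [];
  const rules = text.replace(/@font-face\s*\{[^}]*\}/gi, '');
  for (const [, stack] of rules.matchAll(/font-family\s*:\s*([^;}]+)/gi)) {
    const families = stack.split(',').map(unquote);
    families.forEach((name, i) => {
      const url = webFonts.get(name.toLowerCase());
      if (url === undefined) return;
      const localAhead = families.slice(0, i).filter(
        (n) => !GENERIC.has(n.toLowerCase()) && !webFonts.has(n.toLowerCase()));
      if (localAhead.length > 0) {
        // A query string on a font URL is an extra hint that the request is a beacon.
        findings.push({ probedFonts: localAhead, beaconUrl: url, hasQuery: url.includes('?') });
      }
    });
  }
  return findings;
}

// Constructed sample: the probe from the text plus an ordinary web-font rule.
const SAMPLE_CSS = `
@font-face { font-family: 'FontProbe'; src: url('/track?font=calibri') format('woff2');
             unicode-range: U+0041; /* Letter 'A' */ }
@font-face { font-family: 'BodyFont'; src: url('/fonts/body.woff2') format('woff2'); }
.probe-text { font-family: 'Calibri', 'FontProbe', serif; }
body { font-family: 'BodyFont', sans-serif; }
`;
```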
Here are step-by-step instructions for reducing your font fingerprinting exposure on the two most popular browsers.
```
# Method 1: ResistFingerprinting (recommended)
# Open about:config and set:
privacy.resistFingerprinting = true

# Method 2: Limit fonts to specific list
# Open about:config and set:
font.system.whitelist = Arial, Verdana, Times New Roman, Courier New

# Method 3: Block CSS font-face loading
browser.display.use_document_fonts = 0
# Warning: This breaks web fonts on many sites
```
Chrome does not have built-in font blocking settings. Your options are limited to extensions. Install Font Fingerprint Defender or the Trace extension, which blocks multiple fingerprinting vectors including font detection, canvas, and WebGL.
Beyond browser settings, you can reduce your font fingerprint by keeping separate machines for different purposes. Use a "privacy machine" with minimal software for sensitive browsing and a "work machine" for Adobe and Office. Avoid installing unnecessary language packs unless you actively need them.
For complete privacy audit coverage, also check your WebRTC Leak, Battery Status Leak, and Canvas Fingerprint exposure.
Our font leak tester is a free, open font enumeration tool that scans 200+ font names against your browser. Here is what it tests and how to interpret the results.
A font leak tester detects which system fonts your browser reveals to websites using CSS font introspection and JavaScript measureText. Your unique font list creates a digital signature that enables browser fingerprinting without cookies.
Websites use font enumeration for advertising tracking, fraud prevention, and OS identification. Your font list provides high-entropy identifying data that persists across sessions — unlike cookies which can be cleared.
Use Firefox with privacy.resistFingerprinting enabled, Brave (font farbling), or Tor Browser (bundled fonts only). In Chrome, install Font Fingerprint Defender. Also avoid installing unnecessary font packs and language support.
Font fingerprinting detects installed font names via text width comparison. Canvas fingerprinting extracts GPU pixel rendering hashes. Both are stateless tracking methods that survive VPNs and incognito mode, but they measure different system properties.
In Firefox, enable privacy.resistFingerprinting in about:config. Chrome has no built-in font blocking; use Font Fingerprint Defender or the Trace extension. Brave farbles font measurements automatically.
Very likely. The average computer has 50-200 fonts. The combination of OS fonts, Office fonts, Adobe fonts, and language packs creates a nearly unique digital signature. Research shows font lists alone can identify browsers with over 80% accuracy.
It stops the common JavaScript measureText method. However, CSS-only techniques using @font-face and Unicode range can still detect fonts without JavaScript. Disabling JS also breaks most websites.
Firefox (resistFingerprinting = standard font set), Brave (farbling = random noise), Tor Browser (bundled fonts only), and Safari (ITP restrictions). Chrome and Edge expose all fonts by default.
Your system fonts create a unique digital signature that tracks you without cookies — surviving VPNs, incognito mode, and cache clearing. Run our free font leak tester to see exactly what your browser reveals.