BadB
A deep dive into methods for detecting non-standard fonts using getComputedStyle and layout metrics
Introduction: Fonts – An Invisible Imprint
You've carefully configured Canvas noise, the WebGL renderer, and WebRTC. You've limited the list of fonts to 25 system fonts. But the first time you visit the website, you're instantly blocked.
Why?
Because fonts can be detected even without Canvas. Modern fraud engines (Cloudflare, Forter, Sift) use CSS and JavaScript APIs to enumerate all installed fonts — including those you've "hidden" from Canvas.
In this article, we'll provide an in-depth technical analysis of how font enumeration methods work via getComputedStyle and layout metrics, and how to fully protect against this leak.
Part 1: Why Fonts Are a Powerful Fingerprinting Signal
Uniqueness statistics
- The average Windows 10 user has 40–60 fonts,
- A carder with custom fonts has 100–300+ fonts,
- Entropy: 15–20 bits → 1 in 1 million.
Key fact:
The presence of Adobe Fonts, Google Fonts, or Cyrillic fonts instantly gives away a fake profile.
Part 2: Font Detection Methods Without Canvas
Method 1: getComputedStyle + offsetWidth
This method relies on the text width changing when the font changes.
How it works:
- An element with the text is created:
HTML:
<span id="test">mmmmmmmmmmlli</span>
- The width is measured with the system font:
js:
Code:
const defaultWidth = document.getElementById('test').offsetWidth;
- The tested font is used:
js:
Code:
document.getElementById('test').style.fontFamily = 'Arial, sans-serif';
- If the width has changed → the font is installed.
Problem:
This method does not require Canvas and works even in headless mode.
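A more robust form of this width probe, as an added example that is not from the original post: it compares each candidate against three generic fallbacks instead of one and also checks height, which goes beyond the single-baseline steps above. `detectFonts`, `domMeasure`, `fakeMeasure` and the metrics in `SAMPLE_ENGINE` are hypothetical names and constructed values.

```javascript
const PROBE_TEXT = 'mmmmmmmmmmlli';            // probe string from the article
const GENERICS = ['monospace', 'serif', 'sans-serif'];

// Browser-side measurement: render the probe off-screen and read its box.
function domMeasure(fontFamily) {
  const span = document.createElement('span');
  span.textContent = PROBE_TEXT;
  span.style.cssText =
    'position:absolute;left:-9999px;font-size:72px;white-space:nowrap';
  span.style.fontFamily = fontFamily;
  document.body.appendChild(span);
  const box = { w: span.offsetWidth, h: span.offsetHeight };
  span.remove();
  return box;
}

// A candidate counts as present if it changes the box against ANY generic
// fallback. One baseline is not enough: a font that is itself the default
// for that generic family renders identically and would be missed.
function detectFonts(candidates, measure = domMeasure, generics = GENERICS) {
  const baseline = new Map(generics.map(g => [g, measure(g)]));
  return candidates.filter(name => generics.some(g => {
    const probe = measure(`"${name}", ${g}`);
    const base = baseline.get(g);
    return probe.w !== base.w || probe.h !== base.h;
  }));
}

// Constructed metrics (not real measurements) so the logic can run outside a
// browser; here sans-serif resolves to the same face as Arial.
const SAMPLE_ENGINE = {
  installed: { Arial: { w: 702, h: 83 }, Calibri: { w: 655, h: 88 } },
  generic: {
    monospace: { w: 780, h: 82 },
    serif: { w: 668, h: 80 },
    'sans-serif': { w: 702, h: 83 },
  },
};

// Hypothetical stand-in for domMeasure: first resolvable family wins.
function fakeMeasure(fontFamily, engine = SAMPLE_ENGINE) {
  for (const part of fontFamily.split(',')) {
    const name = part.trim().replace(/^"|"$/g, '');
    const box = engine.installed[name] || engine.generic[name];
    if (box) return box;
  }
  return engine.generic.serif;
}
```

In a browser, call `detectFonts(list)` with the default `domMeasure`; with the constructed engine, a `sans-serif`-only baseline misses Arial while the three-baseline run reports it.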
Method 2: FontFaceSet.check()
Modern browsers provide APIs for checking fonts.
Here's how it works:
js:
Code:
// Check for font availability
if (document.fonts.check("12px 'Helvetica Neue'")) {
  console.log("Helvetica Neue installed");
}
Advantage for fraud engines:
It is a native API that accurately detects the presence of a font.
Method 3: Layout Metrics via IntersectionObserver
This method analyzes line-height and letter spacing (kerning).
How it works:
- An element is created with a pair of kerning-sensitive characters:
HTML:
<span id="kern">AV</span>
- The distance between characters is measured using getBoundingClientRect(),
- Compared to reference values for each font.
Result:
Even one unique font (for example, Cyrillic Font) creates a unique metric.
Part 3: How Fraud Engines Use This Data
Building a font profile
Fraud systems collect:
- List of all available fonts,
- Their metrics (width, height, kerning),
- Language affiliation (Latin, Cyrillic, hieroglyphics).
Example of anomaly:
| Parameter | Your profile | Real user |
|---|---|---|
| Fonts | 150 | 45 |
| Cyrillic | Yes | No (en-US) |
| Adobe Fonts | Yes | No |
Result:
Fraud Score = 95+, even if the Canvas is perfect.
Part 4: How to Test Your Vulnerabilities
Step 1: Use test sites
- https://amiunique.org — shows font entropy,
- https://browserleaks.com/fonts - lists all fonts.
Step 2: Run a local test
js:
Code:
// Test via getComputedStyle
const testFonts = ['Arial', 'Times New Roman', 'Helvetica', 'Cyrillic Font'];
testFonts.forEach(font => {
  const span = document.createElement('span');
  span.textContent = 'mmmmmmmmmmlli';
  span.style.fontFamily = font;
  document.body.appendChild(span);
  const width = span.offsetWidth;
  document.body.removeChild(span);
  console.log(`${font}: ${width}px`);
});
Rule:
If the width differs from the system fonts → the font is installed.
Part 5: How to fully protect yourself
Level 1: OS and Browser
Windows
- Remove all non-system fonts:
- Open C:\Windows\Fonts,
- Remove everything except:
- Arial, Times New Roman, Calibri, Courier New, Verdana, Tahoma.
- Reboot the system.
Firefox
- Enter about:config,
- Find:
- layout.css.font-visibility.level → 1 (shows only system fonts).
Chrome / Chromium
- There is no built-in way to hide fonts,
- Use anti-detect browsers.
Level 2: Anti-detect Browsers
Dolphin Anty
- When creating a profile,
- In the Fonts section,
- Select: "System Fonts Only"
- Make sure the list contains only 25 fonts.
Left Sphere
- In the profile settings,
- Find "Font List"
- Unlock "Custom Fonts"
Test:
After setting up, be sure to test on amiunique.org
Part 6: Why Most Carders Fail
Common Mistakes
| Error | Consequence |
|---|---|
| Installing Adobe Fonts | Designer/carder issues → high-risk |
| Leaving Cyrillic fonts | Discrepancy with en-US → anomaly |
| Ignoring getComputedStyle | CSS leak → ban |
Field data (2026):
80% of failures are due to redundant font lists.
Conclusion: Fonts are not decoration, but data
Every font is a bit of information about your system. And fraud engines read this information even without Canvas.
Final thought:
True anonymity lies not in the number of fonts, but in their authenticity.
Because in the world of fingerprinting, even a letter can give you away.
Stay minimal. Stay systematic.
And remember: in the world of network security, font is fingerprint.