A practical guide to device intelligence
A practical reference on the techniques behind device fingerprinting, bot detection, account abuse, scraping, and payment fraud. Written for the engineers and security teams who build and operate these systems.
Fingerprinting foundations
How browser and device identity work, what signals matter, and why a single hash is never enough.
- What is a browser fingerprint? A working definition, the signals that build one, and why fingerprints stay useful long after cookies disappear.
- Browser fingerprinting techniques Canvas, WebGL, AudioContext, fonts, TLS, and the dozens of other surfaces that contribute to a stable identity.
- Canvas fingerprinting, explained How HTML5 canvas rendering exposes hardware and driver fingerprints, and how to detect canvas spoofing.
- TLS fingerprinting JA3, JA4, and what the handshake reveals before a single HTTP byte: the network layer of client identity.
- What is device fingerprinting? Device identity for fraud and abuse, not ad tracking. What persists, what changes, and how to design around both.
- Device fingerprinting in JavaScript A code-first walkthrough of how a browser fingerprint is collected and why server-side verification matters.
Bots and browser automation
Detecting headless browsers, framework artifacts, anti-detect stacks, and AI agents.
- Bot detection in 2026 Why user-agent rules and rate limits miss modern automation, and the signals that still work.
- Bot management Allow, throttle, challenge, block. How to design a policy that distinguishes verified bots from bad ones.
- Bot mitigation Server-side decisioning for sign-up, login, checkout, and scraped endpoints.
- CAPTCHA alternatives Why puzzles stopped working, and the invisible replacements: device intelligence, proof-of-work, and attestation.
- Headless browser detection The umbrella view: which classic headless tells died with new headless mode, and the five layers that still catch it.
- CDP detection Why driving Chrome over the DevTools Protocol leaks, what the 2025 patch changed, and how CDP-minimal drivers get caught.
- Selenium bot detection Selenium-specific tells, the WebDriver flag, and what stealth plugins do and do not hide.
- Puppeteer bot detection Headless Chrome leaks, CDP fingerprints, and how puppeteer-extra-stealth fails closed under cross-checks.
- Playwright bot detection How Playwright differs from Puppeteer in detectability, and the signals that catch its drivers.
- Anti-detect browser detection Multilogin, Linken Sphere, Octo, Dolphin, AdsPower and friends, and the cross-layer signals they cannot fake.
- AI agent detection OpenAI Operator, Anthropic Computer Use, Browser Use, Browserbase, and how to tell agentic traffic apart from humans.
Account and abuse
Account takeover, credential stuffing, fake accounts, free tier abuse, and promo manipulation.
- Account takeover prevention How modern ATO works, the device signals that fire before a password is checked, and what step-up looks like.
- Credential stuffing Inside the credential reuse economy, the tooling attackers use, and why password-only defenses fail.
- Fake account prevention Linking accounts by device continuity to defeat signup farms, free tier abuse, and ban evasion.
- Promo abuse prevention Multi-accounting, reset farms, and how to keep promotions targeted to legitimate users.
- SMS pumping fraud When bots turn your OTP endpoint into someone else's revenue stream, and the device-level controls that stop it.
Scraping and infrastructure
Stopping content harvesting without breaking legitimate crawlers.
- Web scraping prevention A practical defense plan for protecting public pages and APIs from headless browsers and AI agents.
- Price scraping Why ecommerce and travel get scraped most, and the detection signals that hold up against rotating proxies.
- Datacenter proxy detection How to identify traffic originating from AWS, GCP, Azure, OVH, and residential proxy farms.
- Residential proxy detection When the IP is a real household: catching proxied traffic by its physics, incoherence, and clustering instead.
Fraud at the point of sale
Payments, ecommerce, and the developer-facing APIs that score them.
- Payment fraud detection Card testing, BIN attacks, friendly fraud, and the device signals that improve approval accuracy at checkout.
- Chargeback fraud Friendly fraud is most disputes now. Preventing the preventable ones and winning the rest with device evidence.
- Ecommerce fraud prevention The full taxonomy of ecommerce abuse and where device intelligence reduces both losses and false positives.
- Building on a fraud detection API What to expect from a developer-first fraud API, integration patterns, and the trade-offs around sealed scoring.