About privacyscore.dev

A free utility that shows you, in plain numbers, how much data your browser leaks to every website you visit — and rates it on a 0–100 privacy score.

Why this exists

Most people think they're anonymous online unless they log in or fill out a form. They aren't. From a single page load, an average website can extract somewhere between 80 and 120 distinct signals about you and your device — your IP and approximate location, your browser and OS, your screen, your fonts and graphics card, the hash of how your browser draws shapes, your local network IPs (yes, behind your router), your battery level, your timezone and locale, what permissions your browser has already granted, and more.

Most of those signals look harmless on their own. Together they form a fingerprint that is, for the average user, more identifying than a third-party cookie ever was. Cookie banners and "ad blockers" do almost nothing about it.

privacyscore.dev's job is to make that visible in seconds. Open the home page; you see exactly what every site you visit could see; you act on it (use a privacy-respecting browser, install uBlock Origin, switch on resist-fingerprinting in Firefox, etc.) or you don't.

How the detection works

Server-side, from the request alone

• IP address from the connection's source. Both IPv4 and IPv6 are surfaced.
• Geolocation via a self-hosted MaxMind GeoLite2-City database — your IP is never sent to a third party.
• Browser and OS by parsing the User-Agent header and the modern Sec-CH-UA Client Hints suite (browser, OS, platform version, architecture, mobile flag).
• Languages from the Accept-Language header, ranked by their q-values.
• Privacy headers — Do Not Track, Save-Data, referer, TLS version.

Client-side, run in your browser by JavaScript

• Screen and hardware — resolution, available area, color depth, device pixel ratio, CPU cores, RAM (rough), maximum touch points.
• Battery — level and charging state, where the API still exists.
• Connection — effective network type (4G, WiFi…), downlink and round-trip time.
• Time and locale — timezone offset, IANA timezone, full locale tag, clock skew vs the server.
• Canvas fingerprint — same text and shape drawn in a hidden canvas, the result hashed. Subtle differences in antialiasing and font metrics produce a stable per-device signature.
• WebGL — unmasked GPU vendor and renderer string ("NVIDIA GeForce RTX 4090", "Apple M2 Pro"), no permission needed.
• Audio — an oscillator-through-compressor graph rendered offline; the resulting waveform hashed.
• Fonts — character-width measurement against three baselines to detect which named fonts are actually installed.
• WebRTC — a stunless RTCPeerConnection enumerates ICE candidates, leaking your local network IPs from behind NAT.
• Permissions API — the current state (granted / prompt / denied) for notifications, geolocation, camera, microphone, clipboard, and persistent-storage, queried without prompting.

The privacy score

The score starts at 100 and deducts points for each finding. Larger leaks (public IP, city-level geolocation, WebRTC LAN-IP leak, canvas fingerprint) cost more; smaller signals (Do Not Track off, no ad blocker detected) cost less. The score is a heuristic, not a security audit — but it gives you a single number to compare browsers, devices, and privacy tweaks.

Open principles

• Your IP and User-Agent are never stored. See the privacy policy.
• No third-party analytics or marketing pixels. We run our own anonymous counter.
• No login, no profile, nothing to delete because there is nothing to keep.
• The same data is available as JSON at /api/v1/lookup for developers who want to integrate it.

Who built this

One developer in Croatia. If you have ideas, find a bug, or want to suggest a new fingerprint surface to add, write to [email protected].