Audit

Everything a website can see about your browser and connection.

Client-Side

Run an audit to surface what this connection exposes.

What is Audit?

A browser transparency tool. No accounts, no tracking, no data sent anywhere. Everything reflects your current session only.

What it surfaces

Audit populates 22 panels covering everything a website can observe about your browser and system. One request to the server provides your IP address, country, HTTP version, and TLS version. Every other signal comes directly from browser APIs:

  • User-Agent string parsed into browser, engine, OS, and device type
  • Reconstructed outgoing request headers (Accept, Accept-Language, DNT, Sec-GPC, Sec-Fetch headers, and others)
  • Hardware: CPU core count, device memory, screen resolution, color depth, pixel ratio, touch points, color gamut, dynamic range
  • OS preferences: timezone, locale, language list, dark mode, reduce motion, reduce transparency, contrast preference, forced colors
  • Network: connection type, effective type, downlink speed, round-trip time, data saver flag
  • Privacy flags: Do Not Track, Global Privacy Control, cookie availability, document referrer
  • Permission states for 12 APIs including geolocation, camera, microphone, clipboard, and sensors
  • Canvas rendering: two live test patterns rendered directly in the page (text across font stacks, and geometric shapes), each hashed to produce a fingerprint value
  • WebGL: GPU vendor and renderer, GL and GLSL versions, max texture size, max viewport dimensions, shader precision formats, and the full list of supported extensions
  • Audio context: sample rate, channel count, and an oscillator/compressor fingerprint value
  • Installed fonts: canvas text-width probing across roughly 65 common fonts from Windows, macOS, Linux, and the web, plus a font fingerprint hash
  • Layout and rendering: DOMRect measurements at fractional font sizes, subpixel rendering detection, performance.now() timer resolution and jitter
  • Execution context flags: isSecureContext and crossOriginIsolated
  • WebRTC IP exposure via ICE candidate probe (no data connection opened)
  • Battery status (where available): level, charging state, time to full or empty
  • Media devices: camera, microphone, and speaker count, with hashed device IDs and group IDs per device
  • User-Agent Client Hints (Chromium-based browsers): architecture, bitness, full version list, platform version, model
  • Browser storage: localStorage and sessionStorage keys, per-type quota breakdown, window.name value, opener status
  • JS heap memory usage (Chrome only), navigation type, page visibility state
  • Plugin list with filenames and associated MIME types
  • 28 browser capability checks (WebAssembly, Service Workers, WebXR, File System Access, and others)
  • Sensor and device API availability: Bluetooth, USB, HID, Serial, NFC, Vibration, Accelerometer, Gyroscope, Magnetometer, Gamepad, and others

How it works

On run, the page makes a single same-origin request that echoes back the server-observed IP, country, TLS version, and HTTP version. All other data is read from browser APIs without any outbound network calls. Nothing is stored, logged, or transmitted. The page works entirely in your browser.

The request headers panel is labeled as inferred because JavaScript cannot read its own outgoing headers. The values shown reflect standard browser behavior for this type of request.

Canvas fingerprinting draws two deterministic test patterns. Different operating systems use different font renderers, GPU rasterizers, and anti-aliasing approaches, so the same drawing commands produce different pixel output on different systems. The hash captures that difference.

Font detection works by measuring canvas text width. If a named font renders text at a different width than the fallback family, the font is installed. No font data leaves the browser.

Why it exists

Most people know websites can see their IP and browser. Few know the full picture. Audit makes that concrete with no abstraction and no paraphrasing.