Fingerprint Engine

v4.5.2 · Adaptive hybrid fingerprinting with privacy-aware detection. Combines server-side signals (CloudFront JA4, ASN, timezone) with client-side techniques to produce a 64-character SHA-256 hash.

Public API — window.h

Method               Returns                      Description
h.generateStable()   Promise<string>              Generate or return cached 64-char hybrid fingerprint
h.generate()         Promise<string>              Alias for generateStable()
h.getCookieTest()    Promise<{allowed, reason}>   Test third-party cookie support
h.version            string                       Library version ("4.5.2")

Debug Object — window.__fpDebug

After fingerprint generation, inspect the strategy used:

{
  strategy: "complete" | "stable" | "cached",
  cookieTest: { allowed: boolean, reason: string },
  serverHash: "abc123...",   // 16 chars used
  clientHash: "def456...",   // 48 chars used
  hybrid: "abc123def456...", // 64 chars total
  cached: false
}

Hybrid Fingerprint Composition

The fingerprint is a 64-character SHA-256 hash composed of server and client portions:

hybrid = serverHash[0:16] + clientHash[0:48]
         ╰── 16 chars ──╯   ╰──── 48 chars ────╯

Server components (injected by Lambda@Edge):
  ├─ JA4 fingerprint (stable parts: a + c segments)
  ├─ Accept-Language (primary)
  ├─ CloudFront viewer timezone
  ├─ CloudFront viewer ASN
  └─ sec-ch-ua-platform

Client components (depends on strategy):
  COMPLETE (cookies allowed):
  ├─ Canvas fingerprint
  ├─ WebGL renderer + vendor
  ├─ AudioContext oscillator
  ├─ Font detection (5 test fonts)
  ├─ WebRTC IP addresses
  ├─ Service Worker count
  ├─ UA, lang, platform, hwConcurrency
  ├─ Timezone offset, locale
  ├─ Device memory, color scheme
  └─ GPC (Global Privacy Control)
  
  STABLE (cookies blocked):
  ├─ User-Agent, platform, language
  ├─ Screen color depth
  ├─ Timezone (rounded to 15min)
  ├─ Max touch points, color scheme
  ├─ Vendor, PDF viewer
  ├─ GPC status
  └─ Service Worker count

Adaptive Strategy

Privacy-aware: The engine first tests 3rd-party cookie support via a hidden iframe to t.getimpress.io/cookie-test. Based on the result, it chooses a more or less invasive fingerprinting strategy.

Condition                          Strategy                                         Entropy
Cookie in __fp exists (64 chars)   cached — return immediately
3rd-party cookies allowed          complete — Canvas, WebGL, Audio, Fonts, WebRTC   ~300 bits
3rd-party cookies blocked          stable — UA, timezone, screen only               ~80 bits
All methods fail                   fallback — JA4 + UA only                         ~40 bits

SHA-256 Implementation

The engine uses a dual-path SHA-256 implementation:

  1. Native: crypto.subtle.digest('SHA-256', ...) — used on HTTPS and localhost
  2. Fallback: CDN-loaded js-sha256@0.11.0 — used on HTTP or when subtle crypto fails

Caching

Once generated, the hybrid fingerprint is stored in cookie __fp with a 365-day expiry. Subsequent calls to h.generateStable() return the cached value immediately, avoiding recomputation.

Server Context Injection

Lambda@Edge replaces the placeholder ___IMPRESSIO_SERVER_CONTEXT_PLACEHOLDER___ with a JSON object containing CloudFront viewer headers:

var serverContext = {
  "cloudfront-viewer-ja4-fingerprint": "t13i..._aa..._bb...",
  "accept-language": "es-ES,es;q=0.9,en;q=0.8",
  "cloudfront-viewer-time-zone": "Europe/Madrid",
  "cloudfront-viewer-asn": "3352",
  "sec-ch-ua-platform": "macOS"
};
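
The composition rule and the injected server context described above, as an added Node.js example that is not the engine's own code: it derives the server portion from the CloudFront headers, composes the hybrid value, and lets a backend re-check the 16-character server prefix of a presented __fp value against the current request. The "|" join, the reading of "primary" Accept-Language, lowercase hex output, every function name and the sample values are assumptions.

```javascript
// Added example, not the engine's source; joins and normalisation are assumptions.
const { createHash } = require('node:crypto');
const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// JA4 is "a_b_c"; the page treats only the a and c segments as stable.
function ja4StableParts(ja4) {
  const parts = String(ja4 || '').split('_');
  return parts.length === 3 && parts.every(Boolean) ? `${parts[0]}_${parts[2]}` : '';
}

// Assumption: "primary" means the first language tag, q-value dropped.
function primaryLanguage(header) {
  return String(header || '').split(',')[0].split(';')[0].trim().toLowerCase();
}

// Assumption: components are joined with "|" in the order the page lists them.
function serverHash(ctx) {
  return sha256Hex([
    ja4StableParts(ctx['cloudfront-viewer-ja4-fingerprint']),
    primaryLanguage(ctx['accept-language']),
    ctx['cloudfront-viewer-time-zone'] || '',
    ctx['cloudfront-viewer-asn'] || '',
    ctx['sec-ch-ua-platform'] || '',
  ].join('|'));
}

// hybrid = serverHash[0:16] + clientHash[0:48]
function composeHybrid(serverHex, clientHex) {
  return serverHex.slice(0, 16) + clientHex.slice(0, 48);
}

// Backend check: the last 48 chars come from client-reported signals, so only the
// first 16 can be recomputed server-side from the request's own CloudFront headers.
function serverPortionMatches(hybrid, ctx) {
  if (!/^[0-9a-f]{64}$/.test(String(hybrid))) return false;
  return hybrid.slice(0, 16) === serverHash(ctx).slice(0, 16);
}

// Constructed sample input; the JA4 value is made up, not captured traffic.
const sampleContext = {
  'cloudfront-viewer-ja4-fingerprint': 't13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb',
  'accept-language': 'es-ES,es;q=0.9,en;q=0.8',
  'cloudfront-viewer-time-zone': 'Europe/Madrid',
  'cloudfront-viewer-asn': '3352',
  'sec-ch-ua-platform': 'macOS',
};
const sampleClientHash = sha256Hex('constructed-client-signals');
const sampleHybrid = composeHybrid(serverHash(sampleContext), sampleClientHash);
console.log(sampleHybrid, serverPortionMatches(sampleHybrid, sampleContext));
```

A prefix mismatch is not proof of tampering: the cached __fp value lives for 365 days, while the viewer's ASN or timezone can change in that time.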