I first built FPScanner during my PhD around 2017–2018, when I was doing research on browser fingerprinting and bot detection. After that I did not really maintain it for years.
I recently decided to revive it because things changed a lot. Automation is much easier now. With free automation libraries like Puppeteer/Playwright/Selenium + headless Chrome and cheap proxies, you can build decent bots very quickly. At the same time, open source defensive tooling is still quite limited, or very basic.
To be clear, FPScanner is not trying to be a silver bullet.
It is a small, self-hosted library that focuses on deterministic client-side signals:
- webdriver and automation flags
- CDP-related artifacts
- automation framework markers (Selenium, Playwright, etc.)
- JS cross-context inconsistencies: main JS context, iframes and workers
It also generates a JA4-inspired fingerprint ID for clustering sessions, and includes encrypted payload + simple anti-replay protections.
There is no ML here, no "AI detection", and no claim to block 100% of bots. The idea is just to expose strong, explainable signals and make automation a bit more expensive. I assume attackers can read the source code.
I tested it on different devices and browsers to avoid JS errors and obvious false positives, but I’m sure there are edge cases. If you try it on less common browsers or hardened setups and it breaks, please let me know or open an issue.
Happy to answer questions or discuss design choices / limitations.
I recently wrote about the limits of these kinds of fingerprinting tests. They tend to overly focus on uniqueness without taking into account stability. Moreover sample size is often really small which tends to artificially make a lot of users unique
Hi HN! I’m Antoine, Head of Research at Castle. We’re a YC-backed Series A startup helping companies like Canva, Atlassian, and Rockstar Games fight fraud and abuse. We're building modern, AI-powered bot detection and abuse prevention tech, with a focus on real-time protection and behavioral intelligence.
We’re a small, fast-moving team looking to add two technical roles:
Senior ML Engineer – Fraud & Bot Detection
You'll work on real-time ML pipelines, anomaly detection, and adversarial ML techniques to stop bots and malicious actors. We’re combining traditional fraud signals with modern AI—LLMs, behavioral clustering, and vector-based search—to stay ahead of attackers. You’ll own models end to end and deploy quickly, with direct access to rich, structured behavioral and fingerprinting data.
Ideal for someone with strong experience in the anti-fraud/anti-bot field who loves cutting-edge ML and wants immediate impact.
Senior Detection Engine Engineer (R&D)
You’ll build and scale the core infrastructure behind our detection logic—rule engines, fingerprinting pipelines, and high-speed signal ingestion. We’re integrating AI-driven detection and auto-adaptive logic that reacts in real time. If you enjoy real-time systems, security, and automation, this is a highly technical role that’s at the core of our detection stack.
Perfect if you’ve worked in security, data pipelines, or real-time analytics and want to outsmart fraudsters.
We pay US salaries globally | Fully remote from Europe/EMEA timezone | Flexible hours | Unlimited PTO | Paid parental leave
We're actively hiring and committed to responding to every qualified applicant.
I first built FPScanner during my PhD around 2017–2018, when I was doing research on browser fingerprinting and bot detection. After that I did not really maintain it for years.
I recently decided to revive it because things changed a lot. Automation is much easier now. With free automation libraries like Puppeteer/Playwright/Selenium + headless Chrome and cheap proxies, you can build decent bots very quickly. At the same time, open source defensive tooling is still quite limited, or very basic.
To be clear, FPScanner is not trying to be a silver bullet.
It is a small, self-hosted library that focuses on deterministic client-side signals: - webdriver and automation flags - CDP-related artifacts - automation framework markers (Selenium, Playwright, etc.) - JS cross-context inconsistencies: main JS context, iframes and workers
It also generates a JA4-inspired fingerprint ID for clustering sessions, and includes encrypted payload + simple anti-replay protections.
There is no ML here, no "AI detection", and no claim to block 100% of bots. The idea is just to expose strong, explainable signals and make automation a bit more expensive. I assume attackers can read the source code.
I tested it on different devices and browsers to avoid JS errors and obvious false positives, but I’m sure there are edge cases. If you try it on less common browsers or hardened setups and it breaks, please let me know or open an issue.
Happy to answer questions or discuss design choices / limitations.