Websites See More Than Your IP: What Your Browser Gives Away in One Visit

When you open a website, the browser sends a request. At this level, the site usually sees a public IP address: your home network, office, mobile carrier, VPN server, proxy, or corporate gateway. Cloudflare explains Internet Protocol as the addressing and routing system for packets, with sender and receiver addresses.

An IP address can roughly suggest a country, region, or city. Roughly is the key word. It is not GPS and not an exact point on a map.

The browser sends technical data with the request. MDN explains that an HTTP request includes a start line, headers, and sometimes a body. Those headers can include the browser language, browser type, version, and sometimes the address of the page you came from.

A VPN is useful here. It can replace the visible IP with the VPN server's IP and hide traffic contents from the owner of the Wi-Fi or office network. In a hotel, airport, coworking space, or someone else's office, that is a normal use case.

But a VPN does not change the browser itself. After the page loads, the website is no longer looking only at the connection.

The site opens, JavaScript runs, and the page can see more details: language, time zone, window size, browser storage, network capabilities, and how the browser draws graphics.

Some of this is normal web functionality. A site needs the window size to fit the layout. It may need language for the interface. Canvas and WebGL help render maps, charts, video, and games. But the same graphics behavior can become part of a browser fingerprint.

A website can also see actions on the page: clicks, typing, scrolling, navigation, and form submissions. This is not magic. It is normal JavaScript on the page.

One signal rarely proves much on its own. One browser language proves nothing. One screen size does not either. But together, those details can become a browser fingerprint.

EFF Cover Your Tracks explains browser fingerprinting as a way to recognize a browser through a set of characteristics. W3C Fingerprinting Guidance describes the same risk more broadly: browser, device, and behavior properties can be combined to identify or link activity.

That is why changing IP does not always change the picture for a website. If language, time zone, screen, graphics behavior, and stored data stay the same, the visit can still look familiar. We go deeper into the mechanism in what a browser fingerprint is.

People often treat incognito as "the website will not know anything." It is useful for something else.

A private window helps avoid leaving history and temporary data on the device after the window closes. That is useful on someone else's laptop, a shared computer, or when you need to open a site without old cookies.

But while the window is open, the site still sees the request, the browser, actions on the page, and the account if you log in. Closing the window does not delete records on the website's side.

Cookies are only the best-known part. MDN describes HTTP cookies as browser data used for sign-in, personalization, and tracking. Websites also have other local browser storage that works in more complicated ways than ordinary cookies.

There is one more nuance: some websites can check whether a private window is open. Fingerprint's article on incognito detection describes methods based on API availability, storage quotas, and code behavior. The reliability of these methods is limited and browser-dependent, but the point matters: private windows can still leave technical differences. That does not mean the site learned your real name. It is another browser-level sign.

More on the limits of private windows: what incognito actually hides.

There is a link that does not need to be inferred: logging in.

If you use the same email, phone number, payment card, shipping address, or Google or Apple account, the website does not need to guess from a fingerprint. You gave it the main sign yourself.

That is why "I turned on a VPN, opened incognito, and logged into the same account" often disappoints people. The IP is different. The window is private. The account is the same.

The same goes for a phone number, payment method, or shipping address. The browser may look different, but account data can still connect the actions.

Location works the same way. It is not one setting.

An IP address can suggest an approximate country, region, or city. A VPN or proxy can change that layer.

But precise geolocation is different. The Geolocation API works through user permission. If you give a site access, it can receive more precise device location data, and a VPN does not fix that by itself.

There is also account data: billing country, shipping address, phone number, or account region.

So "I turned on a VPN in Germany" does not mean the whole picture became German. A site can see a German IP while also receiving language, time zone, account login, or geolocation permission.

A VPN is useful when you want to change the visible IP and protect yourself from an untrusted network. It does not change cookies, logins, language, time zone, or the browser fingerprint. More here: is using a VPN safe.

Incognito helps when you do not want to leave history on the device or when you want to open a site without old cookies. It does not permanently separate work and personal websites.

Ad and tracker blockers reduce the amount of third-party code on the page. That is useful: less outside code means less unnecessary observation. But blocking ads by itself does not separate personal, work, and client tasks. More here: how to block ads online.

One setting only covers its own part. IP, local history, cookies, logins, browser fingerprint, and geolocation live at different levels.

NOID does not make the website blind. The website still sees the current visit, the account you use, and the information you submit.

NOID helps when the problem is bigger than the IP. Personal, work, and client browsing should not all reuse the same browser with the same stored data.

In NOID, each identity can have its own site data, browser settings, notes, tags, and connection. For example, one identity can be for personal sites, another for client work, and a third for temporary checks. If a task needs a separate country or connection location, you set it for that identity instead of changing every tab on the device.

This does not remove links you create yourself: a shared account login, phone number, payment method, or support details. If you repeat them in different places, a website can still connect the actions.

The idea is simple: different tasks should not look to websites like the same browser with the same data. More here: how NOID protects you.

Run a simple check.

Open your regular browser and run a test. Then switch to a separate work identity in NOID and run the same test.

Do not look only at the IP. Compare language, time zone, browser details, graphics behavior, storage, and login state.

EFF Cover Your Tracks is useful as an independent fingerprinting and tracker check. Check ID is useful for comparing what websites see inside different NOID identities.

This shows more than a green or red result. It shows how similar your personal and work visits look to each other.