Validating visitorId

[beshoo]

Thank you for this add on.
Simple question. how can we validate on the server side the visitorId if it is generated by this lib or it is a fake ID?

[Finesse]

Hi @beshoo. This is more a general question than an issue, so I've converted it to a discussion.

You can't validate a fingerprint. You can only make it harder to fake the fingerprints, for example by:

• obfuscating the code of your frontend;
• obfuscating the content of the HTTP requests that contain fingerprints;
• sending the fingerprints in multiple HTTP requests.

In general, browser fingerprinting is not designed to withstand hackers that modify the frontend code or fake HTTP requests. Please search "http request integrity" to learn how to protect your HTTP requests from faking.

[makma]

I know the question is regarding FingerprintJS open-source repository, nevertheless, I believe info about FingerprintJS Pro and its requestId might be beneficial for the op.

The commercial tool FingerprintJS Pro (with available free tier) addresses this issue. The Pro version uses requestId, which is associated with each identification. Moreover, the identification payload with its signals is obfuscated, so it's harder for malicious users to spoof them. You can learn more about requestId in the official docs.