Supercookie detection is the technical process of identifying and neutralizing tracking mechanisms that exploit browser features—such as HTTP Strict Transport Security (HSTS) flags, favicon caches, or ETag headers—to store identifiers that persist even after users clear standard cookies. Unlike conventional HTTP cookies, these supercookies respawn from redundant storage locations, making them resistant to deletion and a significant privacy concern.
Glossary
Supercookie Detection

What is Supercookie Detection?
Supercookie detection identifies persistent tracking mechanisms that abuse browser features to respawn cleared identifiers, bypassing user privacy controls.
Detection techniques involve analyzing browser storage anomalies, inspecting cache integrity, and monitoring for unauthorized identifier synchronization across isolated storage APIs. Security architects deploy supercookie detection within behavioral biometrics frameworks to distinguish between legitimate session persistence and privacy-invasive tracking, ensuring compliance with regulations like GDPR while maintaining robust fraud detection capabilities.
Core Characteristics of Supercookie Detection
Supercookie detection involves identifying and neutralizing tracking mechanisms that abuse browser features to persist identifiers beyond user deletion. These techniques exploit protocol-level artifacts to bypass conventional privacy controls.
HSTS Flag Abuse Detection
Identifies tracking that exploits HTTP Strict Transport Security flags to store persistent identifiers. Attackers encode values by toggling HSTS policies across subdomains, creating a bit-encoded fingerprint that survives cache clearing.
- Monitors HSTS cache state across subdomain requests
- Detects anomalous 307 Internal Redirect patterns
- Flags domains using HSTS as a storage channel
- Cross-references with known tracker domain lists
Favicon Cache Fingerprinting
Detects the abuse of favicon caches to store persistent identifiers. Trackers force browsers to cache unique favicon combinations across subdomains, creating a combinatorial identifier that persists even after cookies are cleared.
- Analyzes favicon request patterns for enumeration behavior
- Detects subdomain chains serving unique favicon.ico files
- Monitors cache probing via onload/onerror event timing
- Flags domains with excessive favicon subdomain variations
ETag Header Tracking
Identifies the misuse of HTTP ETag headers as persistent storage. ETags are cache validation tokens that browsers store indefinitely; trackers set unique ETag values that are echoed back on subsequent requests, functioning as a respawnable identifier.
- Inspects ETag values for encoded user identifiers
- Correlates ETag consistency across cleared sessions
- Detects If-None-Match header fingerprinting patterns
- Flags servers setting ETags without Cache-Control headers
TLS Session Resumption Tracking
Detects tracking via TLS session IDs and session tickets. These cryptographic tokens persist across browser restarts and can encode identifiers that survive all user clearing actions, operating below the HTTP layer.
- Monitors TLS handshake for static session ID reuse
- Detects session ticket rotation patterns indicating encoding
- Analyzes Server Name Indication (SNI) field consistency
- Flags connections with abnormally persistent session parameters
Storage API Enumeration Detection
Identifies tracking that probes browser storage APIs to reconstruct identifiers. Trackers test LocalStorage, IndexedDB, Service Worker caches, and other isolated storage mechanisms to find residual data after clearing attempts.
- Detects rapid sequential reads across storage APIs
- Monitors for storage quota probing patterns
- Flags cross-origin storage access attempts
- Identifies Service Worker registration as persistence vector
Browser Fingerprint Correlation
Links supercookie identifiers to browser fingerprinting signals for respawning. When a user clears cookies, trackers match the recreated fingerprint to a previously stored supercookie value, restoring the identifier.
- Correlates canvas fingerprint with HSTS snapshot state
- Detects fingerprint-to-supercookie binding events
- Monitors for identifier respawning after clearing events
- Flags domains combining multiple persistence techniques
Frequently Asked Questions
Clear, technical answers to the most common questions about identifying and mitigating persistent browser tracking mechanisms that bypass user privacy controls.
A supercookie is a persistent tracking identifier stored outside the browser's standard cookie storage mechanisms, making it resistant to user deletion. Unlike standard HTTP cookies, which are domain-specific, easily cleared, and regulated by browser privacy controls, supercookies exploit browser features to respawn identifiers even after a user explicitly clears their cache and cookies. They are not technically cookies at all—they are identifiers injected into HTTP Strict Transport Security (HSTS) flags, favicon caches, ETag headers, or TLS session IDs. The critical distinction is persistence and stealth: a standard cookie respects a user's deletion intent, while a supercookie actively circumvents it by reconstructing the identifier from immutable or semi-persistent browser storage locations.
Real-World Supercookie Detection Scenarios
Explore the technical scenarios where supercookies are deployed to bypass user privacy controls, and the forensic methods used to detect these persistent, respawning identifiers.
HSTS Flag Abuse Detection
Detecting the abuse of HTTP Strict Transport Security (HSTS) flags to create a persistent identifier. Attackers encode a unique value by setting HSTS policies across a range of subdomains (e.g., bit0.example.com, bit1.example.com).
- Mechanism: The browser stores a binary state (HSTS on/off) for each subdomain.
- Detection: Forensic analysis of HSTS cache entries and monitoring for requests to a large number of non-existent subdomains on a single apex domain.
- Indicator: A script that systematically probes 32+ subdomains to reconstruct a 32-bit user ID.
Favicon Cache Fingerprinting
Identifying the use of favicon caches as a storage vector. A tracking script forces the browser to request a unique set of favicons from distinct paths, encoding a user ID in the pattern of cached and uncached icons.
- Mechanism: The script checks if a specific favicon is loaded from cache (fast) or fetched from the network (slow) using the
onloadevent. - Detection: Monitoring for rapid, sequential requests to numerous unique favicon URLs on a single domain, especially those returning
404or301status codes. - Red Flag: JavaScript that iterates through an array of paths like
/id-0.ico,/id-1.icoand measures load timing.
ETag Header Respawning
Detecting the use of ETag HTTP response headers to respawn deleted cookies. The server sets a unique ETag value for a cached resource, which the browser sends back on subsequent requests via the If-None-Match header.
- Mechanism: Even after a user clears cookies, the browser cache retains the ETag, allowing the server to reconstruct the identifier.
- Detection: Inspecting network traffic for static resources with ETag values that appear to be high-entropy strings or Base64-encoded data, rather than standard content hashes.
- Forensic Artifact: An ETag value that remains constant across multiple cache-clearing events.
TLS Session ID Resumption
Uncovering tracking via TLS Session Identifiers. A server can issue a unique Session ID during the TLS handshake, which the client caches and presents on the next connection to resume the session without a full handshake.
- Mechanism: The Session ID acts as a persistent token stored outside of the browser's cookie jar.
- Detection: Analyzing the ClientHello message in TLS traffic for Session IDs that persist across browser restarts and cookie deletions.
- Key Distinction: Legitimate session resumption uses short-lived tickets; supercookies use long-lived, static identifiers.
Storage Quota Enumeration
Detecting tracking scripts that abuse the Storage API to estimate available disk space and generate a semi-unique fingerprint. By requesting a specific quota and measuring the granted bytes, a script can derive a device-specific value.
- Mechanism:
navigator.storage.estimate()returns quota and usage data that can vary slightly between browsers and devices. - Detection: Monitoring for scripts that call the Storage API without any legitimate file-saving or caching operation.
- Context: This is often combined with other signals to create a high-entropy cross-browser fingerprint.
Supercookies vs. Standard Tracking Mechanisms
A technical comparison of supercookie implementations against conventional browser tracking methods across key dimensions of persistence, user control, and detection difficulty.
| Feature | Standard HTTP Cookies | HSTS Supercookies | Favicon Supercookies |
|---|---|---|---|
Storage Location | Browser cookie jar (document.cookie) | Browser HSTS cache | Browser favicon cache (disk or memory) |
User Deletable via Browser Settings | |||
Survives Incognito/Private Mode | |||
Persistence After Clear History | |||
Cross-Browser Tracking Capability | |||
Requires JavaScript Execution | |||
Detection Difficulty | Trivial | Moderate | High |
Storage Capacity | 4KB per cookie | 1 bit per domain (visited or not) | ~32 bits per domain (cache miss/hit pattern) |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the interconnected techniques and countermeasures essential for identifying and mitigating persistent, privacy-invasive tracking mechanisms that bypass standard cookie controls.
HSTS Supercookie Fingerprinting
Exploits the HTTP Strict Transport Security cache to store a persistent identifier. A tracking site forces the browser to connect via HTTPS for a set of subdomains, encoding bits of a user ID. Detection involves analyzing the pattern of 307 Internal Redirects versus direct HTTPS requests across a known set of tracking domains to reveal the stored identifier.
Favicon Cache Pinning
A technique where a unique identifier is encoded by forcing the browser to cache specific favicons from a set of subdomains. The tracker then probes which favicons are loaded from cache versus fetched from the network. Detection requires monitoring cache hit ratios for favicon requests and identifying anomalous, deterministic request patterns to non-existent or uniquely generated icon paths.
ETag Header Tracking
Abuses the HTTP ETag response header, a cache validation token, as a persistent storage vector. The server sets a unique ETag value, and on subsequent requests, the browser echoes it back in the If-None-Match header. Detection involves stripping or rotating ETag values and monitoring for client-side scripts that programmatically extract and exfiltrate these cache tokens.
TLS Session Resumption Identifiers
Leverages TLS Session IDs and Session Tickets to persist an identifier across browser restarts. The server encodes a tracking ID within the encrypted session ticket. Detection focuses on analyzing the lifecycle of TLS session tickets, identifying tickets with abnormally long lifetimes, and correlating resumed sessions with the absence of first-party authentication cookies.
Browser Fingerprinting Correlation
Supercookies are rarely used in isolation. They serve as a respawn mechanism for cleared traditional cookies. Detection requires correlating the presence of a supercookie with a browser fingerprint hash. If a user clears cookies but the supercookie and fingerprint hash remain constant, the tracker can re-link the new cookies to the old identity profile.
Storage API Enumeration
Detection scripts must systematically probe all browser storage vectors abused for supercookies. This includes:
window.localStorageandsessionStorage- IndexedDB databases
- Service Worker caches
- Blob URLs
window.nameproperty Any data written to these stores without explicit user consent is a potential tracking vector.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us