jonasstrehle/supercookie — explained in plain English
Analysis updated 2026-06-22
Run the demo locally to see favicon-based browser tracking in action and understand how it works.
Study the technique to design defenses or audit whether your browser is vulnerable to this type of fingerprinting.
Use the persistence comparison table to understand which privacy measures fail against supercookies.
| jonasstrehle/supercookie | lerist/fakelocation | railsgirls/guides.railsgirls.com | |
|---|---|---|---|
| Stars | 7,050 | 7,053 | 7,064 |
| Language | HTML | HTML | HTML |
| Setup difficulty | easy | moderate | easy |
| Complexity | 2/5 | 2/5 | 1/5 |
| Audience | developer | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Requires Docker or Node.js and setting two environment variables for hostname and port.
Supercookie is a demonstration project that shows how a website can assign a unique, persistent identifier to a browser by exploiting the way browsers cache favicons. Favicons are the small icons you see in browser tabs and bookmarks. The project is explicitly educational, intended to illustrate a privacy vulnerability rather than to enable tracking in practice. Browsers store favicons in a separate local cache, apart from the regular browser cache, to load them quickly on return visits. A web server can detect whether your browser already has a favicon cached for a specific URL path. By serving favicons for some paths and withholding them from others, a server can create a unique binary pattern across dozens of paths. When you revisit the site, the browser only requests the favicons it does not yet have cached. The server reads which requests are made and which are not, reconstructs the pattern, and identifies you without any cookies being set. What makes this technique notable is its persistence. Unlike ordinary cookies, which a user can clear, the favicon cache survives: clearing cookies, clearing the browser cache, closing and reopening the browser, rebooting the computer, using incognito or private browsing mode, and using a VPN. The README includes a comparison table showing that supercookie beats conventional cookies on every category of persistence and anti-tracking resistance it tested. The project is backed by research from scientists at the University of Illinois at Chicago. A live demo is available online. The source code can be run locally using either Docker or Node.js. Installation involves cloning the repository, setting a couple of environment variables for the hostname and port, and then starting the server. Full documentation covering the technical details is linked from the README.
An educational demo showing how websites can persistently identify browsers by exploiting the favicon cache, a tracking technique that survives clearing cookies, cache, and even incognito mode.
Mainly HTML. The stack also includes HTML, Node.js, Docker.
No license information is mentioned in the explanation.
Setup difficulty is rated easy, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.