5 Privacy Leaks Your Browser Has Right Now (And How to Fix Each One)

Your browser is leaking data through DNS, WebRTC, fingerprinting, and more. Here are 5 specific leaks with free tools to detect them and fixes under 5 minutes each.

Most people think browsing in “private mode” makes them invisible. It doesn’t. Your browser is likely leaking data through at least 3 of these 5 channels right now.

I built tools to detect each one. Here’s what they find — and how to fix it.

1. DNS Leaks — Your ISP Sees Every Site You Visit

What’s happening: Even with a VPN, your DNS queries might bypass the tunnel and go directly to your ISP’s resolver. This means your ISP has a complete log of every domain you visit.

How to test: Visit devtoolkit.dev/dns-leak — it queries your DNS resolver and shows who’s handling your lookups.

The fix:

  • Switch to a resolver that supports encrypted DNS: 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9)
  • Enable DNS-over-HTTPS in your browser settings
  • On Firefox: Settings → Privacy → Enable DNS over HTTPS

Time to fix: 2 minutes

2. WebRTC Leaks — Your Real IP Behind the VPN

What’s happening: WebRTC (used for video calls) can reveal your real IP address even when connected to a VPN. Websites can exploit this with a few lines of JavaScript.

How to test: Run the privacy audit at devtoolkit.dev/privacy-audit — it includes WebRTC leak detection.

The fix:

  • Firefox: Go to about:config, set media.peerconnection.enabled to false (this turns WebRTC off entirely, so in-browser video calls stop working)
  • Chrome: Install “WebRTC Leak Prevent” extension
  • Brave: Settings → Privacy → Disable WebRTC

Time to fix: 1 minute

3. HTTP Security Headers — Missing Protection

What’s happening: When you visit a website, your browser trusts whatever security policies the server sends (or doesn’t send). Missing headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security leave you vulnerable to clickjacking, XSS, and protocol downgrade attacks.

How to test: Check any site with devtoolkit.dev/headers

The fix: This one’s on the website operators, but you can:

  • Use HTTPS-only mode in Firefox (Settings → Privacy → HTTPS-Only Mode)
  • Install uBlock Origin (blocks many header-related attacks)
  • Avoid sites that score poorly on header checks

Time to fix: 1 minute

4. Browser Fingerprinting — You’re Unique Even Without Cookies

What’s happening: Your browser configuration (screen size, installed fonts, GPU, timezone, language, plugins) creates a unique fingerprint. Studies show 83.6% of browsers have a unique fingerprint. No cookies needed.

How to test: The privacy audit at devtoolkit.dev tests your fingerprint entropy.

The fix:

  • Use Firefox with privacy.resistFingerprinting set to true in about:config
  • Or use Tor Browser (designed to make everyone look identical)
  • Reduce uniqueness: use common screen resolutions, default fonts, standard timezone

Time to fix: 3 minutes

5. Connection Security — Are You Actually Encrypted?

What’s happening: Not all HTTPS is equal. Outdated TLS versions (1.0, 1.1), weak cipher suites, and missing HSTS headers mean your “secure” connection might be vulnerable to downgrade attacks.

How to test: devtoolkit.dev/privacy-check shows your connection security details.

The fix:

  • Update your browser (seriously, this fixes most issues)
  • Enable HTTPS-only mode
  • If you run a server: force TLS 1.3, enable HSTS with a long max-age

Time to fix: 1 minute (just update)
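
For the header checks described in sections 3 and 5, here is an added example (not the code behind the devtoolkit.dev tools) that audits a response-header map for Content-Security-Policy, clickjacking protection, and an HSTS max-age. The function names, the one-year threshold, and the sample headers are assumptions made for illustration.

```javascript
// Added example: audits a response-header map for the headers named in sections 3 and 5.
// MIN_HSTS_MAX_AGE is an assumed threshold (one year); the page only says "a long max-age".
const MIN_HSTS_MAX_AGE = 31536000;

// Parse "max-age=63072000; includeSubDomains" into { maxAge, includeSubDomains }.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    if (name.toLowerCase() === 'max-age') {
      const n = Number(raw.replace(/"/g, ''));
      if (raw !== '' && Number.isInteger(n) && n >= 0) out.maxAge = n;
    } else if (name.toLowerCase() === 'includesubdomains') {
      out.includeSubDomains = true;
    }
  }
  return out;
}

// Return a list of findings; an empty list means all three checks passed.
function auditHeaders(rawHeaders) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing Content-Security-Policy');
  // CSP frame-ancestors takes precedence over X-Frame-Options, so either one counts.
  const framed = /(^|;)\s*frame-ancestors\s/i.test(csp || '') ||
    /^(deny|sameorigin)$/i.test((h['x-frame-options'] || '').trim());
  if (!framed) findings.push('no clickjacking protection (X-Frame-Options or frame-ancestors)');
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const { maxAge } = parseHsts(hsts);
    if (maxAge === null) findings.push('HSTS has no valid max-age');
    else if (maxAge === 0) findings.push('HSTS max-age=0 removes the policy');
    else if (maxAge < MIN_HSTS_MAX_AGE) findings.push(`HSTS max-age ${maxAge} is short`);
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const weak = { 'Content-Type': 'text/html', 'Strict-Transport-Security': 'max-age=300' };
const good = { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'strict-transport-security': 'max-age=63072000; includeSubDomains' };
console.log(auditHeaders(weak), auditHeaders(good));
```

To audit a live site, build the input map from the response headers your HTTP client or the browser's network panel reports.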


The Full Picture

Want to check all 5 at once? The Privacy Audit at devtoolkit.dev runs all these tests in 30 seconds and gives you a score out of 100.

All tools are free, open, no signup, no tracking. If they’re useful, consider a Lightning tip to devtoolkit@coinos.io — it keeps the servers running.


Built by a developer who got tired of privacy tools that require accounts and sell your data. The irony was too much.

