--- title: WHOX Glossary description: Definitions of every WHOX-specific and adjacent term used across the documentation. JA4, Trust Score, A/F/C axes, Sigil, Foresight, antidetect, deep scan, and the rest. last_updated: 2026-05-13 canonical_url: https://whox.com/glossary --- # Glossary Single source of truth for terminology used across the WHOX documentation. Sorted alphabetically. WHOX-specific terms are marked with `[WHOX]`. ## A axis [WHOX] The Anonymizer axis. Scores 0 to 100. Captures VPN, proxy, Tor, datacenter exposure. Lower score means more anonymization detected. One of three axes contributing to the Trust Score. See [Trust Score](#trust-score-whox). ## Antidetect browser A browser specifically built or modified to spoof fingerprints and evade detection. Commercial examples include Multilogin, Octo, Dolphin Anty, GoLogin, Kameleo, Linken Sphere, AdsPower, Incogniton, and Hidemium. Antidetect browsers typically spoof the easy fingerprint surfaces (canvas, WebGL renderer, fonts) and trip on cross-signal consistency checks. WHOX targets this class with the Consistency layer and the Sigil cross-layer probes. ## ASN (Autonomous System Number) A globally unique identifier for a network operator. Used by WHOX to classify IPs as residential, datacenter, hosting, mobile-carrier, or known-VPN. Most VPN providers operate in clearly identifiable ASN ranges; residential proxy networks are largely ASN-mappable as well. ## Authenticity [WHOX] One of the four Foresight scores. Answers the question "is there a human at the keyboard." Driven by behavioural entropy, RAF jitter that looks human rather than scheduled, mouse curvature with measurable randomness, scroll momentum, click distribution. Bots fake fingerprints reliably; faking Authenticity is hard. See [Foresight](/md/product/foresight.md). ## Behavioral Analysis [WHOX] One of the nine signal categories. 38+ signals on how the device gets used: mouse curvature entropy, jitter, scroll momentum, click timing, focus and blur patterns, RAF interval, scheduling drift. Real humans wiggle in measurable ways; scripted humans do not. ## C axis [WHOX] The Consistency axis. Scores 0 to 100. Captures whether the network claims and the browser claims agree with each other (User-Agent vs GPU vendor, claimed timezone vs DNS resolver country, JA4 OS marker vs `navigator.platform`). One of three axes contributing to the Trust Score. ## CalcuLatency [WHOX] The fourth Sigil probe (S04). Measures RTT to the same endpoint at the kernel TCP layer and at the JavaScript layer; a measurable gap means a transparent proxy is sitting between the browser and the network. See [WHOX Sigil](/md/product/sigil.md). ## Canvas fingerprinting Renders text or shapes to an HTML canvas, reads back pixel data, hashes it. Stable per device, varies measurably by GPU model, GPU driver, OS-level font rendering, and browser version. One of 80+ parameters in WHOX Fingerprint Analysis. ## CDP (Chrome DevTools Protocol) The protocol Chrome exposes for debugging and remote control. Selenium, Puppeteer, Playwright, and similar tools all use CDP. CDP markers in the page environment are a high-precision signal for headless automation. WHOX checks AUT04 and related codes. ## Client Hints Modern browser headers (`Sec-CH-UA`, `Sec-CH-UA-Platform`, etc.) that replace some User-Agent string information. WHOX cross-checks Client Hints against the legacy User-Agent and against the JavaScript-visible `navigator` block; mismatches are a Consistency signal. ## Cross-Signal AI [WHOX] The sixth detection layer. A correlation engine that runs across the other five (Network, Browser APIs, CSS-Only, Hardware, Behavioral) and scores contradictions. Drives the C-axis. ## Datacenter An IP that resolves to commercial hosting infrastructure rather than a residential ISP. Datacenter IPs are heavily over-represented in fraud traffic. WHOX detects them by ASN classification and reverse DNS. ## Deep Scan [WHOX] The longer of the two WHOX scan modes. Adds 80 active probes to the 230 Fast Check signals. Completes in 5-7 seconds. Includes timing fingerprints (GPU, WASM, GC, RAF), behavioural sampling, DNS/IPv6/QUIC/DoH/DoT/mDNS leak detection, port probes, JA4-UA correlation, Phase-20 fingerprints, Sigil cross-layer probes. Triggered via `POST /v1/fp/deep` against an existing `req_id`. ## Digital Shadow [WHOX] One of the four Foresight scores. Aggregates the leak signals the engine catches: mDNS hostname, IPv6 exposure under tunnel, WebRTC candidates, DoH leaking past the tunnel, QUIC streams that bypass the proxy. See [Foresight](/md/product/foresight.md). ## DNS leak The user's DNS queries are not going through the VPN tunnel; the real ISP's resolver answers them. WHOX detects DNS leaks actively rather than passively trusting the resolver the user claims. See [Identify VPN and proxy leaks](/md/examples/identify-vpn-leak.md). ## DNSBL (DNS Blacklist) A reputation list distributed via DNS that catalogs IPs known for spam, abuse, malware, Tor exit, or botnet activity. WHOX queries 15+ DNSBLs in parallel as one input to the Anonymizer axis. ## DoH / DoT DNS over HTTPS / DNS over TLS. Encrypted DNS protocols. WHOX checks whether the resolver behind DoH/DoT is consistent with the rest of the session and whether DoH bypasses the VPN tunnel. ## Edge beacon [WHOX] A geographically distributed measurement endpoint operated by WHOX. Used for RTT triangulation against the claimed GeoIP location (Speed-of-Light Geo verification, Sigil S05). ## Engine DNA [WHOX] The second Sigil probe (S02). Cross-validates TLS JA4, HTTP/2 SETTINGS frame fingerprint, and CSS rendering capabilities to confirm they all belong to the same browser engine. Catches sessions where the User-Agent says Chrome but TLS says Firefox. ## F axis [WHOX] The Fingerprint axis. Scores 0 to 100. Captures how rare your hardware/software signature is in the population. Lower score means more uniquely fingerprintable. ## Fast Check [WHOX] The shorter of the two WHOX scan modes. 230 passive signals. Returns in under 100ms. Triggered via `POST /v1/fp/ingest`. ## Fingerprint The combined set of stable signals that identify a browser/device across sessions. WHOX uses 80+ parameters spanning canvas, WebGL, WebGPU, audio context, fonts, screen, CSS, hardware timing, behavioural entropy. ## Foresight [WHOX] The WHOX derived analytical layer. Computes four predictive scores (Traceability, Authenticity, Digital Shadow, Hardware DNA) from the base 300+ signals. Included on Business and Enterprise tiers. See [WHOX Foresight](/md/product/foresight.md). ## Hardware DNA [WHOX] One of the four Foresight scores. Measures how much silicon-level information leaks: WebGPU shader compilation hash, WASM execution timing, GC patterns. The most adversary-resistant of the four because silicon does not lie under cross-examination. ## Headless browser A browser running without a visible UI, typically driven by automation. Headless Chrome, headless Firefox, headless Edge are first-party offerings; Selenium, Puppeteer, Playwright are the common driving frameworks. WHOX detects headless browsers via 48+ checks in the Automation Detection category. ## HTTP/2 SETTINGS The frame HTTP/2 clients send during connection setup. The values (max concurrent streams, header table size, initial window size) and the order they appear in are distinctive per browser engine. WHOX uses HTTP/2 SETTINGS as one input to Engine DNA (Sigil S02). ## JA4 A TLS-handshake fingerprint developed by FoxIO. Captures a TLS client by the cipher suites it offers, the extensions it lists, and the order of those extensions. Different TLS implementations produce different JA4 strings. Cloudflare, AWS CloudFront, Akamai, and Fastly forward JA4 in headers. WHOX uses JA4 as one input to the Anonymizer and Consistency axes. ## JA4H The HTTP variant of JA4. Captures the order and case of HTTP headers a client sends. Antidetect tools that spoof the User-Agent often forget to reorder headers, producing a JA4H mismatch. ## mDNS leak The local network hostname (the "Vasya's MacBook" tell) leaks via WebRTC candidate gathering. WHOX checks for mDNS leaks during Deep Scan; they contribute to the Digital Shadow score. ## Penalty code [WHOX] A stable identifier for a specific signal that affected the Trust Score. Format: prefix + number. Common prefixes: A (Anonymizer), F (Fingerprint), C (Consistency), AUT (Automation), BEH (Behavioral), LEAK (Leak), S (Sigil). Codes are stable across versions; new codes can be added but existing codes do not change meaning. ## Persona [WHOX] The Lab API endpoint that returns a derived classification of the session ("privacy-conscious user," "automation," "VPN-using legitimate user," etc.) based on the combined score and signal pattern. Available via `GET /v1/lab/persona`. ## QUIC leak Some VPN clients route TCP traffic through the tunnel but let QUIC (UDP) bypass it. WHOX detects QUIC leaks during Deep Scan; they contribute to the Digital Shadow score. ## RAF (requestAnimationFrame) The browser API that runs a callback on the next paint cycle, typically every 16.67ms at 60Hz. The interval entropy (variation in actual time between calls) is a behavioural signal: real interactive sessions show measurable jitter from competing main-thread work; scripted sessions look mechanically regular. ## Residential proxy A proxy network that routes traffic through real consumer ISP IPs. Makes the IP look residential. Detected by WHOX through ASN labelling, Sigil tunnel forensics, and behavioural patterns. See [FAQ](/md/faq.md#what-is-a-residential-proxy-and-can-whox-detect-it). ## req_id [WHOX] The unique identifier returned by `POST /v1/fp/ingest`. Used to attach a Deep Scan to an existing Fast Check, to fetch the result, and to reference the session in webhooks. Repeated calls with the same `req_id` do not double-charge. ## Sigil [WHOX] The WHOX cross-layer verification subsystem. Five probes during Deep Scan: TCP Stack Identity (S01), Engine DNA (S02), Tunnel Forensics (S03), CalcuLatency (S04), Speed-of-Light Geo (S05). Catches contradictions that single-layer detection cannot. See [WHOX Sigil](/md/product/sigil.md). ## Speed-of-Light Geo [WHOX] The fifth Sigil probe (S05). Measures physical RTT to the nearest WHOX edge node and compares against the great-circle distance to the claimed GeoIP location. Catches sessions whose claimed location is impossible at lightspeed. ## Stealth plugins Modifications to Selenium, Puppeteer, or Playwright that try to hide their automation tells (puppeteer-extra-plugin-stealth being the canonical example). Reduces but does not eliminate the automation signature; WHOX detects most stealth setups via the AUT20-39 cluster. ## TCP Stack Identity [WHOX] The first Sigil probe (S01). Identifies the OS by the kernel TCP fingerprint (window scaling, MSS, options order) and compares against the OS the User-Agent claims. Catches sessions running a Linux kernel while spoofing Windows in the browser. ## Tor A network that routes traffic through three relays for anonymization. Tor exit nodes are publicly listed; WHOX cross-references against the live exit list. Tor users score low on the Anonymizer axis intentionally; the threat-model page covers the false-positive case for journalists and researchers. ## Traceability [WHOX] One of the four Foresight scores. Answers "how easily can sites track this device across sessions, even without cookies." High Traceability means the device fingerprint is unique enough to re-identify regardless of cookie state. ## Trust Score [WHOX] The headline 0-to-100 number returned by the WHOX API. Computed from the three axes (A, F, C) and the derived signals. Every check that affected the score appears in the `why` array with a stable code, points delta, and reason string. ## Tunnel Forensics [WHOX] The third Sigil probe (S03). Reads MTU and encapsulation patterns to infer whether a session is direct or tunnelled. Catches VPN setups that hide from IP databases but cannot hide their MTU signature. ## undetected-chromedriver A Python library that patches Selenium's ChromeDriver to evade detection. The patches are themselves a signature; WHOX matches them in the AUT40-48 cluster. ## User-Agent The legacy HTTP header that identifies the client browser, version, and platform. Trivially spoofable. WHOX cross-checks the User-Agent against Client Hints, JA4 (which reveals the actual TLS library), HTTP/2 SETTINGS, and JS-visible `navigator` properties. ## visitorId A persistent identifier returned by FingerprintJS Pro for a visitor. Not a WHOX concept; included here because comparison docs reference it. WHOX does not return a visitorId; it returns a Trust Score and an explained `why` array per session, with no cross-session identifier exposed. ## WebGPU A modern browser API for GPU compute. WHOX uses WebGPU shader compilation hash as a hardware-tied fingerprint signal. The compile time is stable per GPU model + driver and varies measurably across machines. One of the most adversary-resistant signals because it ties to silicon. ## WebRTC leak WebRTC candidate gathering exposes local network IPs and sometimes the real public IP behind a VPN. WHOX detects WebRTC leaks during Deep Scan; they contribute to the Digital Shadow score and the Trust Score directly. ## why array [WHOX] The audit trail returned with every WHOX scoring response. Array of `{ code, delta, text }` objects, one per signal that affected the score. The codes are stable; the integration treats unknown codes as informational rather than failing. ## Widget API [WHOX] The endpoint group `/v1/widgets/*` for embeddable third-party integrations. Includes init, collect, and result endpoints. Designed so that the API key stays on the server while client-side fingerprint collection runs through a per-domain short-lived session token. ## Related - [FAQ](/md/faq.md) - [Product overview](/md/product/overview.md) - [Signal categories](/md/product/signals.md) - [WHOX Foresight](/md/product/foresight.md) - [WHOX Sigil](/md/product/sigil.md)