Frequently Asked Questions

Table of Contents

• Real-World ETag Tracking Example
• Detecting ETag Tracking on Your Own Sites
• Browser Protection Against ETag Tracking
• Server-Side Defense Implementation
• Client-Side - Service Worker Masking
• ETag Behavior Comparison - Browsers and Technologies
• Audit - Finding Problematic ETags
• Prevention Checklist for Developers

Who is this article written for?

This article is written for developers, technical professionals, and power users who want practical guidance. Whether you are evaluating options or implementing a solution, the information here focuses on real-world applicability rather than theoretical overviews.

How current is the information in this article?

We update articles regularly to reflect the latest changes. However, tools and platforms evolve quickly. Always verify specific feature availability and pricing directly on the official website before making purchasing decisions.

Are there free alternatives available?

Free alternatives exist for most tool categories, though they typically come with limitations on features, usage volume, or support. Open-source options can fill some gaps if you are willing to handle setup and maintenance yourself. Evaluate whether the time savings from a paid tool justify the cost for your situation.

Can I trust these tools with sensitive data?

Review each tool’s privacy policy, data handling practices, and security certifications before using it with sensitive data. Look for SOC 2 compliance, encryption in transit and at rest, and clear data retention policies. Enterprise tiers often include stronger privacy guarantees.

What is the learning curve like?

Most tools discussed here can be used productively within a few hours. Mastering advanced features takes 1-2 weeks of regular use. Focus on the 20% of features that cover 80% of your needs first, then explore advanced capabilities as specific needs arise.

Real-World ETag Tracking Example

How a tracking network exploits ETags:

Step 1 - Pixel embed on 50+ websites
Every website includes - <img src="https://tracker.com/pixel.gif" />

Step 2 - First visit to Website A
Browser requests - GET /pixel.gif
Response includes:
  ETag: "user-12345-abc"
  Set-Cookie: track_id=user-12345

Step 3 - User clears cookies
(thinks they've removed tracking)

Step 4 - Visit Website B
Browser has no cookie but still has ETag cached
Requests - GET /pixel.gif
Includes header - If-None-Match: "user-12345-abc"
Tracker sees - "Same user with ETag user-12345-abc visited"
User is re-identified even without cookies!

This technique became known as “ETag respawning” after Princeton researchers documented it in 2014.

Detecting ETag Tracking on Your Own Sites

1. View all ETags your browser has cached
Chrome - chrome://cache
Firefox - about:cache

2. Check which sites are assigning user-specific ETags
Open DevTools (F12) → Network tab
Look for ETags that contain usernames, IDs, or hashes

3. Test ETag persistence
Visit site, note ETag value
Clear cookies and session storage
Reload page, check if same ETag is used

Browser Protection Against ETag Tracking

Modern browsers implement defenses:

// Browser behavior changes
// Firefox: ETag isolation (separate ETag per domain)
// Chrome: Partitioned cache (each domain has isolated cache)
// Safari: Third-party ETag blocking

// Check if your browser supports ETag partitioning:
if (performance.getEntriesByType &&
    performance.getEntriesByType("resource")[0]) {
  console.log("ETag partitioning supported");
}

Server-Side Defense Implementation

// Express.js example: Implementing privacy-respecting ETag strategy

const express = require('express');
const crypto = require('crypto');
const app = express();

// Privacy-conscious ETag middleware
function privacyAwareETag(req, res, next) {
  // WRONG: User-specific ETag
  // const etag = crypto.createHash('sha256')
  //   .update(req.user.id + content)
  //   .digest('hex');

  // CORRECT: Content-based ETag only
  const etag = crypto.createHash('sha256')
    .update(contentString)
    .digest('hex');

  res.setHeader('ETag', `"${etag}"`);

  // Additional privacy headers
  res.setHeader('Cache-Control', 'public, max-age=3600');
  res.setHeader('Vary', 'Accept-Encoding');

  // For sensitive content, disable caching entirely
  if (req.path.includes('/sensitive/')) {
    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate');
  }

  next();
}

app.use(privacyAwareETag);

app.get('/resource', (req, res) => {
  const content = generateContent();
  const etag = crypto.createHash('sha256').update(content).digest('hex');

  if (req.headers['if-none-match'] === `"${etag}"`) {
    return res.status(304).send();
  }

  res.set('ETag', `"${etag}"`);
  res.send(content);
});

Client-Side - Service Worker Masking

// Service Worker: Intercept and mask ETag headers
self.addEventListener('fetch', event => {
  event.respondWith(
    fetch(event.request)
      .then(response => {
        // Clone response to modify headers
        const modifiedResponse = response.clone();
        const newHeaders = new Headers(modifiedResponse.headers);

        // For tracking domains, remove ETag
        if (isTrackingDomain(event.request.url)) {
          newHeaders.delete('ETag');
        }

        return new Response(modifiedResponse.body, {
          status: modifiedResponse.status,
          headers: newHeaders
        });
      })
  );
});

function isTrackingDomain(url) {
  const trackers = [
    'doubleclick.net',
    'google-analytics.com',
    'facebook.com/tr',
    'pinterest.com/v3'
  ];
  return trackers.some(tracker => url.includes(tracker));
}

ETag Behavior Comparison - Browsers and Technologies

Browser      ETag Isolation  Respawn Risk  Protection Level
Firefox      Yes (by domain) Low           STRONG
Safari       Partial         Low           STRONG
Chrome       Yes (partition) Low           STRONG
IE/Edge      Legacy          High          WEAK

CDN          Respawn Risk    Tracking Risk
Cloudflare   Low             Medium (multiple IPs)
Akamai       Low             Medium
jsDelivr     Very Low        Low
Fastly       Very Low        Low
BunnyCDN     Very Low        Low

Audit - Finding Problematic ETags

Script to find ETags that might enable tracking

import hashlib
import json

def analyze_etag(etag_value):
    """Check if ETag looks like it contains user identifier"""
    suspicious_patterns = [
        r'\d{6,}',  # Long numbers (user IDs)
        r'[a-f0-9]{32,}',  # MD5 hashes
        r'[a-f0-9]{40,}',  # SHA1 hashes
        r'user[-_]',  # Explicit user prefix
        r'uuid[-_]',  # UUID patterns
    ]

    import re
    for pattern in suspicious_patterns:
        if re.search(pattern, etag_value):
            return {'risky': True, 'pattern': pattern}

    return {'risky': False, 'assessment': 'Content-based ETag (safe)'}

Test examples
examples = [
    '"33a64df551425fcc55e4d42a148795d9f25f89d4"',  # SHA1 (safe)
    '"user-abc123-xyz789"',  # User-specific (risky)
    '"12345-67890"',  # ID-based (risky)
]

for etag in examples:
    result = analyze_etag(etag)
    print(f"{etag}: {result}")

Prevention Checklist for Developers

When deploying assets:

• Generate ETags based on content hash only (not user/session)
• Never include user identifiers in ETag values
• Set appropriate Cache-Control headers
• Use VARY header to indicate cache variance factors
• For sensitive pages, disable caching entirely (Cache-Control: no-store)
• Rotate third-party resources between CDNs monthly
• Audit third-party scripts for ETag-based tracking

Related Articles

• Bounce Tracking How Redirects Through Tracker Domains
• Dating App Cross Platform Tracking How Ad Networks Follow
• Email Tracking Pixel Detection
• Chrome Privacy Sandbox Explained What It Means For Tracking
• Tor Browser Cookies Tracking Prevention Guide
• AI Coding Assistant Session Data Lifecycle Built by theluckystrike. More at zovo.one