How to Check Anti-Detect Cleanliness: Deep Dive into Pixelscan, Iphey, and CreepJS

Every anti-detect browser user has opened Pixelscan, Iphey, or CreepJS at some point and stared at the results trying to understand whether their setup is clean. These checker services have become the de facto validation tools for the anti-detect community, and their green checkmarks or high scores feel like confirmation that a setup is ready for production use. The reality is considerably more nuanced, and a clear understanding of what these services actually test — and what they deliberately do not test — changes how you interpret their results.

What Checker Services Are Actually Measuring

The three major checker services operate on different principles and measure different aspects of browser fingerprinting. Treating them as interchangeable is a category error.

Pixelscan focuses primarily on consistency checks — verifying that the various signals your browser emits are internally coherent. It checks whether your IP geolocation matches your declared timezone. It verifies that your user-agent string matches the browser version implied by your JavaScript API fingerprint. It looks for inconsistencies between your declared platform (Windows, macOS, Linux) and the behavior of platform-specific APIs. It checks WebRTC behavior and whether WebRTC is leaking an IP that conflicts with your proxy.

The Pixelscan model is essentially: does your browser fingerprint have internal contradictions? A real browser on a real device is naturally consistent because all its components come from the same software stack running on the same hardware. Anti-detect browsers that configure different components independently without ensuring cross-component consistency will fail Pixelscan checks. For example, declaring a Windows user-agent but returning macOS-typical timezone offsets, or declaring a 1920x1080 screen but setting window dimensions that would only fit on a larger display.

Iphey takes a different approach, focusing heavily on the IP reputation and network-level signals rather than browser fingerprinting per se. Iphey evaluates your IP address against databases of known VPN exits, datacenter IP ranges, Tor exit nodes, proxy pools, and residential ISP assignments. It provides a trust score for the IP independent of what the browser claims. It also performs some basic browser signal checks, but its primary value is as an IP reputation checker.

Understanding Iphey’s model clarifies when it matters: if you are using a residential proxy with a genuinely clean IP, Iphey will confirm that. If your “residential” proxy turns out to be on a flagged range, Iphey catches it. But a perfect Iphey score tells you nothing about your browser fingerprint quality.

CreepJS is the most technically sophisticated of the three and the most misunderstood. CreepJS is an open-source fingerprinting library developed by abrahamjuliot that tests an enormous range of browser properties and looks for the specific signs of browser modification and API injection that anti-detect browsers use. Its tests include:

• Worker scope consistency: Checking whether APIs available in the main window context are also available and consistent in Web Workers. Anti-detect browsers that only inject overrides in the main page context often miss Worker scopes, creating detectable inconsistencies.

• Iframe fingerprint matching: Testing whether a fingerprint taken inside an iframe matches the fingerprint in the main frame. Inconsistencies reveal selective injection that does not apply to all frame contexts.

• Prototype chain integrity: Checking whether native APIs have been modified by examining the toString() output of functions. Naively overriding browser APIs without also spoofing the toString() result leaves a detectable trace.

• Audio fingerprinting: Generating audio context output and comparing it to expected values. Anti-detect browsers that inject audio fingerprint modifications often do so inconsistently or in ways that produce mathematically impossible values.

• Canvas and WebGL consistency: Not just checking canvas output values but verifying that the canvas rendering pipeline behaves consistently with the declared hardware and software environment.

CreepJS aggregates these checks into a “trust score” and provides detailed breakdowns. A low trust score from CreepJS typically indicates specific technical failures in how the anti-detect browser implements its fingerprint overrides.

Why 100% Cleanliness Does Not Guarantee Detection Safety

This is the most important point and the one most frequently misunderstood. Passing all checks on Pixelscan, Iphey, and CreepJS does not mean you will not be detected. Here is why.

Checker services test what they know to test. These services are public tools that have been deployed for years. Anti-detect browser developers specifically optimize their products to pass these checkers. There is a selection bias: the tests that checkers run are the tests that anti-detect browsers have learned to pass. Actual commercial detection platforms (Cloudflare, PerimeterX, DataDome, Akamai) use proprietary signals that are not published and are actively developed to stay ahead of anti-detect evasion.

Behavioral signals are not checked at all. None of the major checker services measure how you interact with pages — mouse movement patterns, scroll behavior, click timing, form interaction speed. These behavioral signals are increasingly important components of detection decisions on major platforms. A perfectly clean fingerprint attached to robotic behavioral patterns will be detected by platforms that analyze behavior.

Statistical population analysis is not checkable through a simple tool. Real detection systems do not just check if individual signals are plausible — they check whether the combination of signals is statistically consistent with a real user population. A very specific combination of hardware, OS version, browser version, resolution, and other attributes may individually all seem normal but be a combination that only appears in 0.001% of real browsers. Tools like Pixelscan and CreepJS cannot surface this kind of population-level anomaly because they lack access to the comparison dataset of real traffic.

Temporal consistency is not measured by checkers. A checker sees a single visit. Actual detection platforms maintain profiles of account behavior over time. A fingerprint that changes dramatically between sessions, or that uses an unusually wide variety of hardware configurations across an account’s history, is suspicious in ways that cannot be detected by a single-visit checker.

Cross-site tracking signals are invisible to checkers. Platforms like Cloudflare and Google see your browser across many sites simultaneously. They can correlate behavior and fingerprint signals across properties in ways that no single-site checker can replicate.

How Checker Services Can Be Deceived

The inverse problem is equally important: if checker services can miss real detection vulnerabilities, they can also give false positives — high scores for anti-detect configurations that look good to checkers but are still detectable by real platforms.

Optimizing for checkers rather than real detection is a documented failure mode. Some anti-detect browsers have been specifically engineered to pass the exact tests that public checkers run, without addressing the underlying fingerprinting problems that make them detectable to more sophisticated analysis. Scoring 100% on Pixelscan is easier than evading Cloudflare’s bot detection, and conflating the two is dangerous.

CreepJS in particular is gameable because it is open-source. Anyone can read the CreepJS source code, understand exactly what checks it performs and how it scores them, and implement targeted fixes that make an anti-detect browser pass CreepJS without addressing broader fingerprinting inconsistencies. Several browser vendors have done exactly this. A product that scores well on CreepJS specifically because its developers implemented targeted fixes for CreepJS checks may still fail against other fingerprinting systems that use different techniques.

Pixelscan’s consistency checks can be satisfied by consistent wrongness. If an anti-detect browser consistently reports wrong but internally coherent values — a non-existent GPU model that is always reported the same way — Pixelscan will see consistency and not flag it. But a platform with access to real-browser traffic distributions will identify the non-existent GPU model immediately.

What Checker Services Are Actually Useful For

Given their limitations, what are these services genuinely useful for?

Diagnosing basic configuration errors. If you have set up an anti-detect profile and it shows obvious inconsistencies on Pixelscan — timezone mismatch, WebRTC leak, user-agent/platform contradiction — those are real problems that will cause failures on most platforms. Checker services are good at finding these gross errors.

Comparing anti-detect browsers against each other. When evaluating different products, running identical configuration tests through checker services reveals which ones handle consistency correctly. A product that scores poorly on multiple checker dimensions has real implementation problems, even if passing all checks does not guarantee production readiness.

Verifying proxy configuration. Iphey is genuinely useful for confirming that a residential proxy is what the provider claims — not a datacenter IP or known proxy range. This is a real quality check that translates directly to detection outcomes.

Catching Web Worker and iframe injection failures. CreepJS’s cross-context consistency checks identify a real category of anti-detect implementation failure. If a browser fails these tests, it means the fingerprint injection is incomplete and will fail against any detection system that checks Worker or iframe contexts.

A More Complete Testing Approach

Rather than relying solely on public checkers, a more comprehensive testing approach includes:

Commercial detection platforms like Cloudflare’s bot detection (accessible by visiting Cloudflare-protected sites) provide a real-world test of whether a fingerprint bypasses production systems. A clean Pixelscan score combined with consistent Cloudflare challenges tells you something checkers are missing.

Behavioral testing by actually completing human-like interactions on sensitive sites — with appropriate caution and without violating platform terms — provides the behavioral signal data that checkers cannot.

Comparison with reference browsers. Running the same checker on a fresh, unmodified browser installation on real hardware gives you a baseline for what a truly clean fingerprint looks like. Comparing your anti-detect profile’s output to this baseline reveals deviations that the checker normalizes but real detection systems may not.

Long-term account health tracking. The ultimate test of whether an anti-detect configuration works is whether accounts remain healthy over time. Systematic tracking of account longevity across different anti-detect configurations is the most reliable signal — more reliable than any checker score.

Checker services are valuable diagnostic tools when understood correctly. The mistake is treating them as certification systems — as if passing them guarantees detection safety in production environments. They are necessary but far from sufficient validation steps in any serious anti-detect configuration process.