A supercookie (also called an evercookie or zombie cookie) is a tracking identifier that can reconstitute itself after deletion because it is simultaneously stored in multiple browser storage mechanisms. When you delete your regular cookies, the supercookie rebuilds itself from another source.
Where Supercookies Hide
- HTTP cookies — the standard location, deleted when you clear cookies
- localStorage / sessionStorage — JavaScript-accessible storage that persists even after cookie deletion
- IndexedDB — a browser database that stores structured data
- Cache API / Service Workers — offline-capable caches that survive standard clearing
- ETag caching — the browser caches ETags from web servers, which can encode a unique ID
- Flash / Silverlight LSOs — now largely obsolete but historically exploited
- HSTS supercookies — HTTP Strict Transport Security headers can encode a tracker in the browser's HTTPS-upgrade state, outside ordinary site storage
HSTS Supercookies: The Hardest to Block
HSTS supercookies are particularly stealthy because they live in the browser's HTTPS-upgrade policy rather than in any site storage. A website sets HSTS headers on a set of subdomains in a specific pattern (some forced to HTTPS, some not) that encodes a binary ID. Every subsequent visit can read that pattern back, even in a private browsing window, because the HSTS state is cached by the browser itself rather than exposed through a JavaScript API.
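As an added example (not code from the original article), a Python check a defender could run over logged response headers to spot the on/off HSTS pattern across sibling subdomains; the sample hosts and the two-label registrable-domain heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (host, Strict-Transport-Security header or None), as a
# proxy or response-header log might record it. The hosts are made up.
SAMPLE_RESPONSES = [
    ("b0.trk.example", "max-age=31536000"),
    ("b1.trk.example", None),
    ("b2.trk.example", "max-age=31536000"),
    ("b3.trk.example", "max-age=31536000"),
    ("b4.trk.example", None),
    ("b5.trk.example", None),
    ("www.example.net", "max-age=63072000; includeSubDomains; preload"),
    ("api.example.net", "max-age=63072000; includeSubDomains"),
]

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if HSTS is not set."""
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return None
    return int(m.group(1)), "includesubdomains" in value.lower()

def registrable_domain(host):
    # Assumption: the last two labels name the site; a production tool
    # would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def find_hsts_supercookie_patterns(responses, min_hosts=4):
    """Flag sites that set HSTS on only some of many sibling subdomains.
    A normal deployment is uniform (often with includeSubDomains); a mixed
    on/off pattern across many sibling hosts is the bit-encoding shape."""
    by_site = defaultdict(list)
    for host, header in responses:
        by_site[registrable_domain(host)].append((host, parse_hsts(header)))
    findings = {}
    for site, hosts in by_site.items():
        if len(hosts) < min_hosts:
            continue
        on = sorted(h for h, p in hosts if p is not None)
        off = sorted(h for h, p in hosts if p is None)
        covers_subdomains = any(p and p[1] for _, p in hosts)
        if on and off and not covers_subdomains:
            # The on/off pattern the browser's HSTS cache would replay.
            bits = "".join("1" if p else "0" for _, p in sorted(hosts))
            findings[site] = {"set": on, "unset": off, "bits": bits}
    return findings
```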
Supercookies vs Browser Fingerprinting
| Feature | Supercookies | Browser fingerprinting |
|---|---|---|
| Stored where | Browser storage (multiple) | Not stored — derived in real time |
| Unique per device? | Yes, explicit ID | Yes, based on device characteristics |
| Survives cookie clear? | Yes (if other stores intact) | Yes — no cookies needed |
| Survives private mode? | Sometimes (HSTS) | Usually yes |
How to Protect Yourself
- Use Firefox with Total Cookie Protection — partitions storage per site
- Enable Enhanced Tracking Protection in Firefox or use uBlock Origin
- Use Brave Browser, which blocks HSTS-based tracking
- Regularly clear all site data — not just cookies — in your browser settings
- Use a VPN to hide your IP address, which can otherwise be used to tie a supercookie identifier to your real identity
People Also Ask
- Are supercookies legal?
- In most jurisdictions, using supercookies for tracking without consent is illegal under GDPR and CCPA. The UK's ICO fined companies for using ETag supercookies without disclosure. Several telecom companies were fined in the US for injecting supercookies into HTTP headers at the network level, which users could not remove at all.
- Can private browsing mode block supercookies?
- Partially. Private mode creates an isolated storage area that is discarded when the window closes, preventing most browser-storage supercookies. However, HSTS-based supercookies and network-level supercookies injected by ISPs persist even in private mode because they operate outside the browser's storage sandbox.