ThumbmarkJS vs cside: Fingerprinting Compared (2026)

Comparison Summary

• Both produce a visitor ID from device and browser signals. The core fingerprinting capability overlaps. The differences are in licensing, price, and what each vendor builds around the fingerprint.
• ThumbmarkJS leads on cost and openness. The library is free and MIT-licensed (self-hostable, ~80% uniqueness), and the commercial API starts at €15/month for 15,000 calls with a free tier. If you just need a cheap or self-hosted visitor ID, ThumbmarkJS is hard to beat on price.
• cside is the platform option. Fingerprinting is one product; browser-layer script monitoring is another, and the two bundle under one vendor. That brings PCI DSS 4.0.1 compliance coverage, chargeback evidence (CE 3.0), AI agent detection, and protection against attacks like web skimming.
• The honest split: pick ThumbmarkJS when fingerprinting is the whole job and budget matters. Pick cside when fingerprinting is part of a broader fraud or client-side security problem and you want it solved from one place.

Introduction

If you're evaluating ThumbmarkJS, you're probably looking to identify returning visitors, detect bots, or stop fraud, and you've found a fast-growing, developer-friendly FingerprintJS alternative. ThumbmarkJS comes in two forms: a free open-source library, and a commercial cloud API at thumbmarkjs.com that adds server-side signals and higher accuracy.

cside is a competitor in this category. We're an award winning web security platform with a dedicated fingerprinting product. Both tools collect similar signals (IP, canvas, fonts, WebGL, audio, behavioral patterns) to produce a visitor ID. The differences are in licensing, pricing, and what each vendor does beyond that core capability.

Note from the author: As a disclosure - we built cside, and we acknowledge the bias. This comparison aims to be factually accurate about both products and help you understand when each vendor is the right pick. It's based on publicly available information as well as user reports and we try to update it periodically to keep it current.

Comparison Table: cside vs ThumbmarkJS

ThumbmarkJS vs cside: head-to-head comparison

Free plan and open source

ThumbmarkJS:

• The ThumbmarkJS library is free and open source under an MIT license, usable in commercial projects. It runs entirely in the browser, so you can self-host with no per-call cost.
• The commercial API has a free tier: 1,000 calls per month with the advanced fingerprint, visitor ID, bot detection, VPN and datacenter detection, threat level, and country detection.

cside:

• Free forever. Basic fingerprinting signals. 1,000 API calls per month.
• Free trial for the full Business plan if you want to test advanced signals before committing.

The open-source library is the clearest point in ThumbmarkJS's favor. If you want code you can read, fork, and run yourself with no vendor dependency, cside does not offer an equivalent.

Pricing

ThumbmarkJS:

• Library: free (MIT).
• API Free tier: 1,000 calls/month, overage around €1 per 1,000 calls.
• API Pro: €15/month, includes 15,000 calls, plus webhooks and custom domain.
• Enterprise: custom quote with volume discounts, custom SLAs, and a DPA.

cside:

• $99/month. Includes 50,000 API calls.
• $2 per 1,000 additional calls.
• Enterprise: custom quote. Adds chargeback fingerprinting, 90-day data retention, SSO.

On raw fingerprinting cost, ThumbmarkJS is the cheaper option, especially at low volume. cside's entry price reflects a wider platform: script monitoring, compliance controls, and chargeback evidence are part of what you're paying for, not just a visitor ID.

Signals collected

Both collect a broad client-side signal set: canvas, audio, WebGL and GPU data, fonts, hardware details, languages, timezone, screen and media queries, plugins and permissions, and WebRTC. ThumbmarkJS's commercial API adds server-side signals (TLS handshake, HTTP headers, connection data) to push uniqueness past 99%. cside collects 102+ signals including IP, geolocation, VPN/proxy indicators, and behavioral patterns like click timing and scroll velocity.

The difference is what happens to those signals. cside ships pre-configured rules that turn raw signals into actionable verdicts (impossible travel, device limit breaches, velocity anomalies) and enforcement actions. ThumbmarkJS returns a visitor ID and a threat level; the decision logic is yours to build.

Reviews

• cside: 4.8/5 on G2. 4.9/5 on Sourceforge (35 reviews and ratings shown: 24 native SourceForge reviews plus 11 verified third-party ratings surfaced there).
• ThumbmarkJS: no significant presence on G2 at the time of writing. Its credibility comes from open-source adoption (GitHub stars and forks) and self-reported scale ("60,000+ websites, ~1B monthly API calls") rather than third-party review platforms.

Implementation

Both products are web-only and install via a script tag or NPM package. ThumbmarkJS can run fully client-side from the open-source library or call the cloud API. cside installs via a script tag. Typical time to live is under a day for either. Neither ships native mobile SDKs; if you need Android, iOS, React Native, or Flutter coverage, look at Fingerprint instead.

Compliance (GDPR, PCI DSS, SOC 2)

If your legal or security team needs to approve new vendors before anything goes live, compliance comes up early. Here is what matters for both.

The most common concern is GDPR. Because fingerprinting collects device and browser information to create an ID, teams want to know if it requires consent banners. For fraud prevention it generally does not: Recital 47 of the GDPR names fraud prevention as a valid legitimate interest. Both cside and ThumbmarkJS operate within this framework, and Thumbmark offers a DPA for enterprise customers.

Where the two diverge is client-side security compliance. cside's script monitoring satisfies PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 (script inventory and integrity verification on payment pages). ThumbmarkJS is a fingerprinting product and is not positioned against PCI DSS or other client-side security frameworks. If payment-page compliance is on your roadmap, that gap matters.

When ThumbmarkJS is the best fit

ThumbmarkJS is built for developers who want a fingerprint without the platform overhead. If you value openness and price, it's a strong choice.

ThumbmarkJS is uniquely suited for:

• Open-source and self-hosting: The MIT-licensed library runs in the browser with no vendor lock-in and no per-call cost. You can read the code, fork it, and ship it inside your own stack.
• Low-cost visitor identification: A €15/month Pro plan and a free tier make it accessible for side projects, startups, and high-volume use cases where per-call price dominates.
• Simple bot and abuse signals: When you only need a stable visitor ID plus bot, VPN, and datacenter flags to feed your own logic, the commercial API covers it without extra products you won't use.

When cside is the best fit

cside is built for teams whose fraud surface centers on identity abuse in the browser, and who want fingerprinting bundled with client-side security from one vendor.

cside has a focus on:

• Account takeover: Detect when a new device, location, or browser environment appears on an existing account. Flag credential-stuffing attempts by correlating device fingerprints against known session patterns.
• Account sharing: Identify when a single account is accessed from more devices than your policy allows. Trigger enforcement actions like MFA challenges, device management screens, or upgrade prompts when limits are exceeded.
• Chargeback evidence: Produce device-level evidence for Visa Compelling Evidence 3.0 disputes through a Chargebacks911 partnership.
• AI agent detection: Use behavioral signals to separate automated agents from real users on sensitive flows.

Where cside and ThumbmarkJS fit in the landscape of anti-fraud tools

Both cside and ThumbmarkJS primarily serve as a data capture layer. They collect signals (IP, geolocation, canvas rendering, behavioral patterns like click timing and typing velocity) and produce a visitor ID with enrichments. That output feeds anti-fraud workflows. It does not replace them.

• Those signals might go to an anti-fraud suite like Sift or SEON that aggregates data from multiple sources into a risk score.
• They might feed a dedicated chargeback management tool like Chargebacks911 that plugs into Visa and Mastercard dispute programs and needs device-level evidence to win cases.
• Or they might feed your own in-house rules engine: show an "upgrade plan" screen when a user shares their account across too many devices, or force an MFA challenge when a login comes from a new device in a high-risk geography.

Neither cside nor ThumbmarkJS replaces a full fraud stack. They provide the browser-level intelligence the rest of your stack needs to make decisions.

What is cside?

cside is a web security platform that prevents fraud on your website by monitoring the browser runtime. The fingerprinting product collects 102+ signals and focuses on four use cases: account takeover, account sharing, chargeback evidence (CE 3.0 through Chargebacks911), and AI agent detection. The script monitoring product watches every script executing on a page, catching injections, tampering, and skimming attacks that fingerprinting alone does not see.

What is ThumbmarkJS?

ThumbmarkJS is a browser fingerprinting project with two parts. The first is a free, MIT-licensed open-source JavaScript library that runs client-side and produces a visitor ID with roughly 80% uniqueness. The second is a commercial cloud API at thumbmarkjs.com that combines the client-side fingerprint with server-side signals (TLS, HTTP headers, connection data) to reach 99%+ uniqueness, adding bot detection, VPN and datacenter detection, threat scoring, and country detection. It is web-only, with no mobile SDKs.

What cside covers that ThumbmarkJS does not

• Third-party script monitoring: cside monitors every script executing on your pages. Credential-stuffing injections, session-hijacking payloads from compromised vendors, unauthorized data exfiltration through rogue analytics tags. ThumbmarkJS does not offer script monitoring. cside ships it as a separate product, bundleable with fingerprinting under one vendor.
• Client-side controls for PCI DSS and other frameworks: cside's script monitoring satisfies PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 (script inventory and integrity verification on payment pages), and gives compliance teams visibility into third-party scripts that leak personal data without consent. ThumbmarkJS is not positioned against any of these frameworks.
• Chargeback evidence and enforcement: cside produces device-level evidence for CE 3.0 disputes and ships pre-built rules with block and enforce actions through Cloudflare or server-side. ThumbmarkJS returns a visitor ID and a threat level; you build the decision and enforcement logic yourself.
• Browser tamper detection scope: Both detect browser tampering. ThumbmarkJS checks for inconsistencies inside the signals its own code collects. cside sees one layer out: script monitoring observes an anti-detect plugin or stealth wrapper while it is actively tampering, not only the downstream evidence. The difference shows up most with novel tooling that statistical models have not learned yet.