DoH, adblock, fingerprint.
The set of protections that act between you and the rest of the internet — on the wire, on the page, in the browser signature.
DNS-over-HTTPS (DoH)
Husk ships a built-in DoH proxy. With it enabled, name resolution leaves your machine encrypted to the DoH endpoint of your choice — not to the DNS resolver advertised by your ISP or by the network you're attached to.
Built-in providers:
- AdGuard (default — also filters trackers at DNS level)
- Cloudflare 1.1.1.1
- Quad9
- NextDNS (bring your own profile ID)
- Mullvad
- Custom — point to any DoH endpoint you trust
Strict mode
Enable from Settings → Network. The chrome shows a small "DoH" badge near the URL bar whenever DoH is active; the badge changes to a warning when strict mode blocks a navigation.
What DoH does NOT hide
- SNI. The TLS handshake still includes the hostname in cleartext (ClientHello SNI extension). A network observer sees which site you're visiting even with DoH on. ECH (Encrypted Client Hello) ships in Husk when WebView2 supports it.
- IP-level destinations. Whoever sees the packets sees the destination IP. Combine with a VPN or Tor if you need to hide the endpoint.
Native adblock
Husk's adblock is a curated EasyList + EasyPrivacy starter, applied at two levels:
- Network rules — outbound requests matching known tracker / ad-network hostnames are dropped before they hit DNS. Implemented both natively (request interceptor) and via the JavaScript fetch + XHR wraps.
- Cosmetic rules — generic ad-container CSS selectors are hidden on every page via a constructed stylesheet attached to document.adoptedStyleSheets. No detectable DOM id; the page can't trivially detect the block.
Toggle adblock per-tab via the chrome icon, or globally in settings. A small counter shows blocked requests for the current page.
Anti-fingerprint
The browser fingerprint is the set of stable signals a page can read to recognise you across sessions: canvas pixel differences, audio context output, installed fonts, user-agent strings, plugin lists. Husk spoofs these with seeded noise:
- Canvas. Each tab adds tiny, deterministic noise to getImageData, toDataURL and measureText outputs. The noise is keyed to a per-tab seed so a single page sees consistent values on repeated reads, but different tabs / sessions look different.
- Audio. AudioContext outputs are perturbed in the same way, defeating the standard AudioContext fingerprint vector.
- Fonts. The font-enumeration trick (probing for fonts by measuring text width) is blocked at the offsetWidth / offsetHeight level.
- User-Agent & navigator. Returned values track the WebView2 baseline rather than the host system.
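A minimal sketch of the seeded canvas noise described above, operating on raw RGBA bytes of the shape getImageData returns. This is an added example, not Husk's implementation; the FNV-1a hash, the mulberry32 PRNG, the ±1 perturbation and all function names are assumptions chosen for illustration.

```javascript
// Added illustration, not Husk's code. Hash, PRNG and noise size are assumptions.
// FNV-1a over the pixel bytes, mixed with the tab seed: the same canvas content
// read twice under one seed gives the same PRNG state, hence the same noise.
function fnv1a(bytes, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < bytes.length; i++) {
    h ^= bytes[i];
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// mulberry32: small deterministic PRNG returning unsigned 32-bit integers.
function mulberry32(state) {
  return function () {
    state = (state + 0x6d2b79f5) >>> 0;
    let t = state;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return (t ^ (t >>> 14)) >>> 0;
  };
}

// Returns a noised copy of RGBA data; the input is not mutated.
// Each colour channel moves by at most 1 and alpha is left alone.
function noisePixels(rgba, tabSeed) {
  const out = Uint8ClampedArray.from(rgba);
  const next = mulberry32(fnv1a(rgba, tabSeed));
  for (let i = 0; i < out.length; i++) {
    if (i % 4 === 3) continue;              // skip alpha
    const r = next() % 8;                   // touch roughly 1 in 4 channels
    if (r === 0) out[i] = out[i] + 1;       // clamped at 255
    else if (r === 1) out[i] = out[i] - 1;  // clamped at 0
  }
  return out;
}

// Constructed sample: a 4x4 opaque gradient standing in for a rendered canvas.
function samplePixels() {
  const px = new Uint8ClampedArray(4 * 4 * 4);
  for (let i = 0; i < px.length; i++) px[i] = i % 4 === 3 ? 255 : (i * 7) % 256;
  return px;
}

// Largest per-byte difference between two equally sized buffers.
function maxDelta(a, b) {
  let m = 0;
  for (let i = 0; i < a.length; i++) m = Math.max(m, Math.abs(a[i] - b[i]));
  return m;
}
```

Because the PRNG state is derived from both the seed and the pixel content, a page that reads the same canvas twice cannot average the noise away, while a new seed gives the same drawing a different hash.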
Rotating the seed
Long-press the reload button to roll a new seed. Useful when you want the current page to see a fresh "you".
Compat mode (the escape hatch)
Some sites — bank logins, video players, captchas — break under the spoof because they rely on stable signatures. Husk's compat mode disables the fingerprint spoof for a specific origin.
Toggle from the shield icon → Big-Tech compatibility mode. A small set of essential origins (currently youtube-nocookie for embedded YouTube players) is whitelisted by default to keep baseline browsing working.
Per-site cookie block
Block JavaScript-readable cookies for a specific origin without disabling cookies globally. document.cookie on a blocked origin reads empty and silently drops writes, and any cookies the page tried to set in the current session are wiped on the next navigation.
Set-Cookie headers still land via WebView2's cookie store. A native cookie-manager hook is on the v0.2 list (ICoreWebView2CookieManager).
Cookie editor
Per-site cookie viewer / editor accessible from the chrome shield menu. View existing cookies, edit values, delete individual entries, or wipe everything for the origin. Useful for clearing a sticky tracker without nuking your whole session.