What is a WebRTC Leak?
A WebRTC leak occurs when the WebRTC (Web Real-Time Communication) protocol in your browser exposes your real IP address, bypassing the proxy or VPN you are using. WebRTC establishes peer-to-peer connections that can reveal local and public IPs through STUN server requests.
How WebRTC Bypasses Your Proxy
WebRTC is built into modern browsers for real-time audio, video, and data communication. To establish peer connections, WebRTC uses STUN/TURN servers to discover the client's public IP address. This discovery process happens at the browser level, outside the proxy connection, meaning the STUN request can bypass the proxy and reveal the user's real public IP. JavaScript on any web page can trigger WebRTC IP discovery through the RTCPeerConnection API, making it a common fingerprinting and de-anonymization technique.
You might be routing all HTTP traffic through gate.hexproxies.com:8080 with a clean residential IP, but a target website runs a simple JavaScript snippet that queries WebRTC. The STUN request goes directly to a Google STUN server, bypassing the proxy entirely, and returns your real public IP to the page's script.
Mitigating WebRTC Exposure
WebRTC leaks are one of the most overlooked privacy vulnerabilities when using proxies. Even with a high-anonymity elite proxy, a WebRTC leak reveals your true IP to any website that checks. Hex Proxies users should disable WebRTC in their browser settings or use browser extensions that block WebRTC when operating through proxy connections.
Why It Matters for Proxy Users
WebRTC leaks are particularly dangerous because they happen silently and are trivially easy for targets to exploit. A single line of JavaScript can extract your real IP through WebRTC, completely bypassing your proxy setup. Any operation that uses a real browser, whether through Selenium, Puppeteer, Playwright, or manual browsing, is potentially vulnerable unless WebRTC is explicitly disabled.
**Practical example:** An ad verification team uses headless Chrome through Hex Proxies to verify ad placements. During a routine audit, they discover that one ad network embeds a WebRTC-based fingerprinting script that extracts the headless browser's real server IP. This IP is logged alongside the proxy exit IP, linking the verification activity to their server. The team adds the Chrome flag `--disable-webrtc` to their Puppeteer launch configuration, preventing the STUN request entirely. Subsequent audits confirm that WebRTC queries are blocked and no real IP information leaks through the browser.
WebRTC leaks are particularly insidious because they can reveal both your public IP and your local network IP addresses. The local IP disclosure can expose internal network topology information that an attacker could use for further reconnaissance. For comprehensive privacy, disable WebRTC entirely rather than relying on selective blocking of specific STUN servers.
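One way to run the audit described above, as an added example that is not code from the original page: it parses the ICE candidate strings your own browser's RTCPeerConnection gathers and reports every address other than the proxy exit IP, split into local and public disclosures. The function names, the sample candidates and the proxy exit IP are assumptions constructed for illustration.

```javascript
// Added example: audit ICE candidates for addresses other than the proxy exit IP.
// All sample candidates and IPs are constructed (RFC 5737 documentation ranges).

const LOCAL = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|f[cd][0-9a-f]{2}:|fe80:)/i;

// Parse one ICE candidate line (RFC 8839 "candidate" attribute grammar).
function parseCandidate(line) {
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (!f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const raddrAt = f.indexOf("raddr");
  return {
    address: f[4],
    type: f[7], // host | srflx | prflx | relay
    relatedAddress: raddrAt > 0 ? f[raddrAt + 1] : null,
  };
}

// Return every address the candidates disclose that is not the proxy exit IP.
function findLeaks(candidateLines, proxyExitIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === proxyExitIp || addr === "0.0.0.0") continue;
      if (addr.endsWith(".local")) continue; // mDNS-obfuscated host candidate
      const kind = LOCAL.test(addr) ? "local" : "public";
      if (!leaks.some((l) => l.address === addr)) leaks.push({ address: addr, kind, via: c.type });
    }
  }
  return leaks;
}

// Constructed sample: candidates a browser without WebRTC restrictions might gather.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.20 51234 typ host generation 0",
  "candidate:2 1 udp 2122194687 3f1c9a52-7d1e-4c0b-9f0e-6b2a1d4e8c77.local 51235 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.23 51234 typ srflx raddr 192.168.1.20 rport 51234",
];
const PROXY_EXIT = "203.0.113.7"; // assumed proxy exit IP for the sample

console.log(findLeaks(SAMPLE, PROXY_EXIT));
```

An empty result means the gathered candidates disclosed nothing beyond the proxy exit IP; any `public` entry is the de-anonymizing case, and any `local` entry is the internal-topology disclosure.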