Time zone is a valuable signal in both bot and fraud detection. It's commonly used in browser fingerprinting and can be correlated with other data, like IP geolocation or language preferences, to flag inconsistencies.
For example, a user claiming to be in Paris but presenting a system time zone of "America/New_York" could warrant further inspection. While mismatches don’t prove fraud, they are weak signals that can help in risk scoring.
In this post, we’ll show two ways to extract the client's time zone in JavaScript.
Why time zone matters for detection
Time zone can help:
- Correlate browser-derived location with IP-based geolocation.
- Compare against language settings (
Accept-Languageheader ornavigator.languages). - Detect automation frameworks and spoofing setups (common in anti-detect browsers).
- Add entropy to the fingerprint for more accurate user/device identification.
1. Preferred method: using the Internationalization API
The best way to get the user’s time zone is via the Intl.DateTimeFormat().resolvedOptions().timeZone API, introduced in modern browsers (supported since Chrome 24, Safari 10, Firefox 29).
Intl.DateTimeFormat().resolvedOptions().timeZone;
This returns a standard IANA time zone name, such as:
"America/New_York""Europe/London""Asia/Tokyo"
This is a more descriptive and precise signal than just an offset, as it accounts for daylight saving time and region-specific definitions.
2. Fallback: using getTimezoneOffset()
For older browsers, you can use Date.prototype.getTimezoneOffset():
new Date().getTimezoneOffset();
This returns the offset in minutes between the local time and UTC. For example:
- UTC-8 →
480 - UTC+3 →
180
This is less precise than a named time zone and can’t distinguish between regions sharing the same offset (e.g. Paris vs. Berlin), but it’s still a useful signal.
Security considerations
These methods read from the user’s system configuration, not their actual location. They:
- Do not use GPS, Wi-Fi, or IP-based geolocation.
- Do not require permission.
- Can be manipulated in anti-detect browsers or bot frameworks.
As with all fingerprinting signals, you should treat them as input for correlation, not ground truth. For more context, see our post on why traditional bot detection techniques are not enough.
Summary
To detect a user’s time zone in the browser:
Best option (most accurate):
Intl.DateTimeFormat().resolvedOptions().timeZone;
Fallback (numeric offset):
new Date().getTimezoneOffset();
Use these signals to enrich fingerprinting or detect inconsistencies, but be aware they can be spoofed and should never be used in isolation.
