But it's not just a matter of "open"/"close". It's more like signal/noise. Much of the signal is legit: source IP is needed to deliver response, screen resolution, audio/video codec support, transfer protocol, cache headers are all needed to render the page correctly and as quick as possible.

Unfortunately, much of that signal persists across sessions as well as websites and can therefore be aggregated into a hash that works as a "super cookie". The signal is based on the device, the connection, not so much the HTTP/HTML you're looking at.

The best approach to mitigate is therefore: adding noise: add random gibberish to User-Agent, tunnel IP though VPN/NAT, lie about codecs or screen resolution.

While that degrades user experience, it give no guarantees to actually preventing fingerprinting. So, the good news, if that fingerprinting is hard too, and doesn't work as well as is usually claimed!

Which then pushes a lot of web use-cases into mobile apps locked to a few corporate platforms that make tracking much much easier. Yes, even iOS.