User Agent
BeginnerThe string your browser sends identifying itself — browser, version, and operating system — and the first, least-trusted layer of every fingerprint.
In depth
The user agent is a text string a browser attaches to every request, announcing what it is: something like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36. Servers historically used it to adapt content per browser and platform; today it doubles as the opening claim in every identity check.
The most-forged string on the internet
Because it's trivially settable — one header — the user agent is the first thing every bot forges and, consequently, the last thing any defender trusts alone. Its modern role is as a consistency anchor: defenders compare the story it tells against evidence that's harder to fake. Claim Chrome-on-Windows and you'd better have Chrome's TLS handshake, Windows-typical fonts, matching JavaScript API behavior (navigator.platform, Client Hints), and plausible WebGL output. Any mismatch is worth more to a detector than the string itself.
Notes for practitioners
- Keep it current: a user agent from a browser version several releases old is itself a soft flag, since real browsers auto-update. Antidetect browsers refresh profile user agents for this reason.
- Client Hints are the successor: Chromium has frozen much of the classic string and moved detail into structured
Sec-CH-UAheaders, which defenders also cross-check. - Legitimate bots self-identify: Googlebot and friends declare themselves in the user agent — and sites verify those claims via reverse DNS, since bad bots impersonate them.
Rule of one story
Whatever the user agent claims, every other observable layer must corroborate. Forging the string without aligning the fingerprint behind it fails against any modern defense.
Examples
- A site serves its mobile layout after reading an iPhone user agent.
- An anti-bot system flags a session claiming Safari-on-macOS whose fonts and TLS handshake say Linux automation.
- A scraper declares itself honestly in its user agent so site owners can identify and whitelist it.
Common use cases
FAQs
Usually, yes — the string is checked against harder evidence: TLS fingerprints, JavaScript API values, fonts, rendering behavior, and Client Hints. A forged user agent that contradicts any of them is a stronger bot signal than an honest one.
Barely. It's one easily-spoofed attribute among dozens in your fingerprint, and an unusual or inconsistent value can make you more distinctive, not less. Meaningful protection requires managing the whole fingerprint coherently.
Chromium browsers froze much of the classic string and introduced User-Agent Client Hints — structured headers a site must request. The change reduces passive entropy leakage while keeping capability detection possible.