April 16, 2026 · 13 min read
What Does Your User Agent Reveal About You? A Complete 2026 Breakdown
How UA strings are built, why servers read them, and how Client Hints and UA reduction change the privacy picture.
Every HTTP request from your browser can carry a User-Agent header — a structured text blob that historically advertised browser name, rendering engine, OS, and sometimes device class. Servers use it for analytics, compat shims, and occasionally blocking. It was never meant as a privacy control, and the industry is slowly reducing its granularity.
Anatomy of a classic UA string
A Chromium desktop example might mention:
- Mozilla/5.0 — legacy token many engines keep for historical compatibility.
- Platform — Windows NT 10.0; Win64; x64 or Macintosh; Intel Mac OS X 10_15_7.
- AppleWebKit/537.36 (KHTML, like Gecko) — WebKit lineage note carried forward.
- Chrome/124.0.0.0 — major browser brand and version.
- Safari/537.36 — another compatibility echo.
The exact order and tokens vary between Chrome, Firefox, and Safari, but the theme is the same: self-identification for server-side branching.
Why websites still parse UAs
- Feature gating — serve simplified pages to very old engines (declining).
- Bot management — differentiate crawlers, headless automation, legacy libraries.
- Analytics — market share dashboards (being supplemented by first-party metrics).
- A/B layout tests — coarse device class hints.
Modern best practice is feature detection (matchMedia, CSS @supports queries, progressive enhancement) instead of UA sniffing — but large properties maintain UA pipelines for operational reasons.
User-Agent Client Hints (UA-CH)
Chromium-family browsers can send Client Hints (Sec-CH-UA-* headers), subject to permission and policy, exposing structured brand/version information with more control than a single frozen string. Servers must request hints (Accept-CH, Critical-CH) and respect privacy modes. This matters because defense in depth against fingerprinting involves limiting both UA entropy and hint entropy.
“UA reduction” and frozen major versions
Browsers have moved toward fixed or coarse UA strings for non-privileged contexts — e.g., major version pinned or generic platform tokens — to reduce passive fingerprinting. That improves parity for average users but complicates support teams that relied on fine-grained version numbers in logs.
Relation to fingerprinting
A raw UA is only one signal. Scripts can combine:
- Screen size & color depth
- Installed fonts (where detectable)
- Canvas / WebGL shader variance
- Audio stack timing
- Timezone & language
The UA contributes low-cost entropy early in the connection (HTTP layer), before JavaScript runs — hence the push to shrink it.
Practical takeaway
If you are debugging what your browser advertises, use our User Agent page for the exact string your session emits, then compare with DevTools Network request headers. If you are building a site, prefer Client Hints where appropriate, avoid brittle substring checks, and document your bot allowlists explicitly.
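The two recommendations above (prefer Client Hints, avoid brittle substring checks), shown as an added example that is not code from this site: it reads the Sec-CH-UA brand list first and falls back to ordered product tokens from the classic string. The function names, the brand lists, and the sample header values are assumptions constructed for illustration.

```javascript
// Added example: header values below are constructed samples; function names are hypothetical.

// Sec-CH-UA is a list of quoted brands, each carrying a v="<version>" parameter.
function parseSecChUa(value) {
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="([^"]*)"/g;
  return [...value.matchAll(re)].map((m) => ({
    brand: m[1].replace(/\\(.)/g, "$1"), // unescape \" and \\
    major: m[2].split(".")[0],
  }));
}

// Split a classic UA into product -> major version, dropping "(...)" comments.
function uaProducts(ua) {
  const tokens = ua.replace(/\([^)]*\)/g, " ").matchAll(/([A-Za-z]+)\/(\d+)[\w.]*/g);
  return new Map([...tokens].map((m) => [m[1], m[2]]));
}

// Most specific brand first: Edge and Chrome both also list "Chromium".
// Unknown entries (including deliberately bogus placeholder brands) are ignored.
const HINT_BRANDS = ["Microsoft Edge", "Google Chrome", "Chromium"];
// Checked in this order because the remaining tokens are compatibility echoes.
const UA_TOKENS = [["Edg", "Microsoft Edge"], ["Firefox", "Firefox"], ["Chrome", "Chrome"]];

function identifyBrowser(headers) {
  const hinted = parseSecChUa(headers["sec-ch-ua"] || "");
  for (const name of HINT_BRANDS) {
    const hit = hinted.find((b) => b.brand === name);
    if (hit) return { brand: name, major: hit.major, source: "client-hints" };
  }
  const products = uaProducts(headers["user-agent"] || "");
  for (const [token, name] of UA_TOKENS) {
    if (products.has(token)) return { brand: name, major: products.get(token), source: "user-agent" };
  }
  // Safari carries its real version in Version/, and only counts if nothing above matched.
  if (products.has("Safari") && products.has("Version")) {
    return { brand: "Safari", major: products.get("Version"), source: "user-agent" };
  }
  return { brand: "unknown", major: null, source: "none" };
}

// The brittle substring check: true for Chrome as well as Safari.
const naiveIsSafari = (ua) => ua.includes("Safari");

// Constructed sample headers.
const CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36";
const SAFARI_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15";
const CHROME_HINT = '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"';

console.log(naiveIsSafari(CHROME_UA), identifyBrowser({ "user-agent": CHROME_UA, "sec-ch-ua": CHROME_HINT }));
```

Because any client can set both headers to whatever it likes, the result suits compatibility and analytics decisions, not authentication of a client's identity.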
For most readers: treat the UA as operational metadata, not a secret. Pair network-level tools with sane cookie banners and minimal third-party scripts if you care about tracking surface area.