The string above is the exact User-Agent header your browser sends on ordinary HTTP requests today. I keep this page because a production Next.js deploy once served the wrong layout to iPhone users: our middleware still parsed a frozen desktop token while Client Hints already reported Sec-CH-UA-Mobile: ?1. The bug was ours, not Apple's, but it taught me to log both the legacy string and the hint headers in every SSR ticket. Below I break down what each token means, how User-Agent Client Hints replace the old sniffing game, and when spoofing is legitimate for testing versus harmful for privacy.
What a user agent string actually is
The User-Agent request header is a single text field defined in RFC 9110. Servers historically parsed it with regular expressions to guess browser engine, OS, and device class. The format is not standardized beyond convention: product tokens like Chrome/136.0.0.0, compatibility tokens like KHTML, like Gecko, and a parenthesized comment block that often lists platform details.
Almost every browser still begins with Mozilla/5.0 because Netscape once dominated and sites gated features on that token. IE had to claim compatibility; everyone else inherited the habit. The comment does not mean you are running Mozilla Firefox; it is legacy syntax that survived three decades of web evolution.
User-Agent Client Hints and the frozen string
Chromium's User-Agent reduction keeps the legacy string coarse on purpose: fewer version bits, less platform entropy. Fine-grained data moved to opt-in Client Hints headers standardized in RFC 8942. Examples include Sec-CH-UA (brand list), Sec-CH-UA-Mobile, and Sec-CH-UA-Platform. JavaScript can read structured brands via navigator.userAgentData when the page is a secure context and permissions allow it.
Server frameworks must request hints explicitly (for example the Accept-CH response header) or they never arrive. That is why modern stacks log both worlds: the frozen UA for backwards compatibility and hints for accurate mobile detection. Our browser summary page complements this one with a human-readable breakdown when hints are available.
How to read a UA string (three real shapes)
Desktop Chromium on Windows typically embeds Windows NT 10.0 in the comment and ends with Chrome/โฆ Safari/537.36 because Blink keeps the WebKit token for site compatibility. Mobile Safari on iPhone uses iPhone; CPU iPhone OS โฆ and Version/โฆ Mobile/โฆ Safari/โฆwithout exposing "Chrome" even though WebKit also powers the engine. Automated crawlers shorten the pattern and add product names like Googlebot or GPTBot near the front.
# Illustrative patterns (versions change constantly)
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 โฆ Chrome/136.0.0.0 Safari/537.36
Mozilla/5.0 (iPhone; CPU iPhone OS 18_4 like Mac OS X) โฆ Version/18.4 Mobile/15E148 Safari/604.1
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)Copy the live string from the hero on this page when filing bugs. Do not rely on blog screenshots; vendors ship new major versions every four weeks.
How sites still use (and misuse) the user agent
Legitimate uses include analytics bucketing, serving a lighter mobile stylesheet, and blocking ancient clients that cannot execute required JavaScript. Problematic uses include hard-coded allowlists, paywall bypass detection based on UA alone, and fingerprinting pipelines that hash the entire string with canvas data.
Better practice is feature detection: test whether Intl, fetch, or a specific CSS property exists before branching. Bot management combines UA with IP reputation, TLS fingerprinting, and JavaScript challenges because spoofing the UA string is trivial.
Spoofing your UA for testing (and why not to live there)
Chrome DevTools โ Network conditions โ User agent lets you emulate another device for layout QA. Firefox offers a similar override in responsive design mode. Extensions can persist a fake UA across tabs, which is handy for reproducing a customer ticket and dangerous if you forget it is enabled.
Spoofing does not change your IP, timezone, or hardware capabilities. Sites that combine signals will still classify you correctly. Fraud systems may flag inconsistent pairs (mobile UA + desktop screen size from our screen tool).
Common crawler and bot user agents
| Bot | Typical UA fragment | Purpose | Respects robots.txt |
|---|---|---|---|
| Googlebot | Googlebot/2.1 | Search indexing | Yes (policy + robots) |
| Bingbot | bingbot/2.0 | Bing search indexing | Yes |
| GPTBot | GPTBot/1.0 | OpenAI training crawl (opt-out via robots) | Honors disallow rules when configured |
| ClaudeBot | ClaudeBot/1.0 | Anthropic crawler | Honors disallow rules when configured |
| PerplexityBot | PerplexityBot/1.0 | Perplexity answer indexing | Honors disallow rules when configured |
| AhrefsBot | AhrefsBot/7.0 | SEO backlink crawling | Yes (commercial crawler) |
Verify claims with reverse DNS for major search bots and your own robots.txt rules. Malware often impersonates Googlebot; do not trust the string alone.
Frequently asked questions
Why does every browser's user agent start with "Mozilla"?
Historical compatibility. Early servers sniffed for the Mozilla token to unlock JavaScript and CSS features. New engines adopted the prefix so they would not be locked out. The name stuck even though the Netscape browser market share vanished decades ago.
What are User-Agent Client Hints?
They are HTTP request headers (and a JavaScript API) that expose structured metadata about browser brand, version, mobile bit, and platform on an opt-in basis. They replace parsing the legacy UA string for sites that send Accept-CH and receive permission grants.
How do I change my user agent?
Use DevTools device emulation for temporary testing, or a dedicated extension for persistent overrides. Remember to disable overrides after debugging or you will chase phantom layout bugs. Spoofing does not relocate your IP or change TLS fingerprints.
Can a website tell if I am spoofing my user agent?
Often yes. Mismatches between UA, Client Hints, screen dimensions, touch support, and WebGL renderer strings are easy to score. Serious bot defenses do not rely on UA alone, but inconsistency raises risk scores.
What user agent does Googlebot use?
Google publishes multiple agents (smartphone, desktop, image). A common pattern is Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html). Confirm with Google's crawler documentation and verify the source IP via reverse DNS.
Related tools
Human-readable browser and engine summary: What Is My Browser. Display geometry and DPR: What Is My Screen Resolution. GPU renderer strings: What Is My WebGL / GPU.
Sources cited above
- RFC 9110: HTTP Semantics (User-Agent header)
- RFC 8942: Client Hints structure
- Chromium User-Agent reduction
- Google Search crawler overview