User-Agent

The User-Agent header is supposed to identify the client making an HTTP request — browser name, version, OS, etc. It is also the most overgrown header in HTTP history, lying about its own contents for backwards-compatibility reasons that compound year over year.

A typical modern Chrome User-Agent string:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Chrome claims to be Mozilla, Apple WebKit, and Safari, all at the same time. None of those tokens are accurate — they exist because some 1998 server-side code checked for “Mozilla” before serving modern HTML, so every subsequent browser added “Mozilla/5.0” to avoid being downgraded. The string has been a museum of compatibility hacks ever since.

Modern alternatives:

• User-Agent Client Hints (Sec-CH-UA family of headers) — Chrome started sending structured client hints in 2020. Servers can opt in via Accept-CH. Cleaner data, smaller default footprint.
• Feature detection instead of UA sniffing — check whether the API you need exists rather than guessing from the browser version.

User-Agent strings can be spoofed trivially; treat them as a hint, not a security boundary. For analytics, the UA gives a rough breakdown of client share; for actual decisions, feature-detect.