User-Agent Parser

Break down any User-Agent string into browser, OS, device, and engine. Spot bot and automation signals. Everything runs in your browser.

User-Agent string

What is a User-Agent and how much should you trust it?

The 30-second version

A User-Agent (UA) is a short text string that a browser or other client sends with every HTTP request. It is meant to advertise what software is making the request: the browser name and version, the rendering engine, the operating system, and sometimes the device. Servers historically used it to decide which version of a page to serve.

It is trivially spoofable

The UA is just a header that the client sets. Anyone can change it in one line of code, a browser setting, or a command-line flag. A Python script can claim to be Safari on an iPhone, and a real browser can be told to report anything at all. Because of this, the UA should not be used for security or access-control decisions on its own. Treat it as a hint, not as identity.

Client hints are replacing it

Browsers are gradually freezing and shrinking the legacy UA string. The replacement is User-Agent Client Hints (UA-CH), exposed in JavaScript as navigator.userAgentData. Instead of one long string, the browser offers structured, requestable values such as the platform, a mobile boolean, and a list of brands. These are still set by the client, so they are not proof either, but they are cleaner to read and a bit harder to fake casually.

Why bot and headless tokens matter for fraud work

Automated clients often leave fingerprints in the UA: tokens like bot, crawler, HeadlessChrome, python-requests, curl, or Go-http-client. Honest crawlers (search engines, monitoring tools) usually identify themselves this way on purpose. Less honest automation sometimes forgets to hide it.

A bot token is a weak signal worth corroborating, not a verdict:

A real attacker will simply remove or fake the token, so the absence of one proves nothing.
A legitimate user can sit behind a tool that adds one (some VPNs, accessibility software, and security proxies do this).
Confirm it against other evidence: IP reputation, request rate, header order and consistency, TLS fingerprint, and behavior over time.

In short, the UA is useful for analytics, troubleshooting, and as one input among many. It is not an identity document.