User Agent Strings: Reading Browser Fingerprints
What that weird string tells you about your visitors and why it's often misleading.
Every HTTP request includes a User-Agent header. Something like:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
This is supposed to identify the browser. In practice, it's a historical mess.
Why Every Browser Lies
That Chrome user agent mentions Mozilla, AppleWebKit, KHTML, and Safari. Chrome isn't any of those.
Here's why: websites used to check user agents and serve different content. New browsers got blocked because sites didn't recognize them.
So browsers started lying. "I'm compatible with Mozilla" became standard. "I'm compatible with AppleWebKit" got added. Every browser claims to be every other browser.
What You Can Actually Learn
Despite the chaos, user agents still contain useful information:
Browser name and version: The actual browser token is usually near the end, such as "Chrome/120" or "Firefox/121".
Operating system: "Windows NT 10.0" or "Mac OS X 10_15_7" or "Linux".
Device type: Mobile user agents include device names or "Mobile".
Bot identification: Googlebot, Bingbot, and other crawlers identify themselves.
Common Detection Patterns
Desktop Chrome:
...Chrome/120.0.0.0 Safari/537.36
Mobile Chrome on Android:
...Android 10; Pixel 4...Chrome/120.0.0.0 Mobile Safari/537.36
Safari on iPhone:
...iPhone; CPU iPhone OS 17_0 like Mac OS X...Safari/605.1.15
Firefox:
...Firefox/121.0
Edge, Opera, Brave, and others are Chromium-based and look similar to Chrome.
Why Feature Detection Is Better
User agent detection answers "what browser?" Feature detection answers "can this browser do X?"
// User agent detection (fragile)
if (navigator.userAgent.includes('Chrome')) {
  // assume Chrome features
}

// Feature detection (robust)
if ('serviceWorker' in navigator) {
  // use service workers
}
Browsers change. User agent strings get modified. Feature detection works regardless.
When User Agents Still Matter
Analytics. Understanding your audience: browser market share, mobile vs desktop, OS distribution.
Bot detection. Identifying crawlers and adjusting server behavior.
Targeted testing. Reproducing issues reported by users on specific browsers.
Legacy support decisions. If 0.1% of users run IE11, maybe you stop supporting it.
Spoofing and Privacy
User agents are easily faked. Privacy extensions modify them. Some browsers let users change them manually.
Don't rely on user agents for security. They're hints, not authentication.
Browser fingerprinting combines user agent with other signals (screen size, fonts, plugins) for tracking. This is controversial and increasingly blocked by browsers.
Client Hints: The Modern Alternative
User-Agent Client Hints are a newer approach. Servers request specific information, and the browser sends it as separate structured headers:
Sec-CH-UA: "Chromium";v="120", "Google Chrome";v="120"
Sec-CH-UA-Platform: "Windows"
Sec-CH-UA-Mobile: ?0
Structured, reliable, privacy-respecting. But adoption is still growing.
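The Client Hints headers above can be cross-checked against the legacy User-Agent string, which is one way to act on the spoofing caveat. The following is an added example, not code from the original article: the function names are hypothetical, and a mismatch is a signal for logging or scoring rather than proof, since both headers are client-controlled.

```javascript
// Added example, not from the original article; function names are hypothetical.
// Parses User-Agent Client Hints and flags disagreement with the User-Agent header.

// Sec-CH-UA is a list of quoted brand strings, each with a quoted "v" parameter.
// Matching whole quoted strings keeps punctuation inside brand names intact.
function parseBrandList(value) {
  const item = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  const brands = [];
  for (const m of (value || '').matchAll(item)) {
    brands.push({ brand: m[1].replace(/\\(.)/g, '$1'), version: m[2] });
  }
  return brands;
}

// Token the legacy User-Agent carries for each Sec-CH-UA-Platform value.
const PLATFORM_TOKENS = new Map([
  ['Windows', 'Windows NT'], ['macOS', 'Mac OS X'],
  ['Android', 'Android'], ['Linux', 'Linux'],
]);

// headers: plain object keyed by lower-cased header name.
function compareHints(headers) {
  const ua = headers['user-agent'] || '';
  const brands = parseBrandList(headers['sec-ch-ua']);
  const findings = [];
  // Firefox and Safari send no UA Client Hints, so absence alone is not a finding.
  if (brands.length === 0) return { hintsPresent: false, brands, findings };

  // Chromium-based browsers report the same major version in both places.
  const chromium = brands.find((b) => b.brand === 'Chromium');
  const uaMajor = (ua.match(/Chrome\/(\d+)/) || [])[1];
  if (chromium && uaMajor && chromium.version.split('.')[0] !== uaMajor) {
    findings.push('version-mismatch');
  }

  // Sec-CH-UA-Platform is a quoted string; unknown platforms are skipped.
  const platform = (headers['sec-ch-ua-platform'] || '').replace(/^"|"$/g, '');
  const token = PLATFORM_TOKENS.get(platform);
  if (token && !ua.includes(token)) findings.push('platform-mismatch');

  // Sec-CH-UA-Mobile is a structured boolean: ?0 (false) or ?1 (true).
  const mobile = headers['sec-ch-ua-mobile'];
  if ((mobile === '?0' || mobile === '?1') &&
      (mobile === '?1') !== ua.includes('Mobile')) {
    findings.push('mobile-mismatch');
  }
  return { hintsPresent: true, brands, findings };
}
```

Feed the findings into bot scoring or logs alongside other signals; a fully consistent set of headers still proves nothing about the client.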
Parsing Libraries
Don't parse user agents with regex. The edge cases will defeat you.
Use established libraries that maintain pattern databases:
- ua-parser-js (JavaScript)
- user-agents (Python)
- DeviceDetector (PHP)
These handle the historical mess and update when new browsers appear.
User agents are useful for analytics and diagnostics but unreliable for feature decisions. Parse them with libraries, prefer feature detection for functionality, and remember that any user can fake their user agent.