ゆるテックノート

The long, layered browser UA string

Browser User-Agent strings carry decades of compatibility labels. They started as a way to look compatible; now browsers aim to shrink them for privacy and stability.

A stack of history ⏳

Servers used UA strings to branch behavior, so browsers kept adding badges to look compatible.

Key layers

  • Mozilla: legacy from Netscape Navigator; many browsers kept it to avoid being blocked.
  • Gecko: the Firefox engine label.
  • KHTML / AppleWebKit: engine heritage from Konqueror; Safari and Chrome-derived browsers retain it, even those now built on Blink.
  • Chrome / Safari / Edg: each browser adds its own brand; Edge (Chromium) uses Edg/ to avoid old UA-sniffing rules.

Example: Chrome UA (simplified)

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0 Safari/537.36

Why so many tokens?

UA sniffing was common, so browsers signaled “I am compatible” by reusing others’ labels.

Past reasons

  • Early browsers differed greatly in what they supported, so servers branched on UA.
  • Missing a familiar token could trigger “unsupported” blocks, so vendors kept piling on tokens.

Modern risks

  • UA strings are long and leak device/OS details, increasing fingerprintability.
  • UA-based branching is brittle and can break new browsers or features.

UA Reduction & Client Hints 🔒

Browsers are shrinking UA strings for privacy and relying on explicit hints instead.

User-Agent Reduction

  • Chrome is stripping detailed OS/device info from the UA over staged milestones.
  • Safari and Firefox are aligning; UA sniffing for fine-grained details will get harder.

User-Agent Client Hints

  • Browsers expose needed info via headers like Sec-CH-UA only when requested.
  • Servers use Accept-CH to ask for hints; browsers return limited data under policy.
  • This makes information exchange explicit and reduces passive fingerprinting.
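The layering described above is why substring sniffing misfires, and Sec-CH-UA is the explicit alternative. The following is an added example, not code from the original page: it contrasts a naive substring check with a most-specific-first token check and a Sec-CH-UA brand parser. The Edge UA and the Sec-CH-UA value are constructed samples, and the function names and the "Not A Brand" placeholder filter are assumptions of this example.

```javascript
// Added example; sample header values below are constructed, not captured traffic.
const CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0 Safari/537.36";
const EDGE_UA = CHROME_UA + " Edg/123.0"; // constructed Edge-style UA
const SEC_CH_UA = '"Chromium";v="123", "Not:A-Brand";v="8", "Google Chrome";v="123"'; // constructed

// Brittle sniffing: the first familiar substring wins, so every
// Chromium-based UA is reported as Safari.
function naiveBrand(ua) {
  for (const name of ["Safari", "Chrome", "Edg"]) {
    if (ua.includes(name)) return name;
  }
  return "unknown";
}

// Split the UA into product/version tokens, skipping parenthesised comments.
function productTokens(ua) {
  const tokens = new Map();
  const stripped = ua.replace(/\([^)]*\)/g, " ");
  for (const m of stripped.matchAll(/([A-Za-z][\w.-]*)\/(\S+)/g)) {
    tokens.set(m[1], m[2]);
  }
  return tokens;
}

// Last-resort sniffing: test the most specific brand first, because
// each later browser kept the labels of the ones before it.
function layeredBrand(ua) {
  const tokens = productTokens(ua);
  for (const name of ["Edg", "Firefox", "Chrome", "Safari"]) {
    if (tokens.has(name)) return { brand: name, version: tokens.get(name) };
  }
  return { brand: "unknown", version: null };
}

// Parse a Sec-CH-UA value into {brand, version} pairs and drop the
// deliberately meaningless "Not A Brand"-style entry (heuristic match).
function clientHintBrands(header) {
  const brands = [];
  for (const m of header.matchAll(/"((?:[^"\\]|\\.)*)"\s*;\s*v="([^"]*)"/g)) {
    const placeholder = /^[^a-z]*not[^a-z]*a[^a-z]*brand[^a-z]*$/i.test(m[1]);
    if (!placeholder) brands.push({ brand: m[1], version: m[2] });
  }
  return brands;
}

console.log(naiveBrand(EDGE_UA), layeredBrand(EDGE_UA), clientHintBrands(SEC_CH_UA));
```

Any access-control or logging decision keyed on these values should treat them as client-supplied input: both the UA string and the hint headers can be set to anything by the sender.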

Practical guidance 🛠️

Prefer feature detection and explicit signals over brittle UA sniffing.

Recommended approaches

  • Use feature detection on the front end; reserve UA sniffing as a last resort.
  • For analytics, see if Client Hints or server logs give enough fidelity.
  • Retire custom UA branches in line with UA reduction timelines and automate compatibility tests.