User-Agent reduction

Limit browser data shared to remove sensitive information and reduce fingerprinting.

Published on Updated on

Implementation status

What is User-Agent reduction?

User-Agent (UA) reduction is the effort to minimize the identifying information shared in the User-Agent string which may be used for passive fingerprinting. As these changes are rolled out, all resource requests will have a reduced User-Agent header. As a result, the return values from certain Navigator interfaces will be reduced, including: navigator.userAgent, navigator.appVersion, and navigator.platform.

Web developers should prepare for the reduced User-Agent string by reviewing their site code for instances and uses of the User-Agent string. If your site relies on parsing the User-Agent string to read the device model, platform version, or full browser version, you'll need to implement the User-Agent Client Hints API.

Review the latest timeline for User-Agent reduction.

Key Term

The User-Agent string is an HTTP request header which allows servers and networks to identify the application, operating system (OS), vendor, and / or version of a user agent. Currently, the User-Agent is shared on every HTTP request and exposed in JavaScript.

User-Agent Client Hints (UA-CH)

User-Agent Client Hints allow access to the full set of user-agent data, but only when servers actively declare an explicit need for specific pieces of data.

By removing passively exposed user-data, we can better measure and reduce the amount of information that is intentionally exposed by request headers, JavaScript APIs, and other mechanisms.

Why do we need reduced UA and UA-CH?

Currently, the User-Agent string broadcasts a large string of data about a user's browser, operating system, and version every HTTP request. This is problematic for two reasons:

  • The granularity and abundance of detail can lead to user identification.
  • The default availability of this information can lead to covert tracking.

We improve user privacy by only sharing basic information by default.

The reduced User-Agent includes the browser's brand and a significant version, where the request came from (desktop or mobile), and the platform. To access more data, User-Agent Client Hints allow you to request specific information about the user's device or conditions.

Further, the User-Agent string has grown longer and more complex, which led to error-prone string parsing. UA-CH provides structured and reliable data that is easier to interpret. Existing code which parses the UA string shouldn’t break (though it will return less data), and you’ll need to migrate to UA-CH if your site needs specific information information.

How do the reduced UA and UA-CH work?

Here is a brief example of how the reduced User-Agent string and UA-CH work. For a more in-depth example, review Improving user privacy and developer experience with User-Agent Client Hints.

  1. A user opens the browser and enters into the address bar.
  2. The browser sends a request to load the webpage.
    1. The browser includes the User-Agent header with the reduced User-Agent string. For example: User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Mobile Safari/537.36
    2. The browser includes that same information in the default User-Agent Client Hint headers. For example:
      Sec-CH-UA: "Chrome"; v="93"
      Sec-CH-UA-Mobile: ?1
      Sec-CH-UA-Platform: "Android"
  3. The server can ask the browser to send additional client hints with the Accept-CH response header. For example: Accept-CH: Sec-CH-UA-Arch
  4. The browser applies policies and user configuration to determine what data is allowed to return to the server in subsequent request headers. For example:
    Sec-CH-UA: "Chrome"; v="93"
    Sec-CH-UA-Mobile: ?1
    Sec-CH-UA-Platform: "Android"
    Sec-CH-UA-Arch: "arm"

If you need a specific set of Client Hints on your initial request, refer to Client Hints Reliability to ensure Client Hints are available on site load and optimized.

How do I prepare for reduced UA?

As we get closer to the rollout of the reduced User-Agent string in Chrome Stable, review your site code for instances and uses of the User-Agent string. If your site relies on parsing the User-Agent string to read the device model, platform version, or full browser version, you’ll need to implement the UA-CH API.

Once you’ve updated to the UA-CH API, you should test to ensure you get the data you expect from the User-Agent. There are three ways to test, each increasing in complexity.

Test the string locally

There are a couple of methods to test the reduced User-Agent locally:

  • Enable the chrome://flags/#reduce-user-agent flag.
    • This will set your local browser to receive just the reduced user-agent string for all sites, before it becomes the default setting.
  • Configure an emulated device in DevTools with the right user-agent string and client hints.
    • In the top right of DevTools, click Settings > Devices > Add custom device... to configure an emulated device with any combination of user-agent string and User-Agent Client Hints values you need.
    • In the top left of DevTools, click Toggle Device Toolbar to open the DevTools UI to emulate a device.
  • Launch Chrome with the --user-agent="Custom string here".

Transform the string in your site’s code

If you process the existing Chrome user-agent string in your client-side or server-side code, you can transform that string to the new format to test compatibility. You can test by either overriding and replacing the string, or generating the new version and test side-by-side.

Review these User-Agent reduction snippets for example regular expressions.

Test on real user traffic with an origin trial

Register for the Chrome origin trial to test the reduced User-Agent with your platform on real user traffic.

If you create content that is embedded onto other websites (in other words, 3rd-party content), then you can participate in a third-party origin trial and test this change across multiple sites. When you register for the Chrome origin trial, select the "third-party matching" option to allow the script to be injected when your site is embedded on third-parties.

Engage and share feedback

Find out more

Last updated: Improve article

We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.