User-Agent Client Hints
User-Agent Client Hints replace passive user-agent string parsing with structured browser and device hints that sites request, browsers mediate, and governance must audit.
Definition
User-Agent Client Hints, often abbreviated UA-CH, are a web-platform mechanism for exposing browser and platform information through structured HTTP request headers and a JavaScript API instead of forcing every site to parse the legacy User-Agent string. The WICG specification defines UA-CH as a set of Client Hints intended to support agent-based content negotiation while reducing the passive fingerprinting surface historically exposed by the user-agent header.
MDN describes the API as a way to expose browser and platform information through User-Agent response and request headers and JavaScript. The important shift is not that browser identity disappears. More of it becomes requested, structured, and potentially mediated by the user agent, rather than broadcast as one long default string.
Mechanism
UA-CH builds on the HTTP Client Hints model standardized in RFC 8942. A server can advertise the hints it wants with the Accept-CH response header. A browser can then send selected request headers on later requests, subject to browser policy and implementation. In the UA-CH family, common headers include Sec-CH-UA, Sec-CH-UA-Mobile, and Sec-CH-UA-Platform.
Chrome's developer documentation says those three low-entropy hints are available by default in supporting Chromium browsers: browser brand and significant version, mobile indicator, and platform. Higher-entropy hints can include architecture, bitness, model, platform version, and full version list. MDN documents Navigator.userAgentData and NavigatorUAData.getHighEntropyValues() as the JavaScript route for detailed values.
The Privacy Sandbox user-agent reduction documentation explains the paired policy idea: reduce detail in the legacy string, then let sites request specific structured data for compatibility. This is a different privacy bargain from silent full disclosure. It asks sites to name what they want and asks browsers to decide what to return.
Agent Context
For AI Browsers and Computer Use, UA-CH is a small but important identity surface. A browser-using agent may inherit the same client hints as the human session, override them through automation tooling, or reveal an unusual combination of network, HTTP, and browser signals. That matters for anti-abuse systems, compatibility routing, accessibility fallbacks, and identifying delegated web agents without expanding universal fingerprinting.
An agent that shops, files forms, tests sites, books travel, or operates a workplace browser may trigger server logic based on client hints. It might receive a mobile page, a wrong-architecture download, a fraud challenge, or a blocked flow. If the agent changes user-agent metadata to bypass a broken site, it alters the identity evidence the site sees.
Governance Use
Organizations should treat UA-CH as a browser identity and compatibility channel. Governance records should preserve which hints were requested by a site, which were sent by the browser, whether JavaScript requested high-entropy values, what Permissions Policy applied, and whether automation modified user-agent metadata. Those records matter when a downstream decision depends on device class, browser family, operating system, or agent detection.
Good use is narrow and explainable: serve the correct installer, work around a real browser bug, select an appropriate layout, or debug compatibility. Poor use is silent profile enrichment: collecting device characteristics, joining them with cookies or accounts, and using the result as an invisible identity proxy.
Limits
UA-CH does not solve fingerprinting by itself. It can reduce passive exposure from the old user-agent string, but it can also create a request path for detailed browser and device data. A site that combines UA-CH with IP address, cookies, local storage, canvas behavior, fonts, screen data, TLS shape, timing, and account records can still assemble a durable profile.
It also does not solve agent legitimacy. A signed bot, delegated user agent, automation script, and fraud actor can all present browser metadata. Client hints can describe the runtime; they do not prove authorization, consent, purpose, or accountability.
Review Record
- Request surface: record Accept-CH, requested UA-CH headers, frame context, origin, response path, cache behavior, and persistence across navigations.
- Returned hints: record low-entropy and high-entropy values, JavaScript access through navigator.userAgentData, and any Permissions Policy affecting high-entropy values.
- Automation: record agent identity, browser profile, user-agent metadata overrides, anti-bot challenge outcomes, and whether a human approved metadata changes.
- Use decision: record whether hints drove compatibility, download selection, fraud scoring, analytics, personalization, access denial, or audit evidence.
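One way to capture the request-surface and returned-hints parts of such a record, as an added example that is not code from this page or from any browser or specification project: it compares the Accept-CH value of a response with the Sec-CH-UA headers on a later request to the same origin. The function names, the record field names, the origin, and the header values are constructed for illustration, and the high-entropy list is limited to the hints named in the Mechanism section.

```javascript
// Added example (not from the original page): UA-CH review record for one exchange.
const LOW = ['sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform'];
const HIGH = ['sec-ch-ua-arch', 'sec-ch-ua-bitness', 'sec-ch-ua-model',
  'sec-ch-ua-platform-version', 'sec-ch-ua-full-version-list'];

// Header names are case-insensitive; normalize keys before any lookup.
const lower = (headers) => Object.fromEntries(
  Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));

// Accept-CH carries a comma-separated list of hint names.
const parseAcceptCH = (value) =>
  (value || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);

// Sec-CH-UA is a list of quoted brands, each with a quoted v parameter.
function parseBrands(value) {
  const out = [];
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  for (const m of (value || '').matchAll(re)) {
    out.push({ brand: m[1].replace(/\\(.)/g, '$1'), version: m[2] });
  }
  return out;
}

const unquote = (v) => (v === undefined ? null : v.replace(/^"|"$/g, ''));

function buildReviewRecord(origin, responseHeaders, requestHeaders) {
  const res = lower(responseHeaders);
  const req = lower(requestHeaders);
  const requested = parseAcceptCH(res['accept-ch']);
  const sentHigh = HIGH.filter((h) => h in req);
  return {
    origin,
    requestedHints: requested,
    requestedHighEntropy: requested.filter((h) => HIGH.includes(h)),
    sentLowEntropy: LOW.filter((h) => h in req),
    sentHighEntropy: sentHigh,
    // Requested here but absent from the request: withheld, or not yet applied.
    requestedNotSent: requested.filter((h) => HIGH.includes(h) && !(h in req)),
    // Sent without a request in this response: check for a persisted earlier opt-in.
    sentNotRequestedHere: sentHigh.filter((h) => !requested.includes(h)),
    brands: parseBrands(req['sec-ch-ua']),
    mobile: req['sec-ch-ua-mobile'] === undefined ? null : req['sec-ch-ua-mobile'] === '?1',
    platform: unquote(req['sec-ch-ua-platform']),
  };
}

// Constructed sample exchange (illustrative values, not captured traffic).
const sampleRecord = buildReviewRecord('https://downloads.example',
  { 'Accept-CH': 'Sec-CH-UA-Arch, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version' },
  { 'Sec-CH-UA': '"Chromium";v="124", "Not-A.Brand";v="99"',
    'Sec-CH-UA-Mobile': '?0', 'Sec-CH-UA-Platform': '"Windows"',
    'Sec-CH-UA-Arch': '"x86"', 'Sec-CH-UA-Bitness': '"64"' });
```

In the sample, two requested high-entropy hints were not returned and one high-entropy hint arrived without being requested in that response; both lists are the entries a reviewer would follow up on.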
Source Discipline
Claims about the UA-CH header family and the passive-fingerprinting motivation should cite the WICG specification. Claims about the broader Client Hints negotiation model should cite RFC 8942. Claims about Navigator.userAgentData, getHighEntropyValues(), and the browser-mediated model should cite MDN. Claims about Chrome's default low-entropy hints and UA reduction should cite Chrome for Developers or Privacy Sandbox documentation.
Spiralist Reading
Spiralism reads UA-CH as a lesson in identity minimization under pressure. The old web asked every browser to announce too much because compatibility was fragile. The new pattern asks for structured restraint, but restraint becomes real only when requests, returned values, and uses are visible. The browser fingerprint becomes less mystical when it is named header by header, but it remains political: who may ask what this machine is, and what may they do with the answer?
Related Pages
- AI Browsers and Computer Use
- Fetch Metadata Request Headers
- Referrer Policy
- Permissions Policy
- Local Font Access API
- Storage Partitioning
- Web Bot Auth
- Data Minimization
- Contextual Integrity
- The Browser Fingerprint Becomes the Shadow Identity
- The Web Agent Becomes the Fingerprinted Visitor
Sources
- WICG, User-Agent Client Hints, specification draft.
- IETF, RFC 8942: HTTP Client Hints.
- MDN Web Docs, User-Agent Client Hints API.
- MDN Web Docs, User-Agent reduction.
- Chrome for Developers, Improving user privacy and developer experience with User-Agent Client Hints.
- Privacy Sandbox, What is User-Agent reduction?.