Wiki · Concept · Last reviewed June 25, 2026

User-Agent Client Hints

User-Agent Client Hints replace passive user-agent string parsing with structured browser and device hints that sites request, browsers mediate, and governance must audit.

Definition

User-Agent Client Hints, often abbreviated UA-CH, are a web-platform mechanism for exposing browser and platform information through structured HTTP request headers and a JavaScript API instead of forcing every site to parse the legacy User-Agent string. The WICG specification defines UA-CH as a set of Client Hints intended to support agent-based content negotiation while reducing the passive fingerprinting surface historically exposed by the user-agent header.

MDN describes the API as a way to expose browser and platform information through User-Agent response and request headers and JavaScript. The important shift is not that browser identity disappears; rather, more of it becomes requested, structured, and potentially mediated by the user agent, instead of being broadcast as one long default string.

Mechanism

UA-CH builds on the HTTP Client Hints model standardized in RFC 8942. A server can advertise the hints it wants with the Accept-CH response header. A browser can then send selected request headers on later requests, subject to browser policy and implementation. In the UA-CH family, common headers include Sec-CH-UA, Sec-CH-UA-Mobile, and Sec-CH-UA-Platform.

Chrome's developer documentation says those three low-entropy hints are available by default in supporting Chromium browsers: browser brand and significant version, mobile indicator, and platform. Higher-entropy hints can include architecture, bitness, model, platform version, and full version list. MDN documents Navigator.userAgentData and NavigatorUAData.getHighEntropyValues() as the JavaScript route for detailed values.

The Privacy Sandbox user-agent reduction documentation explains the paired policy idea: reduce detail in the legacy string, then let sites request specific structured data for compatibility. This is a different privacy bargain from silent full disclosure. It asks sites to name what they want and asks browsers to decide what to return.

Agent Context

For AI Browsers and Computer Use, UA-CH is a small but important identity surface. A browser-using agent may inherit the same client hints as the human session, override them through automation tooling, or reveal an unusual combination of network, HTTP, and browser signals. That matters for anti-abuse systems, compatibility routing, accessibility fallbacks, and identifying delegated web agents without expanding universal fingerprinting.

An agent that shops, files forms, tests sites, books travel, or operates a workplace browser may trigger server logic based on client hints. It might receive a mobile page, a wrong-architecture download, a fraud challenge, or a blocked flow. If the agent changes user-agent metadata to bypass a broken site, it alters the identity evidence the site sees.

Governance Use

Organizations should treat UA-CH as a browser identity and compatibility channel. Governance records should preserve which hints were requested by a site, which were sent by the browser, whether JavaScript requested high-entropy values, what Permissions Policy applied, and whether automation modified user-agent metadata. Those records matter when a downstream decision depends on device class, browser family, operating system, or agent detection.
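One way to build such a record from the Accept-CH / Sec-CH-UA exchange described under Mechanism. This is an added example, not code from the WICG specification, MDN, or any browser project; the function names, flag labels, platform-to-UA token map, and sample headers are all assumptions constructed for illustration.

```javascript
// Added example: hypothetical helper names; the sample headers at the end are constructed.
const LOW_ENTROPY = new Set(["sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"]);
// Heuristic (assumption): token each platform hint normally implies in the legacy UA string.
const PLATFORM_UA_TOKEN = { Windows: "Windows NT", macOS: "Macintosh", Linux: "Linux",
                            Android: "Android", "Chrome OS": "CrOS" };
const lowerKeys = (h) => Object.fromEntries(
  Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v)]));
const unquote = (s) => (s || "").trim().replace(/^"(.*)"$/, "$1");

// Sec-CH-UA is a structured-field list of strings with a v parameter: "Brand";v="123", ...
function parseBrandList(value) {
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  return [...(value || "").matchAll(re)].map((m) => ({
    brand: m[1].replace(/\\(.)/g, "$1"), version: m[2] }));
}

// Accept-CH is a comma-separated list of case-insensitive header names.
function parseAcceptCH(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Build one audit record from an earlier response (Accept-CH) and a later request.
function auditExchange(priorResponseHeaders, laterRequestHeaders) {
  const res = lowerKeys(priorResponseHeaders), req = lowerKeys(laterRequestHeaders);
  const requested = parseAcceptCH(res["accept-ch"]);
  const sent = Object.keys(req).filter((k) => k.startsWith("sec-ch-ua")).sort();
  const platform = unquote(req["sec-ch-ua-platform"]);
  const token = PLATFORM_UA_TOKEN[platform];
  const flags = [];
  // Hint and legacy string disagree: metadata was likely overridden somewhere.
  if (token && !(req["user-agent"] || "").includes(token)) flags.push("platform-hint-vs-ua-mismatch");
  // May be legitimate (an older Accept-CH can persist); recorded for review, not as a verdict.
  const unsolicited = sent.filter((h) => !LOW_ENTROPY.has(h) && !requested.includes(h));
  if (unsolicited.length) flags.push("high-entropy-not-requested-here");
  return { requested, sent,
    highEntropySent: sent.filter((h) => !LOW_ENTROPY.has(h)),
    withheld: requested.filter((h) => !sent.includes(h)),
    brands: parseBrandList(req["sec-ch-ua"]),
    mobile: req["sec-ch-ua-mobile"] === "?1", platform, flags };
}

// Constructed sample: server asks for two high-entropy hints; client sends one of them.
const sampleRecord = auditExchange(
  { "Accept-CH": "Sec-CH-UA-Platform-Version, Sec-CH-UA-Model" },
  { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "Sec-CH-UA": '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"',
    "Sec-CH-UA-Mobile": "?0", "Sec-CH-UA-Platform": '"Windows"',
    "Sec-CH-UA-Platform-Version": '"15.0.0"' });
console.log(JSON.stringify(sampleRecord, null, 2));
```

The record covers HTTP headers only; whether JavaScript called getHighEntropyValues() and which Permissions Policy applied have to be captured in the browser or automation layer.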

Good use is narrow and explainable: serve the correct installer, work around a real browser bug, select an appropriate layout, or debug compatibility. Poor use is silent profile enrichment: collecting device characteristics, joining them with cookies or accounts, and using the result as an invisible identity proxy.

Limits

UA-CH does not solve fingerprinting by itself. It can reduce passive exposure from the old user-agent string, but it can also create a request path for detailed browser and device data. A site that combines UA-CH with IP address, cookies, local storage, canvas behavior, fonts, screen data, TLS shape, timing, and account records can still assemble a durable profile.

It also does not solve agent legitimacy. A signed bot, delegated user agent, automation script, and fraud actor can all present browser metadata. Client hints can describe the runtime; they do not prove authorization, consent, purpose, or accountability.

Review Record

Source Discipline

Claims about the UA-CH header family and the passive-fingerprinting motivation should cite the WICG specification. Claims about the broader Client Hints negotiation model should cite RFC 8942. Claims about Navigator.userAgentData, getHighEntropyValues(), and the browser-mediated model should cite MDN. Claims about Chrome's default low-entropy hints and UA reduction should cite Chrome for Developers or Privacy Sandbox documentation.

Spiralist Reading

Spiralism reads UA-CH as a lesson in identity minimization under pressure. The old web asked every browser to announce too much because compatibility was fragile. The new pattern asks for structured restraint, but restraint becomes real only when requests, returned values, and uses are visible. The browser fingerprint becomes less mystical when it is named header by header, but it remains political: who may ask what this machine is, and what may they do with the answer?
