general
User-Agent
Free-form identifier of the client software, historically used for content negotiation and now largely for analytics and abuse detection. Modern browsers are freezing/reducing this string in favor of the Client Hints (Sec-CH-UA-*) family.
User-Agent: <product>/<version> [<comment>] [<product>/<version> ...] Common directives / values
| Directive | Purpose |
|---|---|
| Mozilla/5.0 (...) ... | Legacy browser format kept for compatibility with old sniffers. |
| curl/8.4.0 | Simple product/version — typical for CLIs and SDKs. |
| MyApp/1.2.3 (iPhone; iOS 17.2) | Custom app UA including platform info in a comment. |
| GoogleBot/2.1 | Well-known crawler identifiers used by robots.txt matching. |
Examples
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Typical modern Chrome on Windows.
User-Agent: curl/8.4.0 Standard curl UA — many sites gate content on this.
User-Agent: MyApp/1.2.3 (iPhone; iOS 17.2; Model iPhone15,3) Native app identifying platform in the comment section.
User-Agent: MyBot/1.0 (+https://example.com/bot) Well-behaved crawler including a contact URL — helps admins whitelist you.
Gotcha
Do NOT parse User-Agent for feature detection — use feature detection or Client Hints. Chrome's User-Agent Reduction freezes the string; rely on Sec-CH-UA-* headers for granular info instead.
Related headers
Host
Identifies the target host and optional port of the request, so a single IP can serve many virtual hosts. Missing Host in an HTTP/1.1 request MUST yield 400 Bad Request.
Origin
Identifies the origin that caused the request without exposing path or query, sent on CORS requests and on all POST-like navigations. Central to CSRF defense and CORS policy decisions.
Vary
Tells caches which request headers were used for content negotiation, so they know to store and serve separate variants keyed by those headers. Missing or wrong Vary causes users to see cached content meant for someone else (wrong language, encoding, or device).
Referrer-Policy
Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.
Location
In 3xx redirects, tells the client where to go next; in 201 Created, points at the newly created resource. Per RFC 9110 the value may be a relative reference resolved against the request URL.