User-Agent Spoofing
What is User-Agent Spoofing?
Forging the User-Agent header or related client hints so that a request appears to come from a different browser, device, or operating system than it actually does.
User-Agent spoofing is the practice of changing the HTTP User-Agent string (and related Client Hints such as Sec-CH-UA) sent by a client to misrepresent the underlying browser, version, or platform. Legitimate uses include testing responsive layouts, debugging compatibility issues, and accessing content gated by deprecated browser checks. Attackers use the same technique to bypass weak bot detection, impersonate Googlebot to obtain different content, evade fingerprint-based defenses, and exploit server-side conditional logic that branches on the header. Because the header is fully controlled by the client, security teams treat User-Agent as untrusted input and combine it with TLS fingerprinting, JavaScript challenges, and behavioral analytics to detect automation.
● Examples
- 01: A scraping bot sending User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1) to access content normally cloaked for SEO.
- 02: A penetration tester using Burp Suite Match and Replace to test mobile-only endpoints from a desktop browser.
● Frequently asked questions
What is User-Agent Spoofing?
Forging the User-Agent header or related client hints so that a request appears to come from a different browser, device, or operating system than it actually does. It belongs to the Application Security category of cybersecurity.
What does User-Agent Spoofing mean?
Forging the User-Agent header or related client hints so that a request appears to come from a different browser, device, or operating system than it actually does.
How does User-Agent Spoofing work?
User-Agent spoofing is the practice of changing the HTTP User-Agent string (and related Client Hints such as Sec-CH-UA) sent by a client to misrepresent the underlying browser, version, or platform. Legitimate uses include testing responsive layouts, debugging compatibility issues, and accessing content gated by deprecated browser checks. Attackers use the same technique to bypass weak bot detection, impersonate Googlebot to obtain different content, evade fingerprint-based defenses, and exploit server-side conditional logic that branches on the header. Because the header is fully controlled by the client, security teams treat User-Agent as untrusted input and combine it with TLS fingerprinting, JavaScript challenges, and behavioral analytics to detect automation.
How do you defend against User-Agent Spoofing?
Defences for User-Agent Spoofing typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for User-Agent Spoofing?
Common alternative names include: UA spoofing, User-Agent override.
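As an added example (not part of this glossary entry), the following Python treats User-Agent as the untrusted input the definition and FAQ above describe, in two concrete ways: it cross-checks the header against the Sec-CH-UA client hint that Chromium browsers send alongside it, and it verifies a request claiming to be Googlebot with a forward-confirmed reverse DNS lookup, the validation method Google documents for its crawler. The DNS lookups are injected functions over constructed records (RFC 5737 documentation addresses, not real crawler hosts) so the example runs offline; in production they would wrap socket.gethostbyaddr and socket.gethostbyname_ex. Function names and the sample headers are this example's own assumptions.

```python
import re

# Token in the User-Agent string -> brand the same browser reports in
# Sec-CH-UA. Order matters: Edge and Opera also carry "Chrome/".
UA_TOKEN_TO_BRAND = [
    ("Edg/", "Microsoft Edge"),
    ("OPR/", "Opera"),
    ("Chrome/", "Google Chrome"),
]

def parse_sec_ch_ua(value):
    """Brand names in a Sec-CH-UA value such as
    '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"'."""
    return re.findall(r'"([^"]*)";\s*v="[^"]*"', value)

def claimed_brand(user_agent):
    """Brand the User-Agent implies, or None for browsers that send no
    hints (Firefox, Safari, most crawlers)."""
    for token, brand in UA_TOKEN_TO_BRAND:
        if token in user_agent:
            return brand
    return None

def ua_hint_mismatch(headers):
    """Reason string when User-Agent and Sec-CH-UA disagree, else None.
    `headers` maps lower-case header names to values. Caveat: Chromium only
    sends Sec-CH-UA to secure (HTTPS) origins, so apply this on HTTPS."""
    brand = claimed_brand(headers.get("user-agent", ""))
    hint = headers.get("sec-ch-ua")
    if brand is None:
        if hint:
            return "Sec-CH-UA present but User-Agent is not a Chromium browser"
        return None
    if not hint:
        return f"User-Agent claims {brand} but Sec-CH-UA is missing"
    brands = parse_sec_ch_ua(hint)
    if brand not in brands:
        return f"User-Agent claims {brand} but Sec-CH-UA lists {brands}"
    return None

GOOGLEBOT_DOMAINS = ("googlebot.com", "google.com")

def verify_googlebot(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS: the PTR name must sit under a Google
    crawler domain AND resolve back to the same IP. A forged PTR alone is
    cheap; making the forward record agree requires Google's zone."""
    host = reverse_lookup(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not any(host == d or host.endswith("." + d) for d in GOOGLEBOT_DOMAINS):
        return False
    return ip in forward_lookup(host)

def assess(headers, ip, reverse_lookup, forward_lookup):
    """Findings for one request; an empty list means nothing was flagged."""
    findings = []
    ua = headers.get("user-agent", "")
    if "googlebot" in ua.lower():
        if not verify_googlebot(ip, reverse_lookup, forward_lookup):
            findings.append("claims Googlebot but fails forward-confirmed reverse DNS")
        return findings  # the client-hint check targets browser traffic, not crawlers
    reason = ua_hint_mismatch(headers)
    if reason:
        findings.append(reason)
    return findings

# Constructed DNS records on RFC 5737 documentation addresses (not real data).
CONSTRUCTED_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",  # forward record agrees
    "198.51.100.7": "crawl-192-0-2-11.googlebot.com",  # forged PTR, forward disagrees
    "203.0.113.5": "scraper.example.net",
}
CONSTRUCTED_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl-192-0-2-11.googlebot.com": ["192.0.2.11"],
    "scraper.example.net": ["203.0.113.5"],
}
def fake_reverse(ip):
    return CONSTRUCTED_PTR.get(ip)
def fake_forward(host):
    return CONSTRUCTED_A.get(host, [])

# Constructed sample headers.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
CHROME_HINT = '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"'
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    samples = [
        ({"user-agent": CHROME_UA, "sec-ch-ua": CHROME_HINT}, "203.0.113.5"),
        ({"user-agent": CHROME_UA}, "203.0.113.5"),  # a Chrome UA with no hints
        ({"user-agent": GOOGLEBOT_UA}, "192.0.2.10"),
        ({"user-agent": GOOGLEBOT_UA}, "198.51.100.7"),
    ]
    for headers, ip in samples:
        print(ip, assess(headers, ip, fake_reverse, fake_forward) or "ok")
```

Neither check is proof on its own: a hint mismatch only says the client is not the browser it claims to be, and a failed reverse-DNS check only says the request is not Google's crawler. Both are inputs to the combined scoring (TLS fingerprint, JavaScript challenge, behaviour) the definition describes, which is why `assess` returns findings rather than a block decision.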
● Related terms
- Headless Browser (appsec № 468)
  A web browser that runs without a graphical user interface and is driven programmatically, commonly used for testing, scraping, and security automation.
- Credential Stuffing (attacks № 232)
  An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- robots.txt (appsec № 942)
  A text file served at the site root that tells well-behaved web crawlers which paths they may or may not fetch, formalized in IETF RFC 9309.