User-Agent Parser
Paste any User-Agent string and see what it really tells a server: browser, engine, OS, device, and the scraper tells anti-bot systems look for. Free, runs entirely in your browser, no data leaves this page.
Scraper detection signals
What an anti-bot system would notice about this UA on its own. These checks look at the string only, real fingerprinting also inspects TLS, HTTP/2, headers, and JavaScript.
- CleanNo obvious scraper tells
This UA looks like a real browser. That alone is not enough, anti-bot systems also check TLS/JA3, HTTP/2 fingerprint, headers order, and JS execution.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36How this tool works
The structural parse (browser, engine, OS, device, CPU) uses the open-source UAParser.js library, the same parser shipped in millions of production sites. The scraper-detection layer is our own: a curated set of regex checks for tokens that anti-bot vendors flag, HeadlessChrome, python-requests, curl, wget, Selenium, and bot keywords, plus structural heuristics like missing Mozilla prefix or unusual length.
Everything runs client-side. We do not log User-Agent strings you paste, and the parser never makes a network request with your input.
Frequently asked questions
What is a User-Agent string?
The User-Agent (UA) is an HTTP header browsers and HTTP clients send with every request. It advertises the client's product name, version, rendering engine, operating system, and sometimes the device. Servers use it to pick markup variants, deliver mobile vs desktop assets, and increasingly to flag automated traffic.
Why does my User-Agent start with 'Mozilla/5.0'?
Historical compatibility. In the 1990s servers checked for 'Mozilla' to send the fancier HTML branch, so every competing browser (IE, Safari, Chrome, Firefox) adopted the same prefix to receive that markup. The convention stuck, today every desktop and mobile browser still leads with Mozilla/5.0.
Can a server trust the User-Agent?
No. The UA is a plain header that any client can set to any value. Treat it as a hint, not an identity claim. Modern anti-bot stacks combine it with TLS/JA3, HTTP/2 frame ordering, header casing, JavaScript fingerprints, and behavioural signals, all things that are much harder to spoof than the UA string.
Why is my scraper blocked even with a real Chrome User-Agent?
A spoofed UA only fixes the first layer. If you are using requests/httpx, your TLS handshake still looks like Python. If you are using Selenium or Playwright with defaults, navigator.webdriver is true, the Chrome version in your UA may not match the binary, and your TLS/JA3 says 'automation framework'. Anti-bot vendors cross-check all of these.
What does 'HeadlessChrome' mean in a User-Agent?
Chrome's headless mode appends 'HeadlessChrome' to the UA by default. It is one of the easiest tells in the entire anti-bot industry, every commercial WAF blocks it. If you are running headless Chrome for scraping you should override the UA and use the new --headless=new flag, or run in headful mode with xvfb.
Should I rotate User-Agents?
Yes, but carefully. Random UA rotation per request is itself a fingerprint: real users keep the same UA for the lifetime of a browser session. Rotate per session, not per request, and make sure the UA is internally consistent: the Chrome version, OS, and Sec-CH-UA client hints must all match.
What are Client Hints and how do they relate to the UA?
Sec-CH-UA headers are Google's UA Reduction replacement. Chromium browsers freeze the UA string and move detailed info (full version, platform, architecture, model) into Sec-CH-UA-* headers that are sent selectively. If you spoof the UA but forget the matching client hints, your request is trivially inconsistent.
Where can I get a list of realistic User-Agent strings?
Use the actual UA from a recently updated Chrome, Firefox, or Safari install, then keep it pinned for the session. Public lists exist (useragentstring.com, browser-fingerprint.com) but they go stale fast. Better: scrape your own UA from a real browser monthly and keep your pool fresh.
Related reading on Scraping Central
- How sites detect headless browsers: why a spoofed UA is not enough.
- Browser fingerprinting at scale: the layers beyond the User-Agent header.
- TLS and HTTP/2 fingerprinting: the signals that survive any UA rotation.
- Browser Fingerprint Check: full fingerprint audit for a real browser session.