{ "id": "a6bcaa9d-6c18-491e-a366-a55f6fb110db", "created_at": "2026-04-06T00:22:08.959147Z", "updated_at": "2026-04-10T03:36:48.025817Z", "deleted_at": null, "sha1_hash": "5a526be1ae1a9a762f88f47dede3e89620359648", "title": "User-Agent header - HTTP | MDN", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 92084, "plain_text": "User-Agent header - HTTP | MDN\r\nPublished: 2025-10-28 ยท Archived: 2026-04-05 17:50:47 UTC\r\nSyntax\r\nCommon format for web browsers:\r\nDirectives\r\n\u003cproduct\u003e\r\nA product identifier โ€” its name or development codename.\r\n\u003cproduct-version\u003e\r\nVersion number of the product.\r\n\u003ccomment\u003e\r\nZero or more comments containing more details. For example, sub-product information.\r\nUser-Agent reduction\r\nThe information exposed in the User-Agent header has historically raised privacy concerns โ€” it can be used to\r\nidentify a particular user agent, and can therefore be used for fingerprinting. To mitigate such concerns, supporting\r\nbrowsers provide a reduced set of information in their User-Agent header, and in related API features such as\r\nNavigator.userAgent , Navigator.appVersion , and Navigator.platform .\r\nFor example, whereas previously the User-Agent string for Chrome running on Android might have looked like\r\nthis:\r\nMozilla/5.0 (Linux; Android 16; Pixel 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.12.45 Mo\r\nAfter the User-Agent reduction update, it now looks like this:\r\nMozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Mobile Saf\r\nThe platform version is always a fixed value, in this case, Android 10 .\r\nThe device model is always a fixed value, in this case, K .\r\nThe Chrome major version number shows correctly, but the minor version numbers are always shown as\r\nzeros โ€” 0.0.0 .\r\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent\r\nPage 1 of 5\n\nServers that need more information can request it via User-Agent client hints. After the initial connection, the\r\nserver can send an Accept-CH response header detailing the data items they want, and the client can then send\r\nthe data back via Sec-CH-UA-* headers. This information can also be accessed via the User-Agent Client Hints\r\nAPI.\r\nFor more detailed information, including a guide to retrieving more information as required, see User-Agent\r\nreduction. You can also find examples of reduced User-Agent strings in the following sections.\r\nFirefox UA string\r\nFor more on Firefox- and Gecko-based user agent strings, see the Firefox user agent string reference. The UA\r\nstring of Firefox is broken down into 4 components:\r\nMozilla/5.0 (platform; rv:gecko-version) Gecko/gecko-trail Firefox/firefox-version\r\n1. Mozilla/5.0 is the general token that says that the browser is Mozilla-compatible. For historical reasons,\r\nalmost every browser today sends it.\r\n2. platform describes the native platform that the browser is running on (Windows, Mac, Linux, Android,\r\netc.) and if it is a mobile phone. Note that platform can consist of multiple ; -separated tokens. See below\r\nfor further details and examples.\r\n3. rv:gecko-version indicates the release version of Gecko (such as \"17.0\"). In recent browsers, gecko-version is the same as firefox-version.\r\n4. Gecko/gecko-trail indicates that the browser is based on Gecko. (On the desktop, gecko-trail is always the\r\nfixed string 20100101 .)\r\n5. Firefox/firefox-version indicates that the browser is Firefox and provides the version (such as \"17.0\").\r\nDesktop examples:\r\nMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0\r\nMozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0\r\nChrome UA string\r\nThe Chrome (or Chromium/Blink-based engines) user agent string is similar to Firefox's. For compatibility, it adds\r\nstrings like KHTML, like Gecko and Safari . It adds \"CriOS/\u003cversion\u003e\" on iPhone.\r\nDesktop examples:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Saf\r\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent\r\nPage 2 of 5\n\nAndroid phone example:\r\nMozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Mobile Saf\r\nOpera UA string\r\nThe Opera browser is also based on the Blink engine, which is why it almost looks the same as the Chrome UA\r\nstring, but adds \"OPR/\u003cversion\u003e\" on desktop and Android, and \"OPT/\u003cversion\u003e\" on iPhone. For preview\r\nversions, Opera also includes a description of the particular browser edition in parentheses, for example (Edition\r\ndeveloper) .\r\nDesktop examples:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Saf\r\nAndroid phone example:\r\nMozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Mobile Saf\r\nMicrosoft Edge UA string\r\nThe Edge browser is also based on the Blink engine. It adds \"Edg/\u003cversion\u003e\" on desktop platforms,\r\n\"EdgA/\u003cversion\u003e\" on Android, and \"EdgiOS/\u003cversion\u003e\" on iPhone.\r\nDesktop examples:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Saf\r\nAndroid phone example:\r\nMozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Mobile Saf\r\nSafari UA string\r\nSafari is based on the WebKit engine, but its UA string is also similar to the Blink-based browsers. It tends to\r\ninclude a Version/xxx string before the actual engine build version to indicate the browser release version,\r\nwhich unlike Blink-based browsers is different. In the case of iPhone (Mobile) Safari, the string also includes\r\nMobile .\r\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent\r\nPage 3 of 5\n\nNote: At the time of writing, non-Apple iPhone browsers (such as Firefox, Chrome, and Edge) are still based on\r\nWebKit, therefore their UA strings are similar to the Safari UA string.\r\nDesktop example:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0\r\niPhone example:\r\nMozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Versi\r\nPre-user-agent reduction examples\r\nThis section provides some examples of UA strings in earlier browser versions, prior to the introduction of user-agent reduction:\r\nGoogle Chrome:\r\nMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/53\r\nMicrosoft Edge:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124\r\nOpera:\r\nMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/53\r\nOlder, Presto-based Opera releases used a structure like this:\r\nOpera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.2.15 Version/10.00\r\nOpera/9.60 (Windows NT 6.0; U; en) Presto/2.1.1\r\nCrawler and bot UA strings\r\nExamples\r\nMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\nMozilla/5.0 (compatible; YandexAccessibilityBot/3.0; +http://yandex.com/bots)\r\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent\r\nPage 4 of 5\n\nExamples\r\ncurl/7.64.1\r\nPostmanRuntime/7.26.5\r\nSpecifications\r\nSpecification\r\nHTTP Semantics\r\n# field.user-agent\r\nBrowser compatibility\r\nSee also\r\nUser-Agent detection, history and checklist\r\nFirefox user agent string reference\r\nBrowser detection using the user agent\r\nClient hints\r\nSource: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent\r\nhttps://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent" ], "report_names": [ "User-Agent" ], "threat_actors": [ { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "6abcc917-035c-4e9b-a53f-eaee636749c3", "created_at": "2022-10-25T16:07:23.565337Z", "updated_at": "2026-04-10T02:00:04.668393Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Bronze University", "Charcoal Typhoon", "Chromium", "G1006", "Red Dev 10", "Red Scylla" ], "source_name": "ETDA:Earth Lusca", "tools": [ "Agentemis", "AntSword", "BIOPASS", "BIOPASS RAT", "BadPotato", "Behinder", "BleDoor", "Cobalt Strike", "CobaltStrike", "Doraemon", "FRP", "Fast Reverse Proxy", "FunnySwitch", "HUC Port Banner Scanner", "KTLVdoor", "Mimikatz", "NBTscan", "POISONPLUG.SHADOW", "PipeMon", "RbDoor", "RibDoor", "RouterGod", "SAMRID", "ShadowPad Winnti", "SprySOCKS", "WinRAR", "Winnti", "XShellGhost", "cobeacon", "fscan", "lcx", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "d53593c3-2819-4af3-bf16-0c39edc64920", "created_at": "2022-10-27T08:27:13.212301Z", "updated_at": "2026-04-10T02:00:05.272802Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX" ], "source_name": "MITRE:Earth Lusca", "tools": [ "Mimikatz", "PowerSploit", "Tasklist", "certutil", "Cobalt Strike", "Winnti for Linux", "Nltest", "NBTscan", "ShadowPad" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434928, "ts_updated_at": 1775792208, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5a526be1ae1a9a762f88f47dede3e89620359648.pdf", "text": "https://archive.orkl.eu/5a526be1ae1a9a762f88f47dede3e89620359648.txt", "img": "https://archive.orkl.eu/5a526be1ae1a9a762f88f47dede3e89620359648.jpg" } }