Client Hints

Client Hints test — every Sec-CH-UA your browser leaks

Sec-CH-UA Client Hints are the modern replacement for the User-Agent string. They're HTTP request headers — sent on every request your browser makes — that encode your browser brand, platform, OS version, CPU architecture, and bitness. As part of any browser fingerprint test, Client Hints add 4–6 high-quality bits of entropy that JavaScript-side spoofing alone can't hide.

Live test

This card runs only the client hints probe. To run all six fingerprint surfaces at once, use the full browser fingerprint test.

Client Hints (Sec-CH-UA)

measuring…

Modern Chrome sends Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Arch on every request. The JS API exposes high-entropy versions on demand.

What are Client Hints?

Client Hints are a family of HTTP request headers — Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform, plus high-entropy variants like Sec-CH-UA-Platform-Version, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, and Sec-CH-UA-Wow64 — that browsers send to identify themselves more precisely than the old freeform User-Agent string allowed.

The matching JavaScript API is navigator.userAgentData, with getHighEntropyValues() for the more revealing fields. Any anti-fingerprinting effort has to spoof both the JS API and the HTTP headers, otherwise a server-side script detects the mismatch.

How the test works

The test reads navigator.userAgentData.brands, .mobile, and .platform directly, then calls getHighEntropyValues() with all known high-entropy hints to retrieve platformVersion, architecture, bitness, model, fullVersionList, and wow64.

The HTTP-side test would require a server roundtrip — visit browserleaks.com/client-hints for a side-by-side view of HTTP vs JS values. With browser fingerprint shield installed, both sides return the spoofed identity consistently.

How to spoof Client Hints

JavaScript-side spoofing is straightforward — override navigator.userAgentData with a fake object whose getHighEntropyValues returns lies. HTTP-side spoofing is harder because Chrome sends the headers before any extension JS runs. The fix is declarativeNetRequestWithHostAccess, the modern MV3 API that lets an extension rewrite outgoing request headers — including User-Agent and every Sec-CH-UA-* header.

Browser Leaks Fingerprint Shield's Pro tier rewrites both sides in lockstep: the JS userAgentData object and the HTTP Sec-CH-UA-* headers report the same spoofed Chrome 143 macOS / Windows / Linux identity, with explicit excludes for captcha providers (challenges.cloudflare.com, recaptcha, hCaptcha) so verification widgets still work.

FAQ

Client Hints questions

Are Client Hints sent to every website?

The low-entropy hints (Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform) are sent on every request by default. High-entropy hints (architecture, bitness, model, full version list) are sent only when a server requests them via the Accept-CH response header — but most major trackers do request them.

Why is my Sec-CH-UA-Platform-Version 'unknown' or empty?

On Linux Chrome explicitly sends an empty Sec-CH-UA-Platform-Version because exact kernel versions are too easily fingerprintable. On Windows and macOS the version is sent in full unless an extension rewrites it.

Can I disable Client Hints in Chrome?

There is no first-party UI to disable Client Hints. The Privacy Sandbox includes a "User-Agent Reduction" feature that limits the Sec-CH-UA-Full-Version-List to a coarse value, but full Client Hints control requires a browser extension.

What's the difference between User-Agent and Client Hints?

User-Agent is one freeform string that's been sent for 25 years. Client Hints are structured per-axis headers (brand vs platform vs arch) that are easier for servers to parse and harder for browsers to lie about — which is exactly why they're a better tracker signal.

Run the full browser fingerprint test.

See your composite hash across all six surfaces — canvas, WebGL, audio, WebRTC, Client Hints, and User-Agent — in one click.

Open the browser fingerprint test →