User Agent Parser

User Agent Parser

Parse and analyze browser User-Agent strings. Detect browser, OS, device type from UA. Free online User-Agent decoder and analyzer

A typical 2026 User-Agent string is around 100 characters of mostly-lies: every browser pretends to be every other browser, and Chrome's UA still says "Mozilla/5.0 (like Gecko)" three decades after Netscape Communications shipped. This parser extracts the actual browser, version, OS, device class, and rendering engine — and tells you when the UA itself is suspect (headless browsers, ancient legacy clients, deliberate spoofers).

Why User-Agent strings are absurd

The "Mozilla/5.0" prefix on every modern browser dates to the late 1990s — sites checked UA for "Mozilla" to send the modern HTML version instead of basic markup. Every competing browser learned to claim Mozilla compatibility. Then sites checked for specific Mozilla products, so browsers claimed those too. Chrome's UA today says it is Mozilla, like Gecko, like Safari, AND Chrome. None of those are individually true; the cascading claims are a historical fossil.

Browsers have been moving away from UA. Chrome ships User-Agent Client Hints (UA-CH) — a structured header set replacing the freeform UA. UA-CH provides Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform with explicit fields. Parse those instead when the client supports them; fall back to UA parsing otherwise.

Working example

Input

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Output

Browser:        Chrome 124
Engine:         Blink (537.36)
OS:             macOS 10.15.7 (Catalina-reported, likely newer; Apple freezes major in UA at 10.15.7 to reduce fingerprinting)
Device:         Desktop
Mobile:         No
Bot:            No

Notes:
  - "Intel Mac" is reported even on Apple Silicon Macs (M1/M2/M3) because the
    browser runs in Rosetta-compatible mode for UA reporting. Use
    navigator.userAgentData.platform for accurate platform.
  - macOS version is frozen at 10.15.7 by Apple deliberately (anti-fingerprinting).
  - Chrome 124 → likely actual major version, but Chrome ships UA-CH headers with
    finer-grained version info if you ask for them.

The "Intel Mac" and "10.15.7" frozen values are real privacy mitigations. Same with Safari on iOS — every iPhone reports the same iOS major version per UA. Real version comes through other channels (Apple's Privacy Report, server-side feature negotiation, UA-CH).

What the parser can extract

  • Browser family — Chrome, Firefox, Safari, Edge, Opera, Brave, Vivaldi, Samsung Internet, etc. ~30 distinct families in active use 2026.
  • Version — major.minor.patch. Most modern browsers report only major; minor/patch typically zeroed for fingerprint reduction.
  • Engine — Blink (Chrome/Edge/Opera), Gecko (Firefox), WebKit (Safari). All three converge on web standards; engine still matters for CSS/JS quirks.
  • OS family and version — Windows, macOS, Linux, iOS, Android, Chrome OS. Version reporting varies in granularity.
  • Device class — desktop, mobile, tablet, console (PS5, Xbox), TV. Inferred from UA hints and screen-size signals where available.
  • Bot detection — Googlebot, Bingbot, Slackbot, social-preview crawlers (Facebookexternalhit, Twitterbot), and known scrapers. Bots that try to look like Chrome require behavioral signals, not UA inspection.

When UA-based logic is appropriate

  • Analytics — segmenting users by browser/OS for reporting is fine. The UA is approximate; analytics tolerate noise.
  • Bot vs human detection — partial. Many bots send legitimate UAs; many humans send unusual UAs. Pair UA with CAPTCHA or behavior.
  • Logging and debugging — recording UA helps reproduce client-side bugs ("only happens on iOS Safari 17 in private mode").
  • Compatibility shimming — for known-broken-on-X behavior, UA branching can be appropriate. Prefer feature detection (`if ("flexbox" in style)`) where possible.

When UA-based logic is wrong

  • Feature detection — never use UA to decide "can the browser do X". Use `typeof X === "function"` or `"X" in object`. Browsers misreport, users spoof, and UA is brittle.
  • Security decisions — UA can be set to anything by curl or any HTTP client. Authentication, rate limiting, abuse prevention should not depend on UA matching any pattern.
  • Mobile detection for layout — use CSS media queries (`@media (max-width: 768px)`) or container queries. UA-based mobile detection misses tablets in landscape, foldables, large phones, small laptops.
  • Cookie / consent gates — UA spoofing trivially bypasses. Use behavioral and IP-based signals where stakes are high.

When to reach for this tool

  • You are reading server logs and want to know what kind of client generated a specific request.
  • You are debugging "this user-agent breaks our flow" — paste the UA, see what it parses as, decide whether it is a real client or a bot.
  • You are auditing what UA strings your site receives and want to bucket them by browser/OS/version for compatibility decisions.
  • You are testing your analytics or bot-detection logic with sample UAs and want to verify each parses correctly.

What this tool will not do

  • It will not detect spoofed UAs. A curl request with `--user-agent "Chrome/124"` parses as Chrome 124 — there is no signal in the UA itself that says "fake". Behavioral fingerprinting (TLS fingerprint, header order, timing) detects spoofers; UA parsing alone cannot.
  • It will not perfectly identify every bot. Hundreds of crawlers and scrapers exist; new ones daily. Coverage is "most common" not "all".
  • It will not parse UA-CH. The structured Client Hints headers (Sec-CH-UA, Sec-CH-UA-Platform) are the new standard and require separate parsing logic from your server-side code.

Frequently asked questions

Why does Edge's UA say "Chrome"?

Edge has been Chromium-based since 2020. The UA includes both Edg/<version> and Chrome/<version> tokens — Edge identifies itself but also says "I am Chromium underneath". Older Edge (EdgeHTML, pre-2020) had a different UA entirely.

Should I rely on User-Agent for SEO bot detection?

Partially. Googlebot, Bingbot, and other major crawlers send identifiable UAs. But UA can be spoofed — to confirm a request is really from Google, reverse-DNS the IP and check it resolves to a *.googlebot.com or *.google.com domain. Google publishes the procedure officially.

What is User-Agent Client Hints?

A modern replacement for the UA string. Instead of one freeform header, the browser sends structured Sec-CH-UA-* headers. Some are sent by default (Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform); finer-grained ones (version, model, bitness) require the server to opt in via Accept-CH response header.

Why is the macOS version always "10.15.7"?

Apple started freezing macOS major version in the UA in Safari 14 (2020) to reduce fingerprinting. Newer Safari may report "10.15.7" even on macOS 14 Sonoma. Same pattern for iOS — version is coarsened. This is intentional; do not rely on UA for the real OS version.

How accurate is "device type" detection?

Phone vs tablet vs desktop is approximately right but imperfect. iPad on iPadOS 13+ reports as macOS (intentional, makes desktop sites render). Large Android phones are reported as Mobile but have tablet-class screens. For layout, use viewport size; for content, ignore the device class — your site should work on any.

Are there privacy issues with reading UA?

UA is one component of browser fingerprinting. Combined with screen size, timezone, fonts, and Canvas/WebGL signatures, it can identify a user across sessions even without cookies. Tracker scripts use exactly this combination. As a publisher, log UA for debugging but consider whether you really need it for analytics — most use cases are served by general categories without fine-grained version data.

Related tools

CORS Debugger

Debug CORS issues, analyze headers, generate server configurations. Support for Express, Nginx, Apache, Django, Flask, Spring Boot. Learn CORS concepts. Free online CORS tester

HTTP Status Codes Reference

Complete list of HTTP status codes with descriptions and examples. Learn 200, 301, 404, 500 error codes. Free HTTP response code reference guide

What's My IP

Find your public IP address with geolocation, ISP, timezone info. Check IPv4/IPv6 address, hostname, browser details. Free online IP lookup tool

API Response Mocker

Generate mock API responses with fake JSON data. Create realistic REST API test data. Free mock server response generator for developers

Published · Updated · E-Utils editorial team