For as long as privacy and device detection have been concerns, User-Agent HTTP headers have been used to detect browser and device information. In addition, with the continuously growing demand for new features, the header size has increased notably. This has also affected users’ privacy, since such data is sent to the web server by default.
Recently, Google introduced User-Agent Client Hints with both privacy preservation and device detection in view. The User-Agent header is a characteristic string that allows servers and network peers to identify the application, operating system, vendor or version of the requesting user agent. The motive behind expanding it is not to replace the User-Agent string but to reduce tracking activities. Originally, the User-Agent header only accommodated the user’s browser version and operating system, such as Android or iOS. But as requirements grew, new browser versions supported attributes like architecture and information about the device as well.
User-Agent Client Hints are introduced as a substitute for the User-Agent string, permitting access to the same data while protecting the user’s privacy. Thus, we can say User-Agent Client Hints are not a replacement for the User-Agent header but an extension to it.
How do User-Agent Client Hints transmit only the relevant information between the browser and the server?
User-Agent Client Hints take _3 steps to transfer the relevant information between the browser and the server._
STEP 1: First, the client / browser dispatches a request to the server without any hints. This is the primary page load request or navigation.
STEP 2: Second, the server responds with a request for the data it needs about the client. This response includes an Accept-CH header, which lets the client know what the server actually needs.
STEP 3: Once the client obtains the response from the server, it decides what needs to be conveyed, grants access to the relevant data, and sends it back in upcoming requests.
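The three steps above, seen from the server side, as an added example (not code from the original article). Accept-CH and the Sec-CH-UA-* names are the standard header names; the set of hints requested, the sample requests and the function names are assumptions made for illustration.

```javascript
// Hints this illustrative site asks for (assumption; pick only what you need).
const WANTED = ['Sec-CH-UA-Platform-Version', 'Sec-CH-UA-Model'];

// Sec-CH-UA is a list such as: "Chromium";v="124", "Not-A.Brand";v="99"
function parseBrands(value) {
  const out = [];
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  for (const m of (value || '').matchAll(re)) {
    out.push({ brand: m[1].replace(/\\(.)/g, '$1'), version: m[2] });
  }
  return out;
}

// Strip the surrounding quotes of a string-valued hint; null if absent or malformed.
function unquote(value) {
  const m = /^"((?:[^"\\]|\\.)*)"$/.exec((value || '').trim());
  return m ? m[1].replace(/\\(.)/g, '$1') : null;
}

// Server view of one request: what to ask for (step 2) and what the client
// chose to send (nothing in step 1, the requested hints in step 3).
function handle(requestHeaders, isHttps) {
  const h = {};
  for (const [k, v] of Object.entries(requestHeaders)) h[k.toLowerCase()] = v;
  // Over plaintext HTTP: do not ask, and ignore anything that claims to be a hint.
  if (!isHttps) return { responseHeaders: {}, hints: null };
  const responseHeaders = {
    'Accept-CH': WANTED.join(', '),
    Vary: WANTED.join(', '), // the response depends on the hints, so caches must key on them
  };
  const hints = {
    brands: parseBrands(h['sec-ch-ua']),
    mobile: h['sec-ch-ua-mobile'] === '?1',
    platform: unquote(h['sec-ch-ua-platform']),
    platformVersion: unquote(h['sec-ch-ua-platform-version']),
    model: unquote(h['sec-ch-ua-model']),
  };
  // Hints are client-supplied: use them to adapt content, not for access decisions.
  return { responseHeaders, hints };
}

// Constructed sample requests: step 1 (no hints) and step 3 (hints granted).
const first = { Host: 'example.test' };
const later = {
  Host: 'example.test',
  'Sec-CH-UA': '"Chromium";v="124", "Not-A.Brand";v="99"',
  'Sec-CH-UA-Mobile': '?1',
  'Sec-CH-UA-Platform': '"Android"',
  'Sec-CH-UA-Platform-Version': '"14.0.0"',
  'Sec-CH-UA-Model': '"Pixel 8"',
};
```

Calling handle(first, true) returns the Accept-CH response header with empty hints, and handle(later, true) returns the parsed values the client agreed to send.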
_Security and Privacy considerations taken into account while introducing User-Agent Client Hints_
Secure Transport
With Client Hints, the information will not be delivered to non-secure endpoints. This means that user agent information will not be exposed over plaintext channels, minimizing the opportunity for network attackers to build a profile of a given agent’s behavior over the course of time.
Fingerprinting
Because the information is not leaked to non-secure endpoints, the entropy available to the network for passive fingerprinting is minimized. This way, attackers observing the network would not learn from these headers the operating system, hardware devices, or network protocols the client is using.
Delegation
Client Hints will be delegated from top-level pages via Permissions Policy. This minimizes the probability that user agent information will be delivered along with subresource requests.
User-Agent Client Hints are still under development, and most business organizations are looking forward to them as a way to take their own privacy, and most importantly their customers’ privacy, to a whole new level.