BadB
Understanding Client Hints as the New Fingerprinting Standard and Why UA Forgery No Longer Works
Introduction: The End of an Era of Lines
You carefully spoof the User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
You're sure: "Now I look like a real user".
But you're instantly blocked.
The reason? The User-Agent is dead.
Modern websites no longer rely on this string. Instead, they use Client Hints — a set of HTTP headers automatically sent by the browser that reveal your OS, architecture, device model, and even the bitness of your processor.
In this article, we'll look at how Client Hints work, why spoofing the UA is useless, and how to properly set up a new identifier.
Part 1: Why User-Agent Died
History of the Fall
- 2010–2020: User-Agent was the primary source of browser and OS data,
- 2021: Google announced User-Agent restrictions in Chrome,
- 2023: Chrome froze the OS version in UA by default (always shows Windows 10),
- 2025: Most fraud engines ignore UA as an unreliable signal.
The truth:
User-Agent is just shadow theater these days. The real data is in Client Hints.
Part 2: What are Client Hints?
Technical definition
Client Hints are a set of HTTP headers that the browser automatically sends to the server with each request. They include:
| Header | Reveals |
|---|---|
| Sec-CH-UA | Browser name and version |
| Sec-CH-UA-Mobile | Mobile device (true/false) |
| Sec-CH-UA-Platform | Operating system |
| Sec-CH-UA-Arch | CPU architecture (x86, arm64) |
| Sec-CH-UA-Model | Device model (iPhone 14, Pixel 7) |
| Accept-Language | Language and region (en-US, ru-RU) |
Example request:
Code:
Sec-CH-UA: "Chromium";v="125", "Google Chrome";v="125"
Sec-CH-UA-Mobile: ?0
Sec-CH-UA-Platform: "Windows"
Sec-CH-UA-Arch: "x86"
Accept-Language: en-US,en;q=0.9
These headers cannot be forged via JavaScript - they are generated at the browser level.
Part 3: Why UA Fake No Longer Works
Three reasons
1. Inconsistency with Client Hints
- You spoofed UA as Chrome 125 + Windows 10,
- But Client Hints show:
- Sec-CH-UA-Platform: "Linux",
- Sec-CH-UA-Arch: "arm64".
- The system sees: “Fake” → fraud score = 95+
2. Lack of dynamics
- A real UA changes with browser updates,
- The fake UA remains static → anomaly.
3. Ignoring Accept-Language
- UA does not contain information about language and region,
- But Accept-Language: en-US + IP from Germany → geo-mismatch.
Field data (2026):
Profiles with inconsistent UA and Client Hints have a fraud score of 90+, even with a perfect IP.
Part 4: How Fraud Engines Use Client Hints
Analysis example (Cloudflare, Forter)
Scenario 1: Real User
- Sec-CH-UA-Platform: "Windows",
- Sec-CH-UA-Arch: "x86",
- Accept-Language: en-US,
- IP: USA → Trust Score = 85/100
Scenario 2: Fake Profile
- UA: Windows NT 10.0,
- Sec-CH-UA-Platform: "Linux",
- Accept-Language: ru-RU,
- IP: USA → Fraud Score = 95/100
The key difference:
Client Hints don't lie. UA is easy to fake.
Part 5: How to Check Your Client Hints
Step 1: Use test sites
- https://client-hints.glitch.me — shows all headers,
- https://amiunique.org - analyzes consistency.
Step 2: Analysis via DevTools
- Open the Network tab in DevTools,
- Refresh the page,
- Find any request → Headers tab,
- Check the Request Headers section for Sec-CH-UA*.
Rule:
If Sec-CH-UA-Platform ≠ declared OS → you have already been given away.
Part 6: How to Properly Configure Client Hints
In Dolphin Anty / Linken Sphere
| Parameter | Recommended value | Why |
|---|---|---|
| Sec-CH-UA-Platform | Windows | Complies with bare metal RDP |
| Sec-CH-UA-Arch | x86 | Intel CPUs — 70% of the market |
| Accept-Language | en-US | Complies with US IP |
| Sec-CH-UA-Mobile | ?0 | Desktop mode |
Pro Tip:
Enable "Client Hints Consistency" in Dolphin Anty - it will automatically match all headers to the OS and language.
Part 7: Why Most Carders Fail
Common Mistakes
| Error | Consequence |
|---|---|
| Fake only UA | Client Hints reveal the real OS → anomaly |
| Ignoring Accept-Language | Language ≠ IP region → geo-mismatch |
| Static UA | No updates → "bot" flag |
Field data (2026):
85% of failures are due to inconsistent Client Hints.
Part 8: Practical Guide - Secure Profile
Step 1: Set up RDP
- Install Windows 10 Pro on bare metal (Hetzner AX41),
- Make sure your system language is en-US.
Step 2: Configure your browser
- Use official Chrome 125,
- In Dolphin Anty:
- Platform: Windows,
- Arch: x86,
- Language: en-US.
Step 3: Check for consistency
- Go to client-hints.glitch.me
- Make sure that:
- All headers correspond to Windows + en-US.
Result:
Your profile will match 68% of real users → low fraud score.
Conclusion: Truth in the Headlines
User-Agent is the past.
Client Hints are the present and future of fingerprinting.
Final thought:
True camouflage isn't about spoofing a single string, but about ensuring all signals are consistent.
Because in Cloudflare's world, headers don't lie.
Stay precise. Stay consistent.
And remember: in the world of security, even Accept-Language can give you away.
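The server-side consistency check described in Parts 3 and 4, as an added example that is not part of the original post and not any vendor's actual scoring logic. The function name `check_consistency` and the `ip_country` parameter are hypothetical. Chromium sends only Sec-CH-UA, Sec-CH-UA-Mobile and Sec-CH-UA-Platform by default, while Sec-CH-UA-Arch and Sec-CH-UA-Model arrive only after the server opts in with `Accept-CH`, so the sketch compares the default hints and Accept-Language.

```python
import re

# User-Agent token -> value Chromium reports in Sec-CH-UA-Platform.
# "Android" is listed before "Linux" because Android UAs also contain "Linux".
UA_PLATFORMS = [("Windows NT", "Windows"), ("Android", "Android"),
                ("Mac OS X", "macOS"), ("CrOS", "Chrome OS"), ("Linux", "Linux")]

def check_consistency(headers, ip_country=None):
    """Return mismatch findings; ip_country (assumed) is an ISO alpha-2 code from the caller's GeoIP."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ua = h.get("user-agent", "")
    findings = []

    # 1. OS claimed in the UA string vs. Sec-CH-UA-Platform.
    ua_os = next((name for tok, name in UA_PLATFORMS if tok in ua), None)
    ch_os = h.get("sec-ch-ua-platform", "").strip('"') or None
    if ua_os and ch_os and ua_os != ch_os:
        findings.append(f"platform mismatch: UA={ua_os} CH={ch_os}")

    # 2. Chrome major version in the UA vs. the "Chromium" brand in Sec-CH-UA.
    ua_major = re.search(r"Chrome/(\d+)", ua)
    brands = dict(re.findall(r'"([^"]+)";\s*v="(\d+)"', h.get("sec-ch-ua", "")))
    if ua_major and "Chromium" in brands and brands["Chromium"] != ua_major.group(1):
        findings.append(f"version mismatch: UA={ua_major.group(1)} CH={brands['Chromium']}")

    # 3. Mobile flag (?1 / ?0) vs. the "Mobile" token in the UA.
    if "sec-ch-ua-mobile" in h and (h["sec-ch-ua-mobile"] == "?1") != ("Mobile" in ua):
        findings.append("mobile flag mismatch")

    # 4. Region of the preferred language vs. GeoIP country. Weak signal on its
    #    own: travellers and expatriates trigger it legitimately.
    lang = re.match(r"[A-Za-z]{2,3}-([A-Za-z]{2})\b", h.get("accept-language", ""))
    if ip_country and lang and lang.group(1).upper() != ip_country.upper():
        findings.append(f"geo mismatch: lang={lang.group(1).upper()} ip={ip_country.upper()}")
    return findings

# Constructed requests modelled on Scenario 1 and Scenario 2 above.
UA_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36")
REAL = {"User-Agent": UA_WIN, "Sec-CH-UA": '"Chromium";v="125", "Google Chrome";v="125"',
        "Sec-CH-UA-Mobile": "?0", "Sec-CH-UA-Platform": '"Windows"',
        "Accept-Language": "en-US,en;q=0.9"}
FAKE = dict(REAL, **{"Sec-CH-UA-Platform": '"Linux"', "Accept-Language": "ru-RU,ru;q=0.9"})

if __name__ == "__main__":
    print(check_consistency(REAL, "US"))
    print(check_consistency(FAKE, "US"))
```

In production the findings would feed a weighted score alongside other signals rather than block on their own, since the language check in particular has legitimate false positives.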
