What Your HTTP Request Headers Reveal
2026-06-18
Fingerprints are computed by the page; HTTP request headers are sent voluntarily by your browser on every request. They are the most basic — and most overlooked — exposure surface.
What common headers contain
- User-Agent: your OS, browser, and version.
- Accept-Language: your preferred languages (e.g. zh-CN, en), hinting at region.
- Accept / Accept-Encoding: supported content types and compression.
- Sec-CH-UA (client hints): more structured browser/platform info, gradually replacing the UA string.
- Referer: which page you came from.
- DNT / Sec-GPC: whether you send a "do not track" signal.
What they add up to
Combine UA + language + client hints and a site roughly knows your system, browser, and language region. Together with your IP and fingerprint, the profile gets more complete.
Can you hide them?
You cannot remove headers entirely — servers need some to serve content correctly. What you can do is avoid looking abnormal: spoofing a UA that contradicts your real environment (claiming to be an iPhone while exposing Windows fonts) is more suspicious, not less. Consistent and ordinary is the quiet path.
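To make the last two sections concrete, here is an added example (not code from this site) that builds the rough profile a server can read from one request and flags headers that contradict each other. The sample requests are constructed, the function names are hypothetical, and the contradiction shown is a spoofed iPhone UA against an unchanged Sec-CH-UA-Platform hint rather than fonts, since fonts are not a header.

```python
import re

# Constructed sample requests (not captured traffic); header names lower-cased.
CONSISTENT = {
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
    "accept-language": "zh-CN,zh;q=0.9,en;q=0.8",
    "sec-ch-ua-platform": '"Windows"',
    "sec-ch-ua-mobile": "?0",
    "sec-gpc": "1",
}
# Same browser, but only the UA string was swapped for an iPhone one.
SPOOFED = {**CONSISTENT, "user-agent":
           "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) "
           "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 "
           "Mobile/15E148 Safari/604.1"}

# Order matters: iPhone UAs contain "like Mac OS X", Android UAs contain "Linux".
UA_OS = [("iPhone", "iOS"), ("iPad", "iOS"), ("Android", "Android"),
         ("Windows NT", "Windows"), ("Mac OS X", "macOS"), ("Linux", "Linux")]

def ua_os(ua):
    """Return the OS family named in a User-Agent string, or None."""
    return next((name for token, name in UA_OS if token in ua), None)

def languages(value):
    """Parse Accept-Language into tags ordered by q-value (default q=1)."""
    items = []
    for part in filter(None, (p.strip() for p in value.split(","))):
        tag, _, params = part.partition(";")
        m = re.search(r"q=([01](?:\.\d{1,3})?)", params)
        items.append((float(m.group(1)) if m else 1.0, tag.strip()))
    return [tag for _, tag in sorted(items, key=lambda i: -i[0])]

def profile(headers):
    """Summarise what one request reveals and list self-contradictions."""
    ua = headers.get("user-agent", "")
    hint = headers.get("sec-ch-ua-platform", "").strip('"') or None
    mobile = headers.get("sec-ch-ua-mobile")
    os_name, issues = ua_os(ua), []
    if hint and os_name and hint != os_name:
        issues.append(f"UA says {os_name}, client hint says {hint}")
    if mobile in ("?0", "?1") and (mobile == "?1") != ("Mobile" in ua):
        issues.append("UA and Sec-CH-UA-Mobile disagree on mobile")
    return {"os": os_name, "platform_hint": hint,
            "languages": languages(headers.get("accept-language", "")),
            "gpc": headers.get("sec-gpc") == "1", "issues": issues}
```

Calling `profile(CONSISTENT)` yields an ordinary Windows profile with no issues, while `profile(SPOOFED)` reports two contradictions, which is exactly what makes the spoofed request stand out.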
How to check
Our home page echoes your key request headers, so you can see exactly what you send on each request.