Automatic request headers
Cloudflare automatically attaches headers to every request made through Browser Rendering. These headers make it easy for destination servers to identify that these requests came from Cloudflare.
The default User-Agent depends on how you access Browser Rendering:
| Method | Default User-Agent |
|---|---|
| REST API | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 |
| Crawl endpoint | CloudflareBrowserRenderingCrawler/1.0 |
| Workers Bindings | The default User-Agent of the underlying Chrome version |
Unlike the headers listed below, the User-Agent can be customized using the userAgent parameter in your REST API request or in your Workers Bindings configuration. Because the User-Agent is configurable, destination servers should use the headers below to identify Browser Rendering requests rather than relying on the User-Agent string.
| Header | Description |
|---|---|
cf-brapi-request-id | A unique identifier for the Browser Rendering request when using the REST API |
cf-brapi-devtools | A unique identifier for the Browser Rendering request when using Workers Bindings |
cf-biso-devtools | A flag indicating the request originated from Cloudflare's rendering infrastructure |
Signature-agent | The location of the bot public keys ↗, used to sign the request and verify it came from Cloudflare |
Signature and Signature-input | A digital signature, used to validate requests, as shown in this architecture document ↗ |
The Signature headers use an authentication method called Web Bot Auth. Web Bot Auth leverages cryptographic signatures in HTTP messages to verify that a request comes from an automated bot. To verify a request originated from Cloudflare Browser Rendering, use the keys found on this directory ↗ to verify the Signature and Signature-Input found in the headers from the incoming request. A successful verification proves that the request originated from Cloudflare Browser Rendering and has not been tampered with in transit.
The bot detection ID for Browser Rendering is 128292352. If you are attempting to scan your own zone and want Browser Rendering to access your website freely without your bot protection configuration interfering, you can create a WAF skip rule to allowlist Browser Rendering.