Automatic request headers

Cloudflare automatically attaches headers to every request made through Browser Rendering. These headers make it easy for destination servers to identify that these requests came from Cloudflare.

User-Agent

The default User-Agent depends on how you access Browser Rendering:

Method	Default User-Agent	Customizable
REST API	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36	Yes, using the userAgent parameter
Crawl endpoint	CloudflareBrowserRenderingCrawler/1.0	No
Workers Bindings	The default User-Agent of the underlying Chrome version	Yes, via Puppeteer/Playwright configuration

Note

Because the User-Agent is configurable for most methods and the Chrome version may change as Browser Rendering updates its underlying browser engine, destination servers should use the non-configurable headers below to identify Browser Rendering requests rather than relying on the User-Agent string.

Non-configurable headers

Note

The following headers are meant to ensure transparency and cannot be removed or overridden (with setExtraHTTPHeaders, for example).

Header	Description
cf-brapi-request-id	A unique identifier for the Browser Rendering request when using the REST API
cf-brapi-devtools	A unique identifier for the Browser Rendering request when using Workers Bindings
cf-biso-devtools	A flag indicating the request originated from Cloudflare's rendering infrastructure
Signature-agent	The location of the bot public keys ↗, used to sign the request and verify it came from Cloudflare
Signature and Signature-input	A digital signature, used to validate requests, as shown in this architecture document ↗

About Web Bot Auth

The Signature headers use an authentication method called Web Bot Auth. Web Bot Auth leverages cryptographic signatures in HTTP messages to verify that a request comes from an automated bot. To verify a request originated from Cloudflare Browser Rendering, use the keys found on this directory ↗ to verify the Signature and Signature-Input found in the headers from the incoming request. A successful verification proves that the request originated from Cloudflare Browser Rendering and has not been tampered with in transit.

Bot detection

Browser Rendering uses different bot detection IDs depending on the method. The REST API (excluding the crawl endpoint) and Workers Bindings share one ID, while the crawl endpoint has its own.

Method	Bot detection ID
REST API and Workers Bindings	119853733
Crawl endpoint	128292352

If you are attempting to scan your own zone and want Browser Rendering to access your website freely without your bot protection configuration interfering, you can create a WAF skip rule to allowlist Browser Rendering.