When it comes to bot and fraud detection, identifying the exact browser being used can be important, especially for privacy-focused browsers like Brave. Tools like Brave implement anti-fingerprinting features (e.g. canvas randomization), which can skew detection results or even cause false positives if misinterpreted. As we discussed here, users of non-mainstream browsers often experience higher friction in security systems.
In this article, we cover two reliable techniques to detect Brave as of June 2025: one via HTTP headers, and another using JavaScript.
1. Detecting Brave via HTTP headers
Although Brave is Chromium-based and uses a standard Chrome user agent string like:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
...it reveals itself in the sec-ch-ua header. For example:
sec-ch-ua: "Chromium";v="136", "Brave";v="136", "Not.A/Brand";v="99"
You can detect Brave by checking for the presence of the Brave substring in this header.
2. Detecting Brave with JavaScript
Two techniques can be used in JavaScript:
a. Using navigator.userAgentData.brands
const isBrave = navigator.userAgentData?.brands?.some(x => x.brand === 'Brave');
This mirrors the HTTP header method but is retrieved from JS via the User-Agent Client Hints API.
b. Using navigator.brave
Brave exposes a navigator.brave object. For more certainty, you can call its .isBrave() method:
const isBrave = typeof navigator.brave !== 'undefined' && await navigator.brave.isBrave();
This is currently one of the most reliable programmatic checks for Brave.
Note: Client hints headers and JavaScript variables can be spoofed or modified by browser extensions (e.g., ModHeader) or by automated tools. In a security context, they should be treated as one signal among many, not as ground truth.
Summary
To detect Brave:
- HTTP headers: Look for
"Brave"in thesec-ch-uavalue. - JavaScript: Use
navigator.userAgentData.brandsor checknavigator.brave.isBrave().
While these techniques are accurate today, it's important to remember that client-side signals, headers and JavaScript variables, can be spoofed. This is especially relevant for privacy-focused browsers like Brave, which aim to reduce fingerprintability and often trigger false positives in detection systems.
Still, detection systems shouldn’t automatically treat Brave as suspicious or, conversely, exempt it entirely. Overcorrecting in either direction can introduce new blind spots. Instead, Brave detection should be used as one signal in a broader context, helping reduce noise or identify anomalies, not as a standalone verdict.
