Author here: I've been in the bot industry/bot detection field for ~ 10 years. I frequently see strong opinion about bot detection on Reddit and HN, in particular why it doesn't make sense for bot detection companies (I won't name who, but you will guess), to treat you so differently based on your user agent, and why it shouldn't matter when it comes to bot detection.
That's why I wrote a blog post about the role of the user agent in bot detection. Of course, everyone knows that the user agent is fragile, that it is one of the first signals spoofed by attackers to bypass basic detection. However, it's still really useful in a bot detection context. Detection engines should treat it a the identity claimed by the end user (potentially an attacker), not as the real identity. It should be used along with other fingerprinting signals to verify if the identity claimed in the user agent is consistent with the JS APIs observed, the canvas fingerprinting values and any types of proof of work/red pill
That's why I wrote a blog post about the role of the user agent in bot detection. Of course, everyone knows that the user agent is fragile, that it is one of the first signals spoofed by attackers to bypass basic detection. However, it's still really useful in a bot detection context. Detection engines should treat it a the identity claimed by the end user (potentially an attacker), not as the real identity. It should be used along with other fingerprinting signals to verify if the identity claimed in the user agent is consistent with the JS APIs observed, the canvas fingerprinting values and any types of proof of work/red pill