Accept-Language HTTP Header and Privacy Concerns

When we browse the internet, our web browsers send various pieces of information to the websites we visit in HTTP headers such as User-Agent and Accept-Language. These headers are important because they help websites provide a better, more personalized browsing experience. For example, the Accept-Language header allows websites to display content in our preferred language.

HTTP headers can improve website usability, but they can also pose privacy issues. Some headers, such as the User-Agent header, can be used to track our browsing activities. Websites can use these headers, along with other tracking technologies, to build a profile of their visitors. This is known as browser fingerprinting, which can be a serious privacy concern.

What is the Accept-Language header?

The Accept-Language header is an HTTP header that our web browsers send to the websites we visit. It contains information about the language preferences we have set in our browser. This header is sent automatically by our browser and can be viewed by websites in the HTTP request headers. Browsers often set this header according to the language preferences set on our device or in the browser itself, our geographical location, or even the device’s time zone.

Here is an example of the Accept-Language header that the Google Chrome browser automatically sends to every website I visit:

Accept-Language: en-US,en-IN;q=0.9,en;q=0.8

It includes en-IN, which is the language code for English (India). This is because I have set English (India) as my preferred language in Chrome settings. You can also set your preferred language(s) in your browser’s settings, and websites will show content in your preferred languages when possible.

Chrome Preferred Languages Settings

Privacy Concerns with Accept-Language

Although the Accept-Language header is useful for websites to display content in our preferred language, it can also be used to track our browsing activities and uniquely identify users. Websites can use this information to guess our location or to build a profile of our browsing habits. Moreover, even if you are using a VPN or proxy, your Accept-Language HTTP header could still hint at your geographical location as most VPNs don’t change this setting.

For example, consider this case. I want to browse a website that is only accessible in Japan. However, since I am in India, the website would block me. Therefore, I would use a VPN service to tunnel through its server in Japan and avoid this geofencing. If the VPN service fails to modify the Accept-Language HTTP header, the website would be able to see my real Accept-Language header containing “en-IN”. Now, they can easily guess that I am from India using a VPN, or at least that I am an Indian currently in Japan.
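To check what your own header gives away in the scenario above, the following added example (not part of the original article) parses an Accept-Language value and lists the region subtags that do not match the country your connection appears to come from. The function names, the exit-country parameter, and the choice to treat US as a generic region are assumptions made for this illustration.

```javascript
// Added illustration: audit what an Accept-Language value reveals.
// All function names here are hypothetical, not from any library.

// Parse a header such as "en-US,en-IN;q=0.9,en;q=0.8" into
// [{tag, q}] sorted by preference (highest q first, ties keep header order).
function parseAcceptLanguage(header) {
  return header
    .split(",")
    .map((part, index) => {
      const [rawTag, ...params] = part.trim().split(";");
      let q = 1.0; // a missing q parameter means weight 1
      for (const p of params) {
        const m = /^\s*q\s*=\s*([0-9.]+)\s*$/i.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { tag: rawTag.trim(), q: Number.isNaN(q) ? 0 : q, index };
    })
    .filter((e) => e.tag !== "" && e.q > 0) // q=0 means "not acceptable"
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map(({ tag, q }) => ({ tag, q }));
}

// Return the region subtag of a language tag ("en-IN" -> "IN",
// "zh-Hant-TW" -> "TW", "es-419" -> "419"), or null if there is none.
function regionOf(tag) {
  for (const s of tag.split("-").slice(1)) {
    if (s.length === 1) break; // extension or private-use section starts
    if (/^[A-Za-z]{2}$/.test(s)) return s.toUpperCase();
    if (/^[0-9]{3}$/.test(s)) return s;
  }
  return null;
}

// Regions in the header that differ from the apparent (VPN exit) country.
// Assumption: regions in genericRegions (en-US by default) are too common
// to be identifying, matching the article's "generic value" of en-US.
function revealedRegions(header, exitCountry, genericRegions = ["US"]) {
  const regions = parseAcceptLanguage(header)
    .map((e) => regionOf(e.tag))
    .filter((r) => r !== null);
  return [...new Set(regions)].filter(
    (r) => r !== exitCountry.toUpperCase() && !genericRegions.includes(r)
  );
}

// Constructed sample: the header from the article, VPN exit in Japan.
const sample = "en-US,en-IN;q=0.9,en;q=0.8";
console.log(parseAcceptLanguage(sample));
console.log(revealedRegions(sample, "JP"));
```

An empty result for your real header and VPN exit country means the header carries no region that contradicts the exit location.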

How to protect your privacy

Browser vendors are working on a proposal to fix the privacy issues with Accept-Language headers. Refer to this link for more information.

Using our Simple Privacy Settings browser extension, you can easily set the Accept-Language HTTP header to the generic value of en-US, which corresponds to English (US).
