ua-tracer
by Paul Kinlan
ua-tracer
what does a user agent actually fetch, follow & run?
Trace tNmiMVpw
First seen: 2026-07-02 22:10:51.860 UTC
User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
Bot verification: Not a known bot (no IP-range check applies).
What this user agent did
Directly-referenced assets:
✗ fetched CSS
✓ fetched JS
✗ fetched image
✗ fetched font (HTML)
Document-level link hints:
✗ fetched favicon
✗ fetched apple-touch-icon
✗ fetched web manifest
✗ fetched preload
✗ fetched prefetch
Second-level follows (proves it parsed the linking file):
✗ followed CSS background-image
✗ followed CSS @font-face
✗ followed manifest icon
✗ followed CSS @import
Frames (does it descend into iframes?):
✗ fetched iframe document
✗ descended into iframe (loaded inner image)
Reporting (a report-only CSP is violated by inline styles; reports can arrive via HTTP headers with no JS, or via in-page beacons):
✗ sent a CSP/Reporting report (any path)
✗ delivered via report-uri/Report-To header (no JS)
✗ delivered via in-page beacon (securitypolicyviolation / ReportingObserver)
Social embed (Open Graph / Twitter card images):
✗ fetched og:image
✗ fetched twitter:image
JavaScript execution:
✗ EXECUTED classic JS
✗ EXECUTED ES module
✗ posted client timing
Server-side request waterfall
Every request the server received for this trace, in receive order. +ms is the delta from the
homepage request.
| Received | Δ | Kind | Method | User-Agent |
|---|---|---|---|---|
| 2026-07-02 22:10:51.860 UTC | +0 ms | homepage | GET | facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php) |
request headers (6){
"accept": "*/*",
"host": "uatracer.com",
"traceparent": "00-e022e0fe42194925032ba6aff8036f76-fb7f09760bce6906-01",
"tracestate": "",
"user-agent": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
"via": "HTTP/2 ord.vultr.prod.deno-cluster.net"
}
|
||||
| 2026-07-02 22:10:53.169 UTC | +1309 ms | ES module | GET | facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php) |
request headers (8){
"accept": "*/*",
"host": "uatracer.com",
"traceparent": "00-5ccadb1307845e543331256a33751ee0-f71c6a99de9e9d04-01",
"tracestate": "",
"user-agent": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
"via": "HTTP/2 ord.vultr.prod.deno-cluster.net",
"x-deno-userspace-traceparent": "00-5ccadb1307845e543331256a33751ee0-cb3cfdbe8a219e9a-01",
"x-deno-userspace-tracestate": ""
}
|
||||
| 2026-07-02 22:10:53.299 UTC | +1439 ms | JS | GET | facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php) |
request headers (8){
"accept": "*/*",
"host": "uatracer.com",
"traceparent": "00-415c6e8d87f50d3ccde13808a16410a6-c91ef4d3e483c9e2-01",
"tracestate": "",
"user-agent": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
"via": "HTTP/2 ord.vultr.prod.deno-cluster.net",
"x-deno-userspace-traceparent": "00-415c6e8d87f50d3ccde13808a16410a6-b79761b4ed16817c-01",
"x-deno-userspace-tracestate": ""
}
|
||||