Log Lines Perils & Pitfalls: Spoofing User-Agent Strings
I still don't feel that I'm even close to understanding all the data that can be mined in web access logs, so in this exercise I simply pulled the last five entries and started asking questions, and one of the entries caught my eye:
Mac OS 10.15.7? Catalina? That OS is going on seven years old, so I asked Claude to see what it thought. It saw my interest, and raised it:
Here's what's genuinely interesting about your particular entry: that User-Agent string claims to be Safari 605.1.15 running on macOS 10.15.7 (Catalina), but declares itself as "Version/26.2"—which would be Safari from approximately 2029 if version numbers continued their current trajectory.
This is almost certainly either:
- A crawler/bot masquerading as Safari (poorly)
- A penetration testing tool with a malformed User-Agent
- Some automated scanner testing your site's responses to different browser versions
So I took a second look, and realized that the IP was my IP address! I'm on a Mac, but I'm using Tahoe, so... what bot is using my IP address?? This was getting interesting. So—off to the races with Claude, looking at various possibilities such as:
The most likely scenario: some device or application on your home network is making requests to your site. Candidates:
- Uptime monitoring you configured and forgot about
- Browser extension that pre-fetches or validates links
- Desktop application (RSS reader, link checker, backup tool) that periodically polls
- Mobile app on your phone that's checking the site
- Smart home device (yes, really—some do weird things)
Or, maybe someone using a VPN happened to be using my IP address... or maybe it was my cell phone... On and on we went... probably about 10 additional minutes of hypothesizing, running UNIX scripts to see what might be happening in the background. Nothing. Then I took another look at that time, which was the previous night at 20:11 EST. Hmmm... I browsed my website around that time. What version of Safari am I running? Yep—26.2, just like the mystery visitor. But, Catalina???
I popped back over to Safari, navigated to my homepage, and then checked my access log. New entry with the correct time and the same incorrect user-agent string. It was me. The whole time.
So, mystery solved: I was investigating myself the whole time. But here's the deeper lesson: Safari lied to my server by design. That 'Catalina' claim? Deliberate obfuscation. My M4 MacBook Air running macOS Tahoe 26.2 deliberately reports itself as a seven-year-old Intel system to prevent fingerprinting.
Privacy features made me unrecognizable in my own logs. I couldn't identify myself because my browser was protecting me from identification.
This creates a genuine tension for security work: the tools that protect privacy (User-Agent reduction, fingerprinting resistance) make legitimate traffic analysis harder. Every anomaly could be an attack... or just Safari being Safari.
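One way to make that caveat mechanical when reading an access log, as an added example that is not part of the original post: parse combined-format lines, tag the fields of a User-Agent that should not be believed (Safari's frozen "Intel Mac OS X 10_15_7" OS token, a self-declared crawler), and mark requests that come from your own address so you stop investigating yourself. The log lines are constructed to resemble the entry described above, the address 203.0.113.42 stands in for "my IP", and the flag names are my own choices.

```python
"""Parse combined-format access log lines and flag User-Agent claims that
cannot be trusted, e.g. Safari's frozen "Intel Mac OS X 10_15_7" OS string."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Apache/Nginx "combined" format (not from the
# original post). Lines 1 and 3 mimic the Safari 26.2 entry the post describes,
# line 2 is a self-declared crawler, line 4 an ordinary Chrome visitor.
SAMPLE_LOG = """\
203.0.113.42 - - [14/Jan/2026:20:11:03 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Safari/605.1.15"
198.51.100.7 - - [14/Jan/2026:20:13:40 -0500] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://example.invalid/bot)"
203.0.113.42 - - [14/Jan/2026:20:11:05 -0500] "GET /style.css HTTP/1.1" 200 2048 "http://example.invalid/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Safari/605.1.15"
192.0.2.99 - - [14/Jan/2026:21:02:17 -0500] "GET /about HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The OS token Safari reports regardless of the real macOS release.
FROZEN_MACOS = "Intel Mac OS X 10_15_7"
VERSION_RE = re.compile(r"\bVersion/(\d+(?:\.\d+)*)")


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def safari_version(ua):
    """Safari's marketing version from the 'Version/x.y' token, or None if absent."""
    m = VERSION_RE.search(ua)
    return m.group(1) if m else None


def ua_flags(ua):
    """Tags (my own names) for parts of a User-Agent string that should not be believed."""
    flags = []
    if FROZEN_MACOS in ua and "Safari/" in ua:
        # Safari keeps the OS token at 10_15_7 while the Version/ token still
        # advances, so a brand-new Version on an 'old' macOS is expected, not an anomaly.
        flags.append("macos_version_frozen")
    if re.search(r"bot|crawler|spider", ua, re.IGNORECASE):
        flags.append("declares_bot")
    return flags


def analyze(log_text, own_ips=frozenset()):
    """Parse every line, attach UA flags and mark requests from the analyst's own IPs."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry["flags"] = ua_flags(entry["ua"])
        entry["safari_version"] = safari_version(entry["ua"])
        entry["self"] = entry["ip"] in own_ips
        entries.append(entry)
    return entries


def summarize_by_ip(entries):
    """Per-IP request count, time span, distinct User-Agents and whether it is 'me'."""
    summary = defaultdict(lambda: {"requests": 0, "first": None, "last": None, "uas": set(), "self": False})
    for e in entries:
        s = summary[e["ip"]]
        s["requests"] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
        s["uas"].add(e["ua"])
        s["self"] = s["self"] or e["self"]
    return dict(summary)


if __name__ == "__main__":
    # Placeholder: replace with the address your own browsing arrives from.
    own = {"203.0.113.42"}
    for e in analyze(SAMPLE_LOG, own):
        tag = "SELF" if e["self"] else "    "
        print(f'{tag} {e["ip"]:15} {e["ts"]:%H:%M:%S} {e["safari_version"] or "-":>5} {",".join(e["flags"]) or "-"}')
```

Feed it a real log with `analyze(open("access.log").read(), {"<your IP>"})`; the point of the `macos_version_frozen` flag is that it tells the reader to ignore the OS field for that entry rather than to treat the entry as hostile, which is exactly the judgement the post arrives at by hand.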
Which raises the question: what else in these logs is misleading? Looks like I've got more learning to do.