
What is the HTTP_X_CLIENT_DATA in the $_SERVER array?

I see an element in the $_SERVER array called HTTP_X_CLIENT_DATA - $_SERVER['HTTP_X_CLIENT_DATA'], and its value looks like some kind of base64-encoded string. What is this element used for?

Here is an example value, which I tried decoding, but it seems to also be encrypted?

CJa2yQEIprbJAQjBtskBCPqcygEIqZ3KAQ==

Dane Iracleous asked Dec 04 '22 22:12


2 Answers

Google Chrome passes the X-Client-Data request header to randomly assign field trials of various features to users, as documented here.

It looks like it used to be called X-Chrome-Variations - see this nice answer which gives a broad overview.

To prevent Chrome sending the header when fetching your page, open your page in an Incognito Window instead.

I think the value is a base64-encoded protobuf - paste the value into the second textarea on this page and click the base64 button to decode.

For the current list of Google-owned domains it is sent to, see https://cs.chromium.org/chromium/src/components/google/core/common/google_util.cc?q=IsGoogleAssociatedDomainUrl

robocat answered Dec 06 '22 11:12
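
Added example, not part of the answer above: a small protobuf wire-format walker that decodes the value from the question offline, assuming (as the answer guesses) that the header is a base64-encoded protobuf message. The function names are hypothetical; because the header is client-supplied, malformed input is rejected rather than partially parsed.

```python
import base64


def read_varint(buf, pos):
    """Decode one protobuf varint starting at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:  # high bit clear marks the last byte
            return value, pos
        shift += 7


def decode_x_client_data(header_value):
    """Return [(field_number, value), ...] from a base64 X-Client-Data value."""
    raw = base64.b64decode(header_value, validate=True)
    fields, pos = [], 0
    while pos < len(raw):
        key, pos = read_varint(raw, pos)
        field, wire_type = key >> 3, key & 0x07
        if wire_type == 0:  # varint
            value, pos = read_varint(raw, pos)
        elif wire_type == 2:  # length-delimited bytes
            length, pos = read_varint(raw, pos)
            if pos + length > len(raw):
                raise ValueError("length-delimited field runs past end")
            value, pos = raw[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field, value))
    return fields


# The example value quoted in the question.
SAMPLE = "CJa2yQEIprbJAQjBtskBCPqcygEIqZ3KAQ=="

if __name__ == "__main__":
    for field, value in decode_x_client_data(SAMPLE):
        print(f"field {field}: {value}")
```

The sample decodes to five varint entries, all in field 1, so the value is encoded rather than encrypted.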


It's a header with a unique identifier which signifies your specific Chrome profile on your specific Chrome installation. Google says they use it for simple A/B testing but it seems to be a rather unique identifier if all they need is a few feature flags.

This is really just another way that Google is tracking individuals' activity (spying) across a wide spectrum of their products.

Chris Hawkes answered Dec 06 '22 11:12