Client Hints治理与隐私收敛（Accept-CH/高熵禁用）最佳实践

背景与价值Client Hints可提供设备与浏览器特征。需最小化启用范围并禁用高熵字段，降低指纹风险。统一规范Accept-CH白名单：仅允许 `Width/DPR/Viewport-Width` 等低熵信息。高熵禁用：默认不请求 `UA-Platform/Model/Arch/Bitness/Full-Version`。缓存一致性：下发 `Vary` 与一致性策略。核心实现头设置与校验type Res = { setHeader: (k: string, v: string) => void } function setClientHints(res: Res, enable = ['DPR','Width','Viewport-Width']) { res.setHeader('Accept-CH', enable.join(', ')) res.setHeader('Vary', 'Accept-CH') } function disallowHighEntropy(reqHeaders: Record<string, string | undefined>): boolean { const h = String(reqHeaders['sec-ch-ua-platform'] || reqHeaders['sec-ch-ua-model'] || reqHeaders['sec-ch-ua-arch'] || reqHeaders['sec-ch-ua-bitness'] || reqHeaders['sec-ch-ua-full-version'] || '') return h.length === 0 } 落地建议仅在必要页面启用低熵Client Hints，禁止请求高熵UA-CH；配置`Vary`。验证清单是否下发限制后的Accept-CH；是否拒绝或不请求高熵UA-CH字段。