CONCEPT Cited by 1 source

Cloaking

Definition

Cloaking is the practice of serving different content to users and search engines for the same URL, typically by branching on the User-Agent header (or source IP / ASN / verified-bot signal) to identify the requester and emit different HTML based on whether the visitor is a human browser or a crawler.

Google's policy: cloaking is prohibited and is an explicit ranking-manipulation violation. "Google prohibits showing different content to users and search engines to manipulate rankings. Avoid code that alters content based on User-Agent." (Source: sources/2024-08-01-vercel-how-google-handles-javascript-throughout-the-indexing-process.)

The rule dates to the earliest days of SEO abuse (keyword-stuffed HTML served only to bots while users see different content) and has remained a canonical search-ranking violation class through every Google algorithm update since.

Mechanism

Classical cloaking takes one of:

• User-Agent branch: if req.headers['user-agent'].includes('Googlebot') { serveBot() } else { serveHuman() }.
• IP / ASN branch: identify Google IP ranges and serve differently.
• Reverse-DNS branch: identify *.googlebot.com hostnames and serve differently.
• Browser-feature probe: probe for navigator.webdriver, window.chrome, or fingerprinting signals and branch.

Recommended posture (per Google)

The Vercel post's framing: "optimize your app's stateless rendering for Google, and implement personalization through stateful methods."

• Build the canonical rendered page content to be served to everyone.
• Apply personalisation on top, using session state that Googlebot's stateless render session won't have.
• Do not feature-detect for bot identity.

This keeps the stateless-rendered page (what Google indexes) aligned with what unauthenticated first-time visitors actually see, which is what cloaking policy requires.

Structural reinforcement from stateless rendering

concepts/stateless-rendering is what makes the cloaking prohibition structurally enforceable: Google's WRS renders each page with no cookies, no session state, no localStorage, and no click interactions. Any personalisation path that requires those signals produces naturally different output for bots vs. users — which is not cloaking (bots don't have the signals) but also means the cloaking policy doesn't forbid building personalisation on session state.

What is not cloaking

• Responsive design serving different CSS / image sizes based on Accept, screen size, or device class. Same HTML content; different presentation.
• Content negotiation via Accept headers (e.g. serving markdown vs HTML to markdown-content- negotiation-aware agents). The markdown and HTML versions are the same semantic content in different formats.
• Geography- or language-based content where the URL and user signals align (e.g. /en/ → English, /fr/ → French). Google handles these via hreflang signals.
• Personalised content above the fold for logged-in users where the canonical content (what Googlebot sees) is the public version.

Seen in

• sources/2024-08-01-vercel-how-google-handles-javascript-throughout-the-indexing-process — canonical wiki instance. Named as one of four post-2018 WRS properties Google enforces: "Cloaking: Google prohibits showing different content to users and search engines to manipulate rankings."

Related

• systems/googlebot — the crawler whose policy prohibits cloaking.
• concepts/stateless-rendering — the structural reason cloaking is hard to implement safely.
• concepts/universal-rendering — every page is rendered, so every page is checkable.
• concepts/declared-crawler — Googlebot's transparency enables enforcement (known IP range + UA → cloaking detection).
• concepts/stealth-crawler — the adversarial sibling (crawler hides to evade detection, rather than origin hiding content from crawler).