What we send to HMRC — and why
Every time our software calls HMRC on your behalf, UK law requires us to send a set of 16 “fraud prevention” headers alongside your request — facts about your browser, your device and ours. Most tax software never tells you this happens. Here is exactly what leaves your browser, exactly what our server adds, why the law requires it, what HMRC does with it, and — right now, live — what your own browser would actually send.
Never a fabricated value.Where we honestly can't collect a header today, we say so and omit it — we never send a placeholder or an invented number just to fill a gap. That policy, and the two headers it currently applies to, are covered below.
Why we have to send these at all
The law itself: “The software supplier must ensure that the program operates so that it (a) collects, and (b) delivers to the Commissioners, the relevant ancillary metadata.” That's us — any software that files Making Tax Digital VAT or Income Tax returns must send this metadata with every call. It is not optional and it is not our choice.
Getting it wrong carries a real penalty: up to £3,000 per program, at most once every 12 months, with the same appeal rights as any other HMRC penalty. The exact list of 16 headers below has the force of law under the Commissioners' Directions, which “have effect from 16 October 2023”.
Sources: SI 2019/360, Commissioners' Directions.
The 16 headers, one by one
The “what it contains” column is HMRC's specification, cited — click the ⓘ to see it. The “why HMRC wants it” column is our plain-words reading of what such data can be used for — HMRC doesn't publish per-header rationale, so that column isn't cited. Rows tagged cannot collect yet are explained fully in the section right after this table.
| Header | What it contains | Why HMRC wants it |
|---|---|---|
| Gov-Client-Connection-Method | Always the fixed value WEB_APP_VIA_SERVER — it says your request travelled from your browser through our servers, not straight from your device. | Tells HMRC which connection pattern to expect, since different patterns imply different header sets and different fraud checks. |
| Gov-Client-Browser-JS-User-Agent | Your browser's own user-agent string, read straight from navigator.userAgent — the same string most websites can already see. | Cross-checked against the connection method and other signals, to catch requests that claim to be a browser but aren't. |
| Gov-Client-Device-ID | A random ID with no name attached, held in a cookie our server manages. It persists across your visits so the same device can be recognised again. | Lets HMRC's fraud systems link activity back to a consistent device over time, without needing to know who you are. |
| Gov-Client-Multi-Factor | One entry per authentication factor you cleared when signing in — its type, the time you passed it, and a hashed reference to the factor, never the raw code, secret or phone number. Sent when you signed in with a passkey this session: the time you last passed the passkey prompt and a hashed reference to which passkey — never the key itself. Omitted for anonymous use — we don't invent it. | Signals how strongly your sign-in to our software was verified. |
| Gov-Client-Public-IP | The public internet address your device is browsing from, right now. | A core fraud signal — flags patterns like one account filing from wildly different places within minutes. |
| Gov-Client-Public-IP-Timestamp | The exact moment, to the millisecond, that we captured your public IP address. | IP addresses change; pinning the exact capture time lets HMRC line it up against everything else about that same instant. |
| Gov-Client-Public-Portcannot collect yet | The specific network port your own browser used to send this request — never a server port such as 443. | Another device-fingerprinting signal, used the same way as Public-IP. |
| Gov-Client-Screens | Your screen's width, height, scaling factor and colour depth. | A device fingerprint — genuine devices report consistent, plausible screen data; automated or spoofed requests often don't. |
| Gov-Client-Timezone | Your device's timezone offset from UTC, formatted as UTC±hh:mm. | Cross-checked against where your IP address appears to be, for consistency. |
| Gov-Client-User-IDs | The identifier you're signed in with inside our software — your account's ID once you're signed in, otherwise the anonymous session ID. Never your real name or your HMRC login. | Links this request to one account inside our software, so HMRC can build a picture across every API call from the same user. |
| Gov-Client-Window-Size | The pixel width and height of your actual browser window — not your whole screen. | Another fingerprint signal, cross-checked against Screens. |
| Gov-Vendor-Forwarded | The chain of servers, by IP address, that carried your request from us onward to HMRC. | Lets HMRC check that the IP addresses named in every other header line up honestly with each other. |
| Gov-Vendor-License-IDscannot collect yet | Hashed licence keys for any licensed software installed on your device. | Flags fraud patterns HMRC has seen tied to licensed software elsewhere. |
| Gov-Vendor-Product-Name | Our product's own name — always TaxSorted. | Identifies which piece of software actually sent the request. |
| Gov-Vendor-Public-IP | Our own server's public IP address. | Identifies us as the vendor, and is cross-checked against Vendor-Forwarded. |
| Gov-Vendor-Version | Version numbers for both our frontend and our server. | Lets HMRC correlate a fraud pattern with a specific software release, in case an issue turns out to be version-specific. |
Two headers we honestly can't send yet
HMRC's own rules allow this: “If you are unable to submit a header, you must contact us to explain why … After discussing a missing header with us, you can omit the header or submit it with an empty value. You must not include a placeholder value, for example null or undefined.” We follow that route for two headers today — each will be raised with HMRC's [email protected] before we apply for production access (the drafts are written, not yet sent), and none is ever guessed at or filled in with a fake number.
- Gov-Client-Public-Port — We run behind Fly.io's proxy, which exposes the server port your browser connected to, never the ephemeral source port your own browser used. That source port is genuinely unobtainable from where our server sits.
- Gov-Vendor-License-IDs — TaxSorted is free, open-source software. There is no licensed component on your device to hash a licence key for.
What HMRC does with this data
HMRC's own public Data Protection Impact Assessment for this system (“Transaction Monitoring”, TxM) says it “records customer activity across HMRC customer facing services … to detect suspicious behaviours which might indicate fraud or crime”; alerts are reviewed by a human, never a fully automated decision.
HMRC relies on its own public task, not your consent: “TxM are not required to seek consent from customers.” HMRC's lawful basis is “Article 6(1)(e) of the GDPR” — public task — because “the collection and supply of this data is mandated by Statutory Instrument.”
It is kept for “6 years + current year” — HMRC says this follows its own records management and retention and disposal policy — and “may share TxM data with other government departments, the Police and the National Cyber Security Centre for the purposes of prevention and detection of crime.”
What we do notdo: nothing beyond passing this data on to HMRC as the law requires. We don't keep our own separate copy of your fingerprint data beyond what transporting the request itself requires.
Our own legal basis for collecting it
Our collection and onward transmission of this data fits UK GDPR Article 6(1)(c) — legal obligation: “processing is necessary for compliance with a legal obligation to which the controller is subject.” The obligation we point to is SI 2019/360 and the Commissioners' Directions above.
One consequence is worth saying plainly: under this basis, “the individual has no right to erasure, right to data portability, or right to object” for this specific processing. That's the law's own trade-off, not ours — we're telling you rather than burying it.
You can block this — here's what that means
The law itself carves this out: “The program is not required to collect or deliver relevant ancillary metadata to the extent that the person using it … has blocked the collection of, or manipulated, such metadata.” If your browser settings block something we'd normally collect — a script, cookies, a fingerprinting API — that doesn't put us in breach of our legal duty.
The honest caveat: these headers exist specifically to help HMRC's fraud systems build a picture of genuine activity. If you block collection, HMRC's systems have less to go on when they scrutinise your own filings — they may look at your account more closely, not less, precisely because there's less signal to go on. That isn't a threat from us; it's the logical shape of a system built to flag missing or unusual data.
Source: SI 2019/360.
This is what your browser would contribute right now
Built from the exact same code that runs on every real request — not a mock, not a re-typed example. Nothing here is sent anywhere by loading this page; it's a preview, computed locally, of the same four values your browser would hand over the next time we actually call HMRC.
| Header | Your value, right now |
|---|---|
| Gov-Client-Timezone | Reading your browser… |
| Gov-Client-Screens | Reading your browser… |
| Gov-Client-Window-Size | Reading your browser… |
| Gov-Client-Browser-JS-User-Agent | Reading your browser… |
These four are the only ones your own browser computes — reading straight from window.screen, window.innerWidth/innerHeight, navigator.userAgentand your device's clock, the same values any website could already read. Nine of the other twelve headers are added by our server when it actually calls HMRC — a device/session cookie, your IP address as our server sees it, and our own vendor details — and the remaining three are the ones we honestly can't collect (see the section above). None of the server side is something this page, running in your browser, can see or verify. We show you what we can genuinely show you, and describe the rest rather than guess at it.