The WhatsApp/2 user agent

Signal identifies itself as WhatsApp/2, a deliberate masquerade to avoid being filtered differently from other major messaging apps. The real WhatsApp client sends a more detailed version string like WhatsApp/2.2119.6 i, so a bare WhatsApp/2 without the version suffix is a reliable Signal indicator in your server logs.

Client-side fetching

Signal is unusual here: previews are fetched from the sender’s device, not a central server. When someone pastes a URL, the Signal app on their phone or desktop makes the HTTP request itself.

You won’t see requests from predictable data center IPs. Signal preview requests come from residential and mobile IPs worldwide, indistinguishable from normal browser traffic except for the user agent.

The privacy proxy

Signal routes all preview requests through a TLS privacy proxy to hide the sender’s IP. The proxy can’t see request or response content (it’s encrypted end-to-end to your server), but your server sees the proxy’s IP, not the sender’s.

IP-based rate limiting or geo-blocking may inadvertently block Signal previews if the proxy’s IP falls outside your allowed ranges.

No JavaScript execution

Signal doesn’t run JavaScript. Your OG tags must be in the initial HTML response. Client-rendered tags produce blank previews.

HTTPS required

Signal only generates previews for HTTPS URLs. HTTP links are ignored entirely, and no request is made. Self-signed certificates also fail silently.

Checking if Signal can reach your page

curl -A "WhatsApp/2" https://example.com/your-page

If your <meta> tags are in the response, Signal can generate a preview. If you see a JavaScript shell or a login redirect, that’s what Signal sees too.