Skip to content
ScrapeNest
All posts
·4 min read·by ScrapeNest Engineering

TLS fingerprints are the new User-Agent

Spoofing the User-Agent header stopped working years ago. Here's why your HTTP client gets blocked before it sends a single byte of HTTP, and what to do about it.

anti-bothttptls

There's a rite of passage for anyone who writes their first scraper. You hit a site, get a 403, and someone tells you to "set a real User-Agent." You copy the string out of your own browser, paste it into your requests call, and — sometimes — it works. So you internalize the lesson: blocking is about headers.

It isn't. Not anymore. On a site with any serious bot defense, you're being classified before the server has read a single HTTP header. The decision happens during the TLS handshake.

What the handshake gives away

When a client opens a TLS connection, the very first thing it sends is a ClientHello. That message advertises, in a specific order, the things the client supports: cipher suites, extensions, elliptic curves, signature algorithms, the ALPN protocols it speaks. None of this is secret, and none of it is configurable from the HTTP layer. It's baked into whatever TLS library your runtime links against.

The catch is that the exact contents and ordering are a fingerprint. Chrome's ClientHello looks like Chrome's. OpenSSL-as-driven-by-Python looks like OpenSSL. They are not the same, and the difference is trivial to hash. The popular summary of that hash is called JA3 (and its successor JA4).

So when your scraper sends a header that says Mozilla/5.0 … Chrome/124, but the handshake underneath says "I am Python's urllib3 talking to OpenSSL 3.0," you've announced a contradiction. A real Chrome would never produce that handshake. The mismatch is the tell, and it's a much stronger signal than any header, because the attacker (you) can't easily fake the bytes that a different TLS stack would emit.

Why "just set headers" feels like it works

Two reasons people stay confused about this for a long time:

  1. Most sites don't check. Fingerprinting requires terminating TLS somewhere that can inspect the ClientHello and act on it — a CDN feature, a WAF, a reverse proxy with the right module. Plenty of targets have none of that, so header spoofing is genuinely enough. You get a skewed sample of "it works" and over-generalize.
  2. The failure is silent and early. When the block happens at the handshake, you don't get a polite 403 with a CAPTCHA. You get a connection reset, a timeout, or a generic challenge page that looks like a server error. It's easy to misattribute to rate limiting or a flaky target.

Matching the fingerprint, not faking the header

The fix is not a better User-Agent. It's to make your handshake actually look like the browser you're claiming to be. That means using a TLS stack that can reproduce a real browser's ClientHello — the cipher list, the extension order, the GREASE values, all of it.

This is the entire point of tools like curl_cffi, which binds to a build of curl patched to impersonate browser TLS profiles. You pick a profile — say, a recent Chrome — and the library emits a handshake that hashes to the same JA3 as the real thing. Now the header and the handshake agree, because both come from the same impersonation profile.

On ScrapeNest this is exactly what the HTTP engine does. It's not "requests with extra headers." It's a curl-based client that aligns its TLS fingerprint with the browser profile you're presenting, which is why it gets through targets that instantly reset a vanilla Python client — at a fraction of the cost of spinning up a real browser.

When fingerprint matching isn't enough

Be honest with yourself about the ceiling here. TLS fingerprinting defeats lazy scrapers. It does not defeat behavioral analysis. If a site is profiling mouse movement, checking whether JavaScript executed, or correlating request timing across a session, a perfect JA3 won't save you — there's no JavaScript engine behind an HTTP client, and that absence is detectable in its own right.

That's the actual decision tree:

  • Target checks TLS but not JS execution? The HTTP engine with a matched fingerprint is your cheapest reliable option. Use it.
  • Target requires a rendered DOM or runs client-side challenges? You need a real browser. Reach for a headless Chromium engine, and if the defenses are serious, a hardened stealth profile on top.

The mistake is reaching for a full browser by reflex when a fingerprint-matched HTTP client would have sailed through for a tenth of the compute. The other mistake is hammering a behavioral defense with an HTTP client and concluding the site is "unscrapeable" when you simply brought the wrong tool.

Know which wall you're hitting. The handshake is the first one, and most people never realize they're standing in front of it.