[Blog](https://scrapfly.io/blog)   /  [blocking](https://scrapfly.io/blog/tag/blocking)   /  [TCP/IP Stack Fingerprinting and Proxy Bypass](https://scrapfly.io/blog/posts/tcp-ip-stack-fingerprinting-proxy-bypass)   # TCP/IP Stack Fingerprinting and Proxy Bypass

 by [Hisham Medhat](https://scrapfly.io/blog/author/hisham) Jun 19, 2026 16 min read [\#blocking](https://scrapfly.io/blog/tag/blocking) [\#proxies](https://scrapfly.io/blog/tag/proxies) [\#scrapeguide](https://scrapfly.io/blog/tag/scrapeguide) 

 [  ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Ftcp-ip-stack-fingerprinting-proxy-bypass "Share on LinkedIn")    

 

 

         

Your scraper can look perfect at the HTTP layer and still get flagged before any HTML loads. Anti-bot systems score more than headers and cookies. As our guide on how sites [detect and block scrapers](https://scrapfly.io/blog/posts/how-to-bypass-anti-bot-protection-when-web-scraping) shows, detection starts at the TCP handshake.

In this guide, we'll cover how passive TCP/IP fingerprinting works and which SYN fields reveal your real OS. We'll see why standard proxies still leak a Linux signature, then compare curl-impersonate with managed bypass.

[How Browser Fingerprinting Works and How to Defend Against ItLearn how browser fingerprinting works, from canvas to WebGPU, and discover developer-focused techniques to bypass detection in your web scrapers.](https://scrapfly.io/blog/posts/how-browser-fingerprinting-works)



## Key Takeaways

- **TCP options order is the strongest OS clue.** It stays stable and varies by OS.
- **Standard proxies don't hide you.** The target sees the proxy's TCP stack, not yours.
- **MSS reveals path overhead.** VPNs and tunnels leak through smaller segment sizes.
- **curl-impersonate fixes TLS, not TCP.** It can't rewrite the SYN packet your kernel sends.
- **Managed bypass keeps layers coherent.** It matches IP, OS, headers, and browser at once.
- **Test the OS a target sees.** Don't assume the OS your scraper claims to present.

**Get web scraping tips in your inbox**Trusted by 100K+ developers and 30K+ enterprises. Unsubscribe anytime.







## What Is TCP/IP Stack Fingerprinting?

TCP/IP stack fingerprinting is a technique websites use to detect proxies, VPNs, and scrapers from packet signatures. It reads fields like TTL, window size, and TCP options to identify the true underlying OS.

For scrapers, detection can happen before the HTTP response starts, before your parser sees a line of HTML. If your script claims Windows Chrome but the SYN packet looks like Linux, anti-bot logic flags the session in milliseconds.

You can see that mismatch directly with Scrapfly's device fingerprint tool. The page exposes TCP/IP classification, JA4T, and Satori-style output for the connection the server receives.

### Active vs. Passive Fingerprinting

Active fingerprinting works like Nmap. The target sends crafted probes and studies the replies to guess the remote OS. That approach is obvious in logs and useful for scanners or auditors.

Passive fingerprinting is what anti-bot systems use. The server reads the SYN packet from a normal connection and extracts the fields your OS kernel already chose. It needs no extra probes, so the scraper never sees a challenge at this stage.

### The Key TCP/IP Fields That Reveal Your OS

The most useful fields for passive classification are:

- **TTL**: the initial hop limit set by the OS. Windows commonly starts at `128`, while Linux, macOS, iOS, and Android commonly start at `64`.
- **Window Size**: the amount of data the sender is ready to receive before an ACK. Different kernels use different defaults, so the opening window is a strong clue.
- **MSS**: the Maximum Segment Size announced in the SYN packet. Clean Ethernet paths often produce `1460`, while VPN or tunnel overhead pushes the value lower.
- **TCP Options and their order**: the exact presence and ordering of MSS, SACK, timestamps, NOP padding, and window scale values is the most distinctive OS signal in passive datasets.

That last field matters most. Zardaxt's README calls TCP options the most important source of entropy for distinguishing operating systems. Its scoring code gives an exact TCP options match `4` points, window size `2`, and MSS `1.5`.

Those fields are the raw material. The next step is understanding what the common operating-system baselines look like in practice.



## The OS Fingerprint Reference Table

Each operating system ships with a slightly different TCP stack. Passive fingerprinting tools use those defaults to cluster traffic by Windows, Apple-like, and Linux-like signatures.

The table below summarizes the common clean-path signatures in Zardaxt's public dataset, plus the Linux baseline used in passive fingerprinting examples. MSS shifts most when a VPN or proxy adds overhead, so treat these as representative defaults:

| OS | Initial TTL | TCP Window Size | Typical MSS | DF Bit | TCP Options Order |
|---|---|---|---|---|---|
| Windows 10/11 | 128 | 64240-65535 | 1460 | Usually set | M,N,W,N,N,S |
| macOS | 64 | 65535 | 1460 | Usually set | M,N,W,N,N,T,S,E,E |
| Linux (Ubuntu) | 64 | 29200 | 1460 on a clean path, often 1412 behind a tunnel | Usually set | M,S,T,N,W |
| iOS | 64 | 65535 | 1460 on a clean path, often 1412 on mobile paths | Often clear | M,N,W,N,N,T,S,E,E |
| Android | 64 | 65535 | 1460 on a clean path, often 1412 on mobile paths | Often clear | M,S,T,N,W |

Two details matter more than the raw table:

- Anti-bot systems score several fields together. A single mismatch is noisy, but a Linux-style TCP options order plus a Windows-only User-Agent plus a residential-mobile claim creates a much stronger signal.
- TCP options ordering carries the most weight. For example, an exact TCP options match scores `4`, an ordered-only match scores `2.5`, window size scores `2`, and MSS scores `1.5`.

So the table is more than reference material. It is the baseline anti-bot systems compare your connection against when your scraper first arrives.



## How Your Scraper Gets Caught

The practical problem is not that websites know TCP exists. The practical problem is that your application controls HTTP, but your operating system controls the SYN packet. That split creates easy-to-spot inconsistencies.

### The User-Agent vs. TCP Stack Mismatch Problem

A common failure mode looks like this:

1. Your scraper sends `User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)` and tries to look like Windows Chrome.
2. The SYN packet reaches the target with `TTL=64`, a Linux-style TCP options order, and a Linux-like window size.
3. The anti-bot stack records the OS mismatch before it even parses the HTTP headers.
4. The request might still receive a `200`, but the session is now flagged and more likely to get challenged or blocked later.

You can visualize that mismatch with a simple comparison table:

| Signal | Claimed Browser | Observed Network Stack | Why It Flags |
|---|---|---|---|
| User-Agent | Windows Chrome | Linux VPS | Browser claim and kernel claim disagree |
| Initial TTL | 128 expected | 64 observed | Suggests Linux or Apple-like sender |
| TCP Options | Windows-style `M,N,W,N,N,S` expected | Linux-style `M,S,T,N,W` observed | The options order does not match the claimed OS |
| MSS | 1460 expected on clean desktop path | 1412 observed | Suggests tunnel, VPN, or altered path MTU |

That is why TCP/IP fingerprinting feels invisible from the scraper side. Nothing breaks right away. The request quietly accumulates risk before any HTML, cookies, or JavaScript checks begin.

[Bypass Proxy Detection with Browser Fingerprint ImpersonationStop proxy blocks with browser fingerprint impersonation using this guide for Playwright, Selenium, curl-impersonate & Scrapfly](https://scrapfly.io/blog/posts/bypass-proxy-detection-with-browser-fingerprint-impersonation)

### Why Standard Proxies Don't Hide Your Fingerprint

Proxies alone fail against fingerprint-aware detection because of connection termination. A forward proxy does not forward your original SYN packet. It accepts your TCP connection, then opens a new one to the target from its own machine.

That creates three distinct proxy cases:

- **Datacenter proxies**: the target usually sees a Linux server fingerprint from a cloud ASN. That is the most common scraper setup and the easiest one to score.
- **Residential proxies**: the target often sees the stack of the real residential exit device or gateway. That produces more believable OS diversity, but it also costs more and adds latency.
- **Mobile proxies**: the target sees more Android and iOS-like paths, which improves realism for mobile traffic. The tradeoff is price and operational complexity at scale.

For a refresher, see our [proxy types](https://scrapfly.io/blog/posts/introduction-to-proxies-in-web-scraping) guide. Remember one rule: the target only sees the TCP stack of whichever system dials the final connection.

Connection reuse can make the picture even messier. A proxy pool or outbound gateway can change path MTU, reuse sockets aggressively, or add tunnel overhead. Then the announced MSS drifts away from what a normal browser on the claimed OS would expose.

### Common Scraping Tool Fingerprints (Python, Playwright, curl)

Most popular scraping tools share the same blind spot. They can shape headers, cookies, and browser APIs, but they still rely on the host OS to send the TCP SYN packet:

| Tool | Fingerprint on a Linux server | Why |
|---|---|---|
| `requests` / `httpx` | Linux | Python code never crafts the SYN packet; the kernel does |
| Playwright | Linux | Browser automation changes HTTP and JS signals, not the host TCP stack |
| Puppeteer | Linux | Same limitation as Playwright |
| `curl` | Linux | Standard curl uses the host kernel for TCP, even with tuned TLS |
| Node.js `fetch` / `axios` | Linux | Node controls the request body and headers, not the TCP handshake |

That is why [TLS fingerprinting (JA3/JA4)](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-tls) and TCP fingerprinting show up together in anti-bot pipelines. Fixing JA3 or HTTP/2 helps, but a clean TLS fingerprint paired with a Linux JA4T still looks wrong for a real Windows browser.

### MTU/MSS Detection: How Targets Spot VPNs and Proxies

MTU is the largest packet size a path can carry without fragmentation. MSS is the largest TCP payload the sender advertises after subtracting IP and TCP overhead.

Extra tunnel overhead pushes MTU down, which pushes MSS down with it. Passive fingerprinting systems do not need a VPN blocklist if the SYN packet already announces a smaller-than-normal MSS for the claimed path.

Typical values look like this:

| VPN Protocol | Typical MTU | Resulting MSS |
|---|---|---|
| No VPN (standard Ethernet path) | 1500 | 1460 |
| PPTP | 1476 | 1436 |
| L2TP | 1460 | 1420 |
| IPsec | 1400 | 1360 |
| WireGuard | 1420 | 1380 |

Those are representative, not universal. Cipher choices, nested tunnels, and provider defaults can shift the exact number. But the pattern is stable: the lower the MSS, the more likely a tunnel or altered path sits between the client and the target.

That is why anti-bot systems do not need perfect OS classification to win. A clean desktop browser claim plus a tunnel-shaped MSS is often enough to raise the score.



## How Anti-Bot Systems Score TCP Fingerprints

When an anti-bot platform receives a connection, TCP fingerprinting feeds into a broader scoring model. The platform reads the SYN packet during connection handling.

The scoring model usually combines:

- TCP fingerprint features such as TTL, window size, MSS, and options order
- TLS fingerprints such as JA3 or JA4
- HTTP/2 settings and header coherence
- JavaScript and browser environment signals
- IP reputation, ASN type, and session behavior

That multi-signal model keeps false positives lower and makes single-layer fixes weak. A Linux TCP stack plus a Windows User-Agent is one clue. Add mismatched browser headers and inconsistent [JavaScript fingerprinting](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-javascript), and the case gets much stronger.

In practice, that means you should think in combinations, not checklists. Fixing TLS alone is not enough if TCP still leaks the host OS. Fixing the browser alone is not enough if the exit IP and MSS still look like a datacenter tunnel.



Scrapfly

#### Need to bypass anti-bot protection?

Scrapfly's Anti-Scraping Protection handles Cloudflare, DataDome, and more — automatically.

[Try Free →](https://scrapfly.io/register)## How JA4T Standardized TCP Fingerprinting

FoxIO published `JA4T: TCP Fingerprinting` on April 23, 2024. The update pushed the JA4 family beyond TLS and HTTP into the TCP SYN packet itself.

For scrapers, the takeaway is simple. Teams can now log JA4 and JA4T side by side, so a browser-like TLS handshake no longer hides a non-browser TCP stack.

JA4T encodes the core passive TCP fields into a compact string. For example, the illustrative fingerprint `65535_2-4-8-1-3_1412_8` breaks down like this:

- `65535`: TCP window size
- `2-4-8-1-3`: TCP option numbers in order
- `1412`: MSS
- `8`: window scale factor

FoxIO's write-up also explains why VPN and proxy detection shows up so strongly here. When a tunnel changes the MSS, JA4T changes with it. When a proxy terminates the connection, the proxy's JA4T is what the target sees.

That creates a nasty mismatch case for scrapers. A cleaned-up JA4 that looks like desktop Chrome paired with a Linux-style or tunnel-shaped JA4T is not a normal browser session. It is a high-confidence automation clue.

The important point here is that TCP is no longer an obscure signal. It now has a standardized, log-friendly format that anti-bot teams can use at scale.

[How TLS Fingerprint is Used to Block Web Scrapers?TLS fingeprinting is a popular way to identify web scrapers that not many developers are aware of. What is it and how can we fortify our scrapers to avoid being detected?](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-tls)



## How to Bypass TCP/IP Fingerprinting

There is no magic header that rewrites the SYN packet after the kernel sends it. Real bypass strategies either reduce the mismatch on adjacent layers or move the request through setup that already looks coherent.

### DIY: curl-impersonate

[curl-impersonate](https://scrapfly.io/blog/posts/curl-impersonate-scrape-chrome-firefox-tls-http2-fingerprint) is the best DIY option when a target mainly checks TLS and HTTP/2. It can reproduce browser-like TLS and HTTP handshakes, which removes one major source of blocking for raw HTTP clients.

But the limitation matters: curl-impersonate does not rewrite the TCP SYN packet your operating system sends. On a Linux server, the TCP fingerprint still looks like Linux unless the network path itself changes.

First, pull the official Docker image that includes the wrapper scripts:

bash```bash
docker pull lwthiker/curl-impersonate:0.6-chrome
```



This downloads the Chrome-impersonating build of curl, which includes patched TLS and HTTP/2 behavior.

Then run the wrapper from Python with `subprocess`:

python```python
import subprocess

target_url = "https" + "://web-scraping.dev/products"

# Run the Chrome 110 wrapper inside Docker.
# This reproduces Chrome's TLS and HTTP/2 handshake
# but does NOT rewrite the TCP SYN packet your OS sends.
result = subprocess.run(
    [
        "docker",
        "run",
        "--rm",  # remove the container after it exits
        "lwthiker/curl-impersonate:0.6-chrome",  # Chrome-impersonating build
        "curl_chrome110",  # wrapper script for Chrome 110 profile
        target_url,
    ],
    capture_output=True,
    text=True,
    check=True,
)

print(result.stdout[:500])
```



Example outputhtml```html
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    ...
    <title>web-scraping.dev product page 1</title>
    ...
  </head>
  ...
</html>
```



This example uses the official `curl_chrome110` wrapper from the project README, so the TLS and HTTP handshake match a real Chrome profile. It is a fast option for static or lightly protected pages, but it still leaves the underlying TCP stack untouched.

If you want to inspect the browser layer too, [browser fingerprinting with CreepJS](https://scrapfly.io/blog/posts/browser-fingerprinting-with-creepjs) is a useful companion test. It helps you separate TCP problems from JavaScript and browser-environment problems.

### Scrapfly Native TCP Fingerprint Matching

Scrapfly's Anti-Scraping Protection (ASP) keeps fingerprints coherent across layers. It sets the User-Agent for Chrome bypasses and matches the OS and headers to the exit proxy hardware. That makes ASP a strong fit for cross-layer mismatch.

The Python SDK entry point is straightforward:

bash```bash
pip install scrapfly-sdk
```



This installs the Scrapfly Python SDK, which provides the `ScrapflyClient` and `ScrapeConfig` classes used below.

python```python
from scrapfly import ScrapeApiResponse, ScrapeConfig, ScrapflyClient

scrapfly = ScrapflyClient(key="YOUR_SCRAPFLY_API_KEY")

api_response: ScrapeApiResponse = scrapfly.scrape(
    ScrapeConfig(
        url="https://web-scraping.dev/products",
        asp=True,  # enable anti-scraping protection bypass
        proxy_pool="public_residential_pool",  # use residential proxies
        country="US",  # route through a US exit node
    )
)

# Check the upstream status code and extract product titles
print(api_response.upstream_status_code)
print(api_response.selector.css("h3 a::text").getall()[:3])
```



Example outputtext```text
200
['Box of Chocolate Candy', 'Dark Red Energy Potion', 'Teal Energy Potion']
```





Scrapfly provides web scraping, screenshot, and extraction APIs for data collection at scale. For TCP/IP fingerprinting, it keeps the network, TLS, and HTTP layers coherent so a target sees a real browser from the first SYN packet.

Its [Web Scraping API](https://scrapfly.io/web-scraping-api) hits a 99.99% success rate across 130M+ proxies in 190+ countries.

Key features for staying coherent across layers:

- [Anti-Scraping Protection bypass](https://scrapfly.io/docs/scrape-api/anti-scraping-protection): defeats Cloudflare, DataDome, PerimeterX, Akamai, and 90+ other bot systems with one flag.
- [Proxy rotation](https://scrapfly.io/docs/scrape-api/proxy): residential and datacenter pools with country and ASN level geo-targeting, so the exit hardware matches the OS you present.
- [JavaScript rendering](https://scrapfly.io/docs/scrape-api/javascript-rendering): renders single-page apps through real cloud browsers, so the target sees a full DOM.
- [Session management](https://scrapfly.io/docs/scrape-api/session): keeps cookies, headers, and IPs consistent across multi-step flows.
- [Format conversion](https://scrapfly.io/docs/scrape-api/getting-started#api_param_format): returns pages as HTML, JSON, clean text, or LLM-ready Markdown.

ASP matches the IP type, OS signals, TLS, and headers for you. A Linux server stops leaking a Linux fingerprint behind a Windows browser claim. Scrapfly handles the network layer; your code handles the data.

### Web Scraping API

Scrape any website with our powerful API. Anti-bot bypass, JavaScript rendering, and rotating proxies built-in.



[Try Web Scraping API](https://scrapfly.io/docs/scrape-api/getting-started)





## Test Your Current TCP/IP Fingerprint

If you only remember one step from this guide, make it this one. Test your TCP/IP fingerprint with [Scrapfly's device fingerprint tool](https://scrapfly.io/web-scraping-tools/device-fingerprint) before you debug another header rotation script.

The tool shows the OS class the server sees, your JA4T string, and a Satori-style fingerprint. That gives you the same passive view a target can log at connection time.

Scrapfly's tool page also notes that deeper comparisons against known fingerprints are available. Treat it as both a quick check and a debugging aid.

When you run the test, compare two things:

- Does the detected OS match the operating system in your User-Agent?
- Does the MSS look like a clean path or like a tunneled path?

For a second opinion, BrowserLeaks exposes a TCP/IP fingerprint view at [BrowserLeaks IP and network tests](https://browserleaks.com/ip). Zardaxt remains a good self-hosted option through its public GitHub repository.

The goal is not to chase a perfect score. The goal is to catch obvious impossibilities before the target does.



## FAQ

What is TCP/IP stack fingerprinting?TCP/IP stack fingerprinting is a passive technique that identifies the OS from the SYN packet fields it sends. Anti-bot systems read the TTL, window size, MSS, and options order to spot proxies, VPNs, and scrapers before HTTP parsing starts.







What is remote OS detection using TCP/IP stack fingerprinting?Remote OS detection means inferring the sender's operating system from network packets. Active tools send probes on purpose, while passive systems read the SYN packet that arrives during a normal connection.







How do you test your TCP/IP fingerprint?Use a passive fingerprinting endpoint like Scrapfly's device fingerprint tool and check the OS class, JA4T string, and network fingerprints the server receives. BrowserLeaks and Zardaxt are good follow-up checks.







Does changing the User-Agent change your TCP fingerprint?No, the User-Agent is an HTTP header your application sends, while the TCP fingerprint comes from the OS kernel and network path. Passive detection systems look for exactly that mismatch.









## Summary

TCP/IP stack fingerprinting matters because it shifts detection earlier. The server does not wait for headers, JavaScript, or browser behavior. The first SYN packet can already say "Linux proxy" while the request claims "Windows Chrome."

That does not mean every scraper needs kernel surgery. TCP, TLS, HTTP, browser, and IP signals do not hold separate truths; anti-bot systems score the combination, and mismatches between layers make automation obvious.

Start by testing what the server sees. If the fingerprint is wrong at the network layer, that explains why the rest of the session keeps getting challenged.



Legal Disclaimer and PrecautionsThis tutorial covers popular web scraping techniques for education. Interacting with public servers requires diligence and respect:

- Do not scrape at rates that could damage the website.
- Do not scrape data that's not available publicly.
- Do not store PII of EU citizens protected by GDPR.
- Do not repurpose *entire* public datasets which can be illegal in some countries.

Scrapfly does not offer legal advice but these are good general rules to follow. For more you should consult a lawyer.

 

   Table of Contents















 

  Table of Contents- [Key Takeaways](#key-takeaways)
- [What Is TCP/IP Stack Fingerprinting?](#what-is-tcp-ip-stack-fingerprinting)
- [The OS Fingerprint Reference Table](#the-os-fingerprint-reference-table)
- [How Your Scraper Gets Caught](#how-your-scraper-gets-caught)
- [The User-Agent vs. TCP Stack Mismatch Problem](#the-user-agent-vs-tcp-stack-mismatch-problem)
- [Why Standard Proxies Don't Hide Your Fingerprint](#why-standard-proxies-don-t-hide-your-fingerprint)
- [How Anti-Bot Systems Score TCP Fingerprints](#how-anti-bot-systems-score-tcp-fingerprints)
- [How JA4T Standardized TCP Fingerprinting](#how-ja4t-standardized-tcp-fingerprinting)
- [How to Bypass TCP/IP Fingerprinting](#how-to-bypass-tcp-ip-fingerprinting)
- [Web Scraping API](#web-scraping-api)
- [Test Your Current TCP/IP Fingerprint](#test-your-current-tcp-ip-fingerprint)
- [FAQ](#faq)
- [Summary](#summary)
 
    Join the Newsletter  Get monthly web scraping insights 

 

  



Scale Your Web Scraping

Anti-bot bypass, browser rendering, and rotating proxies, all in one API. Start with 1,000 free credits.

  No credit card required  1,000 free API credits  Anti-bot bypass included 

 [Start Free](https://scrapfly.io/register) [View Docs](https://scrapfly.io/docs/onboarding) 

 Not ready? Get our newsletter instead. 

 

## Explore this Article with AI

 [ ChatGPT ](https://chat.openai.com/?q=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Ftcp-ip-stack-fingerprinting-proxy-bypass) [ Gemini ](https://www.google.com/search?udm=50&aep=11&q=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Ftcp-ip-stack-fingerprinting-proxy-bypass) [ Grok ](https://x.com/i/grok?text=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Ftcp-ip-stack-fingerprinting-proxy-bypass) [ Perplexity ](https://www.perplexity.ai/search/new?q=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Ftcp-ip-stack-fingerprinting-proxy-bypass) [ Claude ](https://claude.ai/new?q=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Ftcp-ip-stack-fingerprinting-proxy-bypass) 



 ## Related Articles

 [  

 blocking 

### What is CreepJS Browser Fingerprint and How to Bypass It

In this article, we will explore the inner workings of CreepJS, one of the prominent browser fingerprinting tools and ho...

 

 ](https://scrapfly.io/blog/posts/browser-fingerprinting-with-creepjs) [  

 proxies 

### Proxy vs VPN: In-Depth Comparison

Explore the proxy vs vpn debate with insights on key differences, benefits, limitations and alternatives. Discover when ...

 

 ](https://scrapfly.io/blog/posts/proxy-vs-vpn) [     

 http blocking 

### Post-Quantum TLS: Why Scraping Tools Are Now Exposed

Post-quantum TLS is now a live bot detection signal. Modern browsers send X25519MLKEM768 key shares by default, and scra...

 

 ](https://scrapfly.io/blog/posts/post-quantum-tls-bot-detection) 

  



   



 Bypass anti-bot protection automatically, **1,000 free credits** [Start Free](https://scrapfly.io/register)