Curlium
Speaks byte-perfect Chrome. Across TLS, HTTP/2, HTTP/3.
- Byte-perfect Chrome on the wire. JA4, HTTP/2 SETTINGS, QUIC transport params all match the reference Chrome build exactly.
- Proven at scale. Runs behind the Scrapfly Web Scraping API at 5B+ scrapes per month on protected websites.
- 10-50x faster than a browser. No JS engine, no DOM, no rendering. Use Curlium when you can, Scrapium when you must.
4
libraries patched in lockstep
12
QUIC transport fields matched
3 days
max lag tracking Chrome + curl upstream, fully automated
Four Libraries. One Chrome Identity.
Every patch target with its detection fingerprint.
Genuine Windows, macOS, Linux Profiles
Not a one-size-fits-all client. Curlium emits the exact TLS, HTTP/2, and HTTP/3 wire format that Chrome ships on each OS: Windows Chrome's cipher order, macOS Chrome's ALPS extension, Linux Chrome's HPACK defaults. The proxy chain guarantees OS-to-exit-peer alignment: a Windows client always exits through a Windows peer.
Byte-Perfect Chrome
Same JA4. Same HTTP/2 SETTINGS. Same QUIC transport params. Every wire-format match, not an approximation.
Protocol Stack
Each layer bit-for-bit Chrome. No protocol gaps.
| TCP | Kernel TCP flags aligned |
| TLS 1.3 | JA4 hash + GREASE positions |
| HTTP/2 | SETTINGS + HPACK + frame order |
| HTTP/3 | QUIC transport params |
| DNS | DNS-over-HTTPS routing |
| Proxy | TCP fingerprint Chrome-aligned |
10-50x Faster
No JS engine. No DOM. No rendering. Just patched HTTP.
Bypasses Every Major Antibot
HTTP-layer antibot stacks see genuine Chrome fingerprints. Tested against every major vendor.
See full bypass coverageUDP Over Proxy
HTTP/3 tunneled through a standard HTTP proxy. Rare capability; most HTTP clients can't do this at all.
- QUIC-over-HTTP tunnel
- Proxy CONNECT-UDP extension
- 0-RTT resumption preserved
End-To-End Geo Coherence
Proxy IP, Accept-Language, and TLS SNI all agree. Detection systems flag any mismatch across the chain. Curlium aligns every link automatically: proxy exit country decides the Accept-Language header, the client-hints platform string, and the character encoding order.
Localized DNS + Session Cache
Bots re-resolve, re-handshake, re-negotiate on every request. Real Chrome caches aggressively and returns fast on revisit. Curlium mimics both.
Frequently Asked Questions
WHAT IS CURLIUM?
Curlium is Scrapfly's patched HTTP client built on curl, BoringSSL, nghttp3, and ngtcp2. It produces byte-perfect Chrome TLS ClientHello, HTTP/2 SETTINGS, Client Hints, and QUIC transport parameters. Used for HTTP-level scraping where a full browser is not required but protocol-level fingerprint consistency is critical.
IS CURLIUM PROVEN AT SCALE?
Yes. Curlium runs behind the Scrapfly Web Scraping API at 5B+ scrapes per month against protected websites. Every Scrapfly customer hitting a target that does not need JavaScript execution is running through Curlium without configuring it directly. Production workload, production detection vendors, production pass rates.
WHEN SHOULD I USE CURLIUM VS SCRAPIUM?
Curlium is an HTTP client: fast, no JavaScript, no DOM, no rendering. Scrapium is a full browser: required when targets run JS-based fingerprinting, challenge scripts, or need DOM interaction. Scrapfly selects the right tool automatically per target. You can also alternate between the two on the same session without a fingerprint change: JA4, Chrome version, proxy IP, and Accept-Language stay aligned.
HOW DOES CURLIUM STAY CURRENT?
Our engineering team auto-tracks two upstreams: Chrome stable (for fingerprint targets) and official curl (for HTTP client internals). Both roll into Curlium with a maximum 3-day lag from GA, fully automated. No customer config, no version-lag fingerprint signal.
DOES CURLIUM SUPPORT HTTP/3?
Yes. Curlium patches nghttp3 and ngtcp2 so all QUIC transport parameter fields are sent in Chrome's exact order with Chrome's exact values. When a target advertises HTTP/3 via ALPN, Curlium negotiates QUIC automatically. HTTP/3 traffic flows end-to-end through Scrapfly's proxy network: standard HTTP proxies tunnel TCP only via CONNECT, so carrying UDP for QUIC required custom plumbing in our proxy layer. Most HTTP clients cannot do this at all.
DOES CURLIUM HANDLE CLIENT HINTS?
Yes. Curlium emits Chrome's full Client Hints chain: sec-ch-ua, sec-ch-ua-platform, sec-ch-ua-mobile, sec-ch-ua-full-version-list, and all the lesser-known hints. It also handles Chrome's pre-hint Accept-CH negotiation so that a first visit behaves the way a browser does, not the way a bot does. The values stay consistent with the proxy exit country and the TLS profile.
HOW DOES CURLIUM MIMIC BROWSER CACHING?
Detection systems time the sequence of DNS resolution, TLS handshake, and HTTP/2 negotiation. Real browsers on a return visit are fast because DNS is cached and TLS session tickets let 0-RTT resume. Most bots re-resolve and re-handshake every request, which is a tell. Curlium uses localized DNS resolvers geo-aligned to the proxy exit region, caches resolved IPs per session, and replays TLS session tickets when the server allows.
Alternate Curlium and Scrapium without getting caught.
Best of both worlds on the same target session. Start with Curlium for speed, switch to Scrapium when JavaScript or DOM interaction is required, switch back. Same JA4 hash, same Chrome version, same proxy IP, same Accept-Language. Detection systems never see a fingerprint change mid-session.
- Same JA4 hash. Curlium and Scrapium emit identical TLS fingerprint.
- Same Chrome version. Both auto-tracked, never out of sync.
- Auto-routed per target. Scrapfly picks the right tool, you don't configure it.