HTTP/2 Fingerprint
Test your browser's HTTP/2 fingerprint based on SETTINGS frames, WINDOW_UPDATE, priority, and pseudo-header order. Learn how HTTP/2 configuration is used to detect bots and block web scrapers.
HTTP/2 Fingerprint
Format: [SETTINGS]|WINDOW_UPDATE|PRIORITY|Pseudo-Header-Order|HEADERS_FRAME|WINDOW_UPDATE
HTTP/2 Frame Timeline
Loading...
SETTINGS Frame Parameters
HTTP/2 SETTINGS frame defines connection parameters that are unique to each browser implementation.
WINDOW_UPDATE Frame
Stream Priority
Pseudo-Header Order
The order of HTTP/2 pseudo-headers (:method, :authority, :scheme, :path) varies by browser and is part of the fingerprint.
What is HTTP/2 Fingerprinting?
HTTP/2 fingerprinting analyzes the configuration and behavior of HTTP/2 connections to identify the browser or HTTP client being used. Unlike HTTP/1.1, HTTP/2 introduces new frames and parameters that vary across implementations.
Key Fingerprinting Components
- SETTINGS Frame: Parameters like header table size, max concurrent streams, initial window size
- WINDOW_UPDATE: Flow control window size increments
- PRIORITY: Stream dependency, weight, and exclusive flag
- Pseudo-Header Order: Order of :method, :authority, :scheme, :path headers
- Frame Timing: Sequence and timing of frame transmission
AKAMAI HTTP/2 Fingerprint Format
AKAMAI (a major CDN provider) uses this format for HTTP/2 fingerprinting:
[SETTINGS params]|WINDOW_UPDATE|PRIORITY|Pseudo-Header-Order|...
This captures the most distinctive aspects of an HTTP/2 connection in a compact string that can be hashed and compared.
Why HTTP/2?
HTTP/2 provides more fingerprinting data points than HTTP/1.1 because:
- Binary framing protocol with configurable parameters
- Multiple streams over single connection (multiplexing)
- Flow control mechanisms with browser-specific defaults
- Server push and priority handling varies by implementation
How is HTTP/2 Fingerprinting Used for Bot Detection?
Websites and CDNs use HTTP/2 fingerprints to identify automated tools and scrapers:
Detection Techniques
- Blacklist Known Clients: Block fingerprints from curl, Python requests, Go http client, etc.
- Inconsistency Detection: Compare HTTP/2 fingerprint with User-Agent and TLS fingerprint
- Default Detection: Flag connections using library defaults that differ from browsers
- Temporal Analysis: Browsers update HTTP/2 configs with new versions - outdated configs are suspicious
Common Scraper Signatures
curl- Uses nghttp2 library with distinctive SETTINGS parametersPython httpx- HTTP/2 support with h2 library defaultsGo net/http- golang.org/x/net/http2 implementation fingerprintNode.js http2- Uses Node's built-in http2 module with specific defaults
Why It's Effective
HTTP/2 fingerprinting is particularly effective because:
- Most HTTP libraries don't allow fine-grained HTTP/2 parameter control
- Default SETTINGS values are hard-coded and rarely match browsers
- Pseudo-header ordering is implementation-specific and hard to spoof
- Combining with TLS fingerprinting creates very unique signatures
For example, Chrome sends SETTINGS with specific values for HEADER_TABLE_SIZE=65536
and MAX_CONCURRENT_STREAMS=1000, while curl uses different defaults that immediately
reveal it's not a browser.
How to Avoid HTTP/2 Detection
Bypassing HTTP/2 fingerprinting requires matching the exact HTTP/2 configuration of a real browser:
Best Solutions
- Browser Automation: Puppeteer, Playwright, Selenium - real browsers have perfect HTTP/2 fingerprints
- curl-impersonate: Modified curl that mimics Chrome/Firefox HTTP/2 behavior
- curl_cffi (Python): Python wrapper around curl-impersonate with HTTP/2 support
- Scrapfly API: Automatically handles HTTP/2 fingerprinting with ASP (Anti-Scraping Protection)
Manual Configuration (Advanced)
Some HTTP/2 libraries allow manual configuration, but it's complex:
- Set SETTINGS frame parameters to match target browser exactly
- Configure WINDOW_UPDATE increment values
- Set stream priority parameters (dependency, weight, exclusive)
- Order pseudo-headers correctly (:method, :authority, :scheme, :path)
- Match frame transmission timing and sequence
Example: Matching Chrome's HTTP/2 Config
SETTINGS:
HEADER_TABLE_SIZE: 65536
ENABLE_PUSH: 1
MAX_CONCURRENT_STREAMS: 1000
INITIAL_WINDOW_SIZE: 6291456
MAX_FRAME_SIZE: 16384
MAX_HEADER_LIST_SIZE: 262144
WINDOW_UPDATE: 15663105
PRIORITY: stream_dep=0, weight=255, exclusive=true
PSEUDO_HEADERS: :method, :authority, :scheme, :pathNote: Manual HTTP/2 configuration is extremely fragile and breaks with browser updates. Use browser automation or specialized tools for reliable results.
Learn more about HTTP/2 fingerprinting and bypassing: Scrapfly Blog - Web Scraping Blocking Techniques
Programmatic Access
You can access your HTTP/2 fingerprint programmatically via our API:
API Endpoint
GET https://tools.scrapfly.io/api/fp/akamaiResponse Format (JSON)
{
"http2_fingerprint": "[SETTINGS]|...",
"http2_digest": "abc123...",
"http2_frames": [
{
"name": "SETTINGS",
"settings": {
"SETTINGS_HEADER_TABLE_SIZE": 65536,
"SETTINGS_MAX_CONCURRENT_STREAMS": 1000,
...
}
},
{
"name": "WINDOW_UPDATE",
"window_size_increment": 15663105
},
{
"name": "HEADERS",
"pseudo_header_order": [":method", ":authority", ":scheme", ":path"],
"stream_dependency": 0,
"weight": 255,
"exclusive": true
}
]
}JavaScript Example
fetch('https://tools.scrapfly.io/api/fp/akamai')
.then(r => r.json())
.then(data => {
console.log('HTTP/2 Hash:', data.http2_digest);
console.log('Settings:', data.http2_frames[0].settings);
});
The fingerprint data is also available in the browser console via window.fingerprint.
