# HTTP/2 Fingerprint Test your browser's HTTP/2 fingerprint based on SETTINGS frames, WINDOW\_UPDATE, priority, and pseudo-header order. Learn how HTTP/2 configuration is used to detect bots and block web scrapers. ### HTTP/2 Fingerprint Fingerprint Hash (MD5) Generating... Raw Fingerprint String Generating... Curl Command curl 'https://tools.scrapfly.io/api/fp/akamai' Format: `[SETTINGS]|WINDOW_UPDATE|PRIORITY|Pseudo-Header-Order|HEADERS_FRAME|WINDOW_UPDATE` Generating HTTP/2 Fingerprint... ### Compare My Fingerprint See how your HTTP/2 fingerprint matches against known browser profiles from our database. Analyzing fingerprint... ##### Unlock Real Fingerprint Analysis Sign up for free to see how your actual HTTP/2 fingerprint compares against our database of real browser profiles. [ Sign Up Free ](https://scrapfly.io/register)Already have an account? [Log in](https://scrapfly.io/login) ### HTTP/2 Frame Timeline SETTINGS Frame 1 WINDOW_UPDATE Frame 2 HEADERS Frame 3 ``` Loading... ``` ### SETTINGS Frame Parameters HTTP/2 SETTINGS frame defines connection parameters that are unique to each browser implementation. ### WINDOW\_UPDATE Frame Window Size Increment -- ### Stream Priority Stream Dependency -- Weight -- Exclusive -- ### Pseudo-Header Order The order of HTTP/2 pseudo-headers (:method, :authority, :scheme, :path) varies by browser and is part of the fingerprint. HTTP/2 fingerprinting analyzes the configuration and behavior of HTTP/2 connections to identify the browser or HTTP client being used. Unlike HTTP/1.1, HTTP/2 introduces new frames and parameters that vary across implementations. #### Key Fingerprinting Components - **SETTINGS Frame:** Parameters like header table size, max concurrent streams, initial window size - **WINDOW\_UPDATE:** Flow control window size increments - **PRIORITY:** Stream dependency, weight, and exclusive flag - **Pseudo-Header Order:** Order of :method, :authority, :scheme, :path headers - **Frame Timing:** Sequence and timing of frame transmission #### AKAMAI HTTP/2 Fingerprint Format AKAMAI (a major CDN provider) uses this format for HTTP/2 fingerprinting: `[SETTINGS params]|WINDOW_UPDATE|PRIORITY|Pseudo-Header-Order|...` This captures the most distinctive aspects of an HTTP/2 connection in a compact string that can be hashed and compared. #### Why HTTP/2? HTTP/2 provides more fingerprinting data points than HTTP/1.1 because: - Binary framing protocol with configurable parameters - Multiple streams over single connection (multiplexing) - Flow control mechanisms with browser-specific defaults - Server push and priority handling varies by implementation Websites and CDNs use HTTP/2 fingerprints to identify automated tools and scrapers: #### Detection Techniques - **Blacklist Known Clients:** Block fingerprints from curl, Python requests, Go http client, etc. - **Inconsistency Detection:** Compare HTTP/2 fingerprint with User-Agent and TLS fingerprint - **Default Detection:** Flag connections using library defaults that differ from browsers - **Temporal Analysis:** Browsers update HTTP/2 configs with new versions - outdated configs are suspicious #### Common Scraper Signatures - `curl` - Uses nghttp2 library with distinctive SETTINGS parameters - `Python httpx` - HTTP/2 support with h2 library defaults - `Go net/http` - golang.org/x/net/http2 implementation fingerprint - `Node.js http2` - Uses Node's built-in http2 module with specific defaults #### Why It's Effective HTTP/2 fingerprinting is particularly effective because: - Most HTTP libraries don't allow fine-grained HTTP/2 parameter control - Default SETTINGS values are hard-coded and rarely match browsers - Pseudo-header ordering is implementation-specific and hard to spoof - Combining with TLS fingerprinting creates very unique signatures For example, Chrome sends SETTINGS with specific values for `HEADER_TABLE_SIZE=65536` and `MAX_CONCURRENT_STREAMS=1000`, while curl uses different defaults that immediately reveal it's not a browser. Bypassing HTTP/2 fingerprinting requires matching the exact HTTP/2 configuration of a real browser: #### Best Solutions - **Browser Automation:** Puppeteer, Playwright, Selenium - real browsers have perfect HTTP/2 fingerprints - **curl-impersonate:** Modified curl that mimics Chrome/Firefox HTTP/2 behavior - **curl\_cffi (Python):** Python wrapper around curl-impersonate with HTTP/2 support - **Scrapfly API:** Automatically handles HTTP/2 fingerprinting with ASP (Anti-Scraping Protection) #### Manual Configuration (Advanced) Some HTTP/2 libraries allow manual configuration, but it's complex: - Set SETTINGS frame parameters to match target browser exactly - Configure WINDOW\_UPDATE increment values - Set stream priority parameters (dependency, weight, exclusive) - Order pseudo-headers correctly (:method, :authority, :scheme, :path) - Match frame transmission timing and sequence #### Example: Matching Chrome's HTTP/2 Config ``` SETTINGS: HEADER_TABLE_SIZE: 65536 ENABLE_PUSH: 1 MAX_CONCURRENT_STREAMS: 1000 INITIAL_WINDOW_SIZE: 6291456 MAX_FRAME_SIZE: 16384 MAX_HEADER_LIST_SIZE: 262144 WINDOW_UPDATE: 15663105 PRIORITY: stream_dep=0, weight=255, exclusive=true PSEUDO_HEADERS: :method, :authority, :scheme, :path ``` **Note:** Manual HTTP/2 configuration is extremely fragile and breaks with browser updates. Use browser automation or specialized tools for reliable results. Learn more about HTTP/2 fingerprinting and bypassing: [ Scrapfly Blog - Web Scraping Blocking Techniques ](https://scrapfly.io/blog/tags/blocking/) You can access your HTTP/2 fingerprint programmatically via our API: #### API Endpoint ``` GET https://tools.scrapfly.io/api/fp/akamai ``` #### Response Format (JSON) ``` { "http2_fingerprint": "[SETTINGS]|...", "http2_digest": "abc123...", "http2_frames": [ { "name": "SETTINGS", "settings": { "SETTINGS_HEADER_TABLE_SIZE": 65536, "SETTINGS_MAX_CONCURRENT_STREAMS": 1000, ... } }, { "name": "WINDOW_UPDATE", "window_size_increment": 15663105 }, { "name": "HEADERS", "pseudo_header_order": [":method", ":authority", ":scheme", ":path"], "stream_dependency": 0, "weight": 255, "exclusive": true } ] } ``` #### JavaScript Example ``` fetch('https://tools.scrapfly.io/api/fp/akamai') .then(r => r.json()) .then(data => { console.log('HTTP/2 Hash:', data.http2_digest); console.log('Settings:', data.http2_frames[0].settings); }); ``` The fingerprint data is also available in the browser console via `window.fingerprint`. ## How to bypass web scraping bot detection [ Tutorial on how to avoid web scraper blocking. What is javascript and TLS (JA3) fingerprinting and what role request headers play in blocking. ](https://scrapfly.io/blog/posts/how-to-scrape-without-getting-blocked-tutorial/ "How to Scrape Without Getting Blocked Tutorial") [ Introduction to web scraping headers - what do they mean, how to configure them in web scrapers and how to avoid being blocked. ](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-headers/ "How to Avoid Web Scraping Blocking: Headers Guide") [ Introduction to how javascript is used to detect web scrapers. What's in javascript fingerprint and how to correctly spoof it for web scraping. ](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-javascript/ "How to Avoid Web Scraping Blocking")