# QUIC/HTTP3 Fingerprint Test how QUIC/HTTP3 fingerprinting identifies your browser through JA4 hash, QUIC protocol parameters, TLS 1.3 over QUIC handshake, and HTTP/3 SETTINGS frames. Learn how modern protocols are used for browser identification. ### Programmatic Access Curl Command (requires HTTP/3 support) curl --http3-only 'https://quic.tools.scrapfly.io/api/fp/quic' Generating QUIC Fingerprint... ### HTTP/3 Not Available Your browser or network does not support QUIC/HTTP3. #### Why HTTP/3 Might Not Work: - **Browser Support:** Chrome 91+, Firefox 88+, Safari 16.4+, Edge 91+ required - **Network Restrictions:** Some corporate firewalls block UDP traffic (QUIC uses UDP port 443) - **VPN/Proxy:** Many VPNs don't support UDP forwarding, falling back to TCP - **ISP Blocking:** Some ISPs throttle or block QUIC traffic #### How to Enable HTTP/3: - **Chrome:** Navigate to `chrome://flags/#enable-quic` and enable QUIC protocol - **Firefox:** Go to `about:config` and set `network.http.http3.enabled` to `true` - **Disable VPN:** Try connecting without VPN to allow UDP traffic ### User Agent Loading... ### JA4 QUIC Fingerprint JA4 is the successor to JA3, designed to fingerprint QUIC and HTTP/3 connections. The 'q' prefix indicates QUIC protocol (vs 't' for TCP/TLS). [JA4+ Specification](https://github.com/FoxIO-LLC/ja4) JA4 Fingerprint (Full) Generating... JA4 Hash (Short) Generating... JA4_r (Raw String) Generating... ##### JA4 FINGERPRINT BREAKDOWN PART A (METADATA) -- `q` =QUIC, `t` =TCP | TLS version | SNI | cipher count | extension count | ALPN PART B (CIPHERS) -- Truncated SHA256 of sorted cipher suites (first 12 hex chars) PART C (EXTENSIONS + SIGALGS) -- Truncated SHA256 of sorted extensions + signature algorithms ### HTTP/3 Fingerprint (H3) HTTP/3 fingerprint based on SETTINGS frame parameters. Different browsers send different SETTINGS values, creating unique fingerprints. H3 Fingerprint Hash (MD5) Generating... H3 Fingerprint Text Generating... ### Compare My Fingerprint See how your HTTP/3 + QUIC fingerprint matches against known browser profiles from our database. Analyzing fingerprint... ##### Unlock Real Fingerprint Analysis Sign up for free to see how your actual HTTP/3 fingerprint compares against our database of real browser profiles. [ Sign Up Free ](https://scrapfly.io/register)Already have an account? [Log in](https://scrapfly.io/login) ### QUIC Connection Info QUIC connection identifiers and parameters. Connection IDs enable connection migration when your IP changes. [RFC 9000](https://datatracker.ietf.org/doc/html/rfc9000) QUIC Version -- 0-RTT -- Connection Time -- Destination Connection ID (DCID) -- Source Connection ID (SCID) -- #### QUIC Transport Parameters Transport parameters define connection limits and capabilities. These values are exchanged during the handshake and used for fingerprinting. [RFC 9000 Section 18.2](https://datatracker.ietf.org/doc/html/rfc9000#section-18.2) | Parameter | Value | |---|---| | Loading... | ### TLS 1.3 over QUIC QUIC uses TLS 1.3 for encryption, integrated directly into the transport layer for faster handshakes (0-RTT or 1-RTT). [RFC 9001](https://datatracker.ietf.org/doc/html/rfc9001) TLS Version -- Selected Cipher Suite -- Cipher Suite ID -- #### TLS Random 32-byte random value from the ClientHello, used for key derivation. -- #### Cipher Suites Offered cipher suites in order of preference. QUIC/TLS 1.3 only supports AEAD ciphers. Click any cipher to learn more about it. Loading... #### TLS Extensions TLS extensions from the ClientHello. Extension order and values contribute to fingerprinting. [RFC 8446 Section 4.2](https://datatracker.ietf.org/doc/html/rfc8446#section-4.2) Loading... #### Supported Groups (Elliptic Curves) Supported groups for key exchange. Groups marked "Key Share" have key material included in the ClientHello for 1-RTT handshake. Loading... ### HTTP/3 Protocol Details HTTP/3 frames captured from your connection. The SETTINGS frame reveals client capabilities used for fingerprinting. [RFC 9114 Section 7.2.4](https://datatracker.ietf.org/doc/html/rfc9114#section-7.2.4) Loading HTTP/3 frames... ### Raw JSON Response Complete fingerprint data in JSON format. Click on keys to copy paths, click on values to copy values. Use the toolbar to search, expand/collapse all, or copy the full JSON. Loading JSON data... QUIC (Quick UDP Internet Connections) is a modern transport layer protocol developed by Google and standardized by the IETF. It powers HTTP/3, the latest version of the HTTP protocol. #### Key Features of QUIC - **Built on UDP:** Unlike TCP, QUIC uses UDP to avoid head-of-line blocking - **Integrated TLS 1.3:** Encryption is built into the protocol, not layered on top - **0-RTT Resumption:** Previously visited sites can resume instantly without handshake - **Connection Migration:** Connections survive IP address changes (e.g., WiFi to cellular) - **Multiplexed Streams:** Multiple streams without head-of-line blocking #### QUIC vs TCP | Feature | TCP + TLS | QUIC | |---|---|---| | Handshake Round Trips | 2-3 RTT (TCP + TLS) | 1 RTT (or 0 with 0-RTT) | | Head-of-Line Blocking | Yes (per connection) | No (per stream only) | | Connection Migration | No | Yes | | Encryption | Optional (TLS layer) | Mandatory (built-in) | JA4 is the successor to JA3, designed to fingerprint TLS connections including QUIC and HTTP/3. While JA3 uses a 't' prefix for TCP TLS connections, JA4 for QUIC uses a 'q' prefix. #### JA4 Format JA4 fingerprints follow the format: `a_b_c` - **a (Protocol Info):** Protocol type (q=QUIC, t=TCP), TLS version, SNI mode, cipher count, extension count, ALPN - **b (Cipher Hash):** Truncated SHA256 hash of sorted cipher suites (12 chars) - **c (Extension Hash):** Truncated SHA256 hash of extensions and signature algorithms (12 chars) #### JA4 Example Breakdown ``` q13d0313h3_0f2cb44170f4_e3b0c44298fc │││││││││ │ │ │││││││││ │ └─ Extension hash (12 chars) │││││││││ └────────────── Cipher hash (12 chars) ││││││││└─────────────── ALPN (h3 = HTTP/3) │││││││└──────────────── Extension count (13) ││││││└───────────────── Cipher count (03) │││││└────────────────── SNI present (d) ││││└─────────────────── TLS version (13 = TLS 1.3) │││└──────────────────── Protocol (q = QUIC) ``` #### JA4 vs JA3 | Feature | JA3 | JA4 | |---|---|---| | Hash Algorithm | MD5 (full) | SHA256 (truncated) | | Protocol Support | TCP/TLS only | TCP/TLS and QUIC | | Readable Format | No (just hash) | Yes (includes metadata) | | ALPN Included | No | Yes | JA4 provides stronger fingerprinting than JA3 because QUIC connections expose additional protocol parameters like transport settings, 0-RTT support, and datagram capabilities. Encrypted Client Hello (ECH) is a TLS extension that encrypts the ClientHello message, hiding sensitive information like the Server Name Indication (SNI) from network observers. #### Why ECH Matters - **Privacy:** Network observers cannot see which domain you're connecting to - **Censorship Resistance:** Makes it harder to block specific websites - **Fingerprinting Impact:** Outer SNI shows a generic domain, hiding the real destination #### How ECH Works 1. DNS returns an ECH configuration (via HTTPS record) 2. Client encrypts the real ClientHello with the server's public key 3. An "outer" ClientHello with a different SNI is visible to observers 4. Server decrypts and processes the real "inner" ClientHello ###### ECH and Fingerprinting When ECH is active, the fingerprint is derived from the encrypted inner ClientHello. The outer SNI (shown in the UI) is typically a generic Cloudflare domain, while your actual destination remains private. As websites migrate to HTTP/3, anti-bot systems are adding QUIC fingerprinting to their detection arsenal: #### Detection Methods - **JA4 Blacklisting:** Block known automation tool QUIC fingerprints - **Protocol Consistency:** Verify browser claims match QUIC capabilities - **Transport Parameters:** Check QUIC transport settings match expected browser values - **0-RTT Behavior:** Real browsers use 0-RTT for repeat visits; bots often don't - **HTTP/3 SETTINGS:** QPACK parameters and datagram support vary by browser #### Fingerprinting Vectors in QUIC | Vector | What It Reveals | Uniqueness | |---|---|---| | JA4 Hash | TLS configuration (ciphers, extensions) | High | | Transport Parameters | QUIC flow control settings | Medium | | HTTP/3 SETTINGS | QPACK, datagram support | Medium | | Connection ID Length | Implementation-specific | Low | #### Challenges for Web Scrapers - **curl:** Only supports HTTP/3 with experimental builds (--http3-only flag) - **Python requests:** No native QUIC support - **Go:** quic-go library available but fingerprint differs from browsers - **Browser Automation:** Puppeteer/Playwright use real browsers with correct fingerprints #### Current Options ###### 1. Browser Automation (Recommended) Puppeteer, Playwright, and Selenium use real browser engines that support HTTP/3 with correct QUIC fingerprints. ```javascript const browser = await puppeteer.launch(); const page = await browser.newPage(); // Browser automatically uses HTTP/3 when available await page.goto('https://http3-site.com'); ``` ###### 2. Fallback to HTTP/2 Most sites still support HTTP/2 fallback. If QUIC fingerprinting blocks you, use TCP-based connections with proper JA3 fingerprinting. ###### 3. Scrapfly ASP Scrapfly's Anti-Scraping Protection automatically handles protocol negotiation and uses real browser fingerprints for both HTTP/2 and HTTP/3. ```python from scrapfly import ScrapflyClient, ScrapeConfig client = ScrapflyClient(key='YOUR_API_KEY') result = client.scrape(ScrapeConfig( url='https://http3-site.com', asp=True # Handles QUIC fingerprinting automatically )) ``` ###### Pro Tip Most anti-bot systems prioritize HTTP/2 + JA3 fingerprinting over QUIC/JA4. Focus on getting JA3 right first, and QUIC fingerprinting will follow naturally when using browser automation or services like Scrapfly. You can access your QUIC fingerprint programmatically via our API (requires HTTP/3 support): #### API Endpoint ``` GET https://quic.tools.scrapfly.io/api/fp/quic ``` #### Response Format (JSON) ``` { "user_agent": "Mozilla/5.0 ...", "ja4": "q13d0313h3_0f2cb44170f4_e3b0c44298fc", "ja4_r": "q13d0313h3_1301_", "ja4_hash": "b8f0b1ffca70", "h3_hash": "3ea2ceb1247f05496538d350915beeb6", "h3_text": "1:65536;7:100;51:1;39484089984:2235535436", "quic": { "dcid": "55fd4caf46c83010", "dcid_length": 8, "scid": "961d09d6", "scid_length": 4, "0-rtt": false, "version": { "id": 1, "name": "QUICv1" }, "transport_parameters": { "initial_max_data": 15728640, "initial_max_streams_bidi": 100, "max_idle_timeout_ms": 30000 } }, "tls": { "ech": { "ech_success": true, "outer_sni": "example.com" }, "cipher_suite": { "id": 4865, "name": "TLS_AES_128_GCM_SHA256" }, "cipher_suites": [...], "extensions": [...], "selected_version": { "id": 772, "name": "TLS 1.3" } }, "http3": [ { "id": 4, "name": "SETTINGS", "stream_id": 2, "settings": [ { "id": 1, "name": "SETTINGS_QPACK_MAX_TABLE_CAPACITY", "value": 65536 } ] } ] } ``` #### curl Example (requires HTTP/3 build) ``` # Requires curl compiled with HTTP/3 support (nghttp3 + ngtcp2 or quiche) curl --http3-only 'https://quic.tools.scrapfly.io/api/fp/quic' # Check if your curl supports HTTP/3: curl --version | grep HTTP3 ``` #### JavaScript Example ``` // Browser will automatically use HTTP/3 if supported fetch('https://quic.tools.scrapfly.io/api/fp/quic') .then(r => r.json()) .then(data => { console.log('JA4:', data.ja4); console.log('JA4 Hash:', data.ja4_hash); console.log('H3 Hash:', data.h3_hash); console.log('ECH Active:', data.tls?.ech?.ech_success); console.log('QUIC Version:', data.quic?.version?.name); }); ``` The fingerprint data is also available in the browser console via `window.fingerprint`. ## How to bypass web scraping bot detection [ Tutorial on how to avoid web scraper blocking. What is javascript and TLS (JA3) fingerprinting and what role request headers play in blocking. ](https://scrapfly.io/blog/posts/how-to-scrape-without-getting-blocked-tutorial/ "How to Scrape Without Getting Blocked Tutorial") [ Introduction to web scraping headers - what do they mean, how to configure them in web scrapers and how to avoid being blocked. ](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-headers/ "How to Avoid Web Scraping Blocking: Headers Guide") [ Introduction to how javascript is used to detect web scrapers. What's in javascript fingerprint and how to correctly spoof it for web scraping. ](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-javascript/ "How to Avoid Web Scraping Blocking")