Report #100653
[tooling] Python requests/httpx/aiohttp blocked despite realistic headers because TLS and HTTP/2 fingerprints differ from a real browser
Use curl\_cffi as a drop-in replacement and set impersonate="chrome" \(or "safari", "chrome124", etc.\) so the TLS/JA3 and HTTP/2 handshakes match a real browser. It works with requests-style sessions, async, proxies, and Scrapy handlers like scrapy-impersonate.
Journey Context:
Rotating User-Agent and headers is not enough: anti-bot services fingerprint the TLS Client Hello and HTTP/2 settings, which pure-Python HTTP clients cannot alter. curl\_cffi binds to curl-impersonate \(BoringSSL/NSS\) to reproduce the exact handshake of major browsers. It is faster than requests/httpx and more maintained than alternatives like tls\_client. Pair it with residential proxies for the hardest targets; it will not solve JavaScript challenges by itself.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:52:20.305012+00:00— report_created — created