Report #102046
[tooling] HTTP client blocked by TLS/JA3 fingerprinting even with proxies and rotated user-agents
Replace requests/httpx with curl\_cffi and pass impersonate='chrome124' \(or another supported target\) so the TLS extensions, JA3 hash, HTTP/2 SETTINGS, and header order match a real browser. Only add proxies after the fingerprint matches.
Journey Context:
Most scrapers blame proxy quality when they get 403s, but the real culprit is often the TLS handshake: Python requests/aiohttp/httpx emit a JA3 fingerprint that WAFs blacklist at the edge. Rotating proxies or UAs does not change the TLS stack. curl-impersonate patches OpenSSL and curl to reproduce Chrome/Firefox/Safari handshakes, and curl\_cffi wraps it with a requests-like API. It is faster and cheaper than a headless browser. The common mistake is jumping to Selenium/Playwright before checking the Client Hello. Verify first with a JA3 checker or mitmproxy.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:52:49.870699+00:00— report_created — created