What is browser fingerprinting?
Websites identify browsers by combining TLS, HTTP/2, header order, canvas, WebGL, and runtime signals. Scrapers that only change the User-Agent are often blocked because the on-the-wire fingerprint still looks like Node.js or automation.
Below: test sites, libraries, and research we use alongside the Piloterr fingerprinting toolbox.
Test sites
Capture baselines and compare against your scraper setup:
- tls.peet.ws, TLS + HTTP/2 capture (paste JSON into our TLS Capture Analyzer)
- tls3.peet.ws, HTTP/3 API
- AmIUnique
- PixelScan
- BrowserLeaks
- bot-detector, CDP / automation leaks (pairs with Headless Signals Checker)
- DeviceAndBrowserInfo
Piloterr toolbox
Browser-only tools to decode and inspect captures, they complement the sites above:
- TLS Capture Analyzer, parse tls.peet.ws
/api/allJSON - JA4 Decoder
- HTTP/2 Akamai Decoder
- Chrome Request Headers Builder
- Headless Signals Checker
- Browser Fingerprint Report, local canvas/WebGL signals (educational; not equivalent to FingerprintJS)
TLS impersonation libraries
Open-source clients that emulate browser TLS handshakes:
Browser fingerprinting libraries
Reference implementations and research projects:
- FingerprintJS
- CreepJS
- salesforce/ja3, JA3 TLS fingerprinting
- FingerprintJS BotD
Key research
- JA4+ network fingerprinting (FoxIO)
- Salesforce: TLS fingerprinting with JA3
- Understanding HTTP/2 fingerprinting
- Detecting headless browsers (Antoine Vastel)
Piloterr guides
Articles on HTTP clients we use in scraping workflows:
- hellojs vs undici, Node.js TLS/JA4
- Wreq, related to reqwest-impersonate (same author)
- RNet, Python bindings for the wreq engine
Piloterr products
- Anti-Bot Bypass, managed TLS and browser emulation for scrapers
- WAF Bypass, bypass Cloudflare, Akamai, and similar WAFs
- Headless Browser, rendered pages with realistic fingerprints