HTTP/2 fingerprinting

Definition

HTTP/2 fingerprinting is a detection technique that identifies automated traffic by the specific structure of HTTP/2 frames a client sends during connection setup. HTTP/2's framing layer exposes many parameters (SETTINGS values, WINDOW_UPDATE sizes, priority trees, header ordering) that browsers implement consistently but that libraries and bots often implement differently — producing fingerprints that distinguish real browsers from automation.

The canonical reference is Akamai's "HTTP/2 fingerprinting" research (published ~2020-2022). Most modern anti-bot systems include HTTP/2 fingerprint checks alongside TLS JA3.

Why it matters for AI scraping

Scrapers that send realistic-looking HTTP/1.1 headers may still be trivially identifiable on HTTP/2 because the framing layer signature differs from a real Chrome or Firefox. Sites using Cloudflare, Akamai, DataDome, or PerimeterX commonly classify HTTP/2 fingerprint as part of their bot-score computation.

For AI data collection, this means:

• curl with HTTP/2 enabled has a distinct fingerprint from Chrome
• httpx with HTTP/2 has its own fingerprint
• requests doesn't support HTTP/2 natively (so the fingerprint problem is different — falls back to HTTP/1.1, which has its own fingerprint issues)

How to handle it

Two working approaches:

1. Use a headless browser for high-stakes targets — real Chrome via Playwright produces a real Chrome HTTP/2 fingerprint.
2. Use a fingerprint-impersonating client like curl-cffi or tls-client that explicitly replicates Chrome's HTTP/2 signature.

The proxy layer doesn't fix this. The proxy layer provides network origin; the HTTP/2 fingerprint comes from your client.

Related

• TLS fingerprinting (JA3) glossary entry
• Proxies for AI browser agents
• Residential proxy class