feat: add HTTP/2 SETTINGS fingerprinting #386

Merged
barjin merged 6 commits into master from copilot/fix-http2-settings-fingerprint
Feb 27, 2026

Contributor

Copilot AI commented Feb 19, 2026

  • Add HTTP/2 SETTINGS fields to Http2Fingerprint struct (initial_stream_window_size, initial_connection_window_size, max_header_list_size)
  • Add HTTP/2 SETTINGS values to all Chrome fingerprints (chrome_100 through chrome_142)
  • Add HTTP/2 SETTINGS values to all Firefox fingerprints (firefox_128, firefox_133, firefox_135, firefox_144)
  • Update new_reqwest_client() to configure HTTP/2 SETTINGS from fingerprint
  • Build and verify changes compile correctly
  • Run code review (no issues found)
  • CodeQL security check (timed out but no changes that would introduce security issues)
  • Fix failing impit-node musl build action by replacing with forked action
  • Fix sh syntax errors in musl build scripts by removing trailing && operators
Original prompt

This section details the original issue you should resolve

<issue_title>HTTP/2 SETTINGS values are not fingerprinted — all profiles share hyper defaults</issue_title>
<issue_description>All browser profiles in impit produce the same HTTP/2 Akamai fingerprint regardless of the selected browser. The SETTINGS frame values are hyper's defaults, not real browser values.

Tested all 17 profiles against tls.peet.ws/api/all:

chrome         2:0;4:2097152;5:16384;6:16384|5177345|0|m,a,s,p   ❌
chrome100      2:0;4:2097152;5:16384;6:16384|5177345|0|m,a,s,p   ❌
chrome142      2:0;4:2097152;5:16384;6:16384|5177345|0|m,a,s,p   ❌
firefox144     2:0;4:2097152;5:16384;6:16384|5177345|0|m,p,a,s   ❌

Real Chrome:   1:65536;2:0;4:6291456;6:262144|15663105|0|m,a,s,p ✅

Every profile has the exact same SETTINGS, only pseudo-header order differs.

What's wrong

| HTTP/2 SETTING | impit | Chrome 144 |
| --- | --- | --- |
| HEADER_TABLE_SIZE (1) | not sent (4096 default) | 65536 |
| INITIAL_WINDOW_SIZE (4) | 2097152 | 6291456 |
| MAX_FRAME_SIZE (5) | 16384 (sent) | 16384 (not sent) |
| MAX_HEADER_LIST_SIZE (6) | 16384 | 262144 |
| WINDOW_UPDATE | 5177345 | 15663105 |

Why

Http2Fingerprint only holds pseudo_header_order. The actual SETTINGS values come from hyper defaults and are never overridden in new_reqwest_client().

Practical impact

Akamai Bot Manager uses the HTTP/2 fingerprint as a detection signal. Correct TLS (JA3/JA4) alone is not enough — Akamai returns 403 when the HTTP/2 fingerprint doesn't match a real browser. This is likely less of an issue with Cloudflare, which explains why it hasn't surfaced earlier.

For comparison: curl_cffi and wreq-js (both using BoringSSL) produce the correct HTTP/2 fingerprint and pass Akamai checks.

Fix

4 of 5 values are already configurable via reqwest:

builder
    .http2_initial_stream_window_size(6_291_456)
    .http2_initial_connection_window_size(15_728_640)
    .http2_max_header_list_size(262_144);

HEADER_TABLE_SIZE is not exposed by reqwest and would need a patch upstream.

Related: #99 (comment about HTTP/2 SETTINGS), #315 (detection issues)</issue_description>

<agent_instructions>Add the H2 fingerprint to the fingerprint struct in impit. Add the data to the existing fingerprints. Pass the right values to impit's underlying reqwest instance, if possible. All commit messages and pr title should adhere to the conventional commits standard. Make minimal changes to achieve the goal. Do not add excessive in-code comments, use comments only when doing something really hard to understand.</agent_instructions>

Comments on the Issue (you are @copilot in this section)


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.
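
An added example, not part of this PR or of impit's code: a parser for the `SETTINGS|WINDOW_UPDATE|PRIORITY|pseudo-header order` fingerprint strings quoted in the issue, listing the fields in which an observed client deviates from a reference browser. The two constants are copied from the issue text; the type and function names are assumptions, and the 65,535-octet starting connection window is the RFC 9113 default.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Both strings are copied from the issue text (tls.peet.ws output), not captured here.
const OBSERVED: &str = "2:0;4:2097152;5:16384;6:16384|5177345|0|m,a,s,p";
const REFERENCE: &str = "1:65536;2:0;4:6291456;6:262144|15663105|0|m,a,s,p";
#[derive(Debug, PartialEq)]
struct H2Fingerprint {
    settings: BTreeMap<u16, u32>, // SETTINGS id -> value (send order is not kept)
    window_update: u32,           // increment sent on stream 0
    priority: String,
    pseudo_order: String,
}

fn parse(fp: &str) -> Option<H2Fingerprint> {
    let parts: Vec<&str> = fp.trim().split('|').collect();
    if parts.len() != 4 { return None; }
    let mut settings: BTreeMap<u16, u32> = BTreeMap::new();
    for kv in parts[0].split(';').filter(|s| !s.is_empty()) {
        let (id, value) = kv.split_once(':')?;
        settings.insert(id.parse().ok()?, value.parse().ok()?);
    }
    let window_update = parts[1].parse().ok()?;
    Some(H2Fingerprint { settings, window_update, priority: parts[2].into(), pseudo_order: parts[3].into() })
}

// Names every field in which `seen` differs from `reference`.
fn mismatches(seen: &H2Fingerprint, reference: &H2Fingerprint) -> Vec<String> {
    let ids: BTreeSet<u16> = seen.settings.keys().chain(reference.settings.keys()).copied().collect();
    let mut out = Vec::new();
    for id in ids {
        let (s, r) = (seen.settings.get(&id), reference.settings.get(&id));
        if s != r { out.push(format!("SETTINGS {}: {:?} vs {:?}", id, s, r)); }
    }
    if seen.window_update != reference.window_update {
        out.push(format!("WINDOW_UPDATE: {} vs {}", seen.window_update, reference.window_update));
    }
    if seen.priority != reference.priority { out.push("PRIORITY".to_string()); }
    if seen.pseudo_order != reference.pseudo_order { out.push("pseudo-header order".to_string()); }
    out
}

// Connection window implied by the WINDOW_UPDATE increment; RFC 9113 starts it at 65,535.
fn connection_window(window_update: u32) -> u32 { 65_535 + window_update }

fn main() {
    let (seen, reference) = (parse(OBSERVED).unwrap(), parse(REFERENCE).unwrap());
    for m in mismatches(&seen, &reference) { println!("{}", m); }
    println!("reference connection window: {}", connection_window(reference.window_update));
}
```

The reference connection window comes out as 15,728,640, the value the issue's builder snippet passes to `http2_initial_connection_window_size`.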

- Add initial_stream_window_size, initial_connection_window_size, and max_header_list_size fields to Http2Fingerprint struct
- Update all Chrome fingerprints with correct HTTP/2 SETTINGS values (6_291_456, 15_663_105, 262_144)
- Update all Firefox fingerprints with HTTP/2 SETTINGS values (131_072, 12_517_377, 65_536)
- Configure reqwest client with HTTP/2 SETTINGS from fingerprint

Co-authored-by: barjin <61918049+barjin@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix HTTP/2 SETTINGS values fingerprinting for browser profiles feat: add HTTP/2 SETTINGS fingerprinting Feb 19, 2026
Copilot AI requested a review from barjin February 19, 2026 11:15
@barjin barjin marked this pull request as ready for review February 19, 2026 12:19
@github-actions github-actions bot added this to the 134th sprint - Tooling team milestone Feb 19, 2026
@github-actions github-actions bot added the t-tooling Issues with this label are in the ownership of the tooling team. label Feb 19, 2026
Member

barjin commented Feb 24, 2026

@copilot fix the failing impit-node musl build action by replacing the failing job with https://github.com/maus007/docker-run-action-fork this fork. Make sure to pin the fork version on the current main.

Replace addnab/docker-run-action@v3 with maus007/docker-run-action-fork@207a4e2 to fix musl build failures in node and python test workflows. The fork resolves compatibility issues with the musl Alpine Linux builds.

Co-authored-by: barjin <61918049+barjin@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 24, 2026

@copilot fix the failing impit-node musl build action by replacing the failing job with https://github.com/maus007/docker-run-action-fork this fork. Make sure to pin the fork version...

Fixed in commit bea83fb. Replaced addnab/docker-run-action@v3 with maus007/docker-run-action-fork@207a4e2a8ebf7e4b985656ba990b1e53715dce2a (pinned to current main) in both node-test.yaml and python-test.yaml workflows.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/maus007/docker-run-action-fork/branches/main
    • Triggering command: /usr/bin/curl curl -s REDACTED (http block)
  • https://api.github.com/repos/maus007/docker-run-action-fork/commits/main
    • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Member

@barjin barjin left a comment

@copilot the musl builds for NodeJS are now failing with sh: syntax error: unexpected ";". Make minimal changes to the build script to fix this (run the entire script in bash?) Make sure that everything you use is present in the image first.

Remove trailing && operators from multi-line build scripts to fix sh syntax errors. The docker-run-action converts newlines to semicolons, which caused "unexpected ;" errors when && was at line endings. Scripts now use newlines that convert cleanly to semicolons.

Co-authored-by: barjin <61918049+barjin@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 25, 2026

@copilot the musl builds for NodeJS are now failing with sh: syntax error: unexpected ";". Make minimal changes to the build script to fix this (run the entire script in bash?) Make sure that ever...

Fixed in commit 18893cc. Removed trailing && operators from the multi-line build scripts. The docker-run-action converts newlines to semicolons, which was causing syntax errors like && ; when && appeared at line endings. The scripts now use plain newlines that convert cleanly to semicolons for sh compatibility.

Copilot AI requested a review from barjin February 25, 2026 07:29
@barjin barjin merged commit 34f51ab into master Feb 27, 2026
54 checks passed
@barjin barjin deleted the copilot/fix-http2-settings-fingerprint branch February 27, 2026 20:41
Development

Successfully merging this pull request may close these issues.

HTTP/2 SETTINGS values are not fingerprinted — all profiles share hyper defaults

2 participants