httpcloak

package module
v1.0.10 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 7, 2026 License: MIT Imports: 7 Imported by: 1

README

httpcloak

A Go HTTP client library with browser-identical TLS/HTTP fingerprinting. Makes HTTP requests indistinguishable from real browsers, bypassing bot detection systems that fingerprint TLS handshakes, HTTP/2 settings, and header patterns.

Bindings available for: Go (native) | Python | Node.js

Why This Library?

Modern bot detection doesn't just check headers or cookies - it analyzes the cryptographic fingerprint of your connection:

  1. TLS Fingerprint (JA3/JA4): Cipher suites, extensions, and elliptic curves in the TLS handshake
  2. HTTP/2 Fingerprint: SETTINGS frame values, WINDOW_UPDATE, PRIORITY frames
  3. HTTP/3 Fingerprint: QUIC transport parameters and settings
  4. Header Order: The exact order and format of HTTP headers

Go's standard net/http has a recognizable fingerprint that bot detection systems (Cloudflare, Akamai, PerimeterX) identify instantly.

Fingerprint Comparison
┌─────────────────────────────────────────────────────────────────────────────────┐
│                    FINGERPRINT COMPARISON (from tls.peet.ws)                    │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                 │
│  METRIC                    │ GO STDLIB         │ HTTPCLOAK         │ CHROME 143 │
│  ──────────────────────────┼───────────────────┼───────────────────┼─────────── │
│  Cipher Suites             │ 13                │ 16                │ 16         │
│  TLS Extensions            │ 12                │ 18                │ 18         │
│  GREASE Values             │ None              │ Yes (random)      │ Yes        │
│  Post-Quantum (X25519MLKEM)│ No                │ Yes               │ Yes        │
│  ECH Support               │ No                │ Yes               │ Yes        │
│                                                                                 │
│  HTTP/2 SETTINGS                                                                │
│  ──────────────────────────┼───────────────────┼───────────────────┼────────────│
│  HEADER_TABLE_SIZE         │ 4,096             │ 65,536            │ 65,536     │
│  ENABLE_PUSH               │ 1                 │ 0                 │ 0          │
│  INITIAL_WINDOW_SIZE       │ 65,535 (64KB)     │ 6,291,456 (6MB)   │ 6,291,456  │
│  MAX_HEADER_LIST_SIZE      │ 10,485,760        │ 262,144           │ 262,144    │
│                                                                                 │
│  FINGERPRINT HASHES                                                             │
│  ──────────────────────────┼───────────────────┼───────────────────┼────────────│
│  JA4                       │ t13d1312h2_...    │ t13d1516h2_8daaf6...    MATCH  │
│  Akamai HTTP/2             │ cbcbfae223...     │ 52d84b11737d...         MATCH  │
│  peetprint                 │ (different)       │ 1d4ffe9b0e34...         MATCH  │
│                                                                                 │
│  RESULT                    │ BLOCKED           │ PASSED            │ PASSED     │
└─────────────────────────────────────────────────────────────────────────────────┘
Cloudflare CDN Trace

The /cdn-cgi/trace endpoint reveals connection details. Here's what httpcloak achieves:

fl=283f39
h=www.cloudflare.com
ip=2401:4900:8899:xxxx:xxxx:xxxx:xxxx:xxxx
ts=1767716387.683
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
colo=CCU
sliver=none
http=http/3          <-- HTTP/3 (QUIC) connection
loc=IN
tls=TLSv1.3          <-- TLS 1.3
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519MLKEM768   <-- Post-quantum key exchange (Chrome 143)

Key fields:

  • http=http/3 - Using HTTP/3 over QUIC (fastest, most modern protocol)
  • tls=TLSv1.3 - TLS 1.3 encryption
  • kex=X25519MLKEM768 - Post-quantum hybrid key exchange (only Chrome 131+ supports this)
  • uag - User-Agent matching Chrome 143

The kex=X25519MLKEM768 is critical - it's Chrome's post-quantum cryptography that Go's stdlib doesn't support. Bot detection systems check for this.

HTTP/3 Support

HTTP/3 uses QUIC (UDP-based) instead of TCP, providing:

  • Faster connections: 0-RTT resumption, no TCP handshake
  • Better performance: No head-of-line blocking
  • Unique fingerprint: QUIC transport parameters are also fingerprinted

httpcloak supports HTTP/3 with proper Chrome fingerprinting, automatically falling back to HTTP/2 or HTTP/1.1 when needed.


Installation

Go
go get github.com/sardanioss/httpcloak
Python
pip install httpcloak
Node.js
npm install httpcloak

Usage

Go
package main

import (
    "context"
    "fmt"
    "log"

    "github.com/sardanioss/httpcloak/client"
)

func main() {
    // Create client with Chrome 143 fingerprint
    c := client.NewClient("chrome-143")
    defer c.Close()

    // Simple GET request
    resp, err := c.Get(context.Background(), "https://www.cloudflare.com/cdn-cgi/trace", nil)
    if err != nil {
        log.Fatal(err)
    }

    fmt.Printf("Status: %d\n", resp.StatusCode)
    fmt.Printf("Protocol: %s\n", resp.Protocol) // "h2" or "h3"
    fmt.Println(resp.Text())
}
POST with JSON
c := client.NewClient("chrome-143")
defer c.Close()

body := []byte(`{"username": "test", "password": "secret"}`)
resp, err := c.Do(context.Background(), &client.Request{
    Method:  "POST",
    URL:     "https://api.example.com/login",
    Body:    body,
    Headers: map[string]string{
        "Content-Type": "application/json",
    },
})
Session with Cookies
// Sessions persist cookies between requests
session := client.NewSession("chrome-143")
defer session.Close()

// Login - cookies are saved automatically
session.Post(ctx, "https://example.com/login",
    []byte(`{"user":"test"}`),
    map[string]string{"Content-Type": "application/json"})

// Subsequent requests include cookies
resp, _ := session.Get(ctx, "https://example.com/dashboard", nil)
With Proxy
c := client.NewClient("chrome-143",
    client.WithProxy("http://user:pass@proxy.example.com:8080"),
    client.WithTimeout(30*time.Second),
)
defer c.Close()
With Retry
c := client.NewClient("chrome-143",
    client.WithRetry(3), // Retry up to 3 times on 429, 500, 502, 503, 504
)
Force Protocol
// Force HTTP/2 (skip HTTP/3 attempt)
c := client.NewClient("chrome-143", client.WithForceHTTP2())

// Force HTTP/1.1
c := client.NewClient("chrome-143", client.WithForceHTTP1())
Redirect Control
// Disable redirects
c := client.NewClient("chrome-143", client.WithoutRedirects())

// Custom redirect limit
c := client.NewClient("chrome-143", client.WithRedirects(true, 5))

Python

httpcloak for Python provides a requests-compatible API - drop-in replacement with browser fingerprinting.

import httpcloak

# Simple GET request
r = httpcloak.get("https://www.cloudflare.com/cdn-cgi/trace")
print(r.status_code)
print(r.text)
print(r.protocol)  # "h2" or "h3"
POST with JSON
r = httpcloak.post("https://api.example.com/login", json={
    "username": "test",
    "password": "secret"
})
print(r.json())
Session with Cookies
# Sessions persist cookies and connections
with httpcloak.Session(preset="chrome-143") as session:
    # Login
    session.post("https://example.com/login", json={"user": "test"})

    # Subsequent requests include cookies
    r = session.get("https://example.com/dashboard")
    print(r.json())
File Upload (Multipart)
# Upload a file
with open("image.png", "rb") as f:
    r = httpcloak.post("https://api.example.com/upload", files={
        "file": f
    })

# Upload with custom filename and content type
r = httpcloak.post("https://api.example.com/upload", files={
    "file": ("photo.jpg", image_bytes, "image/jpeg")
})

# Upload with form data
r = httpcloak.post("https://api.example.com/upload",
    data={"description": "My photo"},
    files={"file": open("photo.jpg", "rb")}
)
Configure Defaults
# Configure global defaults
httpcloak.configure(
    preset="chrome-143",
    proxy="http://user:pass@proxy:8080",
    timeout=30,
    verify=True,           # SSL verification
    allow_redirects=True,
    retry=3,               # Retry failed requests
)

# All subsequent requests use these defaults
r = httpcloak.get("https://example.com")
Session Options
session = httpcloak.Session(
    preset="chrome-143",
    proxy="http://proxy:8080",
    timeout=30,
    http_version="auto",      # "auto", "h1", "h2", "h3"
    verify=True,              # SSL certificate verification
    allow_redirects=True,
    max_redirects=10,
    retry=3,
    retry_on_status=[429, 500, 502, 503, 504],
)
Basic Authentication
# Per-request auth
r = httpcloak.get("https://api.example.com/data", auth=("user", "pass"))

# Global auth
httpcloak.configure(auth=("user", "pass"))

Node.js
const httpcloak = require("httpcloak");

// Simple GET request
const r = await httpcloak.get("https://www.cloudflare.com/cdn-cgi/trace");
console.log(r.statusCode);
console.log(r.text);
console.log(r.protocol); // "h2" or "h3"
POST with JSON
const r = await httpcloak.post("https://api.example.com/login", {
  json: { username: "test", password: "secret" }
});
console.log(r.json());
Session with Cookies
const session = new httpcloak.Session({ preset: "chrome-143" });

// Login
await session.post("https://example.com/login", {
  json: { user: "test" }
});

// Subsequent requests include cookies
const r = await session.get("https://example.com/dashboard");
console.log(r.json());

session.close();
Synchronous Requests
const session = new httpcloak.Session({ preset: "chrome-143" });

// Sync methods available
const r = session.getSync("https://example.com");
console.log(r.statusCode);

session.close();
File Upload (Multipart)
const session = new httpcloak.Session({ preset: "chrome-143" });

// Upload a buffer
const r = session.postSync("https://api.example.com/upload", {
  files: {
    file: Buffer.from(fileData)
  }
});

// Upload with filename and content type
const r = session.postSync("https://api.example.com/upload", {
  files: {
    file: {
      filename: "photo.jpg",
      content: imageBuffer,
      contentType: "image/jpeg"
    }
  }
});

// Upload with form data
const r = session.postSync("https://api.example.com/upload", {
  data: { description: "My photo" },
  files: { file: imageBuffer }
});
Configure Defaults
httpcloak.configure({
  preset: "chrome-143",
  proxy: "http://user:pass@proxy:8080",
  timeout: 30,
  verify: true,
  allowRedirects: true,
  retry: 3,
});

const r = await httpcloak.get("https://example.com");
Session Options
const session = new httpcloak.Session({
  preset: "chrome-143",
  proxy: "http://proxy:8080",
  timeout: 30,
  httpVersion: "auto",     // "auto", "h1", "h2", "h3"
  verify: true,
  allowRedirects: true,
  maxRedirects: 10,
  retry: 3,
  retryOnStatus: [429, 500, 502, 503, 504],
});

Available Presets

Preset Browser Post-Quantum HTTP/2 HTTP/3
chrome-143 Chrome 143 X25519MLKEM768 Yes Yes
chrome-143-windows Chrome 143 (Windows) X25519MLKEM768 Yes Yes
chrome-143-linux Chrome 143 (Linux) X25519MLKEM768 Yes Yes
chrome-143-macos Chrome 143 (macOS) X25519MLKEM768 Yes Yes
chrome-131 Chrome 131 X25519MLKEM768 Yes Yes
firefox-133 Firefox 133 X25519 Yes No
safari-18 Safari 18 X25519 Yes No

Recommended: Use chrome-143 - it's the latest with full HTTP/3 and post-quantum support.


Features

Browser Fingerprinting
  • TLS Fingerprinting: JA3/JA4 hashes match real Chrome
  • HTTP/2 Fingerprinting: SETTINGS, WINDOW_UPDATE, PRIORITY frames
  • HTTP/3 Fingerprinting: QUIC transport parameters
  • Header Order: Browser-accurate header ordering
  • Client Hints: Sec-Ch-Ua-* headers matching the preset
Protocol Support
  • HTTP/3: QUIC with Chrome fingerprinting
  • HTTP/2: Multiplexed connections with proper framing
  • HTTP/1.1: Keep-alive connection pooling
  • Auto Fallback: H3 -> H2 -> H1 with protocol learning
HTTP Features
  • Connection Pooling: Efficient connection reuse
  • Session Management: Cookie persistence
  • Automatic Decompression: gzip, brotli, zstd
  • Redirect Following: Configurable with history
  • Retry with Backoff: Exponential backoff with jitter
  • Proxy Support: HTTP, HTTPS, SOCKS5

Proxy Support

All languages support HTTP and SOCKS5 proxies:

http://host:port
http://user:pass@host:port
socks5://host:port
socks5://user:pass@host:port

Response Object

Go
resp.StatusCode    // int
resp.Headers       // map[string]string
resp.Body          // []byte
resp.Text()        // string
resp.FinalURL      // string (after redirects)
resp.Protocol      // "h1", "h2", or "h3"
Python
r.status_code      # int
r.headers          # dict
r.content          # bytes
r.text             # str
r.json()           # parsed JSON
r.url              # final URL after redirects
r.protocol         # "h1", "h2", or "h3"
r.ok               # True if status < 400
r.raise_for_status()  # raises on 4xx/5xx
Node.js
r.statusCode       // number
r.headers          // object
r.content          // Buffer
r.text             // string
r.json()           // parsed JSON
r.url              // final URL after redirects
r.protocol         // "h1", "h2", or "h3"
r.ok               // true if status < 400
r.raiseForStatus() // throws on 4xx/5xx

Examples

See the examples/ directory:

# Go examples
go run examples/go-examples/basic/main.go
go run examples/go-examples/session/main.go
go run examples/go-examples/cloudflare/main.go

# Python examples
python examples/python-examples/01_simple_requests.py
python examples/python-examples/02_sessions.py

# Node.js examples
node examples/js-examples/01_simple_requests.js
node examples/js-examples/02_sessions.js

License

MIT


Dependencies

Uses custom forks for browser-accurate fingerprinting:

Library Fork Purpose
uTLS sardanioss/utls Chrome 143 TLS presets
quic-go sardanioss/quic-go HTTP/3 with Chrome fingerprinting
net sardanioss/net HTTP/2 frame fingerprinting

Credits

Documentation

Overview

Package httpcloak provides an HTTP client with perfect browser TLS/HTTP fingerprinting.

httpcloak allows you to make HTTP requests that are indistinguishable from real browsers, bypassing TLS fingerprinting, HTTP/2 fingerprinting, and header-based bot detection.

Basic usage:

client := httpcloak.New("chrome-131")
defer client.Close()

resp, err := client.Get(ctx, "https://example.com")
if err != nil {
    log.Fatal(err)
}
fmt.Println(string(resp.Body))

With options:

client := httpcloak.New("chrome-131",
    httpcloak.WithTimeout(30*time.Second),
    httpcloak.WithProxy("http://user:pass@proxy:8080"),
)

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Presets

func Presets() []string

Presets returns available fingerprint presets

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is an HTTP client with browser fingerprint spoofing

func New

func New(preset string, opts ...Option) *Client

New creates a new HTTP client with the specified browser fingerprint.

Available presets:

  • "chrome-131" (recommended)
  • "chrome-131-windows"
  • "chrome-131-macos"
  • "chrome-133"
  • "chrome-133-windows"

Example:

client := httpcloak.New("chrome-131")
defer client.Close()

func (*Client) Close

func (c *Client) Close()

Close releases all resources held by the client

func (*Client) Do

func (c *Client) Do(ctx context.Context, req *Request) (*Response, error)

Do executes an HTTP request

func (*Client) Get

func (c *Client) Get(ctx context.Context, url string) (*Response, error)

Get performs a GET request

func (*Client) GetWithHeaders

func (c *Client) GetWithHeaders(ctx context.Context, url string, headers map[string]string) (*Response, error)

GetWithHeaders performs a GET request with custom headers

func (*Client) Post

func (c *Client) Post(ctx context.Context, url string, body []byte, contentType string) (*Response, error)

Post performs a POST request

func (*Client) PostForm

func (c *Client) PostForm(ctx context.Context, url string, body []byte) (*Response, error)

PostForm performs a POST request with form data

func (*Client) PostJSON

func (c *Client) PostJSON(ctx context.Context, url string, body []byte) (*Response, error)

PostJSON performs a POST request with JSON body

type Option

type Option func(*clientConfig)

Option configures the Client

func WithProxy

func WithProxy(proxyURL string) Option

WithProxy sets an HTTP/HTTPS/SOCKS5 proxy

func WithTimeout

func WithTimeout(d time.Duration) Option

WithTimeout sets the request timeout

type Request

type Request struct {
	Method  string
	URL     string
	Headers map[string]string
	Body    []byte
	Timeout time.Duration
}

Request represents an HTTP request

type Response

type Response struct {
	StatusCode int
	Headers    map[string]string
	Body       []byte
	FinalURL   string
	Protocol   string
}

Response represents an HTTP response

type Session

type Session struct {
	// contains filtered or unexported fields
}

Session represents a persistent HTTP session with cookie management

func NewSession

func NewSession(preset string, opts ...SessionOption) *Session

NewSession creates a new persistent session with cookie management

func (*Session) Close

func (s *Session) Close()

Close closes the session and releases resources

func (*Session) Do

func (s *Session) Do(ctx context.Context, req *Request) (*Response, error)

Do executes a request within the session, maintaining cookies

func (*Session) Get

func (s *Session) Get(ctx context.Context, url string) (*Response, error)

Get performs a GET request within the session

func (*Session) GetCookies

func (s *Session) GetCookies() map[string]string

GetCookies returns all cookies stored in the session

func (*Session) SetCookie

func (s *Session) SetCookie(name, value string)

SetCookie sets a cookie in the session

type SessionOption

type SessionOption func(*sessionConfig)

SessionOption configures a session

func WithForceHTTP1 added in v1.0.1

func WithForceHTTP1() SessionOption

WithForceHTTP1 forces HTTP/1.1 protocol

func WithForceHTTP2 added in v1.0.1

func WithForceHTTP2() SessionOption

WithForceHTTP2 forces HTTP/2 protocol

func WithInsecureSkipVerify added in v1.0.1

func WithInsecureSkipVerify() SessionOption

WithInsecureSkipVerify disables SSL certificate verification

func WithRedirects added in v1.0.1

func WithRedirects(follow bool, maxRedirects int) SessionOption

WithRedirects configures redirect behavior

func WithRetry added in v1.0.1

func WithRetry(count int) SessionOption

WithRetry enables retry with default settings

func WithRetryConfig added in v1.0.1

func WithRetryConfig(count int, waitMin, waitMax time.Duration, retryOnStatus []int) SessionOption

WithRetryConfig configures retry behavior

func WithSessionProxy

func WithSessionProxy(proxyURL string) SessionOption

WithSessionProxy sets a proxy for the session

func WithSessionTimeout

func WithSessionTimeout(d time.Duration) SessionOption

WithSessionTimeout sets the timeout for session requests

func WithoutRedirects added in v1.0.1

func WithoutRedirects() SessionOption

WithoutRedirects disables automatic redirect following

func WithoutRetry added in v1.0.5

func WithoutRetry() SessionOption

WithoutRetry explicitly disables retry

Directories

Path Synopsis
Package client provides an HTTP client with browser TLS/HTTP fingerprint spoofing.
Package client provides an HTTP client with browser TLS/HTTP fingerprint spoofing.
examples
go-examples/basic command
Example: Basic HTTP requests with httpcloak
Example: Basic HTTP requests with httpcloak
go-examples/cloudflare command
Example: Multiple requests to Cloudflare trace endpoint
Example: Multiple requests to Cloudflare trace endpoint
go-examples/session command
Example: Session management with cookies
Example: Session management with cookies
Package protocol defines the IPC message types for communication between the httpcloak daemon and language SDKs (Python, Node.js, etc.)
Package protocol defines the IPC message types for communication between the httpcloak daemon and language SDKs (Python, Node.js, etc.)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL