Your Python Scraper Has a Tell. Curl-Cffi Is How You Hide It
Python scrapers can be identified by their unique TLS fingerprint, which is sent before any HTTPS data is transmitted. This fingerprint can be used by websites to block scrapers, even if they are using rotating User-Agents and residential proxies. The curl-cffi library can be used to mimic the TLS and HTTP/2 fingerprints of real browsers, making it harder for websites to detect scrapers.
- ▪The TLS ClientHello message is sent by the TLS client before any HTTPS data is transmitted and can be used to identify the client.
- ▪The JA3 fingerprint is a hash of the TLS ClientHello message and can be used to identify the client.
- ▪The curl-cffi library can be used to rewrite the TLS ClientHello message to match that of a real browser.
Opening excerpt (first ~120 words) tap to expand
Your Python Scraper Has a Tell. curl-cffi Is How You Hide It.The invisible fingerprint every requests call leaves behind — and here’s how you can fix it.Farbod Khorramvatan8 min read·May 25, 2026--ListenShareYou spent three hours crafting the perfect request. Rotating User-Agents. Real browser headers copied straight from DevTools. Residential proxies on top.And the site still hands you a 403. Or worse — a 200 with a Cloudflare challenge page that your code happily parses as "success."So you do what most scrapers eventually do. You reach for Selenium. You spin up a headless browser. You watch your memory climb past a gigabyte to fetch a JSON endpoint that should have taken 200 milliseconds.Here’s the uncomfortable truth I had to swallow: the site wasn’t blocking my headers.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Medium.