Saltar al contenido principal
en/blog/obscura/research/http-header-spoofing/

obscura/research/http-header-spoofing

2 min read

Overview

HTTP headers transmitted with every request reveal significant information about the client. These are the most straightforward signals to spoof at the proxy level.

Headers Used for Fingerprinting

User-Agent

Most well-known signal. Contains OS, browser, version, architecture.

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Client Hints (Sec-CH-UA)

Modern replacement for User-Agent granularity:

Header Example
Sec-CH-UA "Google Chrome";v="120", "Chromium";v="120", "Not?A_Brand";v="99"
Sec-CH-UA-Platform "Windows"
Sec-CH-UA-Platform-Version "15.0.0"
Sec-CH-UA-Model "Pixel 7" (mobile)
Sec-CH-UA-Mobile ?0
Sec-CH-UA-Arch "x86"
Sec-CH-UA-Bitness "64"
Sec-CH-UA-Full-Version-List "Google Chrome";v="120.0.6099.109"

Other Headers

Header Leaked Info
Accept Browser capabilities
Accept-Language User language preferences
Accept-Encoding Compression support
DNT Do Not Track preference
Upgrade-Insecure-Requests Browser capability
Referer Previous page (behavioral)

Spoofing Strategy at Proxy

Headers can be fully replaced at the proxy since they are plaintext in HTTP and accessible in HTTPS MITM:

proxy_set_header User-Agent "Mozilla/5.0 ..."
proxy_set_header Sec-CH-UA "..."
proxy_set_header Sec-CH-UA-Platform "Windows"
proxy_set_header Accept-Language "en-US,en;q=0.9"

Consistency Requirements

All headers must be consistent with the chosen profile:

  • If profile says "Chrome 120 on Windows 11", then:
    • User-Agent must reflect Chrome 120 / Windows 11
    • Sec-CH-UA must list Chrome 120 / Chromium 120
    • Sec-CH-UA-Platform must be "Windows"
    • Accept must match Chrome's typical Accept header
    • TLS fingerprint (JA3) must match Chrome 120 on Windows

Inconsistency is itself a fingerprint (e.g., Chrome User-Agent with a Firefox TLS handshake).

Conclusions

  • HTTP header spoofing is the easiest and most reliable mitigation
  • Headers are fully controllable at the proxy
  • Critical requirement: internal consistency across all headers
  • Profile system must ensure all header values match a real browser/OS combination
  • Without this, the whole system breaks