Overview
HTTP headers transmitted with every request reveal significant information about the client. These are the most straightforward signals to spoof at the proxy level.
Headers Used for Fingerprinting
User-Agent
Most well-known signal. Contains OS, browser, version, architecture.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Client Hints (Sec-CH-UA)
Modern replacement for User-Agent granularity:
| Header | Example |
|---|---|
Sec-CH-UA |
"Google Chrome";v="120", "Chromium";v="120", "Not?A_Brand";v="99" |
Sec-CH-UA-Platform |
"Windows" |
Sec-CH-UA-Platform-Version |
"15.0.0" |
Sec-CH-UA-Model |
"Pixel 7" (mobile) |
Sec-CH-UA-Mobile |
?0 |
Sec-CH-UA-Arch |
"x86" |
Sec-CH-UA-Bitness |
"64" |
Sec-CH-UA-Full-Version-List |
"Google Chrome";v="120.0.6099.109" |
Other Headers
| Header | Leaked Info |
|---|---|
Accept |
Browser capabilities |
Accept-Language |
User language preferences |
Accept-Encoding |
Compression support |
DNT |
Do Not Track preference |
Upgrade-Insecure-Requests |
Browser capability |
Referer |
Previous page (behavioral) |
Spoofing Strategy at Proxy
Headers can be fully replaced at the proxy since they are plaintext in HTTP and accessible in HTTPS MITM:
proxy_set_header User-Agent "Mozilla/5.0 ..."
proxy_set_header Sec-CH-UA "..."
proxy_set_header Sec-CH-UA-Platform "Windows"
proxy_set_header Accept-Language "en-US,en;q=0.9"
Consistency Requirements
All headers must be consistent with the chosen profile:
- If profile says "Chrome 120 on Windows 11", then:
User-Agentmust reflect Chrome 120 / Windows 11Sec-CH-UAmust list Chrome 120 / Chromium 120Sec-CH-UA-Platformmust be"Windows"Acceptmust match Chrome's typical Accept header- TLS fingerprint (JA3) must match Chrome 120 on Windows
Inconsistency is itself a fingerprint (e.g., Chrome User-Agent with a Firefox TLS handshake).
Conclusions
- HTTP header spoofing is the easiest and most reliable mitigation
- Headers are fully controllable at the proxy
- Critical requirement: internal consistency across all headers
- Profile system must ensure all header values match a real browser/OS combination
- Without this, the whole system breaks