← Back to Scraping Central
Practice target. A fake marketplace built for scraping practice, no real businesses, people, or prices. View the matching lesson at Scraping Central / Learn.

Catalog108 / challenges / antibot/tls-fingerprint

TLS / JA3 fingerprint (conceptual)

intermediate Matching curriculum →

What this challenge teaches

Teaches: Real anti-bots fingerprint the TLS ClientHello (JA3 hash). Python requests has a stable JA3 hash; Chrome has different.

Expected output: Use curl-cffi or tls-client; they replicate Chrome's TLS handshake. PHP cannot demonstrate this server-side, so this is conceptual.

Submit your scraper's JSON output to /challenges/antibot/tls-fingerprint/grade (grader endpoint is part of a later phase; URL is reserved now).

TLS fingerprinting can't be demonstrated server-side from PHP, the inspection happens at the load-balancer / CDN layer. This challenge is conceptual.

What it looks like in practice

Python requests with default ciphers has a stable JA3 hash. Chrome's JA3 is different. Servers running tools like salesforce/ja3 compare the incoming hash against an allow-list.

How to defeat it

# Python: curl-cffi mirrors Chrome's TLS handshake
from curl_cffi import requests
r = requests.get(url, impersonate="chrome120")