UA claims a modern browser but Accept-Encoding omits Brotli (scripted client)

net.accept_encoding_vs_ua  ·  convicts

network, browserlayer
coherencecategory
9evaders caught

What it catches

HTTP compression fingerprint; browsers advertise br/zstd over HTTPS, httpx/requests do not. Gated on isModernBrowserUA (a legit non-browser client with no browser UA never fires — only a UA-FAKING scripted client does). Known edge case (emitter audit 2026-06-20): a real browser behind an enterprise TLS-inspection proxy that re-originates the request and normalises Accept-Encoding to gzip,deflate strips Brotli → fires — the SAME enterprise-proxy re-origination confound as net.tcp_os_vs_ua (and the TLS/h2 re-origination FPs); such a proxy re-writes ALL the network layers, so the corporate user trips several net.* tells at once, indistinguishable from a TLS-forging bot. Niche; convicting is the conservative choice. See the docs/evasion-catalog.md frontier 'TLS-inspection-proxy / enterprise re-origination false-positive'.

Signals it reads

network.accept_encoding_no_brotli

How it fires

present

Evaders it caught 9

Bypassed by 10

Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.

← all detections