UA claims a modern browser but Accept-Encoding omits Brotli (scripted client)
net.accept_encoding_vs_ua · convicts
What it catches
HTTP compression fingerprint; browsers advertise br/zstd over HTTPS, httpx/requests do not. Gated on isModernBrowserUA (a legit non-browser client with no browser UA never fires — only a UA-FAKING scripted client does). Known edge case (emitter audit 2026-06-20): a real browser behind an enterprise TLS-inspection proxy that re-originates the request and normalises Accept-Encoding to gzip,deflate strips Brotli → fires — the SAME enterprise-proxy re-origination confound as net.tcp_os_vs_ua (and the TLS/h2 re-origination FPs); such a proxy re-writes ALL the network layers, so the corporate user trips several net.* tells at once, indistinguishable from a TLS-forging bot. Niche; convicting is the conservative choice. See the docs/evasion-catalog.md frontier 'TLS-inspection-proxy / enterprise re-origination false-positive'.
Signals it reads
network.accept_encoding_no_brotli
How it fires
present
Evaders it caught 9
Bypassed by 10
Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.