An HTTP/2 fingerprint is derived from the parameters a client sends in the HTTP/2 connection preface — the SETTINGS frame (initial values for HEADER_TABLE_SIZE, ENABLE_PUSH, INITIAL_WINDOW_SIZE, MAX_FRAME_SIZE, and MAX_CONCURRENT_STREAMS), the WINDOW_UPDATE frame size, and the ordering and priority weighting of pseudo-headers like `:method`, `:path`, `:scheme`, and `:authority`.
Different browsers and HTTP libraries send these parameters with different values and in different orders — patterns that are as identifying as TLS cipher suite selection. Chrome, Firefox, Safari, and curl each produce a distinct HTTP/2 fingerprint. Libraries that fall back to HTTP/1.1 or use HTTP/2 with non-browser SETTINGS values are identifiable at the connection level before any application logic processes the request.
HTTP/2 fingerprinting is layered on top of TLS fingerprinting by advanced bot detection systems. A client must match both the TLS handshake profile and the HTTP/2 connection profile of a real browser to pass the network-layer check. AlterLab's request stack matches Chrome's HTTP/2 SETTINGS and header ordering across all tiers.