[FEATURE] Enhance TLS/HTTP fingerprinting for Chrome 127-143 (#36)

* feat: Enhance TLS/HTTP fingerprinting for Chrome 127-143

- Added support for multiple Chrome profiles (127-143) with exact JA4 fingerprint matches.
- Implemented Brotli and zlib decompression for the compress_certificate extension.
- Updated SSL_CTX configuration to prevent redundant setups for browser profiles.
- Improved session creation logic to initialize cookie jars and connection pools.
- Enhanced tests to validate Chrome 143 fingerprint accuracy, including user-agent checks and TLS version support.
- Updated browser profile aliases to default to Chrome 143.

* updated pyproject.toml

* fix: Add brotli CI dependencies and bump version to 0.2.8

- Add brotli dependencies to Linux CI (brotli-devel/libbrotli-dev)
- Add brotli to macOS CI (brew install brotli)
- Add brotli:x64-windows to Windows CI (vcpkg)
- Update setup.py with Windows brotli path detection and linking
- Fix flaky test_simple_get to use local httpbin_server fixture

* fix: Build brotli from source on macOS for correct deployment target

Homebrew brotli has MACOSX_DEPLOYMENT_TARGET=15.0 which causes
delocate-wheel to fail when building wheels targeting macOS 11.0.

- Add brotli build to scripts/darwin/setup_vendors.sh
- Build with CMAKE_OSX_DEPLOYMENT_TARGET=11.0 for wheel compatibility
- Update setup.py to prefer vendor brotli over Homebrew on macOS
- Remove brotli from brew install in CI (built from source instead)

* fix: Use correct brotli library names (without -static suffix)

CMake builds brotli as libbrotlidec.a and libbrotlicommon.a,
not libbrotlidec-static.a and libbrotlicommon-static.a.

* feat: Enable HTTP/2 by default for Session class

Chrome browsers use HTTP/2 by default, so httpmorph should too.
This ensures correct JA4 fingerprint (h2 instead of h1) and
Akamai HTTP/2 fingerprint matching out of the box.

* feat: Perfect Chrome 143 fingerprint matching with documentation sync

- Add Chrome-like HTTP/2 priority (weight=256, exclusive=1) in http2_logic.c
- Remove zlib from certificate compression, use Brotli only (per Chrome behavior)
- Add Chrome default headers to Session (sec-ch-ua, sec-fetch-*, priority)
- Update all documentation to reflect Chrome 143 as default profile
- Sync README and ReadTheDocs with actual code behavior:
  - Client and Session both default to http2=True
  - Certificate compression is Brotli only
  - Updated fingerprint characteristics (JA4, JA3N, Peetprint, Akamai)
- Fix test names to match http2=True default behavior

* fix: Restore zlib certificate decompression for server compatibility

Chrome 143 advertises brotli in the compress_certificate extension,
but some servers still send zlib-compressed certificates. Keep both
decompression handlers registered for compatibility.

Fixes TLS handshake failures with CERT_DECOMPRESSION_FAILED error
on servers using zlib certificate compression.

* fix: Match Chrome 143 TLS fingerprint exactly

Changes to match Chrome 143's actual TLS fingerprint:

1. Certificate compression (compress_certificate extension 27):
   - Only advertise brotli (2), not zlib (1)
   - Chrome only supports brotli certificate compression
   - Servers compliant with RFC 8879 will only send brotli

2. Application settings (ALPS extension 17613):
   - Only advertise "h2" protocol, not "http/1.1"
   - Chrome only includes h2 in application_settings

3. Extension permutation:
   - Enable SSL_CTX_set_permute_extensions() to randomize extension order
   - Chrome randomizes extension order in each ClientHello
   - JA4 sorts extensions alphabetically so order doesn't affect JA4

Matching fingerprints:
- Cipher hash (JA4 part 2): 8daaf6152771 ✓
- Akamai HTTP/2: 1:65536;2:0;4:6291456;6:262144|15663105|0|m,a,s,p ✓
- compress_certificate: brotli only ✓
- application_settings: h2 only ✓

Note: Chrome fingerprint shows 17 extensions vs httpmorph's 16 because
Chrome capture was from a resumed session with pre_shared_key (41).
Fresh connections don't include pre_shared_key, which is expected behavior.

* fix: Prevent heap corruption in HTTP/2 response body buffer cleanup on Windows

The HTTP/2 code was replacing the response body buffer (originally from
the buffer pool) with a newly malloc'd buffer, but not properly handling
the cleanup:

1. The original buffer from the pool was never returned to the pool
2. _buffer_pool was still pointing to the pool
3. _body_actual_size wasn't updated for the new buffer

When httpmorph_response_destroy() was later called, it tried to return
the malloc'd buffer to the buffer pool using the stale _body_actual_size,
causing heap corruption (especially visible on Windows with error code
0xc0000374).

Fix: Before assigning the new malloc'd buffer to response->body:
- Return the original buffer to the pool (if from pool) or free it
- Clear _buffer_pool since the new buffer is not from the pool
- Set _body_actual_size to track the actual allocation size

Fixes Windows CI heap corruption crash in Session.__del__

Author: arman-bd

.github/workflows/_test.yml

@@ -57,7 +57,7 @@ jobs:
       if: runner.os == 'Linux'
       run: |
         sudo apt-get update
-        sudo apt-get install -y cmake ninja-build libssl-dev pkg-config autoconf automake libtool libnghttp2-dev
+        sudo apt-get install -y cmake ninja-build libssl-dev pkg-config autoconf automake libtool libnghttp2-dev libbrotli-dev
 
     - name: Cache Homebrew packages (macOS)
       if: runner.os == 'macOS'
@@ -131,9 +131,9 @@ jobs:
         path: |
           C:/vcpkg/installed
           C:/vcpkg/packages
-        key: vcpkg-nghttp2-zlib-${{ runner.os }}-v3
+        key: vcpkg-nghttp2-zlib-brotli-${{ runner.os }}-v4
         restore-keys: |
-          vcpkg-nghttp2-zlib-${{ runner.os }}-
+          vcpkg-nghttp2-zlib-brotli-${{ runner.os }}-
 
     - name: Setup vcpkg (Windows)
       if: runner.os == 'Windows' && steps.cache-vcpkg-restore.outputs.cache-hit != 'true'
@@ -158,7 +158,7 @@ jobs:
       run: |
         export VCPKG_ROOT="C:/vcpkg"
         export PATH="$VCPKG_ROOT:$PATH"
-        vcpkg install nghttp2:x64-windows zlib:x64-windows --clean-after-build
+        vcpkg install nghttp2:x64-windows zlib:x64-windows brotli:x64-windows --clean-after-build
       shell: bash
 
     - name: Set vcpkg environment (Windows)
@@ -254,7 +254,7 @@ jobs:
         path: |
           C:/vcpkg/installed
           C:/vcpkg/packages
-        key: vcpkg-nghttp2-zlib-${{ runner.os }}-v3
+        key: vcpkg-nghttp2-zlib-brotli-${{ runner.os }}-v4
 
     - name: Save vendor cache
       if: always() && steps.cache-vendor.outputs.cache-hit != 'true'

README.md

@@ -13,9 +13,10 @@ A Python HTTP client focused on mimicking browser fingerprints.
 - **Requests-compatible API** - Drop-in replacement for most Python `requests` use cases
 - **High Performance** - Native C implementation with BoringSSL for HTTP/HTTPS
 - **HTTP/2 Support** - Full HTTP/2 with ALPN negotiation via nghttp2 (httpx-like API)
-- **Chrome 142 Fingerprint** - Perfect JA3N, JA4, and JA4_R matching
-- **Browser Fingerprinting** - Realistic Chrome 142 browser profile
-- **TLS Fingerprinting** - JA3/JA3N/JA4 fingerprint generation with post-quantum crypto
+- **Chrome 127-143 Fingerprints** - Perfect JA4 fingerprint matching
+- **Browser Fingerprinting** - Realistic Chrome browser profiles (127-143)
+- **TLS Fingerprinting** - JA3N/JA4/JA4_R fingerprint generation with post-quantum crypto
+- **HTTP/2 Fingerprinting** - Perfect Akamai HTTP/2 fingerprint matching
 - **Connection Pooling** - Automatic connection reuse for better performance
 - **Session Management** - Persistent cookies and headers across requests
 
@@ -74,14 +75,14 @@ print(response.http_version)  # '2.0'
 Mimic real browser behavior with pre-configured profiles:
 
 ```python
-# Use Chrome fingerprint (defaults to Chrome 142)
+# Use Chrome fingerprint (defaults to Chrome 143)
 response = httpmorph.get('https://example.com', browser='chrome')
 
-# Use specific Chrome version
-session = httpmorph.Session(browser='chrome142')
+# Use specific Chrome version (127-143 supported)
+session = httpmorph.Session(browser='chrome143')
 response = session.get('https://example.com')
 
-# Available browsers: chrome, chrome142
+# Available browsers: chrome, chrome127-chrome143
 ```
 
 ### OS-Specific User Agents
@@ -111,35 +112,34 @@ session = httpmorph.Session(browser='chrome', os='linux')
 
 The OS parameter only affects the User-Agent string, while all other fingerprinting characteristics (TLS, HTTP/2, JA3/JA4) remain consistent to match the specified browser profile.
 
-### Chrome 142 Fingerprint Matching
+### Chrome Fingerprint Matching
 
-httpmorph accurately mimics **Chrome 142** TLS fingerprints with:
+httpmorph accurately mimics **Chrome 127-143** TLS and HTTP/2 fingerprints with:
 
-- **JA3N** ✅ Perfect match
-- **JA4** ✅ Perfect match
+- **JA4** ✅ Perfect match (`t13d1516h2_8daaf6152771_d8a2da3f94cd`)
 - **JA4_R** ✅ Perfect match
-- **User-Agent**: `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36`
+- **JA3N** ✅ Perfect match (normalized JA3: `dcefaf3f0e71d260d19dc1d0749c9278`)
+- **HTTP/2 Akamai** ✅ Perfect match (`1:65536;2:0;4:6291456;6:262144|15663105|0|m,a,s,p`)
+- **User-Agent**: Version-specific Chrome user agents
 - **TLS 1.3** with correct cipher suites and extensions
-- **HTTP/2** with Chrome-specific SETTINGS frame
+- **HTTP/2** with Chrome-specific SETTINGS frame and pseudo-header order
 - **Post-quantum cryptography** (X25519MLKEM768)
-- **Certificate compression** (Brotli, Zlib)
+- **Certificate compression** (Brotli)
 
 **Verify your fingerprint:**
 
 ```python
 import httpmorph
 
 # Make a request to fingerprint checker
-response = httpmorph.get('https://suip.biz/?act=ja4', browser='chrome142')
-print(response.text)
+response = httpmorph.get('https://tls.peet.ws/api/all', browser='chrome143')
+data = response.json()
+print(f"JA4: {data['tls']['ja4']}")
 
-# You should see perfect matches for:
-# - JA4 fingerprint ✅
-# - JA3N fingerprint ✅
-# - User-Agent: Chrome/142.0.0.0 ✅
+# Expected: t13d1516h2_8daaf6152771_d8a2da3f94cd ✅
 ```
 
-httpmorph achieves **perfect matches** for all modern fingerprints including JA3N, JA4, and JA4_R when tested against real Chrome 142 browsers.
+All Chrome 127-143 profiles produce **exact JA4 matches** with real Chrome browsers.
 
 ## Advanced Usage
 
@@ -148,19 +148,18 @@ httpmorph achieves **perfect matches** for all modern fingerprints including JA3
 httpmorph supports HTTP/2 with an httpx-like API:
 
 ```python
-# Enable HTTP/2 for a client (default is False)
-client = httpmorph.Client(http2=True)
+# Both Client and Session default to HTTP/2 (http2=True) like Chrome
+client = httpmorph.Client()
 response = client.get('https://www.google.com')
 print(response.http_version)  # '2.0'
 
-# Enable HTTP/2 for a session
-session = httpmorph.Session(browser='chrome', http2=True)
+session = httpmorph.Session(browser='chrome')
 response = session.get('https://www.google.com')
 print(response.http_version)  # '2.0'
 
-# Per-request HTTP/2 override
-client = httpmorph.Client(http2=False)  # Default disabled
-response = client.get('https://www.google.com', http2=True)  # Enable for this request
+# Per-request HTTP/2 override (disable for specific request)
+client = httpmorph.Client()  # Defaults to HTTP/2
+response = client.get('https://example.com', http2=False)  # Disable for this request
 ```
 
 ### Custom Headers
@@ -417,7 +416,7 @@ Please open an issue or pull request on GitHub.
 httpmorph has a comprehensive test suite with 350+ tests covering:
 
 - All HTTP methods and parameters
-- Chrome 142 fingerprint validation (JA3N, JA4, JA4_R)
+- Chrome 127-143 fingerprint validation (JA4, JA4_R)
 - TLS 1.2/1.3 with post-quantum cryptography
 - Certificate compression (Brotli, Zlib)
 - Redirect handling and history
@@ -439,16 +438,16 @@ pytest tests/ -v
 - Built on BoringSSL (Google) with post-quantum cryptography support
 - HTTP/2 support via nghttp2
 - Inspired by Python's requests and httpx libraries
-- Chrome 142 fingerprint matching with perfect JA3N, JA4, and JA4_R matches
-- Certificate compression support for Cloudflare-protected sites
+- Chrome 127-143 fingerprint matching with perfect JA4, JA3N, and HTTP/2 Akamai fingerprints
+- Certificate compression (Brotli) for Cloudflare-protected sites
 
 ## FAQ
 
 **Q: Why another HTTP client?**
 A: httpmorph combines the performance of native C with browser fingerprinting capabilities, making it ideal for applications that need both speed and realistic browser behavior.
 
-**Q: How accurate is the Chrome 142 fingerprint?**
-A: httpmorph achieves perfect matches for modern fingerprints including JA3N, JA4, and JA4_R. This is verified against real Chrome 142 browsers. Test your fingerprint at https://suip.biz/?act=ja4
+**Q: How accurate are the Chrome fingerprints?**
+A: httpmorph achieves perfect JA4 matches for Chrome 127-143. Test your fingerprint at https://tls.peet.ws/api/all
 
 **Q: Is it production-ready?**
 A: No, httpmorph is still in active development and not yet recommended for production use.
@@ -457,7 +456,7 @@ A: No, httpmorph is still in active development and not yet recommended for prod
 A: For most common use cases, yes! We've implemented the most widely-used requests API. Some advanced features may have slight differences.
 
 **Q: Does it work with Cloudflare-protected sites?**
-A: Yes! httpmorph supports certificate compression (Brotli, Zlib) which is required for many Cloudflare-protected sites. We successfully tested with icanhazip.com and postman-echo.com.
+A: Yes! httpmorph supports certificate compression (Brotli) which is required for many Cloudflare-protected sites. We successfully tested with icanhazip.com and postman-echo.com.
 
 **Q: How do I report a bug?**
 A: Please open an issue on GitHub with a minimal reproduction example and your environment details (OS, Python version, httpmorph version).

docs/source/advanced.rst

@@ -9,11 +9,11 @@ TLS Fingerprinting
 Browser-Specific Fingerprints
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-httpmorph generates accurate Chrome 142 TLS fingerprints with perfect JA3N, JA4, and JA4_R matching:
+httpmorph generates accurate Chrome 143 TLS fingerprints with perfect JA3N, JA4, JA4_R, and Akamai matching:
 
 .. code-block:: python
 
-   # Chrome 142 profile (default)
+   # Chrome 143 profile (default)
    session = httpmorph.Session(browser='chrome')
    response = session.get('https://example.com')
 
@@ -23,7 +23,7 @@ httpmorph generates accurate Chrome 142 TLS fingerprints with perfect JA3N, JA4,
    print('HTTP:', response.http_version)
 
    # Output example:
-   # JA3: 8e19337e7524d2573be54efb2b0784c9 (Chrome 142 normalized)
+   # JA3: dcefaf3f0e71d260d19dc1d0749c9278 (Chrome 143 normalized)
    # TLS: TLSv1.3
    # Cipher: TLS_AES_128_GCM_SHA256
    # HTTP: 2.0
@@ -53,7 +53,7 @@ Customize the User-Agent for different operating systems:
 GREASE Values
 ~~~~~~~~~~~~~
 
-Chrome 142 uses GREASE (Generate Random Extensions And Sustain Extensibility) values that are randomized per request to maintain TLS ecosystem extensibility:
+Chrome 143 uses GREASE (Generate Random Extensions And Sustain Extensibility) values that are randomized per request to maintain TLS ecosystem extensibility:
 
 .. code-block:: python
 

docs/source/api.rst

@@ -90,13 +90,13 @@ Client Class
 
 .. code-block:: python
 
-   client = httpmorph.Client(http2=False)
+   client = httpmorph.Client(http2=True)
 
-HTTP client for making requests.
+HTTP client for making requests. Defaults to HTTP/2 to match Chrome behavior.
 
 **Constructor Parameters:**
 
-* ``http2`` (bool) - Enable HTTP/2. Default: ``False``
+* ``http2`` (bool) - Enable HTTP/2. Default: ``True``
 
 **Methods:**
 
@@ -127,15 +127,15 @@ Session Class
 
 .. code-block:: python
 
-   session = httpmorph.Session(browser='chrome', os='macos', http2=False)
+   session = httpmorph.Session(browser='chrome', os='macos', http2=True)
 
-HTTP session with persistent cookies and headers.
+HTTP session with persistent cookies and headers. Sessions default to HTTP/2 to match Chrome browser behavior.
 
 **Constructor Parameters:**
 
-* ``browser`` (str) - Browser profile to mimic. Options: ``'chrome'``, ``'chrome142'``, ``'random'``. Default: ``'chrome'``
+* ``browser`` (str) - Browser profile to mimic. Options: ``'chrome'``, ``'chrome127'``-``'chrome143'``, ``'random'``. Default: ``'chrome'`` (Chrome 143)
 * ``os`` (str) - Operating system for User-Agent. Options: ``'macos'``, ``'windows'``, ``'linux'``. Default: ``'macos'``
-* ``http2`` (bool) - Enable HTTP/2. Default: ``False``
+* ``http2`` (bool) - Enable HTTP/2. Default: ``True`` (matches Chrome behavior)
 
 **Attributes:**
 
@@ -423,42 +423,55 @@ Browser Profiles
 
 Available browser profiles for ``Session(browser=...)``:
 
-Chrome 142
-~~~~~~~~~~
+Chrome 143 (Default)
+~~~~~~~~~~~~~~~~~~~~
 
-The default and most accurate browser profile, mimicking Chrome 142:
+The default and most accurate browser profile, mimicking Chrome 143:
 
 **Fingerprint Characteristics:**
 
-* **JA3N**: ``8e19337e7524d2573be54efb2b0784c9`` (perfect match)
-* **JA4**: ``t13d1516h2_8daaf6152771_d8a2da3f94cd`` (perfect match)
-* **JA4_R**: ``t13d1516h2_002f,0035,009c,...`` (perfect match)
+* **JA4**: ``t13d1516h2_8daaf6152771_e5627efa2ab1`` (perfect match)
+* **JA3N**: ``dcefaf3f0e71d260d19dc1d0749c9278`` (perfect match)
+* **Peetprint**: ``1d4ffe9b0e34acac0bd883fa7f79d7b5`` (perfect match)
+* **Akamai HTTP/2**: ``1:65536;2:0;4:6291456;6:262144|15663105|0|m,a,s,p`` (perfect match)
 * **TLS 1.3** with 15 cipher suites
 * **Post-quantum cryptography**: X25519MLKEM768 (curve 4588)
-* **Certificate compression**: Brotli, Zlib
+* **Certificate compression**: Brotli (zlib fallback for compatibility)
 * **GREASE**: Randomized per request
-* **HTTP/2**: Chrome-specific SETTINGS frame
+* **HTTP/2**: Chrome-specific SETTINGS frame, priority (weight=256, exclusive=1)
+* **Default headers**: sec-ch-ua, sec-fetch-*, accept-language, priority
 
 **User-Agent Variants:**
 
-* **macOS**: ``Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36``
-* **Windows**: ``Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36``
-* **Linux**: ``Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36``
+* **macOS**: ``Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36``
+* **Windows**: ``Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36``
+* **Linux**: ``Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36``
 
 **Usage:**
 
 .. code-block:: python
 
-   # Use Chrome 142 profile (default)
+   # Use Chrome 143 profile (default)
    session = httpmorph.Session(browser='chrome')
 
-   # Explicitly use Chrome 142
-   session = httpmorph.Session(browser='chrome142')
+   # Explicitly use Chrome 143
+   session = httpmorph.Session(browser='chrome143')
 
    # With specific OS
    session = httpmorph.Session(browser='chrome', os='windows')
 
+Chrome 127-142
+~~~~~~~~~~~~~~
+
+Older Chrome profiles are also available for compatibility testing:
+
+.. code-block:: python
+
+   session = httpmorph.Session(browser='chrome127')
+   session = httpmorph.Session(browser='chrome135')
+   # etc.
+
 Random
 ~~~~~~
 
-Randomly selects a browser profile for each session. Currently only Chrome 142 is available.
+Randomly selects a browser profile for each session from available Chrome profiles.

docs/source/quickstart.rst

@@ -102,12 +102,12 @@ Mimic Chrome browser with realistic fingerprints:
 
 .. code-block:: python
 
-   # Chrome browser profile (defaults to Chrome 142)
+   # Chrome browser profile (defaults to Chrome 143)
    session = httpmorph.Session(browser='chrome')
    response = session.get('https://example.com')
 
-   # Use specific Chrome version
-   session = httpmorph.Session(browser='chrome142')
+   # Use specific Chrome version (127-143 supported)
+   session = httpmorph.Session(browser='chrome143')
    response = session.get('https://example.com')
 
    # Random browser selection
@@ -118,9 +118,10 @@ The Chrome browser profile includes:
 * Chrome-specific User-Agent
 * Chrome-specific TLS cipher suites and extensions
 * Post-quantum cryptography (X25519MLKEM768)
-* Certificate compression (Brotli, Zlib)
-* Chrome-specific HTTP/2 settings
-* Perfect JA3N, JA4, and JA4_R fingerprint matching
+* Certificate compression (Brotli, with zlib fallback)
+* Chrome-specific HTTP/2 settings and priority
+* Perfect JA3N, JA4, JA4_R, and Akamai fingerprint matching
+* Chrome-like default headers (sec-ch-ua, sec-fetch-*, etc.)
 
 OS-Specific User Agents
 ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -344,21 +345,22 @@ Upload files:
 HTTP/2
 ------
 
-Enable HTTP/2 support:
+Both Client and Session default to HTTP/2 to match Chrome behavior:
 
 .. code-block:: python
 
-   # For all requests in a client
-   client = httpmorph.Client(http2=True)
+   # Both Client and Session default to HTTP/2 (http2=True)
+   client = httpmorph.Client()
    response = client.get('https://www.google.com')
+   print(response.http_version)  # '2.0'
 
-   # For all requests in a session
-   session = httpmorph.Session(browser='chrome', http2=True)
+   session = httpmorph.Session(browser='chrome')
    response = session.get('https://www.google.com')
+   print(response.http_version)  # '2.0'
 
-   # Per-request override
-   client = httpmorph.Client(http2=False)
-   response = client.get('https://www.google.com', http2=True)
+   # Per-request override (disable HTTP/2 for specific request)
+   client = httpmorph.Client()  # Defaults to HTTP/2
+   response = client.get('https://example.com', http2=False)
 
 Check HTTP version: