specters 4.2.0

Rust HTTP client with browser-like Chrome and Firefox fingerprints across TLS, HTTP/1.1, HTTP/2, HTTP/3, and WebSockets
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416

//! HPACK header compression with custom pseudo-header ordering.
//!
//! This module provides a custom HPACK implementation with:
//! - Custom pseudo-header ordering (Chrome uses `:method, :scheme, :authority, :path`)
//! - Full control over header encoding for fingerprint accuracy
//! - Complete Huffman encoding support

use crate::headers::Headers;
use crate::transport::h2::hpack_impl::{Decoder, Encoder};
use bytes::Bytes;

fn bytes_eq_ignore_ascii_case(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).all(|(x, y)| x.eq_ignore_ascii_case(y))
}

/// Pseudo-header ordering for HTTP/2 fingerprinting.
///
/// Different browsers/clients send pseudo-headers in different orders.
/// This order is visible in the Akamai HTTP/2 fingerprint.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Default)]
pub enum PseudoHeaderOrder {
    /// Chrome order: :method, :scheme, :authority, :path (m,s,a,p)
    #[default]
    Chrome,
    /// Firefox order: :method, :path, :authority, :scheme (m,p,a,s)
    Firefox,
    /// Safari order: :method, :scheme, :path, :authority (m,s,p,a)
    Safari,
    /// Legacy order: :method, :authority, :scheme, :path (m,a,s,p)
    Standard,
    /// Custom order specified by indices (0=method, 1=authority, 2=scheme, 3=path)
    Custom([u8; 4]),
}

impl PseudoHeaderOrder {
    /// Get the order as array indices.
    /// Input array is [method(0), authority(1), scheme(2), path(3)].
    /// Returns indices to select in output order.
    fn order(&self) -> [usize; 4] {
        match self {
            // Chrome: m,s,a,p -> method, scheme, authority, path
            Self::Chrome => [0, 2, 1, 3], // m=0, s=2, a=1, p=3
            // Firefox: m,p,a,s
            Self::Firefox => [0, 3, 1, 2], // m=0, p=3, a=1, s=2
            // Safari: m,s,p,a
            Self::Safari => [0, 2, 3, 1], // m=0, s=2, p=3, a=1
            // Legacy: m,a,s,p (old incorrect Chrome assumption)
            Self::Standard => [0, 1, 2, 3], // m=0, a=1, s=2, p=3
            Self::Custom(order) => [
                order[0] as usize,
                order[1] as usize,
                order[2] as usize,
                order[3] as usize,
            ],
        }
    }

    /// Get the Akamai fingerprint string for this order.
    pub fn akamai_string(&self) -> &'static str {
        match self {
            Self::Chrome => "m,s,a,p",
            Self::Firefox => "m,p,a,s",
            Self::Safari => "m,s,p,a",
            Self::Standard => "m,a,s,p",
            Self::Custom(_) => "custom",
        }
    }
}

/// HPACK encoder with custom pseudo-header ordering.
pub struct HpackEncoder {
    encoder: Encoder,
    pseudo_order: PseudoHeaderOrder,
}

impl HpackEncoder {
    /// Create a new encoder with the specified pseudo-header order.
    pub fn new(pseudo_order: PseudoHeaderOrder) -> Self {
        Self {
            encoder: Encoder::new(),
            pseudo_order,
        }
    }

    /// Create encoder with Chrome pseudo-header order (default).
    pub fn chrome() -> Self {
        Self::new(PseudoHeaderOrder::Chrome)
    }

    /// Set the dynamic table size.
    pub fn set_max_table_size(&mut self, size: usize) {
        self.encoder.set_max_table_size(size);
    }

    /// Encode headers for an HTTP/2 request.
    ///
    /// Pseudo-headers are ordered according to the configured order.
    /// Regular headers follow in the order provided.
    pub fn encode_request(
        &mut self,
        method: &str,
        scheme: &str,
        authority: &str,
        path: &str,
        headers: impl Into<Headers>,
    ) -> Bytes {
        let headers = headers.into();
        // Build pseudo-headers in configured order
        let pseudo_headers: [(&[u8], &[u8]); 4] = [
            (b":method", method.as_bytes()),
            (b":authority", authority.as_bytes()),
            (b":scheme", scheme.as_bytes()),
            (b":path", path.as_bytes()),
        ];

        // Collect all headers in the correct order
        let mut all_headers: Vec<(&[u8], &[u8])> = Vec::new();

        // Storage for processed valid headers (lowercased name, value ref)
        // We need this intermediate storage to ensure the Strings live long enough
        // and to avoid borrow checker issues (references into a growing Vec).
        let mut valid_headers: Vec<(Vec<u8>, &[u8])> = Vec::with_capacity(headers.len());

        for (name, value) in headers.iter_bytes() {
            if name.first() == Some(&b':') {
                continue;
            }

            if name.is_empty() {
                continue;
            }
            if name.iter().any(|&b| b < 0x21 || (b > 0x7E && b != 0x7F)) {
                continue;
            }

            let name_lower = if name.iter().all(|b| b.is_ascii_lowercase()) {
                name.to_vec()
            } else {
                name.iter().map(|b| b.to_ascii_lowercase()).collect()
            };

            if name_lower == b"connection"
                || name_lower == b"keep-alive"
                || name_lower == b"proxy-connection"
                || name_lower == b"transfer-encoding"
                || name_lower == b"upgrade"
            {
                continue;
            }

            if name_lower == b"te" && !bytes_eq_ignore_ascii_case(value, b"trailers") {
                continue;
            }

            valid_headers.push((name_lower, value));
        }

        // Add pseudo-headers in the specified order
        let order = self.pseudo_order.order();
        for &idx in &order {
            all_headers.push(pseudo_headers[idx]);
        }

        // Add regular headers from the validated list
        for (n, v) in &valid_headers {
            all_headers.push((n.as_slice(), *v));
        }

        // Encode all headers
        let encoded = self.encoder.encode(&all_headers);
        Bytes::from(encoded)
    }

    /// Encode RFC 8441 Extended CONNECT headers for WebSocket over HTTP/2.
    ///
    /// The pseudo-header order is deterministic and spec-compliant for RFC 8441;
    /// it is not claimed to be Chrome-exact.
    pub fn encode_extended_connect_websocket(
        &mut self,
        authority: &str,
        scheme: &str,
        path: &str,
        headers: impl Into<Headers>,
    ) -> Result<Bytes, String> {
        let headers = headers.into();
        if authority.is_empty() {
            return Err(":authority must not be empty".to_string());
        }
        if scheme.is_empty() {
            return Err(":scheme must not be empty".to_string());
        }
        if path.is_empty() {
            return Err(":path must not be empty".to_string());
        }

        let pseudo_headers: [(&[u8], &[u8]); 5] = [
            (b":method", b"CONNECT"),
            (b":protocol", b"websocket"),
            (b":scheme", scheme.as_bytes()),
            (b":path", path.as_bytes()),
            (b":authority", authority.as_bytes()),
        ];

        let mut valid_headers: Vec<(Vec<u8>, &[u8])> = Vec::with_capacity(headers.len());

        for (name, value) in headers.iter_bytes() {
            if name.first() == Some(&b':') {
                return Err(format!(
                    "RFC 8441 user pseudo-header rejected: {}",
                    String::from_utf8_lossy(name)
                ));
            }

            if name.is_empty() {
                return Err("RFC 8441 header name must not be empty".to_string());
            }
            if name.iter().any(|&b| b < 0x21 || (b > 0x7E && b != 0x7F)) {
                return Err(format!(
                    "RFC 8441 invalid header name rejected: {}",
                    String::from_utf8_lossy(name)
                ));
            }

            let name_lower = if name.iter().all(|b| b.is_ascii_lowercase()) {
                name.to_vec()
            } else {
                name.iter().map(|b| b.to_ascii_lowercase()).collect()
            };
            if matches!(
                name_lower.as_slice(),
                b"connection"
                    | b"upgrade"
                    | b"host"
                    | b"sec-websocket-key"
                    | b"sec-websocket-accept"
                    | b"sec-websocket-extensions"
                    | b"keep-alive"
                    | b"proxy-connection"
                    | b"transfer-encoding"
            ) {
                return Err(format!(
                    "RFC 8441 forbidden header rejected: {}",
                    String::from_utf8_lossy(&name_lower)
                ));
            }

            if name_lower == b"te" && !bytes_eq_ignore_ascii_case(value, b"trailers") {
                return Err("RFC 8441 forbids TE values other than trailers".to_string());
            }

            valid_headers.push((name_lower, value));
        }

        let mut all_headers: Vec<(&[u8], &[u8])> =
            Vec::with_capacity(pseudo_headers.len() + valid_headers.len());
        all_headers.extend_from_slice(&pseudo_headers);
        for (name, value) in &valid_headers {
            all_headers.push((name.as_slice(), *value));
        }

        let encoded = self.encoder.encode(&all_headers);
        Ok(Bytes::from(encoded))
    }

    /// Split an encoded header block into chunks if it exceeds max_frame_size.
    /// Returns (first_chunk, remaining_chunks).
    ///
    /// This is used when header blocks exceed MAX_FRAME_SIZE and must be
    /// split across HEADERS + CONTINUATION frames per RFC 9113 Section 6.10.
    ///
    /// Use this after calling encode_request() to chunk the result if needed.
    pub fn chunk_encoded(encoded: Bytes, max_frame_size: usize) -> (Bytes, Vec<Bytes>) {
        if encoded.len() <= max_frame_size {
            // Fits in single frame
            return (encoded, Vec::new());
        }

        // Split into chunks
        let mut chunks: Vec<Bytes> = encoded
            .chunks(max_frame_size)
            .map(Bytes::copy_from_slice)
            .collect();

        let first = chunks.remove(0);
        (first, chunks)
    }
}

/// HPACK decoder.
pub struct HpackDecoder {
    decoder: Decoder,
}

impl HpackDecoder {
    /// Create a new decoder.
    pub fn new() -> Self {
        Self {
            decoder: Decoder::new(),
        }
    }

    /// Set the maximum dynamic table size.
    pub fn set_max_table_size(&mut self, size: usize) {
        self.decoder.set_max_table_size(size);
    }

    /// Decode a header block into a list of headers.
    pub fn decode(&mut self, data: &[u8]) -> Result<Vec<(String, String)>, String> {
        let mut headers = Vec::new();

        self.decoder
            .decode_with_cb(data, |name, value| {
                let name_str = String::from_utf8_lossy(name).into_owned();
                let value_str = String::from_utf8_lossy(value).into_owned();
                headers.push((name_str, value_str));
            })
            .map_err(|e| format!("HPACK decode error: {:?}", e))?;

        Ok(headers)
    }
}

impl Default for HpackDecoder {
    fn default() -> Self {
        Self::new()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_pseudo_order_chrome() {
        let order = PseudoHeaderOrder::Chrome;
        assert_eq!(order.akamai_string(), "m,s,a,p");
    }

    #[test]
    fn test_pseudo_order_standard() {
        let order = PseudoHeaderOrder::Standard;
        assert_eq!(order.akamai_string(), "m,a,s,p");
    }

    #[test]
    fn test_encoder_creates_valid_block() {
        let mut encoder = HpackEncoder::chrome();
        let block = encoder.encode_request(
            "GET",
            "https",
            "example.com",
            "/",
            &Headers::from(vec![("user-agent".to_string(), "test".to_string())]),
        );

        // Block should be non-empty
        assert!(!block.is_empty());

        // Decode and verify
        let mut decoder = HpackDecoder::new();
        let headers = decoder.decode(&block).unwrap();

        // Should have 5 headers (4 pseudo + 1 regular)
        assert_eq!(headers.len(), 5);

        // Verify Chrome order: m,s,a,p
        assert_eq!(headers[0].0, ":method");
        assert_eq!(headers[0].1, "GET");
        assert_eq!(headers[1].0, ":scheme");
        assert_eq!(headers[1].1, "https");
        assert_eq!(headers[2].0, ":authority");
        assert_eq!(headers[2].1, "example.com");
        assert_eq!(headers[3].0, ":path");
        assert_eq!(headers[3].1, "/");
        assert_eq!(headers[4].0, "user-agent");
        assert_eq!(headers[4].1, "test");
    }

    #[test]
    fn test_encoder_standard_order() {
        let mut encoder = HpackEncoder::new(PseudoHeaderOrder::Standard);
        let block = encoder.encode_request("GET", "https", "example.com", "/", &Headers::new());

        let mut decoder = HpackDecoder::new();
        let headers = decoder.decode(&block).unwrap();

        // Verify Standard/legacy order: m,a,s,p
        assert_eq!(headers[0].0, ":method");
        assert_eq!(headers[1].0, ":authority");
        assert_eq!(headers[2].0, ":scheme");
        assert_eq!(headers[3].0, ":path");
    }

    #[test]
    fn test_encoder_filters_connection_headers() {
        let mut encoder = HpackEncoder::chrome();
        let block = encoder.encode_request(
            "GET",
            "https",
            "example.com",
            "/",
            &Headers::from(vec![
                ("connection".to_string(), "keep-alive".to_string()),
                ("keep-alive".to_string(), "timeout=5".to_string()),
                ("user-agent".to_string(), "test".to_string()),
            ]),
        );

        let mut decoder = HpackDecoder::new();
        let headers = decoder.decode(&block).unwrap();

        // Should only have pseudo-headers + user-agent (connection headers filtered)
        assert_eq!(headers.len(), 5);
        assert_eq!(headers[4].0, "user-agent");
    }
}