Usabletested 2026-05-24 · public-tough-v1 · proxy: none

curl_cffi

Chrome's TLS handshake without the browser.

curl_cffi wraps curl-impersonate: it sends TLS and HTTP/2 fingerprints that match a real Chrome, while staying a plain HTTP client. We ran 0.15.0 (Session.get with impersonate=chrome) against the 21-site corpus, no proxy.

It passed 5 of 21 — Amazon, Target, Expedia, Rightmove, and Wikipedia — the best result of any pure HTTP client we tested. The comparison against Requests on the same day is the point: Expedia turned a 429 into a 200, Wikipedia turned a 403 into a 200, and Amazon served real results. The fingerprint is not cosmetic; it converts refusals into passes on sites whose first filter is TLS-level.

Where it still fails, the failure mode shifts: instead of bare 403s, Zillow and Indeed served captcha pages — curl_cffi gets past the door and then hits the JavaScript challenge it cannot execute. Yahoo Finance redirected to consent.yahoo.com, a consent-wall geography artifact rather than a block.

Test conditions

21 real public sites (public-tough-v1), 2026-05-24, no proxy, single residential IP, Linux. Deterministic validators: expected status code plus required and forbidden content markers. Pass rates measure the tool and the network position together. Without a proxy, results reflect how each site's protections treat one plain residential connection as much as the tool itself.

What worked

  • +Best pure-HTTP score: 5/21, including Amazon and Expedia.
  • +Directly observable fingerprint wins over Requests/HTTPX: Expedia 429→200, Wikipedia 403→200.
  • +Requests-like API; drop-in effort is minimal.

What failed

  • JS-challenge sites (Zillow, Indeed, AliExpress, Airbnb, CoinMarketCap, Reddit, YouTube) let it further in, then served captchas it cannot solve.
  • Hard 403 walls remained on eBay, Tripadvisor, Yelp, Trustpilot, and Craigslist without a proxy.
  • Yahoo redirected to a consent wall — plan for geography, not just fingerprints.

When to use it

First pick for static-page scraping at scale when you don't want a browser: you get real fingerprint benefits at HTTP-client speed and cost. Add proxies for IP reputation and a browser tier for JS challenges.

The cheapest real upgrade over plain HTTP that we measured.

Run evidence

Every attempt below is backed by saved artifacts: request/response metadata, body content, and (for browsers) screenshots. Raw JSON and artifacts live in the runner data directory.

Run · curl-cffi-common-sites-v1-20260524

5/21 passedversion 0.15.0proxy: none2026-05-24

adapter: curl_cffi.requests.Session.get(impersonate=chrome)

TargetResultDetailLatency
amazon.comamazon_search_laptoppassstatus 20084 ms
walmart.comwalmart_search_laptopfailblock marker: “Blocked”2.6 s
ebay.comebay_search_laptopfailexpected 200, got 403102 ms
aliexpress.comaliexpress_search_laptopfailblock marker: “Robot”1.7 s
target.comtarget_search_laptoppassstatus 200930 ms
booking.combooking_search_parisfailexpected 200, got 202172 ms
airbnb.comairbnb_search_parisfailblock marker: “captcha”1.0 s
tripadvisor.comtripadvisor_restaurants_parisfailexpected 200, got 403155 ms
expedia.comexpedia_hotels_parispassstatus 2001.6 s
zillow.comzillow_homes_for_salefailblock marker: “CAPTCHA”956 ms
realtor.comrealtor_new_yorkfailexpected 200, got 429195 ms
rightmove.co.ukrightmove_londonpassstatus 200818 ms
indeed.comindeed_python_remotefailblock marker: “captcha”932 ms
yelp.comyelp_sf_restaurantsfailexpected 200, got 403137 ms
trustpilot.comtrustpilot_amazonfailexpected 200, got 40330 ms
newyork.craigslist.orgcraigslist_nyc_bikefailexpected 200, got 403397 ms
finance.yahoo.comyahoo_finance_aaplfailredirected to consent.yahoo.com777 ms
coinmarketcap.comcoinmarketcap_homefailblock marker: “captcha”34 ms
reddit.comreddit_webscrapingfailblock marker: “Please wait for verification”170 ms
youtube.comyoutube_search_scrapingfailblock marker: “captcha”766 ms
en.wikipedia.orgwikipedia_web_scrapingpassstatus 200232 ms