A reference on the network-layer fingerprints DataDome reads: HTTP/2 SETTINGS frames, flow control, pseudo-header order, and how a mismatch between the claimed user agent and the wire profile flags a client.
A reference on Cloudflare's network-layer fingerprinting: how JA3, JA4, and the HTTP/2 frame profile are computed at the edge, what cf.bot_management exposes, and how those signals feed the 1-99 bot score.
A reference for the HTTP/2 client fingerprint: the SETTINGS frame parameters, the WINDOW_UPDATE increment, the priority frames, the pseudo-header order, and the S|WU|P|PS string Akamai popularised in 2017.
Traces how the order of the :method :authority :scheme :path pseudo-headers fingerprints an HTTP/2 client, why each browser and library orders them differently, and why the signal is a clean browser-vs-client tell that survives header spoofing.
Traces HTTP/2 stream prioritization as a fingerprint: how browsers built dependency trees, why RFC 9113 deprecated the original scheme, what RFC 9218 replaced it with, and which part of the priority signal still labels a client.
How a forged TLS handshake plus a generic HTTP/2 library still contradicts itself at the frame level, and how anti-bot systems turn that cross-layer mismatch into a bot verdict.
Traces how HTTP/2's single multiplexed connection replaced HTTP/1.1's pool of short-lived sockets, and how that one architectural change turned per-connection setup frames into a stable, reusable client fingerprint.
Traces how a request-then-RST_STREAM loop in HTTP/2 sidestepped the concurrency limit that was supposed to bound per-connection work, set DDoS records at 398 and 201 million requests per second, and forced a round of server patches.
Traces how HTTP/2-to-HTTP/1.1 downgrading reintroduces request smuggling through H2.CL and H2.TE desync, why a binary length field stops protecting the message the moment an edge rewrites it, and what 2025 research showed is still unfixed.