npm - @fanboynz/network-scanner - Versions diffs - 3.1.0 → 3.1.2 - Mend

@fanboynz/network-scanner 3.1.0 → 3.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,59 @@
 All notable changes to the Network Scanner (nwss.js) project.
+## [3.1.1] - 2026-05-30
+### Changed
+- **Fingerprint identity pinned to Stable Chrome 148**, not whatever Chrome-for-Testing puppeteer bundles (currently 149, ahead of Stable). The spoof must blend with the real-world population; claiming an unreleased build is itself a tell. The Chrome major + build (`CHROME_BUILD`) + GREASE brand (`CHROME_GREASE_BRAND`) are now single constants — see `lib/fingerprint.md`.
+- **UA Client Hints made fully consistent and matched to real Chrome 148** (verified field-for-field against a live desktop): brand-list order + GREASE string (`Not/A)Brand`), and the full-version build (`148.0.7778.217`) sourced from one place so JS `getHighEntropyValues` and the HTTP `Sec-CH-UA-Full-Version*` headers can't drift. Added `wow64`, `model`, `formFactors`, `uaFullVersion`, and `Sec-CH-UA-WoW64`/`-Model`/`-Form-Factors` headers; Windows `platformVersion` → `19.0.0`.
+- **`navigator.deviceMemory` and `Sec-CH-Device-Memory` both pinned to `8`** (consistent JS↔HTTP), hiding the host's real RAM; `hardwareConcurrency` reports 4–8 (hides datacenter core count).
+- **Dependencies**: puppeteer / puppeteer-core 25.1.0, lru-cache 11.5.1.
+### Fixed
+- **Timezone is now spoofed via CDP `emulateTimezone`** instead of JS overrides, so `Date`, `Intl`, and `getTimezoneOffset` are all consistent and DST-correct. The old JS patching left the real `Date` in the host zone — an 8-hour `Date`-vs-`Intl` contradiction and a leaked host timezone.
+- **Closed several headless tells**: Battery now reports the plugged-in default (`charging:true, level:1`); `navigator.bluetooth`, `navigator.share`/`canShare` stubs added (present in real Chrome, absent in headless); `speechSynthesis.getVoices()` returns the claimed-OS voice set (`instanceof`-correct).
+- **proxy**: a string `proxy_bypass`/`socks5_bypass` (instead of an array) no longer throws `bypass.join is not a function` in the browser-launch path.
+- **socks-relay**: a client that disconnects during the upstream-connect await is now handled, so a tunnel isn't opened for a gone client and the watchdog clears immediately.
+- **smart-cache**: the memory-check and auto-save `setInterval`s are now `unref`'d, so an error path that skips `destroy()` can no longer hang the process.
+### Removed
+- Dead code: `browserhealth` `testNetworkCapability` + `purgeStaleTrackers` (zero callers), and a redundant 2-voice `speechSynthesis` block superseded by the full voice set.
+### Added
+- **`lib/fingerprint.md`** — fingerprint spoofing coverage tables (surfaces, mitigations, gating flags) and known limitations.
+## [3.1.0] - 2026-05-29
+### Added
+- **`realistic_click`** site flag — denser mouse approach, hold tremor, and mouseup drift for sites that score click realism.
+- **`interact_click_count`** site override for popunder-discovery click volume (default content-click count also raised 2 → 3).
+- **`clear_sitedata_full_on_reload`** site flag — full storage clear between reloads; quick mode now also clears localStorage/sessionStorage.
+- **regex-tool rewritten** as a real `filterRegex` builder/tester: literal↔standard↔JSON conversion, multi-pattern + `regex_and`, and testing against real request URLs (matching mirrors the scanner exactly).
+- **Fingerprint coverage**: per-domain-seeded Battery / `navigator.connection` values, `AudioBuffer` fingerprint defeat, `PerformanceNavigationTiming` jitter, `userActivation`; UA strings bumped to Chrome 148 / Firefox 151 / Safari 19.5.
+### Changed
+- **`userAgent` now defaults to `"chrome"`** when a site doesn't set one — previously sites without it leaked the bundled `HeadlessChrome` UA.
+- **`Sec-CH-UA` headers and the curl content-fetch UA derive from the single UA source**, so Client Hints can't drift from `navigator.userAgent`.
+- **VPN configs force scan concurrency to 1** — the shared system routing table isn't concurrency-safe.
+- **Interaction time ceiling scales with the work envelope** (click count / `realistic_click`) instead of a flat 15s.
+### Fixed
+- **Per-URL timeout scales** with site timeout/delay/reload (+8s recovery grace) instead of a flat 75s that discarded partial-match recovery on multi-URL scans.
+- **Interaction hard cap is now actually enforced** (was cooperative, overshooting to 20s+ under concurrency).
+- **WireGuard** inline temp-config leaked the private key on failed connect and broke retries; temp dir is now per-PID so concurrent processes can't wipe each other's config.
+- **nettools**: fixed a dig dedup race (concurrent same-domain double lookups); whois no longer discards valid records over non-fatal stderr.
+- **Orphan resource leaks** on `Promise.race` timeout (cdp.js, clear_sitedata.js, browserhealth.js) and several un-`unref`'d `setTimeout` handles.
+- **Config keys validated at startup** with boolean-like coercion, preventing silent misconfiguration.
+### Security
+- **OpenVPN** `pkill`/`ping`/`curl` calls moved from shell-interpolated `execSync` to `spawnSync` arg arrays (command-injection).
+- **WireGuard/OpenVPN interface & connection names validated** against a strict charset before use in paths/commands.
+### Performance
+- **adblock**: O(1) exact-domain lookup for `$third-party` / `$first-party` rules.
+- Parallelized site-data clearing and window-cleanup checks.
+- Removed dead code across cdp, domain-cache, searchstring, compress, adblock-rust, and nettools.
 ## [3.0.3] - 2026-05-26
 ### Improved

package/lib/browserhealth.js CHANGED Viewed

@@ -607,16 +607,6 @@ function untrackPage(page) {
   pageUsageTracker.delete(page);
 }
-/**
- * No-op since the trackers were migrated to WeakMap — GC reclaims dead-page
- * entries automatically when Puppeteer drops its internal references. Kept
- * exported so the ~7 callers in nwss.js continue to compile; safe to delete
- * entirely once those callsites are scrubbed.
- */
-function purgeStaleTrackers() {
-  // intentionally empty
-}
 /**
  * Quick browser responsiveness test for use during page setup
  * Designed to catch browser degradation between operations
@@ -637,82 +627,6 @@ async function isQuicklyResponsive(browserInstance, timeout = 3000) {
   }
 }
-/**
- * Tests if browser can handle network operations (like Network.enable)
- * Creates a test page and attempts basic network setup
- * @param {import('puppeteer').Browser} browserInstance - Puppeteer browser instance
- * @param {number} timeout - Timeout in milliseconds (default: 10000)
- * @returns {Promise<object>} Network capability test result
- */
-async function testNetworkCapability(browserInstance, timeout = 10000) {
-  const result = {
-    capable: false,
-    error: null,
-    responseTime: 0
-  };
-  const startTime = Date.now();
-  let testPage = null;
-  // Hoisted so the catch can attach an orphan-close chain. Promise.race
-  // cannot cancel browser.newPage() — if the race times out, the underlying
-  // call may still resolve to a real Page tab nothing references. Same
-  // pattern as cdp.js (commit 0772ccd) and clear_sitedata.js (commit 780b443).
-  let testPagePromise = null;
-  try {
-    // Create test page
-    testPagePromise = browserInstance.newPage();
-    testPage = await raceWithTimeout(
-      testPagePromise,
-      timeout,
-      'Test page creation timeout'
-    );
-    // Test network operations (the critical operation that's failing)
-    await raceWithTimeout(
-      testPage.setRequestInterception(true),
-      timeout,
-      'Network.enable test timeout'
-    );
-    // Turn off interception. Symmetric to the enable above — Network.disable
-    // can hang for the same CDP reasons, so it needs the same watchdog.
-    await raceWithTimeout(
-      testPage.setRequestInterception(false),
-      timeout,
-      'Network.disable test timeout'
-    );
-    result.capable = true;
-    result.responseTime = Date.now() - startTime;
-  } catch (error) {
-    // Orphan cleanup: if testPage is null but newPage() was started, the
-    // race timed out before assignment. Close the orphan when it arrives.
-    if (!testPage && testPagePromise) {
-      testPagePromise.then(p => p.close().catch(() => {})).catch(() => {});
-    }
-    result.error = error.message;
-    result.responseTime = Date.now() - startTime;
-    // Classify the error type
-    if (error.message.includes('Network.enable') ||
-        error.message.includes('timed out') ||
-        error.message.includes('Protocol error')) {
-      result.error = `Network capability test failed: ${error.message}`;
-    }
-  } finally {
-    if (testPage && !testPage.isClosed()) {
-      try {
-        await testPage.close();
-      } catch (closeErr) {
-        /* ignore cleanup errors */
-      }
-    }
-  }
-  return result;
-}
 /**
  * Checks if browser instance is still responsive
  * @param {import('puppeteer').Browser} browserInstance - Puppeteer browser instance
@@ -758,8 +672,8 @@ async function checkBrowserHealth(browserInstance, timeout = 8000) {
     // Test 4: Create a single test page to verify both browser functionality AND network capability
     let testPage = null;
-    // Same orphan-cleanup pattern as testNetworkCapability above + cdp.js +
-    // clear_sitedata.js. Promise.race can't cancel newPage() — if the race
+    // Same orphan-cleanup pattern as cdp.js + clear_sitedata.js.
+    // Promise.race can't cancel newPage() — if the race
     // times out the underlying call may still produce a Page tab nothing
     // references → leaked tab.
     let testPagePromise = null;
@@ -1282,7 +1196,6 @@ module.exports = {
   performGroupWindowCleanup,
   performRealtimeWindowCleanup,
   trackPageForRealtime,
-  testNetworkCapability,
   isQuicklyResponsive,
   performHealthAssessment,
   monitorBrowserHealth,
@@ -1290,6 +1203,5 @@ module.exports = {
   isCriticalProtocolError,
   updatePageUsage,
   untrackPage,
-  cleanupPageBeforeReload,
-  purgeStaleTrackers
+  cleanupPageBeforeReload
 };

package/lib/fingerprint.js CHANGED Viewed

@@ -26,12 +26,43 @@ function seededRandom(seed) {
 const _fingerprintCache = new Map();
 const FINGERPRINT_CACHE_MAX = 500;
+// The build portion of the Chrome full version (major.0.BUILD). The reduced
+// UA string deliberately hides this (Chrome/148.0.0.0), but the full-version
+// Client Hints — Sec-CH-UA-Full-Version, -Full-Version-List, and
+// userAgentData.getHighEntropyValues(['fullVersionList','uaFullVersion']) —
+// expose the REAL build. Single source of truth so the HTTP headers (set in
+// nwss.js, which imports this) and the JS high-entropy spoof can't disagree;
+// a server cross-checking the two would catch a mismatch. The major comes
+// from the UA string at each call site, so on a Chrome bump update BOTH the
+// USER_AGENT_COLLECTIONS major AND this build.
+//
+// We deliberately spoof the current STABLE Chrome (148), NOT whatever build
+// puppeteer happens to bundle (currently 149, ahead of Stable) — the spoof
+// must blend with the real-world population, and almost nobody runs 149 yet.
+// 7778.217 is a real 148 Stable build (verified against a live Chrome 148
+// desktop). The bundled 149 binary still works; only the claimed identity is
+// pinned to Stable.
+const CHROME_BUILD = '7778.217';
+// Chrome's UA-CH GREASE brand. Despite the name, GREASE is NOT random per
+// request — Chromium derives the greasy brand string AND the brand-list order
+// deterministically from the major version, so every real Chrome 148 emits the
+// exact same Sec-CH-UA. Anti-bot detectors exploit this: a spoofer that uses a
+// stale/wrong grease ("Not:A-Brand" instead of 148's "Not/A)Brand") or the
+// wrong order is instantly flagged. Real Chrome 148 order is Chromium, Google
+// Chrome, <grease>. Both the string AND the order are version-coupled — update
+// alongside the major when bumping (verify against a real Chrome of that major).
+const CHROME_GREASE_BRAND = 'Not/A)Brand';
 // User agent collections with latest versions
 const USER_AGENT_COLLECTIONS = Object.freeze(new Map([
   // Chrome version uses the reduced 'X.0.0.0' privacy-preserving form (per
-  // Chrome's UA reduction since v101). The full build (148.0.7778.179) is
+  // Chrome's UA reduction since v101). The full build (148.0.7778.217) is
   // not exposed via UA in modern Chrome — UA-Client-Hints carries that
-  // separately. User confirmed Chrome 148 stable as of late May 2026.
+  // separately (see CHROME_BUILD). Pinned to the current STABLE major (148),
+  // which is what the real-world population runs — NOT the newer build
+  // puppeteer bundles; we want to blend in, not advertise an ahead-of-Stable
+  // version. Bump when Stable advances, alongside CHROME_BUILD.
   ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
   ['chrome_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
   ['chrome_linux', "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
@@ -177,7 +208,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
   // Generate OS-appropriate hardware specs
   const profiles = {
     windows: {
-      deviceMemory: [8, 16], // Common Windows configurations
+      deviceMemory: [8], // caps at 8 (navigator.deviceMemory max); matches HTTP Sec-CH-Device-Memory on >=8GB hosts
       hardwareConcurrency: [4, 6, 8], // Typical consumer CPUs
       platform: 'Win32',
       timezone: 'America/New_York',
@@ -189,7 +220,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
       ]
     },
     mac: {
-      deviceMemory: [8, 16], // MacBook/iMac typical configs
+      deviceMemory: [8], // caps at 8 (see Windows profile note)
       hardwareConcurrency: [8, 10], // Apple Silicon M1/M2 cores
       platform: 'MacIntel',
       timezone: 'America/Los_Angeles',
@@ -201,7 +232,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
       ]
     },
     linux: {
-      deviceMemory: [8, 16],
+      deviceMemory: [8],
       hardwareConcurrency: [4, 8, 12], // Wide variety on Linux
       platform: 'Linux x86_64',
       timezone: 'America/New_York',
@@ -331,7 +362,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
       // same value regardless of which evaluate runs first.
       const realistic = generateRealisticFingerprint(ua, siteDomain);
-      await page.evaluateOnNewDocument((userAgent, debugEnabled, gpuConfig, seededCores) => {
+      await page.evaluateOnNewDocument((userAgent, debugEnabled, gpuConfig, seededCores, chromeBuild, chromeGrease) => {
         // Apply inline error suppression first
         (function() {
@@ -879,13 +910,22 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (!userAgent.includes('Chrome/')) return; // Only for Chrome UAs
           const chromeMatch = userAgent.match(/Chrome\/(\d+)/);
-          const majorVersion = chromeMatch ? chromeMatch[1] : '145';
+          const majorVersion = chromeMatch ? chromeMatch[1] : '148';
           let platform = 'Windows';
-          let platformVersion = '15.0.0';
+          // 19.0.0 = current Windows 11 mapping (verified against a real
+          // Chrome 148 desktop; the old 15.0.0 was an older Win11 build).
+          // MUST match nwss.js's Sec-CH-UA-Platform-Version header.
+          let platformVersion = '19.0.0';
           let architecture = 'x86';
           let model = '';
           let bitness = '64';
+          // wow64 is true only for a 32-bit Chrome on 64-bit Windows. Our
+          // spoofed configs are all 64-bit (bitness '64'), so it's false on
+          // every platform — but the value must be PRESENT: the server's
+          // accept-ch requests sec-ch-ua-wow64 and trackers call
+          // getHighEntropyValues(['wow64']); an undefined return is a tell.
+          const wow64 = false;
           if (userAgent.includes('Macintosh') || userAgent.includes('Mac OS X')) {
             platform = 'macOS';
             platformVersion = '13.5.0';
@@ -896,10 +936,12 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             architecture = 'x86';
           }
+          // Order + grease must match real Chrome of this major exactly
+          // (deterministic GREASE): Chromium, Google Chrome, <grease>.
           const brands = [
-            { brand: 'Not:A-Brand', version: '99' },
+            { brand: 'Chromium', version: majorVersion },
             { brand: 'Google Chrome', version: majorVersion },
-            { brand: 'Chromium', version: majorVersion }
+            { brand: chromeGrease, version: '99' }
           ];
           const uaData = {
@@ -914,18 +956,20 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 architecture: architecture,
                 bitness: bitness,
                 model: model,
+                wow64: wow64,
+                // Real Chrome (128+) always exposes this for desktop. Omitting
+                // it returned undefined to any site requesting form-factors.
+                formFactors: ['Desktop'],
                 platformVersion: platformVersion,
+                // uaFullVersion (deprecated but still requested via
+                // sec-ch-ua-full-version) and fullVersionList both carry the
+                // real build, sourced from CHROME_BUILD (passed in as
+                // chromeBuild) so HTTP headers and JS can't drift apart.
+                uaFullVersion: majorVersion + '.0.' + chromeBuild,
                 fullVersionList: [
-                  { brand: 'Not:A-Brand', version: '99.0.0.0' },
-                  // Build number 7778.179 matches real Chrome 148 stable
-                  // (per user-confirmed installed version as of late May 2026).
-                  // Prior 7632.160 was Chrome 145's build — outdated for 148.
-                  // If Chrome major bumps in future, update this build number
-                  // too — fullVersionList being inconsistent with the major
-                  // version is a fingerprint-detection signal (a real Chrome
-                  // 148 install would never report a 7632.x build).
-                  { brand: 'Google Chrome', version: majorVersion + '.0.7778.179' },
-                  { brand: 'Chromium', version: majorVersion + '.0.7778.179' }
+                  { brand: 'Chromium', version: majorVersion + '.0.' + chromeBuild },
+                  { brand: 'Google Chrome', version: majorVersion + '.0.' + chromeBuild },
+                  { brand: chromeGrease, version: '99.0.0.0' }
                 ]
               };
               // Only return requested hints
@@ -1575,25 +1619,11 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'pdfViewerEnabled spoofing');
-        // speechSynthesis — headless returns empty voices array
-        safeExecute(() => {
-          if (window.speechSynthesis) {
-            const origGetVoices = speechSynthesis.getVoices.bind(speechSynthesis);
-            speechSynthesis.getVoices = function() {
-              const voices = origGetVoices();
-              if (voices.length === 0) {
-                return [{
-                  default: true, lang: 'en-US', localService: true,
-                  name: 'Microsoft David - English (United States)', voiceURI: 'Microsoft David - English (United States)'
-                }, {
-                  default: false, lang: 'en-US', localService: true,
-                  name: 'Microsoft Zira - English (United States)', voiceURI: 'Microsoft Zira - English (United States)'
-                }];
-              }
-              return voices;
-            };
-          }
-        }, 'speechSynthesis spoofing');
+        // (speechSynthesis voices are spoofed in a single, fuller block later
+        // in this evaluate — "speechSynthesis voices spoofing" — which installs
+        // the complete claimed-OS voice set with instanceof-correct objects. An
+        // earlier 2-voice fallback override lived here and was redundant: the
+        // later block replaced it unconditionally on every injection. Removed.)
         // AudioContext fingerprint spoofing — intercept the actual READ
         // surface fingerprinters care about.
@@ -2230,36 +2260,27 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         // Battery API spoofing
         //
-        // Previously: `Math.random()` for every field, fired on every
-        // evaluateOnNewDocument injection (i.e. every page load). Battery
-        // 'level' jumping from 0.42 to 0.87 to 0.31 across navigations on
-        // the same site is anomalous -- real battery state changes slowly
-        // (minutes, not seconds). Detector noting battery delta across
-        // reloads catches us.
+        // Report the plugged-in / fully-charged default: charging=true,
+        // level=1, chargingTime=0, dischargingTime=Infinity. This is what a
+        // real Chrome desktop reports (verified against a live reference) AND
+        // what the largest slice of the population shows (desktops + plugged-in
+        // laptops), so it blends with the majority.
         //
-        // Now: FNV-1a hash of window.location.hostname seeds all four
-        // fields. Stable per-domain across navigations; varies across
-        // sites (so cross-publisher correlation isn't trivial via this
-        // signal). Also corrects two real-Chrome invariants the old
-        // spoof violated:
-        //   - charging=true  -> chargingTime finite, dischargingTime = Infinity
-        //   - charging=false -> chargingTime = Infinity, dischargingTime finite
-        // The old spoof could produce 'both finite' which never happens
-        // in real Chrome.
+        // Battery is a known fingerprinting vector. The prior approach
+        // per-domain-randomized a partial level (0.25..0.94) and the charging
+        // state — but a partial battery level is MORE identifying than the
+        // common plugged-in state, and "Desktop" form-factor + a discharging
+        // battery is mildly contradictory. The fixed plugged-in default is
+        // both the least-surprising value and carries zero cross-domain entropy.
+        // (Earlier history: an even-older spoof used Math.random() per field,
+        // which made level jump between reloads — also anomalous.)
         safeExecute(() => {
           if (navigator.getBattery) {
-            // FNV-1a 32-bit hash of the hostname -- cheap, deterministic.
-            let h = 0x811c9dc5;
-            const domain = (window.location && window.location.hostname) || '';
-            for (let i = 0; i < domain.length; i++) {
-              h = ((h ^ domain.charCodeAt(i)) * 0x01000193) >>> 0;
-            }
-            const charging = (h & 1) === 1;
             const batteryState = {
-              charging,
-              chargingTime: charging ? (((h >>> 4) % 3540) + 60) : Infinity,        // 60..3600s when charging
-              dischargingTime: charging ? Infinity : (((h >>> 8) % 6600) + 600),    // 600..7200s when on battery
-              level: Math.round((((h >>> 16) % 70) + 25)) / 100,                    // 0.25..0.94, 2-decimal precision
+              charging: true,
+              chargingTime: 0,
+              dischargingTime: Infinity,
+              level: 1,
               addEventListener: () => {},
               removeEventListener: () => {},
               dispatchEvent: () => true
@@ -2270,6 +2291,105 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'battery API spoofing');
+        // navigator.bluetooth (Web Bluetooth). Real Chrome ALWAYS exposes the
+        // Bluetooth object — even with no adapter, where getAvailability()
+        // resolves false. Headless Chrome omits it entirely, so `'bluetooth'
+        // in navigator` returning false is a headless tell. Provide a minimal
+        // stub (only when missing) so the presence check passes; report no
+        // adapter (false) — honest for a server, common for a real desktop,
+        // and avoids claiming hardware a requestDevice() probe couldn't back.
+        safeExecute(() => {
+          if (!navigator.bluetooth) {
+            const bt = {
+              getAvailability: () => Promise.resolve(false),
+              getDevices: () => Promise.resolve([]),
+              requestDevice: () => Promise.reject(
+                new DOMException('User cancelled the requestDevice() chooser.', 'NotFoundError')),
+              addEventListener: () => {},
+              removeEventListener: () => {},
+              dispatchEvent: () => true
+            };
+            if (typeof maskAsNative === 'function') {
+              maskAsNative(bt.getAvailability, 'getAvailability');
+              maskAsNative(bt.requestDevice, 'requestDevice');
+              maskAsNative(bt.getDevices, 'getDevices');
+            }
+            Object.defineProperty(navigator, 'bluetooth', { get: () => bt, configurable: true });
+          }
+        }, 'bluetooth API spoofing');
+        // SpeechSynthesis voices. Real Chrome ships an OS-dependent voice set;
+        // a non-Windows headless host can't have the Microsoft SAPI voices a
+        // Windows UA implies, so the short native list (2 voices here) reading
+        // back contradicts the claimed OS. Provide the canonical set for the
+        // claimed OS (verified vs a live Windows Chrome reference). Voice
+        // objects are built on SpeechSynthesisVoice.prototype with OWN data
+        // properties, so `voice instanceof SpeechSynthesisVoice` passes AND
+        // name/lang/localService read back the spoofed values (own props shadow
+        // the prototype getters). getVoices() returns a fresh array per call,
+        // like real Chrome.
+        safeExecute(() => {
+          if (!window.speechSynthesis) return;
+          const SSV = window.SpeechSynthesisVoice;
+          const isWin = /Windows/.test(userAgent);
+          const mk = (name, lang, local) => {
+            const data = { voiceURI: name, name, lang, localService: local, default: false };
+            if (SSV && SSV.prototype) {
+              const v = Object.create(SSV.prototype);
+              for (const k in data) {
+                Object.defineProperty(v, k, { value: data[k], enumerable: true, configurable: true, writable: k === 'default' });
+              }
+              return v;
+            }
+            return data;
+          };
+          // Microsoft SAPI voices are Windows-only; the Google network voices
+          // are the same set across platforms.
+          const ms = isWin ? [
+            mk('Microsoft David - English (United States)', 'en-US', true),
+            mk('Microsoft Mark - English (United States)', 'en-US', true),
+            mk('Microsoft Zira - English (United States)', 'en-US', true)
+          ] : [];
+          const google = [
+            ['Google Deutsch', 'de-DE'], ['Google US English', 'en-US'],
+            ['Google UK English Female', 'en-GB'], ['Google UK English Male', 'en-GB'],
+            ['Google español', 'es-ES'], ['Google español de Estados Unidos', 'es-US'],
+            ['Google français', 'fr-FR'], ['Google हिन्दी', 'hi-IN'],
+            ['Google Bahasa Indonesia', 'id-ID'], ['Google italiano', 'it-IT'],
+            ['Google 日本語', 'ja-JP'], ['Google 한국의', 'ko-KR'],
+            ['Google Nederlands', 'nl-NL'], ['Google polski', 'pl-PL'],
+            ['Google português do Brasil', 'pt-BR'], ['Google русский', 'ru-RU'],
+            ['Google 普通话（中国大陆）', 'zh-CN'], ['Google 粤語（香港）', 'zh-HK'],
+            ['Google 國語（臺灣）', 'zh-TW']
+          ].map(([n, l]) => mk(n, l, false));
+          const voices = ms.concat(google);
+          if (voices[0]) voices[0].default = true;
+          window.speechSynthesis.getVoices = function getVoices() { return voices.slice(); };
+          if (typeof maskAsNative === 'function') maskAsNative(window.speechSynthesis.getVoices, 'getVoices');
+        }, 'speechSynthesis voices spoofing');
+        // Web Share API (navigator.share / canShare). Present on real DESKTOP
+        // Chrome (since 89) but absent in headless, so `'share' in navigator`
+        // returning false contradicts a desktop UA. Provide stubs only when
+        // missing. canShare() mirrors Chrome's "is there shareable data?"
+        // result; share() requires transient user activation, which automation
+        // never has, so real Chrome rejects with NotAllowedError — match that.
+        safeExecute(() => {
+          if (typeof navigator.canShare !== 'function') {
+            const canShare = function canShare(data) {
+              if (!data) return false;
+              return !!(data.url || data.text || data.title || (data.files && data.files.length));
+            };
+            const share = function share() {
+              return Promise.reject(new DOMException(
+                'Must be handling a user gesture to perform a share request.', 'NotAllowedError'));
+            };
+            if (typeof maskAsNative === 'function') { maskAsNative(canShare, 'canShare'); maskAsNative(share, 'share'); }
+            Object.defineProperty(navigator, 'canShare', { value: canShare, configurable: true, writable: true });
+            Object.defineProperty(navigator, 'share', { value: share, configurable: true, writable: true });
+          }
+        }, 'web share API spoofing');
         // Enhanced Mouse/Pointer Spoofing
         //
         safeExecute(() => {
@@ -2435,7 +2555,9 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             [HTMLCanvasElement.prototype, ['getContext', 'toDataURL', 'toBlob']],
             [CanvasRenderingContext2D.prototype, ['getImageData', 'fillText', 'strokeText', 'measureText']],
             [EventTarget.prototype, ['addEventListener', 'removeEventListener']],
-            [Date.prototype, ['getTimezoneOffset']],
+            // Date.prototype.getTimezoneOffset is no longer overridden (timezone
+            // is done via CDP emulateTimezone), so the native function needs no
+            // masking — masking a native fn is at best a no-op, at worst a wrap.
           ];
           if (typeof WebGL2RenderingContext !== 'undefined') {
             protoMasks.push([WebGL2RenderingContext.prototype, ['getParameter', 'getExtension']]);
@@ -2516,7 +2638,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'interaction-gated script trigger');
-      }, ua, forceDebug, selectedGpu, realistic.hardwareConcurrency);
+      }, ua, forceDebug, selectedGpu, realistic.hardwareConcurrency, CHROME_BUILD, CHROME_GREASE_BRAND);
     } catch (stealthErr) {
       if (isSessionClosedError(stealthErr)) {
         if (forceDebug) console.log(formatLogMessage('debug', `Page closed during stealth injection: ${currentUrl}`));
@@ -2704,36 +2826,14 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       };
       spoofNavigatorProperties(navigator, languageSpoofProps);
-      // Timezone spoofing
-      if (spoof.timezone && window.Intl?.DateTimeFormat) {
-        const OriginalDateTimeFormat = window.Intl.DateTimeFormat;
-        window.Intl.DateTimeFormat = function(...args) {
-          const instance = new OriginalDateTimeFormat(...args);
-          const originalResolvedOptions = instance.resolvedOptions;
-          instance.resolvedOptions = function() {
-            const opts = originalResolvedOptions.call(this);
-            opts.timeZone = spoof.timezone;
-            return opts;
-          };
-          return instance;
-        };
-        Object.setPrototypeOf(window.Intl.DateTimeFormat, OriginalDateTimeFormat);
-        // Timezone offset spoofing
-        const timezoneOffsets = {
-          'America/New_York': 300,
-          'America/Los_Angeles': 480,
-          'Europe/London': 0,
-          'America/Chicago': 360
-        };
-        const originalGetTimezoneOffset = Date.prototype.getTimezoneOffset;
-        Date.prototype.getTimezoneOffset = function() {
-          return timezoneOffsets[spoof.timezone] || originalGetTimezoneOffset.call(this);
-        };
-      }
+      // Timezone is handled at the CDP level via page.emulateTimezone() (set
+      // in applyFingerprintProtection, Node side) — NOT here. JS-patching
+      // Intl.resolvedOptions + Date.getTimezoneOffset was actively harmful: it
+      // left the real Date object in the host's true zone, so the formatted
+      // time / getHours() / Date.toString() contradicted the claimed zone, and
+      // the hardcoded offsets ignored DST. emulateTimezone makes every Date and
+      // Intl read consistent, so no JS override is needed (or wanted) here.
       // Cookie and DNT spoofing
       if (spoof.cookieEnabled !== undefined) {
         safeDefinePropertyLocal(navigator, 'cookieEnabled', { get: () => spoof.cookieEnabled });
@@ -2743,6 +2843,22 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       }
     }, { spoof, debugEnabled: forceDebug });
+    // Timezone: use CDP-level emulation (Emulation.setTimezoneOverride) instead
+    // of JS patching. The old JS overrides (Intl.resolvedOptions + Date.proto
+    // getTimezoneOffset) left the REAL Date object in the host's true zone, so
+    // Date.toString(), getHours(), and an Intl format of the same instant all
+    // contradicted the claimed zone (verified: claimed America/New_York while
+    // Date reported the host zone — an 8-hour hour gap, a textbook tell).
+    // emulateTimezone changes the browser's ACTUAL timezone, so Date, Intl, and
+    // getTimezoneOffset are all consistent (and DST-correct).
+    if (spoof.timezone) {
+      try {
+        await page.emulateTimezone(spoof.timezone);
+      } catch (tzErr) {
+        if (forceDebug) console.log(formatLogMessage('debug', `emulateTimezone(${spoof.timezone}) failed for ${currentUrl}: ${tzErr.message}`));
+      }
+    }
   } catch (err) {
     if (isSessionClosedError(err)) {
       if (forceDebug) console.log(formatLogMessage('debug', `Page closed during fingerprint injection: ${currentUrl}`));
@@ -2920,6 +3036,13 @@ async function applyAllFingerprintSpoofing(page, siteConfig, forceDebug, current
 // module.exports only if a new external consumer appears.
 module.exports = {
   applyAllFingerprintSpoofing,
+  // Build portion of the Chrome full version — nwss.js uses it to keep the
+  // Sec-CH-UA-Full-Version* HTTP headers consistent with the JS high-entropy
+  // spoof. Single source of truth for the build that the reduced UA hides.
+  CHROME_BUILD,
+  // GREASE brand string — nwss.js uses it for the Sec-CH-UA / -Full-Version-List
+  // headers so the HTTP brand list matches the JS brands (and real Chrome).
+  CHROME_GREASE_BRAND,
   // Exposed for scripts/test-stealth.js so the harness can validate --ua=
   // against the canonical UA list (instead of duplicating the keys here).
   // The Map itself is frozen; consumers cannot mutate the spoof source.

package/lib/fingerprint.md ADDED Viewed

@@ -0,0 +1,94 @@
+# `lib/fingerprint.js` — Fingerprint Spoofing Coverage
+Bot-detection evasion for the scanner's headless Chromium. The goal is to make a
+scanned page see a coherent, real-Chrome **Stable** desktop profile rather than a
+headless/automation signature — and, just as important, to keep every spoofed
+value **internally consistent** (JS ↔ HTTP, claimed-value ↔ observable reality)
+so a detector cross-checking two surfaces can't catch a mismatch.
+## How it works
+Spoofing is applied per page, before navigation, by `applyAllFingerprintSpoofing(page, siteConfig, …)`, which runs three stages:
+| Stage | Gate (siteConfig) | What it covers |
+|---|---|---|
+| `applyUserAgentSpoofing` | **`userAgent`** (defaults to `"chrome"`) | Browser identity, automation/headless tells, and the bulk of the navigator/JS-API suite |
+| `applyBraveSpoofing` | Brave-mode only | Brave-specific surfaces |
+| `applyFingerprintProtection` | **`fingerprint_protection`** (`true` \| `"random"`) | Hardware fingerprint *values* (canvas/WebGL/audio noise, screen, memory) + CDP timezone. `"random"` seeds them per-domain (stable per site, varies across sites) |
+HTTP **Client Hints** request headers are set separately in `nwss.js` (gated on a `chrome` userAgent). Identity is pinned to **Stable Chrome** via two constants in `fingerprint.js` (`CHROME_BUILD`, `CHROME_GREASE_BRAND`) + the major in `USER_AGENT_COLLECTIONS` — see `feedback_chrome_spoof_version_bump`.
+**Gate legend:** `UA` = runs with `userAgent` set (on by default) · `FP` = runs with `fingerprint_protection` · `HTTP` = request header set in nwss.js.
+## Browser identity
+| Surface | Mitigation | Gate |
+|---|---|---|
+| `navigator.userAgent` / `appVersion` | Pinned to Stable Chrome 148 desktop UA | UA |
+| `navigator.userAgentData` (brands, platform, mobile) | Spoofed; brand order + GREASE string match real Chrome of the major exactly | UA |
+| `getHighEntropyValues()` | Full set: architecture, bitness, model, **wow64**, platformVersion, **uaFullVersion**, fullVersionList, **formFactors** — build from `CHROME_BUILD`, consistent with HTTP | UA |
+| `navigator.platform` / `vendor` / `productSub` / `vendorSub` | Spoofed UA-consistent (`Win32`, `Google Inc.`, `20030107`, `""`) | UA |
+| `Sec-CH-UA`, `-Platform`, `-Platform-Version`, `-Mobile`, `-Arch`, `-Bitness`, `-WoW64`, `-Model`, `-Full-Version`, `-Full-Version-List`, `-Form-Factors` | Set to match the JS values (same brand order/grease/build) | HTTP |
+## Automation & headless tells
+| Surface | Mitigation | Gate |
+|---|---|---|
+| `navigator.webdriver` | Forced `false` (launch flag + JS) | UA |
+| `cdc_…` / `$cdc_…` / selenium / phantom props | Removed | UA |
+| `window.chrome` + `chrome.runtime` | Provided / simulated | UA |
+| `<html webdriver>` attribute | Stripped | UA |
+| `navigator.plugins` / `mimeTypes` | Native 5-PDF set preserved (matches real Chrome) | UA |
+| `navigator.bluetooth` | Stub added (`getAvailability()→false`) — real Chrome always exposes it | UA |
+| `navigator.share` / `canShare` | Stubs added (Web Share; absent in headless) | UA |
+| `speechSynthesis.getVoices()` | Claimed-OS voice set (Windows → Microsoft + Google, 22 voices) | UA |
+| `Notification.permission` / `permissions.query` | `default` / consistent results | UA |
+| `navigator.userActivation` / `getInstalledRelatedApps` / `document.hasStorageAccess` | Stubs (present in real Chrome) | UA |
+## Hardware & rendering
+| Surface | Mitigation | Gate |
+|---|---|---|
+| WebGL `UNMASKED_VENDOR/RENDERER` | Spoofed GPU from an OS-appropriate pool (per-domain seeded) | UA + FP |
+| Canvas (`toDataURL`/`getImageData`) | Per-canvas noise (WeakMap-cached) | UA + FP |
+| AudioContext / `AudioBuffer` | `getChannelData`/`copyFromChannel` intercepted to defeat audio fingerprint | UA + FP |
+| Fonts (`measureText`/offset probes) | Normalized font metrics | UA |
+| `screen.*` (width/height/avail/colorDepth) | Spoofed (1920×1080, colorDepth 24) | UA + FP |
+| `navigator.hardwareConcurrency` | Spoofed down to 4–8 (hides datacenter core count; no HTTP counterpart) | FP |
+| `navigator.deviceMemory` (JS) + `Sec-CH-Device-Memory` (HTTP) | Both pinned to **8** (hides 32 GB host; JS = HTTP, gated together on FP) | FP / HTTP |
+| `PerformanceNavigationTiming` | Jittered to defeat timing fingerprint | UA |
+## Sensors, locale & network
+| Surface | Mitigation | Gate |
+|---|---|---|
+| Battery Status API | Plugged-in default (`charging:true, level:1, dischargingTime:Infinity`) — blends with the majority | UA |
+| `navigator.connection` (rtt/downlink/effectiveType) | **Native** (left untouched when present) — truthful to the real network so it survives a timing cross-check | — |
+| `navigator.languages` / `language` | `["en-US","en"]` / `en-US` | UA |
+| **Timezone** (`Date`, `Intl`, `getTimezoneOffset`) | CDP `emulateTimezone()` — makes all three consistent + DST-correct (replaced broken JS overrides) | FP |
+| `matchMedia` hover/pointer/color-scheme | Desktop-consistent (`hover`, `fine` pointer) | UA |
+| `maxTouchPoints` | UA-consistent (`0` on desktop) | UA |
+| WebRTC ICE candidates | All candidates stripped → no STUN public-IP leak past the proxy | UA |
+| `mediaDevices.enumerateDevices` | Plausible device set | UA |
+## Anti-introspection
+| Surface | Mitigation | Gate |
+|---|---|---|
+| `Function.prototype.toString` | Every overridden function masked to `function X() { [native code] }` (bulk + per-instance) | UA |
+| `Error.stack` / `prepareStackTrace` | Sanitized so injected frames don't leak | UA |
+| Console error noise from spoofs | Suppressed | UA |
+## Known limitations (not fixable at the browser layer)
+| Vector | Why it's out of scope | Mitigation |
+|---|---|---|
+| **IP reputation** | A datacenter IP is the single biggest tell; no JS/header spoof touches it | Residential **proxy/VPN** (`lib/proxy.js`, `lib/wireguard_vpn.js`, `lib/openvpn_vpn.js`) |
+| **TLS (JA3/JA4) + HTTP/2 fingerprint** | Negotiated below the JS layer | Puppeteer's Chromium already presents a genuine Chrome stack; a MITM proxy can alter it |
+| **Timezone vs exit-IP geolocation** | Timezone is now internally consistent, but the *chosen* zone should match the proxy's country | Per-proxy geo config (not yet wired) |
+| **Behavioural / mouse dynamics** | Statistical, not a property | `interact` / `ghost-cursor` config (`lib/interaction.js`) |
+## Verification
+- **`scripts/test-stealth.js`** — automated smoke test against sannysoft / creepjs / browserleaks. Run before/after a spoof change and diff.
+- **Manual reference diff** — launch with the spoof applied and compare each surface against a real Chrome of the pinned major (the coverage above was validated field-for-field against a live Chrome 148 desktop). The unspoofed deviations are deliberate: `hardwareConcurrency`/`deviceMemory` downscaled to hide the host, and `connection` left native.

package/lib/proxy.js CHANGED Viewed

@@ -253,8 +253,12 @@ function getProxyArgs(siteConfig, forceDebug = false) {
     console.warn(formatLogMessage('proxy', `proxy_remote_dns ignored: SOCKS4 cannot do proxy-side DNS resolution (use SOCKS5)`));
   }
-  // Bypass list: domains that skip the proxy
-  const bypass = siteConfig.proxy_bypass || siteConfig.socks5_bypass || [];
+  // Bypass list: domains that skip the proxy. Accept either an array (the
+  // documented form) or a single string — a bare "localhost" used to throw
+  // `bypass.join is not a function` here, in the browser-launch path. Same
+  // string-or-array tolerance as the dig/whois siteConfig fields.
+  const rawBypass = siteConfig.proxy_bypass || siteConfig.socks5_bypass || [];
+  const bypass = Array.isArray(rawBypass) ? rawBypass : [rawBypass];
   if (bypass.length > 0) {
     args.push(`--proxy-bypass-list=${bypass.join(';')}`);
   }

package/lib/smart-cache.js CHANGED Viewed

@@ -93,10 +93,16 @@ class SmartCache {
       this._setupAutoSave();
     }
-    // Set up memory monitoring
+    // Set up memory monitoring. unref'd so this always-on housekeeping timer
+    // can never hold the event loop open past scan completion — destroy()
+    // clears it promptly on the normal path, but unref guarantees a clean
+    // exit on any path that skips destroy() (e.g. an unhandled throw before
+    // nwss reaches its cleanup). Matches the unref convention applied to
+    // every other Node-side timer in the codebase.
     this.memoryCheckInterval = setInterval(() => {
       this._checkMemoryPressure();
     }, this.options.memoryCheckInterval);
+    if (typeof this.memoryCheckInterval.unref === 'function') this.memoryCheckInterval.unref();
   }
   /**
@@ -1137,9 +1143,11 @@ class SmartCache {
    * @private
    */
   _setupAutoSave() {
+    // unref'd for the same reason as memoryCheckInterval — never block exit.
     this.autoSaveInterval = setInterval(() => {
       this.savePersistentCache();
     }, this.options.autoSaveInterval);
+    if (typeof this.autoSaveInterval.unref === 'function') this.autoSaveInterval.unref();
   }
   /**

package/lib/socks-relay.js CHANGED Viewed

@@ -227,13 +227,11 @@ function handleClient(client, upstream, forceDebug, relay) {
         upstreamSock = info.socket;
         // Safety net: if cleanup() ran while we were awaiting the upstream
-        // connect (some path other than the handshake watchdog — e.g. a
-        // 'close' event on the client during pause), settled is true and
-        // cleanup's settled guard would short-circuit a future call,
-        // orphaning this freshly-connected upstream socket. Destroy it
-        // here directly. With Fix #1a moving the watchdog clearTimeout to
-        // the 'connecting' transition this is currently unreachable, but
-        // cheap to keep as defense-in-depth against future code paths.
+        // connect, settled is true and cleanup's settled guard would
+        // short-circuit a future call, orphaning this freshly-connected
+        // upstream socket — so destroy it here directly. Reachable when the
+        // client emits 'error' or 'close' during the await (both wired to
+        // cleanup at handler setup), e.g. Chromium disconnects mid-connect.
         if (settled) {
           try { upstreamSock.destroy(); } catch (_) {}
           return;
@@ -250,8 +248,8 @@ function handleClient(client, upstream, forceDebug, relay) {
         try { upstreamSock.setKeepAlive(true, 60000); } catch (_) {}
         upstreamSock.on('error', cleanup);
         upstreamSock.on('close', cleanup);
-        client.on('error', cleanup);
-        client.on('close', cleanup);
+        // client 'error' and 'close' are wired once at handler setup (bottom
+        // of handleClient) and cover all phases — not re-attached here.
         // SOCKS5 success (BND.ADDR 0.0.0.0:0 — Chromium ignores it for CONNECT)
         client.write(Buffer.from([0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0]));
@@ -273,6 +271,13 @@ function handleClient(client, upstream, forceDebug, relay) {
   client.on('data', onData);
   client.on('error', cleanup);
+  // Attach 'close' HERE (not after piping starts) so it covers the whole
+  // lifetime, including the up-to-20s upstream-connect await. A client that
+  // disconnects cleanly mid-connect now sets settled=true, letting the
+  // post-connect `if (settled)` net destroy the freshly-opened upstream
+  // socket instead of piping into a dead client; and a close mid-handshake
+  // clears the watchdog immediately rather than leaving it to fire later.
+  client.on('close', cleanup);
 }
 // SOCKS5 failure reply (valid only before piping starts).

package/nwss.js CHANGED Viewed

@@ -13,7 +13,7 @@ const dnsPromises = require('node:dns/promises');
 const { createGrepHandler, validateGrepAvailability } = require('./lib/grep');
 const { compressMultipleFiles, formatFileSize } = require('./lib/compress');
 const { parseSearchStrings, createResponseHandler } = require('./lib/searchstring');
-const { applyAllFingerprintSpoofing, USER_AGENT_COLLECTIONS } = require('./lib/fingerprint');
+const { applyAllFingerprintSpoofing, USER_AGENT_COLLECTIONS, CHROME_BUILD, CHROME_GREASE_BRAND } = require('./lib/fingerprint');
 const { formatRules, handleOutput, getFormatDescription } = require('./lib/output');
 // Curl functionality (replace searchstring curl handler)
 const { validateCurlAvailability, createCurlHandler: createCurlModuleHandler } = require('./lib/curl');
@@ -2750,7 +2750,7 @@ function setupFrameHandling(page, forceDebug) {
         if (!useObscura && siteConfig.userAgent && siteConfig.userAgent.toLowerCase().includes('chrome')) {
           const userAgentKey = siteConfig.userAgent.toLowerCase();
           let platform = 'Windows';
-          let platformVersion = '15.0.0';
+          let platformVersion = '19.0.0'; // Win11 — MUST match fingerprint.js's userAgentData platformVersion
           let arch = 'x86';
           if (userAgentKey === 'chrome_mac') {
@@ -2769,21 +2769,46 @@ function setupFrameHandling(page, forceDebug) {
           // never drift out of sync with navigator.userAgent. The version
           // used to be hardcoded ('146') while the UA list moved to 148 —
           // a detector cross-checking UA vs Sec-CH-UA saw the mismatch.
-          // Chrome's UA-reduction means the full version is "<major>.0.0.0".
+          // The full-version hints carry the REAL build (major.0.BUILD) — the
+          // reduced UA hides it, these reveal it. Build comes from
+          // lib/fingerprint's CHROME_BUILD, the same source the JS
+          // getHighEntropyValues spoof uses, so HTTP and JS can't disagree.
           const browserUa = USER_AGENT_COLLECTIONS.get(userAgentKey) || '';
           const chromeMajor = (browserUa.match(/Chrome\/(\d+)/) || [])[1] || '148';
-          const fullVer = `${chromeMajor}.0.0.0`;
+          const fullVer = `${chromeMajor}.0.${CHROME_BUILD}`;
-          await page.setExtraHTTPHeaders({
-            'Sec-CH-UA': `"Not:A-Brand";v="99", "Google Chrome";v="${chromeMajor}", "Chromium";v="${chromeMajor}"`,
+          const chHeaders = {
+            // Brand list order + grease string match real Chrome of this major
+            // exactly (deterministic GREASE): Chromium, Google Chrome, <grease>.
+            // Same order/grease the JS brands spoof uses, so HTTP and JS agree.
+            'Sec-CH-UA': `"Chromium";v="${chromeMajor}", "Google Chrome";v="${chromeMajor}", "${CHROME_GREASE_BRAND}";v="99"`,
             'Sec-CH-UA-Platform': `"${platform}"`,
             'Sec-CH-UA-Platform-Version': `"${platformVersion}"`,
             'Sec-CH-UA-Mobile': '?0',
             'Sec-CH-UA-Arch': `"${arch}"`,
             'Sec-CH-UA-Bitness': '"64"',
+            'Sec-CH-UA-WoW64': '?0',
+            'Sec-CH-UA-Model': '""',
             'Sec-CH-UA-Full-Version': `"${fullVer}"`,
-            'Sec-CH-UA-Full-Version-List': `"Not:A-Brand";v="99.0.0.0", "Google Chrome";v="${fullVer}", "Chromium";v="${fullVer}"`
-          });
+            'Sec-CH-UA-Full-Version-List': `"Chromium";v="${fullVer}", "Google Chrome";v="${fullVer}", "${CHROME_GREASE_BRAND}";v="99.0.0.0"`,
+            // Real Chrome (128+) sends this for desktop; pairs with the
+            // formFactors value in fingerprint.js's getHighEntropyValues spoof.
+            'Sec-CH-UA-Form-Factors': '"Desktop"'
+          };
+          // Sec-CH-Device-Memory must mirror the JS navigator.deviceMemory
+          // override (8) so a server reading BOTH can't cross-check a mismatch.
+          // That JS override lives in applyFingerprintProtection, so it only
+          // runs when fingerprint_protection is set — gate the header the same
+          // way. Without this gate, a userAgent-only site (no fp_protection)
+          // would get JS deviceMemory = the real host RAM (e.g. 32) but HTTP
+          // = 8, a fresh mismatch. With fp off we send neither and both sides
+          // report the native value, which is also consistent. (RAM isn't
+          // server-observable, so spoofing it down hides datacenter specs with
+          // nothing external to contradict — unlike rtt, which we leave native.)
+          if (siteConfig.fingerprint_protection) {
+            chHeaders['Sec-CH-Device-Memory'] = '8';
+          }
+          await page.setExtraHTTPHeaders(chHeaders);
         }
       } catch (fingerprintErr) {
         if (fingerprintErr.message.includes('Session closed') ||

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fanboynz/network-scanner",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "description": "A Puppeteer-based network scanner for analyzing web traffic, generating adblock filter rules, and identifying third-party requests. Features include fingerprint spoofing, Cloudflare bypass, content analysis with curl/grep, and multiple output formats.",
   "main": "nwss.js",
   "scripts": {