Why do we need the Accept header?

[jlcd]

Hi, why do we need the Accept header among the impersonated browser headers?

Also, sec-fetch-* and a few others change depending on how the request is made, so it doesn't make a lot of sense to keep them every requests. Why are they set for all requests?

[lwthiker]

Hi,

The list of default headers is set according to what the browser sends for a default HTTP request upon connecting to a site for the first time. The ideas behind this choice was to simplify the use of curl-impersonate for common scenarios. From my empirical testing across the web this works quite well in circumventing web fingerprinters.

You do have the ability to turn the default headers off - for example, if you use libcurl-impersonate, you can set the env var CURL_IMPERSONATE_HEADERS=no.

I do agree that this list of headers is not always what you want and it might be confusing for new users of curl-impersonate, especially when using the wrapper scripts. If you have a suggestion around this please let me know.