Something really important thats going under the radar is TLS fingerprinting [1].

Multiple servers are using this now, including some requests to subdomains on google.com, googleapis.com, CloudFlare and others. I keep reporting this [2][3], and no one seems to care. If a server blacklists your client, whether its cURL or Go "net/http", you can no longer request to that server using that client. Period. Any HTTP client that wants to be robust, should be thinking about this.