Something really important thats going under the radar is TLS fingerprinting [1].

Multiple servers are using this now, including some requests to subdomains on google.com, googleapis.com, CloudFlare and others. I keep reporting this [2][3], and no one seems to care. If a server blacklists your client, whether its cURL or Go "net/http", you can no longer request to that server using that client. Period. Any HTTP client that wants to be robust, should be thinking about this.

1. https://wikipedia.org/wiki/Device_fingerprint#Sources_of_ide...

2. https://github.com/golang/go/issues/48207

3. https://github.com/curl/curl/issues/8119