Zero-Dependency HTTP Fingerprinting Library in Go: Bot Detection with JA3

Last month I was building an API for a fintech project. We had rate limiting in place (using kazrl , actually), but bots kept slipping through. They'd rotate IPs, spoof User-Agents, and our simple checks were useless. I needed something smarter. Something that could identify clients by how they make requests, not just what they send. That's when I went down the rabbit hole of HTTP fingerprinting. And after reading papers on JA3, TLS fingerprinting, and header analysis — I realized there was no simple Go library that did all of this without pulling in half the internet as dependencies. So I built reqdna — a zero-dependency HTTP fingerprinting library for Go 1.26+. What is HTTP Fingerprinting? Every HTTP client leaves a unique "fingerprint" based on: TLS handshake — cipher suites, extensions, curves offered Header order — browsers send headers in specific sequences Header presence — real browsers send Accept-Language, bots often don't User-Agent patterns — obvious, but still useful in co