thermoptic is an HTTP stealth proxy for offensive security operations. Its core value is simple: make non-browser clients such as curl indistinguishable from Chrome. Instead of spoofing headers or mimicking TLS handshakes, thermoptic controls a real browser through the Chrome DevTools Protocol and proxies traffic through it. The result is byte-for-byte parity with Chrome across Transmission Control Protocol (TCP), Transport Layer Security (TLS), and Hypertext Transfer Protocol (HTTP) fingerprints. This defeats many modern anti-bot stacks and fingerprinting systems, such as JA3 and JA4+.
Features
- Chrome-driven requests: Outbound traffic originates from an actual Chrome instance, eliminating guesswork in fingerprint spoofing.
- Multi-layer cloaking: Matches Chrome across TCP, TLS, and HTTP/2 characteristics.
- Proxy compatibility: Exposes a local proxy interface so curl and other tools can route requests without code changes.
- Container deployment: Provided Docker Compose for easy setup.
- Certificate management: Automatically generates a root CA for TLS interception; users can install it to avoid insecure flags.
Installation
Clone the repository and launch with Docker Compose:
|
1 2 3 4 5 |
git clone https://github.com/mandatoryprogrammer/thermoptic.git cd thermoptic docker compose up --build |
On the first run, thermoptic generates a certificate authority file under ./ssl/rootCA.crt. Install this certificate to avoid using --insecure with clients.
Usage
thermoptic runs as a local HTTP proxy. The README example demonstrates verifying fingerprints with curl:
|
1 |
<code>curl --proxy http://changeme:[email protected]:1234 --insecure https://ja4db.com/id/ja4h/</code> |
Notes:
- Default credentials are
changeme:changeme; replace them immediately if you expose the proxy beyond localhost. - To avoid
--insecure, trust the root CA generated at./ssl/rootCA.crt. - thermoptic can attach to any Chrome or Chromium instance launched with the
--remote-debugging-portflag.
Attack Scenario
A red team needs to enumerate endpoints on a target site protected by JA4+ fingerprinting. Regular curl requests are blocked, while browsers pass. The operator starts thermoptic via Docker, configures curl to use the proxy, and requests API endpoints. The site sees requests that match Chrome fingerprints across TLS handshakes and HTTP/2 frames. This allows the team to scrape JavaScript resources, identify hidden APIs, and prepare payloads without alerting automated detection systems.
Red Team Relevance
thermoptic directly supports offensive operations that require stealth at the network and application fingerprinting level. It is valuable in:
- Reconnaissance: Scraping sites with aggressive anti-bot protections.
- C2 traffic: Cloaking outbound callbacks to appear as regular browser sessions.
- OPSEC: Reducing fingerprint artefacts when mixing manual and automated traffic.
Unlike header spoofing, which fails against multi-layer detectors, thermoptic leverages Chrome itself, giving operators confidence in fingerprint parity.
Operational Notes
- Resource overhead: Running Chrome incurs additional CPU and memory costs compared to headless clients.
- Context headers: Operators must still set realistic
Referer,Origin, and cookies for complete stealth. - Behavioural detection: Fingerprint parity does not address traffic timing or interaction anomalies. Combine thermoptic with realistic rate limiting and session simulation.
Conclusion
For context and operational synergy, consider combining thermoptic with classic proxy and fingerprinting tools such as mitmproxy and WAFW00F. All three operate in the space of HTTP inspection and evasion. Still, they solve different problems: mitmproxy is an intercepting proxy that lets operators observe and modify traffic for analysis and debugging, WAFW00F identifies and fingerprints web application firewalls so you can understand protective controls, and thermoptic focuses on producing browser-perfect fingerprints so automated defences treat non-browser clients as legitimate Chrome traffic. Used together, mitmproxy can validate and tune request context and headers, WAFW00F can surface protections to avoid or test against, and thermoptic can then be used to execute low-noise collection or C2 fetches that blend into real browser traffic.
thermoptic provides red teams with a practical method to make curl and similar tools look exactly like Chrome across TCP, TLS, and HTTP layers. For engagements where fingerprint evasion is critical, whether scraping, reconnaissance, or cloaking C2 traffic, thermoptic delivers high-value stealth without the brittleness of manual spoofing.
You can read more or download thermoptic here: https://github.com/mandatoryprogrammer/thermoptic