projectdiscovery · Mzack9999 · Mar 22, 2026 · Mar 22, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/README.md b/README.md
@@ -238,7 +238,7 @@ CONFIGURATIONS:
    -ldp, -leave-default-ports       leave default http/https ports in host header (eg. http://host:80 - https://host:443
    -ztls                            use ztls library with autofallback to standard one for tls13
    -no-decode                       avoid decoding body
-   -tlsi, -tls-impersonate          enable experimental client hello (ja3) tls randomization
+   -tlsi, -tls-impersonate string    enable experimental client hello (ja3) tls impersonation (random, chrome, or ja3 full string)
    -no-stdin                        Disable Stdin processing
    -hae, -http-api-endpoint string  experimental http api endpoint
    -sf, -secret-file string         path to secret file for authentication

diff --git a/cmd/functional-test/testcases.txt b/cmd/functional-test/testcases.txt
@@ -19,5 +19,5 @@ scanme.sh {{binary}} -silent -ztls
 scanme.sh {{binary}} -silent -jarm
 https://scanme.sh?a=1*1 {{binary}} -silent
 https://scanme.sh:443 {{binary}} -asn
-scanme.sh {{binary}} -silent -tls-impersonate
+scanme.sh {{binary}} -silent -tls-impersonate random
 example.com {{binary}} -silent -bp -strip
diff --git a/common/httpx/httpx.go b/common/httpx/httpx.go
@@ -16,6 +16,7 @@
 	"github.com/microcosm-cc/bluemonday"
 	"github.com/projectdiscovery/cdncheck"
 	"github.com/projectdiscovery/fastdialer/fastdialer"
+	"github.com/projectdiscovery/fastdialer/fastdialer/ja3"
 	"github.com/projectdiscovery/fastdialer/fastdialer/ja3/impersonate"
 	"github.com/projectdiscovery/httpx/common/httputilz"
 	"github.com/projectdiscovery/networkpolicy"
@@ -139,12 +140,7 @@
 	}
 	transport := &http.Transport{
 		DialContext: httpx.Dialer.Dial,
-		DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			if options.TlsImpersonate {
-				return httpx.Dialer.DialTLSWithConfigImpersonate(ctx, network, addr, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}, impersonate.Random, nil)
-			}
-			return httpx.Dialer.DialTLS(ctx, network, addr)
-		},
+		DialTLSContext: httpx.buildTLSDialer(options),
 		MaxIdleConnsPerHost: -1,
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: true,
@@ -216,6 +212,36 @@
 	return httpx, nil
 }
 
+func (h *HTTPX) buildTLSDialer(options *Options) func(ctx context.Context, network, addr string) (net.Conn, error) {
+	if options.TlsImpersonate == "" {
+		return func(ctx context.Context, network, addr string) (net.Conn, error) {
+			return h.Dialer.DialTLS(ctx, network, addr)
+		}
+	}
+
+	tlsCfg := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}
+
+	strategy, identity := resolveImpersonateStrategy(options.TlsImpersonate)
+
+	return func(ctx context.Context, network, addr string) (net.Conn, error) {
+		return h.Dialer.DialTLSWithConfigImpersonate(ctx, network, addr, tlsCfg, strategy, identity)
+	}
+}
+
+func resolveImpersonateStrategy(value string) (impersonate.Strategy, *impersonate.Identity) {
+	switch strings.ToLower(value) {
+	case "", "chrome":
+		return impersonate.Chrome, nil
+	default:
+		spec, err := ja3.ParseWithJa3(value)
+		if err != nil {
+			return impersonate.Chrome, nil
+		}
+		identity := impersonate.Identity(*spec)
+		return impersonate.Custom, &identity
+	}
+}
+
 // Do http request
 func (h *HTTPX) Do(req *retryablehttp.Request, unsafeOptions UnsafeOptions) (*Response, error) {
 	timeStart := time.Now()

diff --git a/common/httpx/option.go b/common/httpx/option.go
@@ -58,7 +58,7 @@ type Options struct {
 	Resolvers                 []string
 	customCookies             []*http.Cookie
 	SniName                   string
-	TlsImpersonate            bool
+	TlsImpersonate            string
 	NetworkPolicy             *networkpolicy.NetworkPolicy
 	CDNCheckClient            *cdncheck.Client
 	Protocol                  Proto