
9 Jun 2026 · detection

Spotting bots at the edge with JA4 fingerprints

User-Agent strings lie. Anyone can set User-Agent: Mozilla/5.0 … and most scanners do. But the way a client negotiates TLS — the order of cipher suites it offers, the extensions it sends, the curves it supports — is determined by its actual TLS library, and it's much harder to fake. That handshake is a fingerprint.

JA4 (the successor to JA3) turns the ClientHello into a compact, comparable string. Real Chrome has a JA4 that looks like Chrome. curl, Python's requests, Go's net/http, and the popular scanning tools each have their own. The fingerprint arrives before any HTTP, so you can decide at the edge — log it, rate-limit it, or just quietly note that the "Chrome" hitting your login page handshakes exactly like a Go program.

What goes into a JA4

Roughly, JA4 hashes together, from the TLS ClientHello: the TLS version and whether SNI is present, the sorted list of cipher suites, the sorted list of extensions, and the ALPN value (h2, http/1.1). The result is a string like t13d1516h2_…_… you can group by, count, and alert on. The power isn't any single value — it's that a handful of fingerprints cover almost all legitimate traffic, and the long tail is interesting.
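As an added example (not code from this post), here is the assembly described above in Python. It goes beyond the rough description: the GREASE filtering, the cipher and extension counts, and the signature-algorithm suffix follow the published JA4 specification rather than this page. It assumes the ClientHello is already parsed into integer code points; the name ja4 and the SAMPLE values are constructed for illustration.

```python
import hashlib

# GREASE values (RFC 8701) are random placeholders clients inject; JA4 ignores them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}
SNI, ALPN = 0x0000, 0x0010  # extension type codes

# Constructed sample ClientHello fields (not captured traffic).
SAMPLE = dict(
    version=0x0304, alpn=["h2", "http/1.1"], sig_algs=[0x0403, 0x0804, 0x0401],
    ciphers=[0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
    extensions=[0x2A2A, 0x0000, 0x0017, 0x0010, 0x000D, 0x002B, 0x0033],
)

def _hex_list(values):
    return ",".join(f"{v:04x}" for v in values)

def _trunc_hash(text):
    # First 12 hex characters of SHA-256; an empty list becomes twelve zeros.
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "0" * 12

def ja4(version, ciphers, extensions, alpn=(), sig_algs=(), transport="t"):
    """Build a JA4 string from ClientHello fields that are already parsed.

    version: version code, taken from supported_versions when that is present.
    ciphers / extensions / sig_algs: integer code points in wire order.
    alpn: protocol strings in wire order (assumed ASCII alphanumeric at both ends).
    """
    ciphers = [c for c in ciphers if c not in GREASE]
    extensions = [e for e in extensions if e not in GREASE]
    sig_algs = [s for s in sig_algs if s not in GREASE]
    first = alpn[0] if alpn else ""
    alpn_tag = first[0] + first[-1] if first else "00"
    part_a = (
        f"{transport}{TLS_VERSIONS.get(version, '00')}"
        f"{'d' if SNI in extensions else 'i'}"
        f"{min(len(ciphers), 99):02d}{min(len(extensions), 99):02d}{alpn_tag}"
    )
    part_b = _trunc_hash(_hex_list(sorted(ciphers)))
    # SNI and ALPN are counted in part_a but left out of the hashed extension list;
    # signature algorithms are appended in their original (unsorted) order.
    hashed = _hex_list(sorted(e for e in extensions if e not in (SNI, ALPN)))
    if sig_algs:
        hashed += "_" + _hex_list(sig_algs)
    return f"{part_a}_{part_b}_{_trunc_hash(hashed)}"

if __name__ == "__main__":
    print(ja4(**SAMPLE))
```

Because ciphers and extensions are sorted and GREASE is dropped before hashing, a client that shuffles its offer order keeps the same fingerprint, which is what makes the value stable enough to group by and count.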

Using it

We don't usually block on JA4 alone — fingerprints can be shared by many clients, and you don't want to wall off a legitimate library. What we do:

Capturing JA4 properly means reading the raw ClientHello — most app frameworks don't hand you the extension ordering, so you either terminate TLS somewhere that exposes the handshake or parse the first record yourself before passing the connection up the stack.

The honest caveat

Fingerprinting is one input, not a verdict. Treat JA4 as a strong prior you combine with what the client actually does. A scanner with a perfect browser fingerprint still gives itself away the moment it asks for /wp-login.php on a site that has never run WordPress. Used that way, it's one of the cheapest, highest-signal things you can add to an edge.
