What Is a JA3 / JA4 Fingerprint?
A JA3 / JA4 fingerprint is a short hash derived from a TLS client handshake that identifies which TLS library, browser, or bot made a connection, without relying on IP address. JA3 was introduced by Salesforce in 2017 using MD5; JA4 is the modern FoxIO successor that uses SHA-256 and sorts input fields to resist evasion. Bot defenses, fraud platforms, and access-control systems use these hashes to flag suspicious clients at the protocol level.
How JA3 and JA4 Fingerprints Work
JA3 concatenates five fields from the TLS ClientHello message: TLS version, cipher suites, extensions, elliptic curves, and EC point formats, then MD5-hashes them into a 32-character string (Fingerprint.com - TLS Fingerprinting, 2024). Every client that sends the same combination, regardless of IP address, produces the same hash. That consistency lets security systems cluster traffic by client type rather than by origin.
JA4 addresses a core weakness in JA3: extension order. Clients could rotate the order of TLS extensions to generate a different JA3 hash while presenting identical capabilities. JA4 sorts cipher suites and extensions before hashing, removing that evasion path. The output is a three-part string (for example, t13d1516h2_8daaf6152771_b186095e22b6), built from a human-readable prefix plus two 12-character truncated SHA-256 hashes (FoxIO-LLC JA4 specification, 2025). JA4 also strips GREASE values, which browsers insert for compatibility testing and would otherwise add noise.
The FoxIO JA4+ suite extends the concept beyond TLS. JA4H covers HTTP request headers, JA4S covers the server-side TLS response, and JA4L measures network latency patterns. Combining sub-fingerprints tightens detection accuracy considerably.
Use Cases
Bot mitigation systems use JA3/JA4 hashes to identify scraper libraries (such as Python's requests, httpx, or headless Chromium builds) even when those clients rotate IP addresses or spoof user-agent strings. A residential IP paired with a Python TLS stack still produces a recognizable non-browser fingerprint.
Access-control platforms layer JA3/JA4 with other signals (user-agent, HTTP/2 frame order, canvas hash) to build a composite device profile. A mismatch between the claimed browser and the TLS fingerprint is a strong anomaly signal worth investigating.
Security researchers and red teams use the fingerprints in reverse: profiling which TLS library a target server expects, then configuring their client to match it. Tools like curl-impersonate and the utls library patch the TLS stack to produce a Chrome-matching handshake.
When accessing sites at scale via residential proxies, a client's JA4 fingerprint still needs to match a real browser or the IP-reputation advantage disappears. Pairing genuine residential IPs (such as those on the Massive network) with browser-accurate TLS is the standard practice.
Frequently Asked Questions
A JA3 fingerprint is a 32-character MD5 hash of five TLS ClientHello fields (TLS version, cipher suites, extensions, elliptic curves, EC point formats), introduced by Salesforce in 2017 (Fingerprint.com - TLS Fingerprinting, 2024). It lets network security tools identify a client's TLS library without relying on IP address.
JA4 sorts fields before hashing, which defeats extension-order randomization, and uses SHA-256 instead of MD5. The result is a human-readable a_b_c string rather than an opaque hex hash (FoxIO-LLC JA4 specification, 2025). JA4 also ignores GREASE values, making fingerprints more stable across browser updates.
Yes. Libraries like curl-impersonate and utls patch the TLS stack to mimic a target browser's exact ClientHello. Bot defenses counter this by combining JA4 with additional signals such as HTTP/2 frame order, timing patterns, and canvas fingerprints to build a harder-to-fake composite.
Rotating IP addresses does not change the TLS fingerprint of the underlying HTTP client. A scraper running on a residential IP but using Python's default TLS stack will still match a known bot fingerprint. Browser-accurate TLS emulation is needed alongside IP rotation to avoid detection.