What is JA4? TLS client fingerprinting explained
JA4 is a fingerprint of the TLS ClientHello a client sends when it opens an HTTPS connection. Because different software builds that handshake differently, JA4 reveals what is really connecting — independent of the User-Agent string, which anyone can spoof.
What goes into a JA4
The JA4 part of the JA4+ suite (by FoxIO) summarizes the ClientHello: the TLS version, whether SNI is present, the count of cipher suites and extensions, the ALPN value, plus a truncated hash of the sorted cipher list and a hash of the sorted extension list. The result looks like t13d1516h2_8daaf6152771_b0da82dd1658.
JA4 vs JA3
JA3 hashed an ordered list of fields into a single MD5, which made it brittle (GREASE values and ordering caused churn) and opaque. JA4 is human-readable, GREASE-aware, sorts where order is unstable, and splits the fingerprint into meaningful sections — so it is both more stable and more informative.
Why it matters for bot detection
Automation libraries (Go's net/http, Python requests, curl, Selenium drivers) produce TLS stacks that do not match any real browser. A request can claim to be Chrome in its User-Agent while its JA4 says "Go stdlib" — a contradiction that is hard to fake because it lives below the application layer. detectip.ai also captures JA4H (HTTP headers), JA4T (TCP), JA4L (latency) and a QUIC JA4 for HTTP/3.