JA4 is a modern network fingerprint that identifies the software behind a connection — independent of the User-Agent, which anyone can spoof. It's the backbone of reliable bot and AI-agent detection. Here's what it is and why it works.
The JA4+ family
- JA4 — TLS ClientHello fingerprint (cipher suites, extensions, ALPN, version).
- JA4H — HTTP header fingerprint (order, casing, values).
- JA4T — TCP fingerprint (window size, options, MSS).
- JA4L — latency/distance hint from round-trip time.
- QUIC JA4 — the same idea for HTTP/3 connections.
Why it beats the User-Agent
The User-Agent is a self-reported string — trivial to fake. JA4 is computed from how the client actually builds its TLS/HTTP/TCP handshake, which is determined by its real software stack. A request can claim to be Chrome while its JA4 says "Go HTTP client" — a contradiction that's hard to fake because it lives below the application layer.
JA4 vs JA3
JA3 hashed an ordered field list into one opaque MD5, making it brittle (GREASE and ordering caused churn). JA4 is human-readable, GREASE-aware, sorts unstable fields, and splits into meaningful parts — more stable and more informative. See the JA4 deep dive.
Using JA4 for detection
- Match the JA4 against known browser vs automation stacks.
- Cross-check JA4 vs the claimed User-Agent/Client Hints for contradictions.
- Correlate a stable JA4 across many IPs to catch proxy rotation.
- Reputation: score by the historical bot-rate of each JA4.
detectip.ai computes the full JA4+ suite and folds it into an explainable verdict — see the live demo.
FAQ
Can JA4 be spoofed? Much harder than a User-Agent; faking a browser's exact stack across TLS/HTTP/TCP is non-trivial and itself detectable.
Is JA4 enough on its own? It's powerful but best combined with IP and behavioral signals. Start free with a key.