What is an Account-Control Surface?
Understand the account-control surface and why account protection has to cover more than the login form.
Support FAQ
JA4 is a fingerprint of a TLS ClientHello. It keeps a small set of readable properties in its first section and uses two truncated hashes for the advertised ciphers and extensions. Unlike JA3, JA4 sorts those lists before hashing them, so extension or cipher ordering alone does not change the canonical value.
JA4 is one method. JA4+ is FoxIO's name for a wider family that includes other observations, such as TLS server responses, HTTP clients, certificates, SSH and TCP. The names are related, but they do not all describe the same data or use the same licence.
The canonical form has three underscore-separated sections: a_b_c.
JA4 = a_b_c
The a section is readable. In order, it records:
t for TLS over TCP, q for QUIC, or d for DTLS.d when it is, i when it is not.00 if it is absent.The b section is the first 12 characters of a SHA-256 hash over the sorted, comma-separated cipher suite codes. The c section is the first 12 characters of a SHA-256 hash over the sorted extension codes followed by signature algorithms in their advertised order. SNI and ALPN extension codes are omitted from that extension list because their presence or value is already represented in a.
JA4 removes GREASE values wherever the algorithm encounters them. The authoritative field rules and edge cases are in FoxIO's JA4 technical specification.
FoxIO's canonical example is:
t13d1516h2_8daaf6152771_e5627efa2ab1
It describes TLS over TCP, TLS 1.3, SNI present, 15 ciphers, 16 extensions and an ALPN value represented as h2. The remaining two sections are 12-character truncated SHA-256 values. They are normal cryptographic hashes, not fuzzy hashes.
JA4 implementations can also expose JA4_r, a raw form that replaces the two hashes with the normalised source lists. Retaining that form makes field-level investigation possible; the compact form is easier to index and exchange.
ClientHello.This naming matters when comparing tools or datasets. A product that supplies JA4 does not necessarily supply JA4H, JA4S or Cloudflare's aggregates.
FoxIO publishes the core JA4 TLS client method under the BSD 3-Clause licence. Its licensing FAQ says the other named JA4+ methods, including JA4H and JA4S, use the FoxIO License 1.1 and require separate terms for monetised use. Read the current FoxIO licensing FAQ for the exact scope. This summary is not legal advice, and projects should check the licence covering the particular method and implementation they plan to use.
A JA4 groups handshakes after the format's chosen normalisation. That can be useful in threat hunting, traffic analysis and request policy, but it does not establish identity. Different clients can share a TLS implementation; an automated client can imitate a browser; and the fingerprint changes as software changes. The capture point also decides which TLS client is visible—a reverse proxy may hide the original client from an upstream observer.
For these reasons, use JA4 with destination, request, account and behavioural context. JA3 versus JA4 compares the formats without treating either as a verdict.
Understand the account-control surface and why account protection has to cover more than the login form.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.