Support FAQ

What is JA4 and JA4+ Fingerprinting?

Back to learning

JA4 is a fingerprint of a TLS ClientHello. It keeps a small set of readable properties in its first section and uses two truncated hashes for the advertised ciphers and extensions. Unlike JA3, JA4 sorts those lists before hashing them, so extension or cipher ordering alone does not change the canonical value.

JA4 is one method. JA4+ is FoxIO's name for a wider family that includes other observations, such as TLS server responses, HTTP clients, certificates, SSH and TCP. The names are related, but they do not all describe the same data or use the same licence.

How is a JA4 fingerprint built?

The canonical form has three underscore-separated sections: a_b_c.

JA4 = a_b_c

The a section is readable. In order, it records:

  1. Transport: t for TLS over TCP, q for QUIC, or d for DTLS.
  2. The highest advertised TLS or DTLS version, ignoring GREASE.
  3. Whether the SNI extension is present: d when it is, i when it is not.
  4. The number of advertised cipher suites, excluding GREASE.
  5. The number of extensions, excluding GREASE.
  6. Two characters derived from the first ALPN value, or 00 if it is absent.

The b section is the first 12 characters of a SHA-256 hash over the sorted, comma-separated cipher suite codes. The c section is the first 12 characters of a SHA-256 hash over the sorted extension codes followed by signature algorithms in their advertised order. SNI and ALPN extension codes are omitted from that extension list because their presence or value is already represented in a.

JA4 removes GREASE values wherever the algorithm encounters them. The authoritative field rules and edge cases are in FoxIO's JA4 technical specification.

Reading a JA4 example

FoxIO's canonical example is:

t13d1516h2_8daaf6152771_e5627efa2ab1

It describes TLS over TCP, TLS 1.3, SNI present, 15 ciphers, 16 extensions and an ALPN value represented as h2. The remaining two sections are 12-character truncated SHA-256 values. They are normal cryptographic hashes, not fuzzy hashes.

JA4 implementations can also expose JA4_r, a raw form that replaces the two hashes with the normalised source lists. Retaining that form makes field-level investigation possible; the compact form is easier to index and exchange.

JA4, JA4+ and JA4 Signals are different things

  • JA4 fingerprints a TLS client ClientHello.
  • JA4S fingerprints a TLS server response or session.
  • JA4H fingerprints an HTTP client request.
  • JA4X fingerprints X.509 certificate information.
  • JA4+ is the umbrella name FoxIO uses for these and its other fingerprinting methods.
  • Cloudflare's JA4 Signals are inter-request statistics calculated around JA4 values, such as ratios and ranks. They are not additional fields inside a JA4 fingerprint. Cloudflare explains the distinction in its JA4 Signals introduction.

This naming matters when comparing tools or datasets. A product that supplies JA4 does not necessarily supply JA4H, JA4S or Cloudflare's aggregates.

Licensing

FoxIO publishes the core JA4 TLS client method under the BSD 3-Clause licence. Its licensing FAQ says the other named JA4+ methods, including JA4H and JA4S, use the FoxIO License 1.1 and require separate terms for monetised use. Read the current FoxIO licensing FAQ for the exact scope. This summary is not legal advice, and projects should check the licence covering the particular method and implementation they plan to use.

What does a JA4 value establish?

A JA4 groups handshakes after the format's chosen normalisation. That can be useful in threat hunting, traffic analysis and request policy, but it does not establish identity. Different clients can share a TLS implementation; an automated client can imitate a browser; and the fingerprint changes as software changes. The capture point also decides which TLS client is visible—a reverse proxy may hide the original client from an upstream observer.

For these reasons, use JA4 with destination, request, account and behavioural context. JA3 versus JA4 compares the formats without treating either as a verdict.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.