TLS fingerprinting identifies clients before any application data is exchanged. Your TLS handshake parameters reveal what software you're using - even if you spoof everything else. In 2025, JA4 has replaced JA3 as the industry standard.
Research updated: December 2025
When your browser connects to a website, it sends a TLS ClientHello message to initiate encryption. This message contains dozens of parameters that uniquely identify your client software.
Client Hello
Browser sends supported ciphers, extensions, and TLS version
Server Fingerprints
Server hashes ClientHello to identify client before responding
Decision Made
Block, challenge, or allow - before data exchange begins
TLS fingerprinting has evolved rapidly. Chrome's randomization broke JA3, leading to JA4's development.
Salesforce releases JA3, enabling TLS client fingerprinting by hashing cipher suites and extensions from the ClientHello.
Chrome 108 begins randomizing TLS extension order in ClientHello. JA3 effectiveness drops dramatically as Chrome now produces billions of different hashes.
FoxIO releases JA4+, sorting extensions before hashing to defeat randomization. Cloudflare begins JA4 integration.
Cloudflare, Akamai, and major CDNs integrate JA4. Bot management solutions widely adopt the new standard.
JA4 is now standard for enterprise detection. HTTP/3 fingerprinting added. ML models combine JA4 with behavioral signals.
JA4 consists of three parts: protocol info, cipher hash, and extension hash. By sorting before hashing, it defeats Chrome's randomization.
Example JA4 Fingerprint
t13d1516h2_a0e9c7f32f1c_e5b1d8a03d9at13d1516h2TLS version (13), SNI presence (d), cipher count (15), extension count (16), ALPN (h2)
a0e9...2f1c12-character truncated SHA256 of sorted cipher suites
e5b1...3d9a12-character truncated SHA256 of sorted extensions
Chrome randomizes extension order on each connection, generating billions of possible JA3 hashes. JA4 sorts extensions alphabetically before hashing, producing the same fingerprint regardless of order.
JA3 (Broken)
Chrome v128: 109+ possible hashes
JA4 (Current)
Chrome v128: 1 consistent fingerprint
Major CDNs and bot protection services now use JA4 as a core detection signal.
JA4 integrated into Bot Management and WAF. Enterprise customers can create rules based on JA4 fingerprints. Also exposes JA4 in Workers for custom detection logic.
EdgeWorker implementation of JA4 for edge-based detection. Combined with Akamai's HTTP/2 fingerprinting and "sensor data" collection for multi-layered bot detection.
Combines JA4 with behavioral signals and JavaScript challenges. ML models correlate TLS fingerprints with client-side fingerprints for bot detection.
TLS fingerprinting is one of the hardest detection methods to bypass. Here are the current approaches in 2025.
# Install curl-impersonate (Chrome 119 fingerprint)
docker pull lwthiker/curl-impersonate:0.5-chrome
# Use curl that mimics Chrome's TLS fingerprint
docker run --rm lwthiker/curl-impersonate:0.5-chrome \
curl_chrome119 https://target-site.com \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."
# The TLS handshake now matches real Chrome 119
# JA4: t13d1516h2_... (authentic Chrome fingerprint)TLS fingerprinting doesn't work in isolation. Detection systems correlate your JA4 fingerprint with your IP address.
Modern detection systems check if your IP type matches your TLS fingerprint. A Chrome JA4 fingerprint from a datacenter IP is immediately suspicious - real Chrome users don't browse from datacenters.
Mobile IPs from real carriers have high trust scores. Combined with authentic TLS fingerprints, your traffic looks indistinguishable from a real mobile user.
Verify your TLS fingerprint matches your intended browser profile.
Shows your JA3 hash, ClientHello parameters, cipher suites, and extensions. Compare against known browser fingerprints.
Tests HTTP/3 over QUIC fingerprinting. Shows QUIC transport parameters and HTTP/3 settings frames used for detection.
Detailed TLS analysis including JA3, JA4, Akamai fingerprints, and HTTP/2 settings. Good for comparing automation tools.
Test your mobile proxy with IP detection, anonymity checks, and connection verification. Ensure your setup works correctly.
High-trust mobile IP pool
Dedicated modem
Get 1GB free to test our mobile proxies with your automation setup.