
TLS Fingerprints

Learn how to work with JA3 and JA4 TLS fingerprints.

Vercel Firewall supports JA3 and JA4 TLS fingerprints to identify and restrict malicious traffic. TLS fingerprints allow the unique identification of user sessions by inspecting details of the Transport Layer Security (TLS) protocol initiation process.

TLS Fingerprints are available on all plans

TLS fingerprinting is a process used to identify and categorize encrypted network traffic.

It creates a unique identifier from the details of a TLS client hello packet, such as the version of TLS, supported cipher suites, and included extensions.

  • TLS fingerprints allow the unique identification of user sessions
  • JA3 and JA4 transform the TLS handshake details into a hash
  • The hash is used as a fingerprint to monitor and restrict access
  • The hash can then be read from your Functions through the request headers

Controlling access by TLS fingerprint allows us to mitigate malicious actors that use sophisticated methods of attack. For example, a DDoS attack that is spread across multiple user agents, IPs, or geographic locations might share the same TLS fingerprint. With fingerprinting, the Vercel Firewall can block all of the traffic that matches that TLS fingerprint.

JA4 is part of the JA4+ suite. It offers a more granular and flexible approach to network fingerprinting, helping to mitigate malicious traffic and prevent bot traffic.

With JA4, it's possible to identify, track, and categorize server-side encrypted network traffic. This is crucial in detecting and mitigating potential security threats, as it provides a more comprehensive view of the network traffic when used in conjunction with other fields.

JA3 is a tool that uses TLS fingerprinting to track and identify potential security threats. It specifically focuses on the details of the TLS client hello packet, generating a unique hash from it. This client hello packet contains specific information such as the TLS version, supported cipher suites, and any extensions used.

In the Default web traffic view of the Vercel WAF monitoring page, you can group the web traffic by JA4 Digest to review the fingerprints seen in live traffic or in traffic from the past 24 hours.

The following headers are sent to each deployment and can be used to process the request before sending back a response. These headers can be read from the Request object in your Function.

Unique client fingerprint hash generated by the JA4 algorithm.

Unique client fingerprint hash generated by the JA3 algorithm.
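The following is an added example, not code from this page or from Vercel: a Function-style handler that reads the fingerprint from the Request object and refuses denylisted values, plus a helper that finds fingerprints shared across many source IPs, as in the distributed-attack case described earlier. The header names `x-vercel-ja4-digest` and `x-vercel-ja3-digest` are assumptions (the page does not show them), and the fingerprint values, IPs and function names are constructed for illustration.

```javascript
// Assumption: these header names are not shown on the page above.
const JA4_HEADER = "x-vercel-ja4-digest";
const JA3_HEADER = "x-vercel-ja3-digest";

// Constructed sample values, not real client fingerprints.
const FP_A = "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb";
const FP_B = "t13d1715h2_cccccccccccc_dddddddddddd";
const BLOCKED_FINGERPRINTS = new Set([FP_A]);

// Prefer the JA4 digest, fall back to JA3, return null when neither is present.
function tlsFingerprint(request) {
  return request.headers.get(JA4_HEADER) || request.headers.get(JA3_HEADER) || null;
}

// Web Request in, Response out. A request without a fingerprint header is
// passed through here; decide separately whether that should be allowed.
function handler(request) {
  const fp = tlsFingerprint(request);
  if (fp !== null && BLOCKED_FINGERPRINTS.has(fp)) {
    return new Response("Forbidden", { status: 403 });
  }
  return new Response("OK", { status: 200 });
}

// Group logged requests by fingerprint and report the fingerprints seen from
// at least minDistinctIps different source IPs, most widespread first.
function sharedFingerprints(records, minDistinctIps) {
  const ipsByFp = new Map();
  for (const { fingerprint, ip } of records) {
    if (!fingerprint) continue; // nothing to group on
    if (!ipsByFp.has(fingerprint)) ipsByFp.set(fingerprint, new Set());
    ipsByFp.get(fingerprint).add(ip);
  }
  return [...ipsByFp]
    .filter(([, ips]) => ips.size >= minDistinctIps)
    .map(([fingerprint, ips]) => ({ fingerprint, distinctIps: ips.size }))
    .sort((a, b) => b.distinctIps - a.distinctIps);
}

// Constructed sample log records (documentation IP ranges).
const SAMPLE_RECORDS = [
  { ip: "192.0.2.10", fingerprint: FP_A },
  { ip: "198.51.100.7", fingerprint: FP_A },
  { ip: "203.0.113.5", fingerprint: FP_A },
  { ip: "203.0.113.5", fingerprint: FP_A }, // repeat IP, counted once
  { ip: "192.0.2.44", fingerprint: FP_B },
  { ip: "192.0.2.45", fingerprint: null },
];
```

With the sample records, `sharedFingerprints(SAMPLE_RECORDS, 3)` reports only `FP_A`, seen from three distinct IPs.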

Last updated on October 6, 2024