How JA3 vs JA4 vs JA4+ Fingerprints Differ and How to Spoof Them (2026)


TLS fingerprinting has become the backbone of modern bot detection, and understanding the difference between JA3, JA4, and JA4+ fingerprints is now a prerequisite for anyone building a scraper that lasts past the first deployment. If your requests are getting blocked despite rotating IPs and valid headers, the TLS handshake itself is almost certainly the problem. For a full primer on why this layer matters, read What Is TLS Fingerprinting? JA3/JA4 Explained for Scrapers 2026 before diving in here.

What JA3 Actually Captures (and Why It Aged Out Fast)

JA3, introduced by Salesforce in 2017, hashes five fields from the TLS ClientHello into a 32-character MD5 digest:

  • TLS version
  • Cipher suites (in order)
  • Extension types
  • Elliptic curves
  • Elliptic curve point formats

The problem is not MD5 collision resistance; the issue is that JA3 is trivially stable per client library. Every Python requests session using the same urllib3 build produces the same JA3 hash. Shuffle your cipher suite order and the hash changes completely, but the detection signal stays: you still look like requests, not Chrome.

Real-world JA3 data from 2025 CDN logs shows that the JA3 string 769,47-53-5-10-49161-49162-49171-49172-53-47-10,65281-0-11,23-24,0 (a Python/urllib3 fingerprint) appears in less than 0.01% of legitimate Chrome traffic. One hash and you are tagged.

JA4: What Changed and Why It Is Harder to Evade

JA4, released by FoxIO in 2023 and now standard in Suricata, Zeek, and Arkime, restructures the fingerprint into a human-readable, sortable format:

t13d1516h2_8daaf6152771_b0da82dd1658

The three segments encode:

  1. Protocol prefix (t = TLS over TCP, 13 = TLS 1.3, d = SNI present, 15 = cipher suite count, 16 = extension count, h2 = first and last character of the ALPN value)
  2. Sorted cipher suites hash (SHA-256 truncated, sorted so reordering doesn’t change it)
  3. Sorted extensions hash (also sorted, with ALPN and SNI values included separately)

The sort-before-hash design is the key difference. Randomizing cipher order, the classic JA3 bypass, does nothing against JA4 because the hash is computed on a sorted list. You have to change which ciphers are present, not just their order.
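To make the sort-before-hash difference concrete, here is an added example (not code from the article or from FoxIO's ja4 tooling) that computes JA3 and JA4 from the ClientHello fields of a constructed, non-browser sample. It follows the published JA4 rules for the prefix, cipher hash and extension hash, with the ALPN rule simplified to the first and last character of the first ALPN value.

```python
import hashlib
from dataclasses import dataclass, field, replace

def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ...; JA3 and JA4 both drop them."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

@dataclass
class ClientHello:            # the handful of ClientHello fields both fingerprints read
    version: int              # legacy_version, e.g. 0x0303
    ciphers: list             # cipher suite codes in wire order
    extensions: list          # extension type codes in wire order
    curves: list              # supported_groups
    point_formats: list
    sigalgs: list = field(default_factory=list)
    supported_versions: list = field(default_factory=list)
    alpn: list = field(default_factory=list)

def ja3(ch: ClientHello) -> tuple:
    """JA3: decimal fields in wire order, MD5 of the string; cipher order changes the hash."""
    s = ",".join([str(ch.version),
                  "-".join(str(c) for c in ch.ciphers if not is_grease(c)),
                  "-".join(str(e) for e in ch.extensions if not is_grease(e)),
                  "-".join(str(g) for g in ch.curves if not is_grease(g)),
                  "-".join(str(p) for p in ch.point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def ja4(ch: ClientHello) -> str:
    """JA4 (FoxIO spec): ciphers and extensions are sorted before hashing, so order is irrelevant."""
    ciphers = [c for c in ch.ciphers if not is_grease(c)]
    exts = [e for e in ch.extensions if not is_grease(e)]
    ver = max((v for v in ch.supported_versions if not is_grease(v)), default=ch.version)
    ver_s = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}.get(ver, "00")
    sni = "d" if 0x0000 in exts else "i"                            # SNI present -> 'd', else 'i'
    alpn = f"{ch.alpn[0][0]}{ch.alpn[0][-1]}" if ch.alpn else "00"  # first+last char of first ALPN
    ja4_a = f"t{ver_s}{sni}{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn}"
    ja4_b = hashlib.sha256(",".join(f"{c:04x}" for c in sorted(ciphers)).encode()).hexdigest()[:12]
    # JA4_c: sorted extensions minus SNI (0000) and ALPN (0010), then "_" + sigalgs in wire order
    ext_s = ",".join(f"{e:04x}" for e in sorted(exts) if e not in (0x0000, 0x0010))
    if ch.sigalgs:
        ext_s += "_" + ",".join(f"{a:04x}" for a in ch.sigalgs)
    return f"{ja4_a}_{ja4_b}_{hashlib.sha256(ext_s.encode()).hexdigest()[:12]}"

# Constructed sample, not a real browser capture: 5 ciphers, 8 extensions, ALPN h2, one GREASE cipher
SAMPLE_HELLO = ClientHello(
    version=0x0303, ciphers=[0x1a1a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f],
    extensions=[0x0000, 0x0017, 0x000a, 0x000b, 0x0010, 0x000d, 0x002b, 0x0033],
    curves=[0x001d, 0x0017], point_formats=[0], sigalgs=[0x0403, 0x0804],
    supported_versions=[0x0304, 0x0303], alpn=["h2", "http/1.1"])

def reorder_changes(ch: ClientHello) -> tuple:
    """Reverse the cipher order: (JA3 changed?, JA4 changed?) -> expect (True, False)."""
    shuffled = replace(ch, ciphers=list(reversed(ch.ciphers)))
    return ja3(ch)[1] != ja3(shuffled)[1], ja4(ch) != ja4(shuffled)
```

The sample yields a prefix of t13d0508h2 (TLS 1.3, SNI present, 5 ciphers, 8 extensions, ALPN h2); reversing the cipher list changes the JA3 digest but leaves all three JA4 segments untouched.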

| Property | JA3 | JA4 | JA4+ |
|---|---|---|---|
| Format | MD5 hex | Human-readable 3-part | JA4 + payload entropy fields |
| Sensitive to cipher order | Yes | No | No |
| Includes ALPN | No | Yes | Yes |
| Includes payload timing | No | No | Yes |
| Collision via reorder | Easy | No | No |
| Deployed in open-source IDS | Zeek, Suricata | Zeek, Suricata, Arkime | Partial (still expanding) |

JA4+: The Extension to Behavioral Fields

JA4+ is a suite of sub-fingerprints that extend JA4 with additional signal sources. The most relevant for scraping are:

  • JA4H — HTTP/2 header order and pseudo-header values (:method, :path, :scheme, :authority sequence)
  • JA4T — TCP window size, scale factor, and options (MSS, SACK, timestamps)
  • JA4L — network latency distribution across the handshake (light fingerprint)

JA4T is particularly painful. Scrapers running on cloud VMs (AWS, GCP, DigitalOcean) have TCP window sizes and MSS values that differ from residential endpoints, even when the TLS layer is perfect. Cloudflare’s bot score combines JA4 with JA4T by default in Enterprise plans, which is part of why Cloudflare Turnstile vs hCaptcha vs reCAPTCHA Enterprise: Which Bypass Path? keeps getting harder even with browser automation.

Practical Spoofing: Tools and Techniques That Work in 2026

curl-impersonate and TLS client libraries

Browser TLS Fingerprint Mimicry with curl-impersonate (2026) covers this in depth, but the short version: curl-impersonate patches curl to use the exact cipher suite list, extension order, and ALPN values from a real Chrome or Firefox build. The resulting JA4 hash matches the target browser byte-for-byte.

# Chrome 124 impersonation -- JA4 matches real Chrome in Zeek logs
curl_chrome124 \
  -H "sec-ch-ua: \"Chromium\";v=\"124\"" \
  -H "sec-ch-ua-platform: \"Windows\"" \
  https://target.com/api/products

For Python, tls-client (Go-backed) and primp expose similar bindings without shelling out. Both produce correct JA4 hashes for Chrome 120+ and Firefox 124+.

Fixing JA4T (the TCP layer)

JA3/JA4 spoofing is table stakes. The next blocker is JA4T. On Linux you can adjust TCP parameters per-socket, but it is easier to route through a residential proxy where the TCP stack belongs to an actual home ISP device. The window size and MSS from a Singapore Singtel residential endpoint are indistinguishable from a real user because they are a real user’s stack.

Numbered checklist for a complete fingerprint-clean setup:

  1. Use curl-impersonate or tls-client to match the target browser’s JA4 hash exactly
  2. Set HTTP/2 header order and pseudo-header sequence to match Chrome (JA4H)
  3. Route through a residential or mobile proxy to inherit correct JA4T values
  4. Verify your JA4 output against Wireshark or ja4 CLI before running at scale
  5. Rotate the browser version string and JA4 target together — mismatches are a strong signal
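Seen from the detection side, the mismatch in step 5 is what a defender looks for in logs. The following is an added example, not from the article: it checks constructed Zeek-style records (timestamp, source, JA4, User-Agent per session) against a placeholder baseline of expected JA4 values per browser family, and reports which JA4 segment disagrees. The baseline values and log lines are made up and are not real browser fingerprints.

```python
import re

# Constructed log, tab-separated: ts, src, ja4, user_agent. Not real traffic; JA4 values are placeholders.
SAMPLE_LOG = """\
1700000000.1\t10.0.0.5\tt13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0.0.0
1700000001.2\t10.0.0.6\tt13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb\tMozilla/5.0 (X11; Linux x86_64) Firefox/124.0
1700000002.3\t10.0.0.7\tt13d1516h2_cccccccccccc_dddddddddddd\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0.0.0
1700000003.4\t10.0.0.8\tt13d1717h2_eeeeeeeeeeee_ffffffffffff\tMozilla/5.0 (Macintosh) Firefox/124.0
"""

# Placeholder baseline of JA4 values each UA family is expected to present; build yours from your own pcaps.
EXPECTED_JA4 = {
    "Chrome": {"t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"},
    "Firefox": {"t13d1717h2_eeeeeeeeeeee_ffffffffffff"},
}
UA_FAMILY = re.compile(r"(Chrome|Firefox)/(\d+)")

def ua_family(ua: str):
    """Browser family claimed by the User-Agent string, or None when unrecognised."""
    m = UA_FAMILY.search(ua)
    return m.group(1) if m else None

def find_mismatches(log_text: str) -> list:
    """Return (src, claimed family, ja4, reason) for sessions whose JA4 does not fit the claimed browser."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, ja4, ua = line.split("\t", 3)
        fam = ua_family(ua)
        if fam is None:
            findings.append((src, None, ja4, "unknown UA family"))
            continue
        if ja4 in EXPECTED_JA4[fam]:
            continue
        # Localise the disagreement: prefix (counts/ALPN) vs the sorted cipher/extension hashes
        ja4_a = ja4.split("_")[0]
        if any(e.startswith(ja4_a + "_") for e in EXPECTED_JA4[fam]):
            reason = "ja4_b/ja4_c (cipher or extension set) differs"
        else:
            reason = "ja4_a (version, counts or ALPN) differs"
        findings.append((src, fam, ja4, reason))
    return findings
```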

What Tools Still Get Flagged

Playwright and Puppeteer with default settings still produce JA4 hashes that match their respective Node.js TLS builds, not Chrome. playwright-extra with the stealth plugin patches the JS-layer fingerprint but does nothing at the TCP/TLS layer. For targets using F5 Shape Security or Sift, the TLS layer is always inspected, and Shape’s sensor JS can read the browser’s reported cipher list and cross-check it against the wire.

For machine-learning fraud stacks like Sift Science, JA4 is one of 15-20 features in the session risk model. Getting JA4 right is necessary but not sufficient; you also need behavioral consistency: realistic mouse paths, session durations, and inter-request timing.

Verifying Your Fingerprint Before You Deploy

Run the ja4 CLI (FoxIO open-source) against a pcap before any production run:

pip install ja4
ja4 --tls capture.pcap
# Output: t13d1516h2_8daaf6152771_b0da82dd1658

Compare the output against the published JA4 fingerprint database at tlsfingerprint.io. Chrome 124 on Windows should produce t13d1516h2_8daaf6152771_b0da82dd1658. If your hash differs, the mismatch is in your cipher list or extension set, and you can diff the sorted extension hashes to find it.

Bottom Line

JA3 is dead as a reliable detection signal (too easy to spoof), JA4 is the current standard (sort-resistant, widely deployed), and JA4+ with JA4T is where the serious bot detection vendors are headed. For most scraping projects in 2026, matching JA4 via curl-impersonate or tls-client and routing through residential proxies to get correct TCP parameters will get you past 90% of fingerprint-based blocks. DRT covers this stack continuously — check back as JA4+ adoption in commercial WAFs accelerates through the year.
