Updated on 2025-08-19 GMT+08:00

Configuring a JA3/JA4 Fingerprint Tag

JA3/JA4 is a fingerprinting technology for identifying SSL/TLS clients. It analyzes TLS handshake metadata to generate unique fingerprints that distinguish different client applications. In dedicated mode, if a layer-7 reverse proxy (for example, ELB) is deployed in front of WAF and passes the fingerprint to WAF in a header field, you can configure JA3/JA4 fingerprint tags for the domain name protected by WAF. The fingerprints are then transferred to WAF along with the tags, and WAF processes requests based on the TLS fingerprint (JA3) and TLS fingerprint (JA4) configured in the precise protection rule. This can mitigate JA3/JA4 fingerprinting attacks.

Prerequisites

You have connected your website to WAF in dedicated mode. For details, see Connecting a Website to WAF (Dedicated Mode).

Constraints

This function is supported only in dedicated mode.

Configuring a JA3/JA4 Fingerprint Tag

  1. Log in to the WAF console.
  2. Click in the upper left corner and select a region or project.
  3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  4. In the navigation pane on the left, click Website Settings.
  5. On the Website Settings page, click the target website domain name.
  6. Choose Advanced Settings > TLS Fingerprint Identifier, click under JA3 Fingerprint Tag or JA4 Fingerprint Tag, and enter the corresponding fingerprint tags.

    • Set JA3 Fingerprint Tag to X-Forwarded-Tls-Ja3.
    • Set JA4 Fingerprint Tag to X-Forwarded-Tls-Ja4.
    Figure 1 TLS Fingerprint Identifier
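
The following is an added example, not code from WAF or from this documentation. It shows how a JA3 value is derived from ClientHello fields according to the public JA3 definition and how it would travel to WAF in the X-Forwarded-Tls-Ja3 header configured above. Assumptions: the function names, the sample ClientHello values, the proxy overwriting any client-supplied copy of the header, and the equality check in `rule_matches` are all hypothetical; JA4 uses a different format and is not shown.

```python
import hashlib

# GREASE values (RFC 8701: 0x0A0A, 0x1A1A, ... 0xFAFA) are random placeholders; JA3 ignores them.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}
JA3_HEADER = "X-Forwarded-Tls-Ja3"  # tag name entered under JA3 Fingerprint Tag

# Constructed ClientHello fields (not captured traffic); 0x0A0A and 0x1A1A are GREASE.
SAMPLE = dict(version=771, ciphers=[0x0A0A, 4865, 4866, 49195],
              extensions=[0x1A1A, 0, 10, 11, 43], curves=[0x0A0A, 29, 23], point_formats=[0])


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string: five comma-separated fields, values dash-joined in decimal."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """The JA3 fingerprint is the MD5 hex digest of the JA3 string."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def forward_headers(client_headers, fingerprint):
    """Proxy side (assumed behaviour): drop any client-supplied copy, then set the computed value."""
    kept = {k: v for k, v in client_headers.items() if k.lower() != JA3_HEADER.lower()}
    kept[JA3_HEADER] = fingerprint
    return kept


def rule_matches(headers, rule_fingerprints):
    """Hypothetical WAF-side check: does the forwarded JA3 equal a value listed in the rule?"""
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get(JA3_HEADER.lower(), "").strip().lower()
    return value in rule_fingerprints


if __name__ == "__main__":
    fp = ja3_hash(**SAMPLE)
    print(ja3_string(**SAMPLE), "->", fp)
    print(forward_headers({"Host": "www.example.com"}, fp))
```

Because GREASE values are removed before hashing, the same client produces the same JA3 value across connections even though its GREASE placeholders change.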

Follow-up Operations

You can add a precise protection rule and configure TLS fingerprint (JA3) and TLS fingerprint (JA4) tags for the rules to process requests carrying JA3 and JA4 fingerprints.

  1. Return to the management console. In the navigation pane on the left, choose Policies.
  2. Click the target policy and enable Precise Protection.
  3. Click Add Rule and specify parameters.

    Figure 2 Adding TLS Fingerprint (JA3) or TLS Fingerprint (JA4) tag for a rule
    • Condition: Set Field to TLS fingerprint (JA3) or TLS fingerprint (JA4), and set Logic and Content as required.
    • Configure other parameters by referring to Configuring a Precise Protection Rule.

Operation Result Verification

  1. Clear the browser cache and access the protected website. The request is blocked.
  2. Return to the WAF console. In the navigation pane on the left, choose Events. On the displayed page, view the event log.