---
title: "JA4+ Fingerprints — JA4S, JA4H, JA4X, JA4L, JA4SSH"
description: "JA4+ fingerprinting suite decoded: JA4S, JA4H, JA4X, JA4L, JA4SSH, and JA4T show TLS server, HTTP, certificate, latency, SSH, and TCP signals."
kind: article
maturity: budding
confidence: high
origin: ai-drafted
author: "Agent"
directedBy: "krow"
tags: [networking, fingerprinting, bot-detection, ja4, tls]
published: 2026-06-25
modified: 2026-06-25
wordCount: 2064
readingTime: 10
prerequisites: [ja4-vs-ja3]
related: [akamai-bot-manager-2026, ja4-vs-ja3, ja4t-tcp-fingerprinting, bot-detection-2026, http2-fingerprinting-akamai, ja4-waf-rules-cloudflare-google-cloud-armor]
url: https://krowdev.com/article/ja4-plus-fingerprint-suite/
---

JA4+ fingerprinting is the FoxIO family around JA4: JA4 for TLS clients, JA4S for TLS server responses, JA4H for HTTP requests, JA4X for X.509 certificates, JA4L for latency or light-distance checks, JA4SSH for SSH, and JA4T for TCP. The useful mental model is not "one better JA3 hash." It is a cross-layer map of what each packet layer exposes.

Last verified: 2026-06-25 against the FoxIO JA4+ repository and technical-details table, Cloudflare's JA3/JA4 Bot Management documentation, Cloudflare Signals Intelligence docs, and Webscout's JA4H detection write-up.

## Quick Reference

| Method | Layer | What it fingerprints | Best use |
|---|---|---|---|
| JA4 | TLS client | ClientHello transport, version, SNI flag, cipher hash, extension hash, ALPN | Group browser, library, malware, and bot TLS clients despite extension randomization |
| JA4S | TLS server | ServerHello response and selected TLS parameters for a given client | Identify server-side TLS stacks and session behavior |
| JA4H | HTTP client | Method, HTTP version, cookies/referrer presence, header count/order hashes, cookie names/values | Detect HTTP tooling and C2 clients after TLS terminates |
| JA4X | Certificate | How an X.509 certificate is generated, not only its literal fields | Cluster malware, reverse proxies, and self-signed certificate toolchains |
| JA4L / JA4LS | Latency | Client-to-server or server-to-client latency/light-distance signals | Estimate network distance and spot impossible geography or relay paths |
| JA4SSH | SSH | SSH algorithm and session negotiation shape | Classify SSH clients, servers, reverse shells, and admin tooling |
| JA4T / JA4TS | TCP | SYN or SYN-ACK window, option order, MSS, window scale | Catch OS, proxy, VPN, relay, scanner, and path clues before TLS exists |
| JA4TScan | Active TCP | Server SYN-ACK plus retransmission timing from a single SYN probe | Fingerprint servers when passive traffic is not available |

JA4 remains the broadest production signal because it is open-source under BSD 3-Clause and already appears in systems such as Cloudflare Bot Management. The rest of JA4+ is still practically important, but licensing matters: FoxIO's README says JA4S, JA4H, JA4X, JA4L, JA4SSH, JA4T, JA4TS, JA4TScan, and future additions use the FoxIO License for non-JA4 methods.

## Where the JA4+ signals sit

The suite is easiest to reason about by packet order. TCP comes first, TLS negotiates next, HTTP rides on top, and certificates or server responses add the other side of the same connection.

```mermaid
flowchart LR
  accTitle: JA4+ fingerprint layers from TCP through HTTP and SSH
  accDescr: JA4T observes the TCP SYN before TLS. JA4 observes the TLS ClientHello. JA4S observes the TLS ServerHello. JA4H observes HTTP request shape. JA4X describes X.509 certificate generation. JA4L and JA4LS describe latency direction. JA4SSH covers SSH negotiation.
  client["Client / tool / browser"] --> tcp["TCP SYN<br/>JA4T"]
  tcp --> tlsClient["TLS ClientHello<br/>JA4"]
  tlsClient --> tlsServer["TLS ServerHello<br/>JA4S"]
  tlsServer --> http["HTTP request<br/>JA4H"]
  tlsServer --> cert["Certificate<br/>JA4X"]
  client -. "round-trip timing" .-> latency["JA4L / JA4LS"]
  client --> ssh["SSH negotiation<br/>JA4SSH"]
```

```ascii
Client/tool/browser
  |
  +--> TCP SYN ----------------------> JA4T / JA4TS / JA4TScan
  |
  +--> TLS ClientHello --------------> JA4
          |
          +--> TLS ServerHello ------> JA4S
          +--> Certificate ----------> JA4X
          +--> HTTP request ---------> JA4H
  |
  +--> Latency direction ------------> JA4L / JA4LS
  |
  +--> SSH negotiation --------------> JA4SSH
```

This map explains why [JA4T TCP fingerprinting](/article/ja4t-tcp-fingerprinting/) is not a replacement for [JA4 TLS fingerprinting](/article/ja4-vs-ja3/). JA4T sees the network stack before TLS. JA4 sees the TLS library and browser impersonation surface. JA4H sees the HTTP behavior that remains after TLS terminates. Detection improves when those layers agree with each other.

## JA4: TLS client fingerprinting

JA4 is the direct successor to JA3 for TLS ClientHello fingerprinting. It keeps a readable first segment with transport, TLS version, SNI presence, cipher count, extension count, and ALPN, then hashes sorted cipher and extension material. Sorting matters because Chrome introduced TLS extension randomization in 2023, which made order-sensitive JA3 hashes drift for the same browser family.
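The effect of sorting can be shown in a few lines. This is an added sketch, not FoxIO's reference implementation or code from the original article: the ClientHello fields are constructed, and the handling of GREASE, SNI/ALPN and signature algorithms follows the public JA4 description as an assumption.

```python
import hashlib

# GREASE placeholders (RFC 8701): 0a0a, 1a1a, ... fafa. Dropped before counting or hashing.
GREASE = {f"{b:02x}{b:02x}" for b in range(0x0A, 0x100, 0x10)}

# Constructed ClientHello fields (4-hex-digit IDs in wire order), not a capture.
SAMPLE = {
    "transport": "t", "version": "13", "sni": True, "alpn": ["h2", "http/1.1"],
    "ciphers": ["0a0a", "1301", "1302", "1303", "c02b", "c02f"],
    "extensions": ["2a2a", "0000", "0017", "ff01", "000a", "000b", "0023",
                   "0010", "0005", "000d", "0012", "0033", "002d", "002b", "001b"],
    "sig_algs": ["0403", "0804", "0401", "0503", "0805", "0501"],
}


def _h12(text):
    """First 12 hex characters of SHA-256, the truncation used for hashed sections."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def ja4_like(hello):
    """Build a_b_c: readable first section, then sorted cipher and extension hashes."""
    ciphers = [c for c in hello["ciphers"] if c not in GREASE]
    exts = [e for e in hello["extensions"] if e not in GREASE]
    alpn = hello["alpn"][0] if hello["alpn"] else "00"
    a = (f"{hello['transport']}{hello['version']}{'d' if hello['sni'] else 'i'}"
         f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn[0]}{alpn[-1]}")
    b = _h12(",".join(sorted(ciphers)))
    # Assumption: SNI (0000) and ALPN (0010) are counted in section a but left out
    # of the hash; signature algorithms are appended in their wire order.
    ext_part = ",".join(sorted(e for e in exts if e not in ("0000", "0010")))
    if hello["sig_algs"]:
        ext_part += "_" + ",".join(hello["sig_algs"])
    return f"{a}_{b}_{_h12(ext_part)}"


def wire_order_hash(hello):
    """Order-sensitive contrast: hash the extension list exactly as sent."""
    return _h12(",".join(hello["extensions"]))


def reordered(hello):
    """Same ClientHello with the extension list reversed, standing in for randomization."""
    return dict(hello, extensions=hello["extensions"][::-1])


if __name__ == "__main__":
    for h in (SAMPLE, reordered(SAMPLE)):
        print(ja4_like(h), wire_order_hash(h))
```

The two printed rows share one `ja4_like` value while the wire-order hash changes, which is the drift that order-sensitive fingerprints showed once extension order was randomized.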

A Chrome-like JA4 can look browser-shaped while the rest of the stack does not. That is why [modern bot detection](/article/bot-detection-2026/) rarely uses JA4 alone. A scraper can mimic browser TLS with a library, but still expose a Linux TCP stack, an unusual HTTP/2 SETTINGS order, low-reputation ASN, impossible session cadence, or a cookie pattern no browser would send.

Cloudflare's docs describe JA3 and JA4 as TLS/SSL handshake identifiers that may be absent for plain HTTP, some Worker-routed traffic, skipped Bot Management paths, or TLS session resumption. That absence is itself operationally important: rules and Workers code must handle missing JA4 and missing JA4 Signals rather than assuming every request has a fingerprint.

## JA4S: TLS server and session response

JA4S fingerprints the TLS ServerHello response. It is server-side, but it is not a single immutable label for a host. A server can answer differently depending on the client's ClientHello, supported cipher suites, TLS version, and negotiated extensions. The same client hello against the same server application should produce a stable response; a different client hello may not.

That makes JA4S useful for pairing client and server behavior. Malware families often bring both a client stack and a command-and-control server stack. FoxIO's README examples list IcedID, Sliver, and SoftEther VPN rows with both JA4 and JA4S-style values. Analysts can pivot on the combination: client TLS shape, server TLS response, and certificate generation style.

JA4S also helps with compliance and asset inventory. A change in server response fingerprints can point to a load balancer change, TLS library upgrade, proxy insertion, or unexpected backend path before the certificate or hostname changes.

## JA4H: HTTP client fingerprinting

JA4H moves above TLS and fingerprints HTTP request shape. Webscout's JA4H write-up breaks it into four parts: `a` for high-level request traits such as method, HTTP version, cookies, referrer, and header count; `b` for ordered request-header names excluding Cookie and Referer; `c` for cookie field names; and `d` for cookie names plus values.

That structure makes JA4H good for widening or narrowing detections. A defender can match the full fingerprint when a campaign is precise, wildcard the cookie-value section when values are per-victim, or pivot on only the header-order hash when the request body changes. Webscout's Sliver example starts from a fingerprint shared around Palo Alto Networks exploitation activity and then broadens it by wildcarding sections while keeping the distinctive request shape.
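The widening workflow described above can be run over request logs as follows. This is an added example, not code from Webscout or FoxIO: the log records and fingerprint values are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed log records (source IP, JA4H). Fingerprint values are made up.
TOOL = "po11cn050000_1f2e3d4c5b6a_0a1b2c3d4e5f"
BROWSER = "ge20cr12enus_9c8b7a6f5e4d_77aa77aa77aa"
RECORDS = [
    ("192.0.2.10", TOOL + "_111111111111"),
    ("198.51.100.7", TOOL + "_222222222222"),
    ("203.0.113.44", TOOL + "_333333333333"),
    ("192.0.2.10", TOOL + "_111111111111"),
    ("192.0.2.55", BROWSER + "_aaaa00000001"),
    ("192.0.2.56", BROWSER + "_aaaa00000002"),
]


def ja4h_matches(pattern, value):
    """Section-by-section comparison; '*' in the pattern accepts any value there."""
    p, v = pattern.split("_"), value.split("_")
    if len(p) != 4 or len(v) != 4:
        return False  # malformed or truncated fingerprint: never match by accident
    return all(ps in ("*", vs) for ps, vs in zip(p, v))


def widen(fingerprint, keep="abc"):
    """Keep the named sections (a, b, c, d) and wildcard the others."""
    parts = fingerprint.split("_")
    if len(parts) != 4:
        raise ValueError("expected a_b_c_d")
    return "_".join(s if name in keep else "*" for name, s in zip("abcd", parts))


def sources_for(records, pattern):
    """Distinct source IPs whose JA4H matches the pattern."""
    return sorted({ip for ip, fp in records if ja4h_matches(pattern, fp)})


def rotating_clients(records, keep="abc", min_ips=3):
    """Widened patterns seen from at least min_ips distinct sources."""
    seen = defaultdict(set)
    for ip, fp in records:
        seen[widen(fp, keep)].add(ip)
    return {pat: sorted(ips) for pat, ips in seen.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    full = RECORDS[0][1]
    print("exact:", sources_for(RECORDS, full))
    print("d wildcarded:", sources_for(RECORDS, widen(full)))
    print("rotating:", rotating_clients(RECORDS))
```

The exact fingerprint finds one source, while wildcarding the per-victim cookie-value section surfaces the same request shape from three sources.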

JA4H complements [HTTP/2 fingerprinting](/article/http2-fingerprinting-akamai/). HTTP/2 exposes SETTINGS values, frame order, pseudo-header order, and priority behavior. JA4H summarizes the HTTP request itself. Together, they answer different questions: does the protocol stack look like Chrome, and does the actual HTTP request look like the browser or tool it claims to be?

## JA4X: certificate generation fingerprinting

JA4X fingerprints X.509 certificate generation. The important distinction is that JA4X is not just "the certificate hash." A literal certificate hash changes whenever the certificate changes. JA4X tries to capture how the certificate was generated, so related infrastructure can cluster even when actors rotate leaf certificates.

That matters for malware, phishing kits, reverse proxies, and temporary infrastructure. Sliver, Cobalt Strike, SoftEther VPN, and self-signed appliance certificates can have repeated generation patterns. JA4X gives a pivot that sits between brittle certificate IoCs and broad certificate-authority reputation.

Use JA4X as a clustering lead, not a verdict. Certificate generation can be shared by benign tooling, and managed platforms can stamp many unrelated sites with similar certificate behavior. The defensive value comes from combining JA4X with JA4, JA4S, JA4H, DNS, ASN, content, and time-window evidence.

## JA4L and JA4LS: latency and light distance

JA4L and JA4LS describe latency direction: client-to-server and server-to-client. FoxIO describes them as latency measurement or light-distance methods. They are not identity fingerprints in the same way as JA4 or JA4H. They are consistency checks around geography and path shape.

Latency signals help answer questions that hashes cannot. A request claiming to be from a nearby residential browser but consistently showing impossible round-trip timing, relay-like asymmetry, or a sudden path-distance jump deserves a second look. The signal is noisy because routing changes, mobile networks, VPNs, and congestion all affect latency, so JA4L works best as one column in a broader risk score.

Cloudflare Signals Intelligence is a useful production analogy: Cloudflare exposes aggregate fields for a JA4 fingerprint such as browser ratio, heuristic ratio, request quantiles, IP/network diversity, cache ratio, and HTTP/2 or HTTP/3 ratio. The fingerprint is the join key; behavior around the fingerprint is what makes the decision safer.

## JA4SSH: SSH traffic fingerprinting

JA4SSH covers SSH negotiation. SSH clients and servers advertise algorithms, key-exchange choices, host-key algorithms, ciphers, MACs, and compression preferences. Those choices are often distinctive across OpenSSH versions, embedded devices, reverse shells, admin tools, and malware frameworks.

The FoxIO README example lists a reverse SSH shell value as `JA4SSH=c76s76_c71s59_c0s70`. The exact sections need the implementation reference for full decoding, but the operational lesson is straightforward: SSH has its own negotiation surface, and that surface can be logged and pivoted without pretending it is TLS.

For defenders, JA4SSH is most useful on networks where SSH is normal but tightly bounded: jump hosts, CI runners, appliance fleets, or management networks. A new SSH fingerprint on a host that normally sees only a small set of clients is often more actionable than an IP-only alert.

## How defenders combine the suite

The safest way to use JA4+ is as a consistency graph.

| Observation | Better question than "block?" | Example action |
|---|---|---|
| Browser-looking JA4, non-browser JA4T | Is TLS impersonated while TCP exposes the proxy or OS? | Add a challenge or lower trust until behavior proves human |
| Stable JA4H across rotating IPs | Is the same tool or C2 client moving infrastructure? | Pivot across logs with a widened JA4H pattern |
| New JA4S and JA4X on known service | Did a load balancer, certificate pipeline, or backend change? | Verify deployment inventory before treating it as compromise |
| High JA4 request volume with low browser ratio | Is this fingerprint mostly automation globally? | Rate-limit or require stronger bot signals |
| JA4L geography does not match session story | Is a relay or account-takeover path involved? | Step up authentication or flag for investigation |

Cloudflare's JA4 Signals page makes the same point in product form. It does not tell customers to block every request with a given JA4. It exposes browser ratios, known-bot ratios, IP/network diversity, path diversity, error/cache behavior, ranks, and quantiles so teams can decide whether the fingerprint is normal in context.
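A cross-layer check in the spirit of the table, which also treats a missing fingerprint (for example JA4 absent on session resumption) as "not observed" rather than as a mismatch. This is an added example, not code from the original article or any vendor: the fingerprint values are placeholders, and the labels and action names are hypothetical.

```python
# Constructed reference data: fingerprints a defender has already labelled.
# All keys are placeholders, not real JA4/JA4T/JA4H values.
KNOWN = {
    "ja4t": {"ja4t-desktop-placeholder": "browser",
             "ja4t-proxy-placeholder": "automation"},
    "ja4": {"ja4-chrome-placeholder": "browser",
            "ja4-script-placeholder": "automation"},
    "ja4h": {"ja4h-chrome-placeholder": "browser",
             "ja4h-tool-placeholder": "automation"},
}


def assess(conn):
    """Return (action, reasons) for one connection record.

    conn maps layer name to fingerprint or None. A layer the sensor did not see
    is recorded in reasons and never counted as disagreement.
    """
    labels, reasons = {}, []
    for layer in ("ja4t", "ja4", "ja4h"):
        value = conn.get(layer)
        if value is None:
            reasons.append(f"{layer} not observed")
            continue
        labels[layer] = KNOWN[layer].get(value, "unknown")

    if len(labels) < 2:
        # One layer alone is not a policy: wait for other signals.
        return "defer", reasons + ["fewer than two layers observed"]

    families = set(labels.values()) - {"unknown"}
    if families == {"browser", "automation"}:
        odd = sorted(name for name, fam in labels.items() if fam == "automation")
        return "challenge", reasons + ["browser claim contradicted by " + ", ".join(odd)]
    if families == {"automation"}:
        return "rate-limit", reasons + ["all labelled layers look automated"]
    return "allow", reasons


if __name__ == "__main__":
    spoofed_tls = {"ja4t": "ja4t-proxy-placeholder",
                   "ja4": "ja4-chrome-placeholder",
                   "ja4h": "ja4h-chrome-placeholder"}
    resumed = dict(spoofed_tls, ja4t="ja4t-desktop-placeholder", ja4=None)
    print(assess(spoofed_tls))
    print(assess(resumed))
```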

## Practical pitfalls

First, JA4+ names overlap with product marketing. JA4 by itself is the TLS client fingerprint. JA4+ is the suite. JA4S, JA4H, JA4X, JA4L, JA4SSH, JA4T, JA4TS, and JA4TScan are separate methods with separate licensing terms and different packet visibility requirements.

Second, sensor placement changes what is visible. A server behind a reverse proxy may see the proxy's TCP stack, not the user's original TCP stack. A WAF terminating TLS can see JA4 and HTTP behavior at its edge, but an origin behind it may not. A packet sensor can compute TCP and TLS values only where it observes the handshake.

Third, exact hashes are not explanations. The readable `a_b_c` or `a_b_c_d` sections make JA4+ useful because analysts can pivot on partial sections. Treat the value as an index into observed behavior, not as a magic identity string.

Finally, do not turn one layer into a policy. A single JA4T, JA4H, or JA4X can be shared by benign and malicious clients. The robust detection is the unlikely combination: browser TLS plus scanner TCP, normal user agent plus malware HTTP header order, or familiar hostname plus new server/certificate fingerprints.

## Sources

- [FoxIO JA4+ repository](https://github.com/FoxIO-LLC/ja4) — canonical method table, examples, implementation folders, licensing notes, and sample mappings for JA4, JA4S, JA4H, JA4X, JA4SSH, JA4T, and JA4TScan.
- [FoxIO JA4+ technical details](https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md) — method descriptions and linked technical diagrams for JA4, JA4S, JA4H, JA4T, JA4X, JA4SSH, JA4L, JA4D, and JA4D6.
- [FoxIO JA4+ Network Fingerprinting](https://blog.foxio.io/ja4%2B-network-fingerprinting) — original JA4+ release article covering the suite, `a_b_c` format, use cases, and JA3/JARM/HASSH context.
- [Cloudflare JA3/JA4 fingerprint docs](https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/) — production notes on JA4 calculation, missing-field cases, Workers handling, and WAF/Bot Management usage.
- [Cloudflare Signals Intelligence](https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/signals-intelligence/) — aggregate JA4 behavior fields such as browser ratio, heuristic ratio, request quantiles, and IP/path diversity.
- [Webscout: Dissecting JA4H for improved Sliver C2 detections](https://blog.webscout.io/dissecting-ja4h-for-improved-sliver-c2-detections/) — practical JA4H section breakdown and detection-widening example.
- [JA4T TCP Fingerprinting](/article/ja4t-tcp-fingerprinting/) — companion entry for the TCP-layer sibling of JA4.