Safari JA4 Fingerprint t13d2014h2 — TLS ClientHello
JA4 fingerprint t13d2014h2 is Safari's TLS 1.3 prefix: 20 cipher suites, 14 extensions, HTTP/2. Safari 18.4 and 26 produce t13d2014h2_a09f3c656075.
On this page
t13d2014h2 is the JA4 TLS fingerprint prefix that modern Safari produces. It means the ClientHello used TLS 1.3, included SNI, had 20 cipher suites after JA4 deduplication and GREASE removal, had 14 extensions after JA4 deduplication and GREASE removal, and advertised HTTP/2 through ALPN. A full Safari JA4 looks like t13d2014h2_a09f3c656075_7f0f34a4126d.
Quick Reference
A JA4 fingerprint has three parts, a_b_c:
| Part | Value | Meaning |
|---|---|---|
a | t13d2014h2 | Human-readable shape of the TLS handshake (the prefix) |
b | a09f3c656075 | Truncated hash of the sorted cipher suites |
c | 7f0f34a4126d | Truncated hash of the sorted extensions plus signature algorithms |
The t13d2014h2 prefix decodes further:
| Segment | Meaning |
|---|---|
t13 | TLS 1.3 ClientHello |
d | Domain/SNI is present |
20 | 20 cipher suites after JA4 deduplication and GREASE removal |
14 | 14 TLS extensions after JA4 deduplication and GREASE removal |
h2 | HTTP/2 advertised through ALPN |
Which Safari Versions Produce t13d2014h2
The t13d2014h2 prefix and the a09f3c656075 cipher hash stay stable across recent Safari releases; only the extension hash (part c) moves when Apple adjusts the extension or signature-algorithm list. These full strings are from live captures of curl_cffi Safari impersonation targets:
| Safari profile | Full JA4 |
|---|---|
| Safari 18.4 | t13d2014h2_a09f3c656075_7f0f34a4126d |
| Safari 26.0 | t13d2014h2_a09f3c656075_d0a99439f9b1 |
| Safari 26.0.1 | t13d2013h2_a09f3c656075_7f0f34a4126d |
Note Safari 26.0.1: the prefix shifts to t13d2013h2 because the ClientHello carried one fewer extension after JA4 normalization (13 instead of 14). A single point release can change the prefix, so match on the full string when the version matters. To break down any JA4 string field by field, use the JA4 Fingerprint Decoder.
Why Safari’s Prefix Differs From Chrome
Chrome’s prefix is t13d1516h2 (15 ciphers, 16 extensions); Safari’s is t13d2014h2 (20 ciphers, 14 extensions). Safari offers the most cipher suites of the major browsers but the fewest extensions because Apple’s TLS stack builds a different ClientHello than Chrome’s BoringSSL. The counts alone narrow the browser family before any hash comparison: 20/14 is Safari-shaped, 15/16 is Chromium-shaped, and t13d1715h2 is Firefox. The prefix alone does not prove Safari, though — the full a_b_c string is needed for a stronger match, and a Chrome User-Agent paired with a t13d2014h2 prefix is an immediate inconsistency.
Bot Detection Relevance
Bot detection compares a claimed browser identity against the real network stack. Safari impersonation is harder than Chrome because Apple’s TLS library is not open source, so a client claiming to be Safari while producing a Chromium or Python prefix is flagged before any JavaScript challenge runs. For implementation context, TLS Impersonation Libraries Compared covers which libraries can replay a Safari fingerprint and where they break.
Sources
- FoxIO JA4 repository — primary JA4 format reference and prefix decoding rules.
- Cloudflare JA4 signals documentation — how Cloudflare exposes JA4 for bot analysis.
- curl_cffi impersonation targets — supported Safari target names whose captures back the hashes above.
- Common JA4 TLS Fingerprints, Decoded — the full Chrome, Firefox, Safari, and tooling lookup table.