Markdown source

Safari JA4 Fingerprint t13d2014h2 — TLS ClientHello Markdown source

Readable source view for humans. The raw Markdown endpoint remains available for crawlers and agent readers.

Canonical entry Raw file 
---
title: "Safari JA4 Fingerprint t13d2014h2 — TLS ClientHello"
description: "JA4 fingerprint t13d2014h2 is Safari's TLS 1.3 prefix: 20 cipher suites, 14 extensions, HTTP/2. Safari 18.4 and 26 produce t13d2014h2_a09f3c656075."
kind: snippet
maturity: budding
confidence: high
origin: ai-drafted
author: "Agent"
directedBy: "krow"
tags: [security, networking, fingerprinting, ja4, tls]
published: 2026-06-15
modified: 2026-06-15
wordCount: 526
readingTime: 3
prerequisites: [bot-detection-2026]
related: [ja4-fingerprint-t13d1516h2, ja4-decoder, common-ja4-fingerprints-decoded, tls-impersonation-library-comparison]
url: https://krowdev.com/snippet/ja4-fingerprint-t13d2014h2/
---
## Agent Context

- Canonical: https://krowdev.com/snippet/ja4-fingerprint-t13d2014h2/
- Markdown: https://krowdev.com/snippet/ja4-fingerprint-t13d2014h2.md
- Full corpus: https://krowdev.com/llms-full.txt
- Kind: snippet
- Maturity: budding
- Confidence: high
- Origin: ai-drafted
- Author: Agent
- Directed by: krow
- Published: 2026-06-15
- Modified: 2026-06-15
- Words: 526 (3 min read)
- Tags: security, networking, fingerprinting, ja4, tls
- Prerequisites: bot-detection-2026
- Related: ja4-fingerprint-t13d1516h2, ja4-decoder, common-ja4-fingerprints-decoded, tls-impersonation-library-comparison
- Content map:
  - h2: Quick Reference
  - h2: Which Safari Versions Produce t13d2014h2
  - h2: Why Safari's Prefix Differs From Chrome
  - h2: Bot Detection Relevance
  - h2: Sources
- Crawl policy: same canonical content is exposed through HTML, Markdown, and llms-full; no crawler-specific content gate.

`t13d2014h2` is the JA4 TLS fingerprint prefix that modern Safari produces. It means the ClientHello used TLS 1.3, included SNI, had 20 cipher suites after JA4 deduplication and GREASE removal, had 14 extensions after JA4 deduplication and GREASE removal, and advertised HTTP/2 through ALPN. A full Safari JA4 looks like `t13d2014h2_a09f3c656075_7f0f34a4126d`.

## Quick Reference

A JA4 fingerprint has three parts, `a_b_c`:

| Part | Value | Meaning |
|---|---|---|
| `a` | `t13d2014h2` | Human-readable shape of the TLS handshake (the prefix) |
| `b` | `a09f3c656075` | Truncated hash of the sorted cipher suites |
| `c` | `7f0f34a4126d` | Truncated hash of the sorted extensions plus signature algorithms |

The `t13d2014h2` prefix decodes further:

| Segment | Meaning |
|---|---|
| `t13` | TLS 1.3 ClientHello |
| `d` | Domain/SNI is present |
| `20` | 20 cipher suites after JA4 deduplication and GREASE removal |
| `14` | 14 TLS extensions after JA4 deduplication and GREASE removal |
| `h2` | HTTP/2 advertised through ALPN |

## Which Safari Versions Produce t13d2014h2

The `t13d2014h2` prefix and the `a09f3c656075` cipher hash stay stable across recent Safari releases; only the extension hash (part `c`) moves when Apple adjusts the extension or signature-algorithm list. These full strings are from live captures of `curl_cffi` Safari impersonation targets:

| Safari profile | Full JA4 |
|---|---|
| Safari 18.4 | `t13d2014h2_a09f3c656075_7f0f34a4126d` |
| Safari 26.0 | `t13d2014h2_a09f3c656075_d0a99439f9b1` |
| Safari 26.0.1 | `t13d2013h2_a09f3c656075_7f0f34a4126d` |

Note Safari 26.0.1: the prefix shifts to `t13d2013h2` because the ClientHello carried one fewer extension after JA4 normalization (13 instead of 14). A single point release can change the prefix, so match on the full string when the version matters. To break down any JA4 string field by field, use the [JA4 Fingerprint Decoder](/snippet/ja4-decoder/).

## Why Safari's Prefix Differs From Chrome

Chrome's prefix is `t13d1516h2` (15 ciphers, 16 extensions); Safari's is `t13d2014h2` (20 ciphers, 14 extensions). Safari offers the most cipher suites of the major browsers but the fewest extensions because Apple's TLS stack builds a different ClientHello than Chrome's BoringSSL. The counts alone narrow the browser family before any hash comparison: 20/14 is Safari-shaped, 15/16 is Chromium-shaped, and `t13d1715h2` is Firefox. The prefix alone does not prove Safari, though — the full `a_b_c` string is needed for a stronger match, and a Chrome User-Agent paired with a `t13d2014h2` prefix is an immediate inconsistency.

## Bot Detection Relevance

Bot detection compares a claimed browser identity against the real network stack. Safari impersonation is harder than Chrome because Apple's TLS library is not open source, so a client claiming to be Safari while producing a Chromium or Python prefix is flagged before any JavaScript challenge runs. For implementation context, [TLS Impersonation Libraries Compared](/article/tls-impersonation-library-comparison/) covers which libraries can replay a Safari fingerprint and where they break.

## Sources

- [FoxIO JA4 repository](https://github.com/FoxIO-LLC/ja4) — primary JA4 format reference and prefix decoding rules.
- [Cloudflare JA4 signals documentation](https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/) — how Cloudflare exposes JA4 for bot analysis.
- [curl_cffi impersonation targets](https://curl-cffi.readthedocs.io/en/stable/impersonate/targets.html) — supported Safari target names whose captures back the hashes above.
- [Common JA4 TLS Fingerprints, Decoded](/article/common-ja4-fingerprints-decoded/) — the full Chrome, Firefox, Safari, and tooling lookup table.