Live TLS Inspector

See yourJA3, JA4 & HTTP/2fingerprint — the way Cloudflare sees it.

Captured from the very first packet of every HTTPS request, your TLS fingerprint is the signal anti-bot systems trust most. This tool reveals yours in real time — and shows whether it matches a real browser or a scraper library like Python requests or curl.

Check my fingerprint Bypass anti-bot with Scrappey

100% client-sideNo signup requiredNever stored or logged

clienthello.pcap

JA3cd08e31494f9531f560d64c695473da9

JA4t13d1516h2_8daaf6152771_b0da82dd1658

HTTP/21:65536,3:1000,4:6291456,6:262144|15663105|0|m,a,s,p

UAMozilla/5.0 (...) Chrome/128 Safari/537.36

Mismatch — UA claims Chrome, JA3 is python-requests

Client ▲	Version	OS	TLS lib	JA3 hash	JA4	Category
.NET HttpClient	.NET 8	Windows 11	Schannel	98231b5d3c14…	t13d1715h2_5b57614c22b0_3d5424432f57	scraper-lib
Android Chrome	Chrome 128 (Android 14)	Android 14	BoringSSL	773906b0efde…	t13d1517h2_8daaf6152771_b0da82dd1658	real-browser
axios (Node)	1.6	Linux	Node OpenSSL 3.0	44f7ed5185d2…	t13d1715h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
cloudscraper	1.2.71	Linux	Python ssl (OpenSSL)	cd08e31494f9…	t13d1715h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
curl	7.84.0	Linux (Ubuntu)	OpenSSL 3.0	f436b9416f37…	t13d3113h2_e8f1e7e78f70_1d8619447c8d	scraper-lib
curl	8.4.0	macOS 14	LibreSSL 3.3	475c9302dc42…	t13d2014h2_a09f3c656075_e7c285222651	scraper-lib
curl	8.4.0	Windows 11	Schannel	54328bd36c14…	t13d1715h2_5b57614c22b0_3d5424432f57	scraper-lib
curl-impersonate	0.7 (chrome-124)	Linux	Forked BoringSSL	773906b0efde…	t13d1516h2_8daaf6152771_b0da82dd1658	stealth
Go net/http	1.22	Linux	Go crypto/tls	0d251b7d59c8…	t13d1517h2_8daaf6152771_b1ff8ab2d16f	scraper-lib
iOS Safari	iOS 17	iOS 17	Apple Security framework	8d8c2a4f5b4f…	t13d2014h2_a09f3c656075_e7c285222651	real-browser
Java Apache HttpClient	5.3	Linux (JDK 21)	JSSE	70d9da2e87a4…	t13d1517h2_8daaf6152771_b1ff8ab2d16f	scraper-lib
Java OkHttp	4.12	Linux (JDK 21)	JSSE	70d9da2e87a4…	t13d1517h2_8daaf6152771_b1ff8ab2d16f	scraper-lib
Node fetch (undici)	Node 20	Linux	OpenSSL 3.0 (Node built-in)	44f7ed5185d2…	t13d1715h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
node-fetch	3.3	Linux	Node OpenSSL 3.0	0c0944f7bcdf…	t13d1714h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
PHP cURL	PHP 8.2	Linux	libcurl + OpenSSL 3.0	f436b9416f37…	t13d3113h2_e8f1e7e78f70_1d8619447c8d	scraper-lib
Playwright Chromium	1.45 (Chrome 127)	Linux	BoringSSL (real Chrome build)	773906b0efde…	t13d1516h2_8daaf6152771_b0da82dd1658	headless
Playwright Firefox	1.45 (Firefox 128)	Linux	NSS (real Firefox build)	b20b44b18b85…	t13d1715h2_5b57614c22b0_b0da82dd1658	headless
puppeteer-extra-stealth + Chrome	Chrome 128	Linux	BoringSSL	773906b0efde…	t13d1516h2_8daaf6152771_b0da82dd1658	headless
Python aiohttp	3.9	Linux	OpenSSL 3.0	19e29534fd49…	t13d1716h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
Python httpx	0.27	Linux	OpenSSL 3.0 / h11+httpcore	19e29534fd49…	t13d1717h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
Python requests	2.31.0	Linux	OpenSSL 1.1.1 / urllib3 1.26	cd08e31494f9…	t13d1715h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
Python requests	2.32.0	Linux	OpenSSL 3.0 / urllib3 2.x	773906b0efde…	t13d1716h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
Python urllib3	1.26	Linux	OpenSSL 1.1.1	cd08e31494f9…	t13d1715h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
Python urllib3	2.2	Linux	OpenSSL 3.0	773906b0efde…	t13d1716h2_5b57614c22b0_eeeeb91e21d8	scraper-lib
Real Chrome	Chrome 124	Windows 11	BoringSSL	27b56ed4cca8…	t13d1516h2_8daaf6152771_b0da82dd1658	real-browser
Real Chrome	Chrome 128	Windows 11	BoringSSL	773906b0efde…	t13d1516h2_8daaf6152771_b0da82dd1658	real-browser
Real Edge	Edge 128	Windows 11	BoringSSL (Chromium)	773906b0efde…	t13d1516h2_8daaf6152771_b0da82dd1658	real-browser
Real Firefox	Firefox 128	Windows 11	NSS	b20b44b18b85…	t13d1715h2_5b57614c22b0_b0da82dd1658	real-browser
Real Safari	Safari 17	macOS 14	Apple Security framework	773e76b32f4c…	t13d2014h2_a09f3c656075_b0da82dd1658	real-browser
Rust reqwest	0.12 (rustls)	Linux	rustls 0.23	3fed133de60c…	t13d1314h2_8daaf6152771_b1ff8ab2d16f	scraper-lib
Rust reqwest	0.12 (native-tls)	Linux	OpenSSL 3.0	f436b9416f37…	t13d3113h2_e8f1e7e78f70_1d8619447c8d	scraper-lib
Selenium Chrome	Chrome 128	Linux	BoringSSL	773906b0efde…	t13d1516h2_8daaf6152771_b0da82dd1658	headless
tls-client (Go)	1.7	Linux	utls (mimics Chrome 124)	773906b0efde…	t13d1516h2_8daaf6152771_b0da82dd1658	stealth
undetected-chromedriver	3.5 (Chrome 128)	Linux	BoringSSL	773906b0efde…	t13d1516h2_8daaf6152771_b0da82dd1658	headless

.NET HttpClient

.NET 8 • Windows 11

scraper-lib

JA3: 98231b5d3c1419cdc8b94e09a3d2db3a

JA4: t13d1715h2_5b57614c22b0_3d5424432f57

Schannel on Windows. Different cipher order than .NET on Linux (which uses OpenSSL).

Android Chrome

Chrome 128 (Android 14) • Android 14

real-browser

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1517h2_8daaf6152771_b0da82dd1658

Android Chrome's TLS is BoringSSL — same as desktop Chrome — but mobile UA + HTTP/2 settings differ.

axios (Node)

1.6 • Linux

scraper-lib

JA3: 44f7ed5185d22c92b96da72dbe68d307

JA4: t13d1715h2_5b57614c22b0_eeeeb91e21d8

axios on Node delegates to Node's https module — TLS fingerprint matches the Node version, not axios itself.

cloudscraper

1.2.71 • Linux

scraper-lib

JA3: cd08e31494f9531f560d64c695473da9

JA4: t13d1715h2_5b57614c22b0_eeeeb91e21d8

cloudscraper does JS-challenge solving on top of requests — TLS fingerprint is still Python requests. Cloudflare moved on.

curl

7.84.0 • Linux (Ubuntu)

scraper-lib

JA3: f436b9416f37d134cadd04886327d3e8

JA4: t13d3113h2_e8f1e7e78f70_1d8619447c8d

Verified live against tls.peet.ws/api/all. Default `curl` from the Cloud Run egress. JA3 shifts with OpenSSL version.

curl

8.4.0 • macOS 14

scraper-lib

JA3: 475c9302dc42b2751db9edcac3b74891

JA4: t13d2014h2_a09f3c656075_e7c285222651

macOS system curl uses LibreSSL, different cipher order than Linux OpenSSL builds.

curl

8.4.0 • Windows 11

scraper-lib

JA3: 54328bd36c14bd82ddaa0c04b25ed9ad

JA4: t13d1715h2_5b57614c22b0_3d5424432f57

Windows curl when built against Schannel — different cipher set than OpenSSL builds. Detected as 'Windows non-browser TLS' by Cloudflare.

curl-impersonate

0.7 (chrome-124) • Linux

stealth

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

Drop-in curl that impersonates Chrome/Firefox/Safari at the TLS layer. JA3 = whatever browser profile you target.

Go net/http

1.22 • Linux

scraper-lib

JA3: 0d251b7d59c87dd5ad6dd31a05c5af3a

JA4: t13d1517h2_8daaf6152771_b1ff8ab2d16f

Go's crypto/tls has a distinctive small cipher set + GREASE absent — instantly identifiable. Same on every OS.

iOS Safari

iOS 17 • iOS 17

real-browser

JA3: 8d8c2a4f5b4f8e3a0e9b9c6f7a8b9c0d

JA4: t13d2014h2_a09f3c656075_e7c285222651

Mobile Safari shares the TLS stack with macOS Safari but advertises mobile-specific ALPN/HTTP2 settings.

Java Apache HttpClient

5.3 • Linux (JDK 21)

scraper-lib

JA3: 70d9da2e87a4dcae5da4cb83ca3f1ebd

JA4: t13d1517h2_8daaf6152771_b1ff8ab2d16f

Shares JSSE with OkHttp — identical TLS fingerprint.

Java OkHttp

4.12 • Linux (JDK 21)

scraper-lib

JA3: 70d9da2e87a4dcae5da4cb83ca3f1ebd

JA4: t13d1517h2_8daaf6152771_b1ff8ab2d16f

JDK's JSSE produces a very recognisable ClientHello. Same JVM = same JA3 across OkHttp and Apache HttpClient.

Node fetch (undici)

Node 20 • Linux

scraper-lib

JA3: 44f7ed5185d22c92b96da72dbe68d307

JA4: t13d1715h2_5b57614c22b0_eeeeb91e21d8

Native fetch() in Node 18+ uses undici. ClientHello differs slightly from node-fetch.

node-fetch

3.3 • Linux

scraper-lib

JA3: 0c0944f7bcdfeb02cc7d4cd7f02d2ec1

JA4: t13d1714h2_5b57614c22b0_eeeeb91e21d8

Pre-undici Node HTTPS client. Older but still common.

PHP cURL

PHP 8.2 • Linux

scraper-lib

JA3: f436b9416f37d134cadd04886327d3e8

JA4: t13d3113h2_e8f1e7e78f70_1d8619447c8d

PHP's curl extension is libcurl — TLS shape identical to the curl CLI on the same box.

Playwright Chromium

1.45 (Chrome 127) • Linux

headless

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

TLS layer is genuine Chrome — JA3 matches the Chrome version Playwright ships. Detection happens via WebDriver/JS APIs, not TLS.

Playwright Firefox

1.45 (Firefox 128) • Linux

headless

JA3: b20b44b18b853ef29ab773e921b03422

JA4: t13d1715h2_5b57614c22b0_b0da82dd1658

Genuine Firefox TLS stack. JA3 indistinguishable from real Firefox at the TLS layer.

puppeteer-extra-stealth + Chrome

Chrome 128 • Linux

headless

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

Stealth plugin patches JS-level signals — TLS is already real Chrome, so JA3 is identical to a normal Chrome install.

Python aiohttp

3.9 • Linux

scraper-lib

JA3: 19e29534fd49dd27d09234e639c4057e

JA4: t13d1716h2_5b57614c22b0_eeeeb91e21d8

Same underlying ssl module as requests/httpx. Treat as identical from anti-bot's perspective.

Python httpx

0.27 • Linux

scraper-lib

JA3: 19e29534fd49dd27d09234e639c4057e

JA4: t13d1717h2_5b57614c22b0_eeeeb91e21d8

httpx wraps Python's stdlib ssl — same OpenSSL ClientHello as requests + h2 by default.

Python requests

2.31.0 • Linux

scraper-lib

JA3: cd08e31494f9531f560d64c695473da9

JA4: t13d1715h2_5b57614c22b0_eeeeb91e21d8

The classic Python-requests fingerprint famously blocked by Cloudflare and Akamai. JA3 stable across most 2.x versions on Linux.

Python requests

2.32.0 • Linux

scraper-lib

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1716h2_5b57614c22b0_eeeeb91e21d8

urllib3 2.x bumped TLS extension order; new JA3 still extremely common in fingerprint blocklists.

Python urllib3

1.26 • Linux

scraper-lib

JA3: cd08e31494f9531f560d64c695473da9

JA4: t13d1715h2_5b57614c22b0_eeeeb91e21d8

1.x branch — identical TLS shape to requests since requests uses urllib3 under the hood.

Python urllib3

2.2 • Linux

scraper-lib

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1716h2_5b57614c22b0_eeeeb91e21d8

2.x branch reordered some extensions; still trivially flagged.

Real Chrome

Chrome 124 • Windows 11

real-browser

JA3: 27b56ed4cca80e6aa6b6d4a4a3a3b5e0

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

Chrome randomises GREASE values; JA3 hash is technically unstable byte-for-byte but the JA4 main hash stays the same.

Real Chrome

Chrome 128 • Windows 11

real-browser

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

Post-Chrome-110 extension shuffling means raw JA3 changes per session — JA4 normalises it.

Real Edge

Edge 128 • Windows 11

real-browser

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

Edge is Chromium — JA3/JA4 identical to Chrome of the same major version.

Real Firefox

Firefox 128 • Windows 11

real-browser

JA3: b20b44b18b853ef29ab773e921b03422

JA4: t13d1715h2_5b57614c22b0_b0da82dd1658

Firefox's NSS ClientHello is distinct from Chrome's BoringSSL. Both look 'browser-like' to anti-bot.

Real Safari

Safari 17 • macOS 14

real-browser

JA3: 773e76b32f4c0eca5c34fe9ab63e8d6e

JA4: t13d2014h2_a09f3c656075_b0da82dd1658

macOS Safari uses the system Security framework — unique among major browsers.

Rust reqwest

0.12 (rustls) • Linux

scraper-lib

JA3: 3fed133de60c35724739b913924b6c24

JA4: t13d1314h2_8daaf6152771_b1ff8ab2d16f

rustls has a small, distinctive ClientHello — easy to flag. Switch reqwest to the native-tls backend for OpenSSL fingerprint.

Rust reqwest

0.12 (native-tls) • Linux

scraper-lib

JA3: f436b9416f37d134cadd04886327d3e8

JA4: t13d3113h2_e8f1e7e78f70_1d8619447c8d

With native-tls backend, fingerprint matches plain curl/OpenSSL — still obviously not a browser.

Selenium Chrome

Chrome 128 • Linux

headless

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

Drives real Chrome — TLS fingerprint matches the Chrome build.

tls-client (Go)

1.7 • Linux

stealth

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

Popular scraping library that uses utls to forge Chrome's ClientHello. JA3 matches whatever Chrome profile you pick.

undetected-chromedriver

3.5 (Chrome 128) • Linux

headless

JA3: 773906b0efdefa24a7f2b8eb6985bf37

JA4: t13d1516h2_8daaf6152771_b0da82dd1658

Patches CDP / navigator.webdriver. TLS itself is plain Chrome — already a good fingerprint.

Showing 34 of 34 clients. Hashes vary with TLS library version, OS, and build flags — use this as a starting point, then verify with your exact environment via tls.peet.ws/api/all.

What is a browser fingerprint?

A browser fingerprint is a set of device, network, and software signals a website can read from your client to identify it — without using cookies. Two broad families exist. Passive fingerprints come from data you send just by connecting: the TLS ClientHello, HTTP/2 SETTINGS frame, IP, and headers. Active fingerprints are gathered with JavaScript: canvas, WebGL, fonts, audio context, screen geometry. Anti-bot systems combine both into a stable identifier that survives proxy rotation, incognito mode, and clearing cookies — which is exactly why simple "rotate the User-Agent" tactics rarely fool modern WAFs.

What is JA3?

JA3 is a fingerprint of the TLS ClientHello — the first packet your client sends on every HTTPS connection. It hashes (MD5) five fields concatenated in order: TLS version, cipher suites, extensions, elliptic curves, EC point formats. Because each TLS library (OpenSSL, BoringSSL, NSS, Schannel, rustls, Go crypto/tls) builds the ClientHello slightly differently, the resulting hash is a strong tell about which client you're using — even if your User-Agent says otherwise. JA3 was published by Salesforce in 2017 and is used in Suricata, Zeek, and most commercial anti-bot vendors. Its weakness: post-Chrome-110 extension shuffling and GREASE values broke JA3's stability for real browsers, which is why JA4 was created.

What is JA4?

JA4 is the 2023 successor to JA3 from FoxIO. It fixes two big problems: it sorts extensions before hashing (so Chrome's extension shuffling no longer changes the fingerprint), and it explicitly covers TLS 1.3 features JA3 didn't — ALPN, signature algorithms, supported versions. The format is human-readable: t13d1516h2_8daaf6152771_b0da82dd1658 means TLS 1.3, 15 ciphers, 16 extensions, ALPN h2, then a hash of the sorted ciphers and a hash of the extensions plus signature algorithms. Anti-bot vendors are migrating from JA3 to JA4 throughout 2024–2025.

How anti-bot systems use TLS fingerprints

Cloudflare, Akamai Bot Manager, DataDome, PerimeterX (HUMAN), and Imperva all score the TLS fingerprint as one of their highest-weighted signals. The classic story: a scraper sends User-Agent: Mozilla/5.0 ... Chrome/128 but the JA3 hash is cd08e31494f9531f560d64c695473da9 — the well-known Python requests fingerprint. The WAF blocks the request before your code even gets to handle a response. This is why "Cloudflare blocks Python requests" is the most-Googled question in the scraping community — it's not Python, it's the OpenSSL ClientHello shape that gives it away. Real browsers send 15+ ciphers and 14+ extensions; OpenSSL clients send a distinct set with a different order. The mismatch is trivial to flag.

How to change your client's JA3/JA4

1. Use a TLS-mimicking library

Tools like curl-impersonate, tls-client (Go), and the curl_cffi Python binding patch the TLS stack to send a real browser's ClientHello byte-for-byte. JA3/JA4 will match whichever Chrome/Firefox/Safari profile you pick.

2. Use a real browser

Playwright and Selenium drive actual Chrome/Firefox/Safari binaries, so the TLS layer is genuine and the JA3 matches automatically. Detection then shifts to the JS layer (navigator.webdriver, CDP attributes) — which stealth plugins handle.

3. Route through Scrappey

Scrappey's requestType: "browser" mode runs your target inside a real Chrome with rotating residential proxies — TLS fingerprint, HTTP/2 settings, IP reputation, and JS challenges all handled in one call. 150 free credits to try it.

TLS fingerprinting vs. browser fingerprinting vs. IP reputation

Signal	When it's read	How to change it
TLS fingerprint (JA3/JA4)	First TLS packet, before any HTTP	Patch the TLS lib, use a real browser, or use a mimic tool
Browser fingerprint (canvas, WebGL, fonts)	After JS executes on the page	Anti-detect browser profiles, stealth plugins
IP reputation	At connection time, against threat-intel feeds	Residential proxies, mobile IPs

FAQ

What's the difference between JA3 and JA4?

JA3 hashes the TLS ClientHello in the order extensions are sent; JA4 sorts them first, so Chrome's post-110 extension shuffling no longer changes the fingerprint. JA4 also explicitly covers TLS 1.3 features (ALPN, signature algorithms) that JA3 ignored. Anti-bot vendors are migrating from JA3 to JA4 throughout 2024–2025.

Can I change my JA3 fingerprint?

Yes — but not by changing settings in your code. The JA3 is fixed by the TLS library you compile against. To change it you either patch the library (curl-impersonate, tls-client, curl_cffi), use a different language whose stack already matches a browser, or drive a real browser via Playwright/Selenium.

Does using a proxy change my TLS fingerprint?

No. The TLS handshake is end-to-end between your client and the destination server (the proxy just tunnels the encrypted bytes), so your JA3/JA4 is whatever your client produces regardless of the proxy. The only exception is a TLS-terminating proxy that re-handshakes, in which case the fingerprint becomes the proxy's, not yours.

Why does Cloudflare block Python requests?

Because the Python requests library produces a very distinctive ClientHello — a small cipher set in a specific OpenSSL order — that doesn't match any real browser. Cloudflare's bot scoring weights TLS fingerprint heavily; once the JA3 is on its blocklist, the request is dropped before your code even sees a response. Switching to curl_cffi, tls-client, or a real browser fixes it.

How accurate is JA3 for bot detection?

Very accurate for catching naive scrapers (Python requests, raw curl, Go net/http) — false-positive rate near zero against real browsers. Less accurate against modern tooling (curl-impersonate, tls-client) which deliberately match real Chrome/Firefox. That gap is why anti-bot vendors layer JA3/JA4 with HTTP/2 fingerprinting, JS-level signals, and IP reputation.