Skip to main content

Support for JA4 Fingerprint in Nginx Logs

· One min read
Skpr Platform Team
Platform Engineering

Overview

Nginx access logs now include a JA4 fingerprint for each request. JA4 is an open standard for fingerprinting TLS clients based on how they negotiate their connection, rather than what they claim to be.

This matters because details like the user agent can be faked. A JA4 fingerprint identifies the underlying client, so two requests from the same tool share a fingerprint even if one spoofs its user agent.

The fingerprint comes through from CloudFront and appears in the http_cloudfront_viewer_ja4_fingerprint field:

"http_cloudfront_viewer_ja4_fingerprint": "t13d1516h2_8daaf6152771_02713d6af862"

You can use it to spot bots, group related traffic, and investigate suspicious activity. It's especially useful for identifying automated clients during traffic spikes or denial-of-service attempts.