ShieldLabs is an anonymous visitor identification and traffic quality platform. It analyzes device, browser, IP, and network signals, detecting mismatches between them to identify anonymous visitors and assign a real-time explainable risk score to every visit, as well as detect abuse patterns across your traffic.

What is ShieldLabs used for?

ShieldLabs is used to identify anonymous visitors, assess traffic quality, and detect abuse activity such as multi-accounting, fake account creation, account takeover, free trial abuse, bonus abuse, ban evasion, referral fraud, account sharing, coupon abuse, subscription abuse, giveaway fraud, voting manipulation, and survey fraud.

Who is ShieldLabs for?

ShieldLabs is best for startups, small-to-mid-sized businesses, and digital platforms with medium to high traffic volume that need a cost-effective anonymous visitor identification solution. Built for product, fraud, and growth teams at SaaS platforms, fintech, iGaming, e-commerce, Web3, media and streaming, travel, and technology platforms - any business dealing with anonymous traffic and abuse.

How accurate is ShieldLabs?

ShieldLabs detects anonymized connections and environment spoofing with up to 99% accuracy through multi-layer analysis.

How is ShieldLabs different from traditional abuse prevention platforms?

ShieldLabs delivers the same level of visitor identification and abuse detection used by platforms like Google and X / Twitter — with transparent per-request pricing, self-serve integration in 5 minutes, and an explainable risk score. No "Contact Sales," no enterprise contracts.

Can a visitor be recognized when IP changes?

Yes. ShieldLabs generates a persistent visitor ID. This identifier remains stable across sessions even when the visitor changes IP, clears cookies, switches to incognito mode, or creates a new account.

What is a persistent visitor ID?

A persistent visitor ID is a stable identifier assigned to each visitor. Unlike cookies or IP addresses, it survives IP rotation, cookie clearing, incognito mode, and account changes - allowing real-time recognition of returning visitors regardless of how they try to hide.

What is browser fingerprinting?

Browser fingerprinting is a technique for identifying website visitors by collecting unique browser signals such as browser version, preferred language, screen resolution, installed fonts, and graphics rendering. These signals are combined to generate a unique identifier that recognizes the visitor across sessions — even without cookies.

What is device fingerprinting?

Device fingerprinting identifies a visitor based on hardware and operating system signals such as device type, OS version, memory, processor, and screen parameters. Combined with browser fingerprinting, it produces a more stable and accurate identification.

How does device fingerprinting differ from browser fingerprinting?

Browser fingerprinting collects signals from the browser — version, language, plugins, screen resolution. Device fingerprinting collects signals from the hardware and operating system — device type, OS, memory, processor. ShieldLabs combines both to generate a persistent visitor ID with higher accuracy than either method alone.

Does ShieldLabs do device fingerprinting or browser fingerprinting?

Both. ShieldLabs analyzes 70+ signals across device, operating system, and browser to generate a persistent visitor ID. It then cross-validates these signals against network and IP data to detect mismatches and expose anonymous visitors.

Is browser fingerprinting safe?

For businesses, browser fingerprinting is used to identify anonymous visitors and distinguish between legitimate users and potentially fraudulent ones. ShieldLabs does not track users across sites and does not collect personally identifiable information during the fingerprinting process. For visitors, the process is invisible and adds no friction to their experience.

Can ShieldLabs detect a visitor in incognito mode or on a VPN?

Yes. Device and browser fingerprinting signals remain consistent even in incognito mode. VPN connections are detected through IP intelligence and cross-layer mismatch analysis. ShieldLabs identifies the visitor in both cases.

What can ShieldLabs detect?

ShieldLabs detects VPN, proxy, TOR, iCloud Private Relay, anti-detect browsers, tampered browsers, anti-fingerprint tools, data center and hosting infrastructure, environment spoofing, device tampering, location spoofing, timezone mismatches, and abuse activity. All detection works in real time.

Does ShieldLabs detect anti-detect browsers?

Yes. Anti-detect browsers are designed to mask device fingerprints and rotate identities. ShieldLabs detects them through cross-layer mismatch analysis, identifying the difference between what the browser claims and what is actually detected.

Can ShieldLabs detect fake accounts and multi-accounting?

Yes. The system builds an identity graph linking visitors, devices, and accounts across sessions. When the same person creates multiple accounts — even using different IPs, browsers, or anti-detect tools — the system connects them through shared device and network characteristics.

Can ShieldLabs detect account takeover?

Yes. When an account is accessed from an unrecognized device, suspicious connection, or unusual location, the system flags it as a potential account takeover.

Can ShieldLabs detect location spoofing?

Yes. The system detects timezone and geolocation mismatches between what the browser reports and what the IP and network reveal — indicating masked or spoofed visitor location.

Does ShieldLabs detect account sharing?

Yes. When multiple devices, locations, and network signatures access the same account, the system flags it as potential account sharing — helping protect subscription value and enforce per-user access.

Risk Score is a numerical assessment of explainable risk for every visit. It is calculated from anonymity indicators, cross-layer mismatches, and network signals. A high score indicates an increased probability of an anonymous or masked visit. Every score includes clear reasons for every contributing factor.

How is Risk Score calculated?

Each detected signal contributes to the final score - VPN detection, proxy connection, OS mismatch between browser and network, timezone conflict, data center IP, and more. Risk score reflects the cumulative risk level and explains each factor.

What is traffic risk level?

Traffic risk level is an overall assessment of anonymity across all your traffic. It shows what percentage of visitors are clean, low risk, medium risk, or high risk - giving you visibility into overall traffic quality.

Does ShieldLabs automatically block users?

No. ShieldLabs provides risk score, scoring reasons, and detailed visitor data. The blocking decision is made by you - either manually or through automated rules you configure.

What is an identity graph?

An identity graph is a map of connections between visitors, devices, and accounts. ShieldLabs builds this graph automatically by linking persistent visitor IDs, device fingerprints, and network signals across all sessions — revealing which accounts are connected and the risk level of each connection.

What are abuse patterns?

Abuse patterns are ready-made detection rules that identify suspicious connections between visitors, devices, and accounts — such as many accounts on one device, changing IDs on one account, or many devices on one account. Each pattern flags potential multi-accounting, account sharing, ban evasion, or coordinated abuse.

What is traffic quality?

Traffic quality is a measure of how much of your traffic comes from real, identifiable visitors versus anonymous, masked, or suspicious traffic. ShieldLabs assigns a risk level to your overall traffic and a risk score to every visitor.

How long does integration take?

Integration takes approximately 5 minutes. Add a code snippet to your site, and the system immediately begins anonymous visitor identification and real-time traffic analysis.

Which frameworks are supported?

ShieldLabs supports JavaScript, Next.js, React, Angular, Vue.js, Preact, and Svelte.

Does ShieldLabs provide API and Webhooks?

Yes. Risk score, visitor IDs, and detailed detection signals are available via API and Webhooks in real time for automation of fraud prevention rules and protection scenarios.

Does ShieldLabs affect real users?

No. The system operates in the background and does not require any additional actions from visitors. No CAPTCHAs, no challenges, no friction.

How does pricing work?

ShieldLabs offers transparent per-request pricing with a free tier. Start free, scale as you grow. No enterprise contracts, no "Contact Sales."

Is there a free plan?

Yes. The free plan includes 5,000 requests for initial traffic quality check and anonymous visitor identification.

What is a JA4 fingerprint?

A JA4 fingerprint is a short, readable string that identifies the software stack behind a connection, derived from the TLS Client Hello a client sends when it opens a secure connection. Because a browser, a script, and a tool each build that handshake differently, the JA4 string is characteristic of the client type. It is created by FoxIO as the successor to JA3 and is written in a compact, multi-part format that a person can read directly.

Is JA4 better than JA3?

For most purposes, yes. JA3 hashed the TLS Client Hello in the order the client sent it, so once browsers began randomizing their extension order, the same browser produced a different JA3 on every connection and the fingerprint stopped working. JA4 sorts the values before fingerprinting, so reordering does not break it, and it is human-readable and covers more protocols. JA3 still appears in older tooling, but JA4 is the more resilient successor.

Is a JA4 fingerprint unique?

No. A JA4 fingerprint identifies a client's software stack, not an individual device or person, so everyone using the same browser version and operating system tends to share the same JA4. Some clients are not even stable across connections, for example Safari can present a different fingerprint when it reuses a prior TLS session. That is why JA4 is best used as a corroborating signal weighed with others, not as a unique identifier.

What is the difference between JA3 and JA4?

JA3 produces a single opaque hash of the TLS Client Hello in the order it arrived, which made it break when clients reordered their extensions. JA4 produces a readable, multi-part string and sorts the values so reordering does not change it, and it is part of the JA4+ family that also fingerprints HTTP, TCP, and the server side. In short, JA4 is more resilient, more readable, and broader in scope than JA3.

Does ShieldLabs use JA4?

ShieldLabs reads the TLS and connection layer, of which a JA4-style fingerprint is one part, as a single input among many. It is cross-checked against the declared browser and the rest of the session and folded into a risk score, never acted on as a standalone verdict. ShieldLabs scores the session and hands the result to your own rules, and the free tier covers your first 5,000 identifications.

Back to blog

June 16, 2026TLS fingerprinting Network signals Fraud prevention

JA4 fingerprinting explained: how it improves on JA3, and what it actually identifies

Vasil MakarchukChief Technology Officer

JA4 fingerprinting: a TLS Client Hello is read into a readable JA4 string that identifies the client software stack, where JA3 produced an opaque hash that broke on randomization

Last updated on June 16, 2026 · 9 min read

JA3, the old way of fingerprinting a TLS client, broke when the browsers it watched started shuffling their own handshake. After Chrome began randomizing the order of its TLS extensions in 2023, JA3, which hashed those extensions in the order they arrived, produced a different value on almost every connection, so the fingerprint that was supposed to recognize a client recognized nothing. JA4, released the same year by FoxIO, is the answer: it sorts the values instead of trusting their order, stays human-readable, and covers more than just TLS. This guide explains what JA4 is, how it improves on JA3, and the part most write-ups skip, what it actually identifies and what it does not.

Key takeaways

JA4 is a network fingerprint that identifies the software stack behind a connection, a browser, a script, or a tool, from the TLS Client Hello it sends, before any page code runs.
It replaced JA3 because JA3 was order-sensitive: once browsers randomized their TLS extension order, JA3's hash changed on every connection. JA4 sorts the values, so reordering no longer breaks the match.
A JA4 fingerprint is readable, not just a hash. Its parts spell out the TLS version, the cipher and extension makeup, and the application protocol, and JA4 is one of a family (JA4+) that also covers HTTP, TCP, and the server side.
JA4 identifies a client type, not a person or a unique device. Everyone on the same browser and operating system can share one JA4, so it is a corroborating signal, never an identifier on its own.
In fraud detection its value is the contradiction: a request that claims to be one browser but whose JA4 says it is a script or a tool is the tell, read at the network layer.

What is JA4 fingerprinting?

JA4 fingerprinting is a method of identifying the software behind a connection by reading the TLS Client Hello, the first, unencrypted message a client sends when it opens a secure connection, and condensing its characteristics into a short, standardized string. Because different software, a Chrome browser, a Python script, a Go HTTP library, builds that handshake differently, the resulting JA4 string is characteristic of the client type that produced it. It is the successor to JA3, created by FoxIO and published as an open specification, and it sits at the network and transport layer rather than in the browser. It is the JA4 piece of TLS fingerprinting more broadly.

The reason it reads the Client Hello is that this message is sent in the clear, before encryption begins, so a server can fingerprint the client without decrypting anything. What the fingerprint captures is configuration, the TLS version offered, the list of cipher suites, the extensions, and the application protocols, which together form a signature of the software, not the user.

How JA4 improves on JA3

JA3, introduced in 2017, hashed the Client Hello fields in the exact order the client sent them and reduced the result to a single opaque value. That worked until the order stopped being stable. When browsers began permuting their TLS extensions on purpose, a change Chrome rolled out in 2023, the same browser produced a different JA3 on every connection, and the fingerprint collapsed. JA4 fixes this by sorting the values before it builds the fingerprint, so a harmless reordering produces the same JA4. It also keeps the fingerprint readable instead of hashing everything into one blob, and it extends beyond TLS into a whole family of fingerprints. The differences at a glance:

	JA3	JA4
Introduced	2017	2023
Output	one opaque MD5 hash	a readable, multi-part string
Extension order	order-sensitive, breaks on reordering	sorts the values, survives reordering
Readability	none, just a hash	parts you can read (TLS version, cipher and extension counts, ALPN)
Scope	the TLS client only	a suite covering TLS, the server, HTTP, TCP, and more

The practical upshot is resilience. JA3 was easy to defeat by accident, every browser that randomized its handshake broke it, and easy to defeat on purpose. JA4 raises the bar on both, which is why detection tooling moved to it.

The JA4 string format

A JA4 fingerprint is written in readable parts, often shown as a_b_c, in a compact multi-part shape (the two trailing hashes are 12 characters each, while the readable first part varies). Each part answers a different question:

Part a captures the protocol and transport, the TLS version, whether the connection is over TCP or QUIC, the presence of a server name, and the application protocol negotiated via ALPN (Application-Layer Protocol Negotiation), so t13 reads as TLS 1.3.
Part b summarizes the cipher suites the client offered, as a count plus a sorted hash, so reordering the same ciphers does not change it.
Part c does the same for the extensions and the signature algorithms.

A complete JA4 looks like t13d1516h2_8daaf6152771_02713d6af862: the t13d reads as TLS 1.3 over TCP with a server name present, the digits 1516 count the offered cipher suites (15) and extensions (16), h2 is the negotiated HTTP/2 preference, and the two trailing blocks are the sorted cipher and extension hashes. JA4 also ignores GREASE values, the deliberately random entries a browser adds to its handshake to keep the protocol extensible (defined in RFC 8701), so that padding never shifts the fingerprint.

Because the parts are separate and legible, an analyst can match on the whole string or on a single segment, and can read roughly what a client is from the fingerprint alone rather than looking it up in a table. Because a JA4 is readable and portable, common fingerprints are catalogued in open databases such as JA4DB and can be read directly in tools like Wireshark, so a value seen in your logs can be identified rather than reverse-engineered.

The JA4+ suite: more than TLS

JA4 is the TLS-client member of a larger family called JA4+, a set of fingerprints for different layers of a connection. The ones that come up most:

JA4 fingerprints the TLS client from its Client Hello.
JA4S fingerprints the server's response, the Server Hello.
JA4H fingerprints the HTTP request, including the order of headers and the presence of things like an Accept-Language.
JA4T fingerprints the TCP characteristics, such as window size, which can hint at the operating system or a proxy in the path.
JA4X fingerprints an X.509 certificate, and JA4SSH covers SSH sessions.

Read together, the suite describes a connection from several angles at once, which is what makes a contradiction between layers, a TLS stack that does not match the HTTP behavior, so informative.

What JA4 can and cannot tell you

This is the part that matters most and is the easiest to get wrong. A JA4 fingerprint identifies a client's software stack, not a person and not a unique device. Everyone running the same browser version on the same operating system tends to produce the same JA4, so the fingerprint groups clients by type rather than singling anyone out. It is explicitly not designed to be unique, and there are real edge cases where it is not even stable for one client: Safari, for instance, can reuse a prior session through a TLS extension and present a different fingerprint on the next connection.

That is not a flaw to hide; it is the right way to use the signal. JA4 tells you what kind of client is connecting, with high confidence and almost no cost, and it tells you that server-side before a single line of page code runs. What it does not do is tell you who the visitor is or pin them to one machine. Treated as a corroborating signal rather than an identifier, it is genuinely useful. Treated as a unique ID, it produces false matches and misses.

JA4 in fraud detection

For threat hunters and web application firewalls, JA4 is mostly about grouping malicious traffic and rate-limiting clients that rotate IPs. For fraud and abuse detection the more useful read is narrower: the contradiction between what a client claims to be and what its JA4 says it is. A request can set a user-agent header that says Chrome on Windows, but the user-agent is just a string the client chooses, while the JA4 is produced by the actual TLS library underneath. When the header says one thing and the TLS stack says a scripting library or an automation framework, the mismatch is hard to fake and easy to read. A missing or unusual application protocol value, where a real browser would normally negotiate HTTP/2, points the same way.

That makes JA4 a strong corroborating signal for automated abuse and for anti-detect browser setups, which spoof the browser-side fingerprint but often miss the transport layer underneath. It is read alongside the rest of the session rather than acted on alone, because a shared JA4 is normal: the goal is to catch the session whose layers disagree, not to treat a common fingerprint as guilt.

How ShieldLabs uses the TLS signal

ShieldLabs reads the connection layer, including the TLS fingerprint, as one input among many, never as a standalone verdict. The TLS stack behind a request is one of the network signals it reads, cross-checked against the declared browser, the anonymity signals on the connection, and the rest of the session, so a client whose transport layer disagrees with what it claims to be raises the read rather than passing on a header alone.

ShieldLabs scores the session, the device, and the network, and names the signals behind a risk score from 0 to 100. You read that score and the named signals through the API and webhooks and decide, by your own rules, what a contradiction is worth. The TLS read is one corroborating layer in that picture, read alongside the broader TLS fingerprinting signal and the wider set of browser fingerprinting techniques.

Frequently asked questions

WebGL fingerprinting: a hidden 3D scene rendered by a device's GPU into a distinct hash that identifies the graphics hardware

Browser fingerprinting Device intelligence

What is WebGL fingerprinting? How the GPU gives a device away

WebGL fingerprinting identifies a device by how its GPU renders 3D graphics. How it works, what it reveals, and how it differs from canvas.

Pavel NuryieuHead of ResearchJune 29, 2026

TLS fingerprinting: a client's TLS handshake, its cipher suites and extensions, condensed into a JA3 or JA4 hash that identifies the software behind the connection

Browser fingerprinting Network signals

What is TLS fingerprinting? How JA3 and JA4 identify a client

TLS fingerprinting identifies the software behind a connection from its TLS handshake. How it works, what JA3 and JA4 are, and what it reveals.

Vasil MakarchukChief Technology OfficerJune 29, 2026

Font fingerprinting: the set of fonts installed on a device measured from how text renders, condensed into a value that identifies the device