GlossaryAnti-BotAdvanced

TLS Fingerprinting

TLS fingerprinting identifies a client by analyzing the details of how it negotiates an encrypted connection. It lets servers detect specific tools or browsers before any web request data is exchanged.

Last updated June 8, 2026

Definition

TLS fingerprinting is the practice of identifying client software by inspecting the parameters it sends during the TLS handshake. Every HTTPS connection begins with a ClientHello message, and the exact composition of that message reveals which library or browser is connecting.

What Gets Fingerprinted

Servers examine the offered cipher suites, TLS version, supported extensions, elliptic curves, signature algorithms, and their ordering. Methods like JA3 and the newer JA4 compress these values into a hash. Because browsers and HTTP libraries build their handshakes differently, each yields a recognizable signature.

  • Pre-HTTP: Detection occurs before headers or cookies are seen.
  • Proxy-resistant: Changing IPs does not alter the handshake.
  • Hard to fake: Requires controlling the underlying TLS stack.

Why It Matters for Scraping

TLS fingerprinting is one of the most effective anti-bot layers because it inspects something most scrapers cannot easily change. A request from python-requests looks nothing like Chrome at the TLS level, exposing it instantly. Evasion relies on impersonation libraries such as curl-impersonate and tls-client, or real browser engines that produce authentic handshakes.

Examples

1

A server rejecting connections whose TLS handshake matches python-requests

2

JA4 fingerprints distinguishing Firefox from automation tools

3

tls-client mimicking Chrome's exact cipher suite order to pass detection

Common Use Cases

Blocking scrapers at the connection layer
Distinguishing real browsers from HTTP libraries
Threat intelligence and malware traffic classification
Allowlisting trusted client signatures

Frequently Asked Questions

TLS fingerprinting analyzes the encrypted-connection handshake at the network layer, while browser fingerprinting inspects JavaScript-accessible attributes like canvas, fonts, and screen size in the page.
JA4 is a newer, more robust fingerprinting standard than JA3. It captures additional handshake details and is harder to evade, improving accuracy in detecting automation.

Keep Learning

All terms

SOCKS5

SOCKS5 is the latest version of the SOCKS proxy protocol. It routes any kind of network traffic — TCP and UDP — between a client and a server through a proxy, with optional authentication and no awareness of the underlying application.

Read definition

Web Scraping

Web scraping is the automated extraction of data from websites — fetching pages programmatically and parsing their content into structured data.

Read definition

Browser Fingerprinting

Browser fingerprinting identifies and tracks a device by combining dozens of browser and system attributes — like fonts, canvas rendering and user agent — into a near-unique signature.

Read definition

SSL/TLS

SSL/TLS is the encryption protocol that secures data in transit on the web — the 'S' in HTTPS — protecting it from eavesdropping and tampering.

Read definition
Back to Glossary