This checklist maps the technical specification to the current repository implementation.
- Composer package metadata for `globus-studio/fingerprint` with PSR-4 namespace `GlobusStudio\\Fingerprint\\`.
- PHP 8.3 to PHP 8.5 compatible strict-typed source files.
- Privacy profiles: `strict`, `balanced`, `maximum`, `custom`.
- Production secret validation and development hashing mode.
- HMAC-SHA-256 hasher, optional Sodium hasher, canonical JSON payloads, algorithm and key versioning.
- Request abstractions for native PHP arrays plus PSR-7, PSR-15, Symfony, Laravel, Laminas, and Slim-style adapters.
- Header, network, proxy, server, framework, TLS, cookie, and header order collectors.
- User-Agent, Accept, Accept-Language, Accept-Encoding, Client Hints, IP, CIDR, and canonical JSON normalization.
- Trusted proxy model with explicit CIDR allowlist and trusted forwarded headers.
- Full IP excluded from `strict` and `balanced` profiles by default.
- Authorization, cookie, token, CSRF, API key, and secret-like headers denied by default.
- Cookie allowlist with presence, hash, and normalized modes.
- Fingerprint result with ID, version, profile, scores, signals, environment, diagnostics, TTL, expiration, safe export, storage export, and data portability export.
- Redaction interface and default redactor for safe output.
- Confidence, entropy, stability, and risk scoring.
- Fingerprint matcher with exact, partial, distance, changed signal, stable signal, volatile change, and risk reason support.
- PSR-15-compatible middleware without hard PSR dependency.
- In-memory storage implementation and storage interface.
- Diagnostics for unavailable collectors and warnings.
- PSR-3-compatible logger hook through `FingerprintBuilder::withLogger()`.
- Header and value normalization.
- User-Agent derived browser, OS, engine, device, and bot signals.
- IPv4 and IPv6 prefixing, CIDR matching, IP classification.
- Stable balanced fingerprints and deterministic golden fixtures.
- Strict and balanced privacy behavior for full IP exclusion.
- Explicit maximum-profile full IP inclusion.
- Optional header order hashing.
- Authorization, cookie, API key, raw IP, and raw cookie redaction.
- Trusted proxy and spoofed `X-Forwarded-For` behavior.
- Cookie hash and normalized modes.
- TLS protocol, cipher, and client certificate safe handling.
- TTL, expiration, safe output, storage output, and export output.
- Custom redactor behavior.
- Logger behavior for collector failures.
- PSR-7, PSR-15, Symfony, Laravel, Laminas, and Slim adapter paths.
- Matcher levels and unknown comparison behavior.
- In-memory storage behavior.
- Golden fixtures for Nginx Chrome, Apache Firefox, IIS Edge, Cloudflare Safari, mobile Chrome, curl, and bot client.
- `composer validate --strict` passes.
- `composer test` passes.
- `composer analyse` passes at PHPStan max level.
- `composer cs` passes.
- `composer test:coverage` passes with line coverage above the 85% core target.
- Privacy and legal cautions.
- Configuration examples and profiles.
- Signal dictionary and denied headers.
- Trusted proxy model.
- Server notes for Nginx, Apache, IIS, Caddy, LiteSpeed, OpenResty, FrankenPHP, RoadRunner, and Swoole.
- Limitations for header order, JA3/JA4, Client Hints, CDN rewrites, IP drift, and collision risk.
- Algorithm versioning policy.
- Testing workflow.
- Real header order behavior across all production SAPI/server combinations.
- JA3/JA4 values from a trusted reverse proxy, WAF, CDN, or custom infrastructure header.
- CDN provider CIDR freshness in production.
- End-to-end behavior through real Nginx, Apache, IIS, Cloudflare, Fastly, Akamai, AWS ALB, RoadRunner, and Swoole deployments.
- Legal compliance in a specific product and jurisdiction.
- Production latency under real workload and hardware.