Server-side fingerprinting is limited by deployment reality.
- Header order is usually lost in classic PHP-FPM deployments.
- JA3/JA4 TLS fingerprints are not available to normal PHP behind Nginx, Apache, or IIS.
- Client Hints can be missing because of browser policy.
- CDN and reverse proxies can rewrite headers.
- IP addresses can change frequently.
- Fingerprint collisions and fingerprint drift are expected.
Use the result as one signal in a broader security decision.