Skip to content

Commit 5ea74da

Browse files
committed
docs(bots): document JA3/JA4 unavailability on O2O traffic
Closes DEE-3696
1 parent 737863e commit 5ea74da

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

  • src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint

src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -111,3 +111,11 @@ JA3 may also be useful if you want to immediately remedy false positives or fals
111111
Often, mobile application traffic will produce the same JA3 fingerprint across devices and users. This means you can identify your mobile application traffic by its JA3 fingerprint.
112112

113113
Use the JA3 fingerprint to [allow traffic](/waf/custom-rules/use-cases/challenge-bad-bots/#adjust-for-mobile-traffic) from your mobile application, but block or challenge remaining traffic.
114+
115+
## Limitations
116+
117+
### Orange-to-orange (O2O) traffic
118+
119+
When traffic routes through an O2O setup — where one Cloudflare zone proxies requests to another — JA3 and JA4 fingerprints may be unavailable. Cloudflare sees only the inner Cloudflare-to-Cloudflare TLS session on the receiving zone, not the original client handshake, so no fingerprint can be derived.
120+
121+
If you rely on JA3/JA4 for bot detection on zones that receive O2O traffic, use `cf.bot_management.verified_bot`, `cf.bot_management.score`, or other bot fields that do not depend on the TLS handshake.

0 commit comments

Comments
 (0)