Skip to content

docs(bots): document JA3/JA4 unavailability on O2O traffic#31979

Open
zeinjaber wants to merge 1 commit into
productionfrom
docs/DEE-3696-ja3-ja4-o2o-limitation
Open

docs(bots): document JA3/JA4 unavailability on O2O traffic#31979
zeinjaber wants to merge 1 commit into
productionfrom
docs/DEE-3696-ja3-ja4-o2o-limitation

Conversation

@zeinjaber

Copy link
Copy Markdown
Collaborator

What

Adds a Limitations section to the JA3/JA4 fingerprint page with a subsection explaining that fingerprints are unavailable on orange-to-orange (O2O) traffic, and recommending alternative bot fields.

Why

When a Cloudflare zone proxies requests to another Cloudflare zone via O2O, the receiving zone sees only the inner Cloudflare-to-Cloudflare TLS session — not the original client handshake — so no JA3/JA4 fingerprint can be derived. Customers using JA3/JA4-based bot rules on O2O-receiving zones see missing fingerprints with no explanation in the docs, leading to confusion and support escalations.

Files changed

  • src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx — new ## Limitations section with O2O subsection (+9 lines)

How to verify

Navigate to /bots/additional-configurations/ja3-ja4-fingerprint/ and confirm the Limitations section appears at the bottom with the O2O explanation and alternative field recommendations.

Closes DEE-3696

@github-actions github-actions Bot added the product:bots Related to Bots product label Jul 9, 2026
@cloudflare-docs-bot

cloudflare-docs-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review

✅ No issues found in commit 5ea74da.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

No code review issues found.

Conventions

No convention issues found.

Style Guide Review

No style-guide issues found.

Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command Description
/review Runs a review now. Incremental if a prior review exists, full if not.
/full-review Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.
/ignore-review-limit Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal.
/disable-auto-review Stops automatic reviews from triggering on future pushes to this PR. Codeowners can still run /review or /full-review manually.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern Owners
/src/content/docs/bots/ @jinhee-c-lee, @cloudflare/appsec-reviewers, @elithrar, @cloudflare/product-owners, @marinaelmore, @njustus1

@zeinjaber zeinjaber force-pushed the docs/DEE-3696-ja3-ja4-o2o-limitation branch from 49f05d9 to 5ea74da Compare July 9, 2026 18:25
@zeinjaber zeinjaber enabled auto-merge (squash) July 9, 2026 18:27

### Orange-to-orange (O2O) traffic

When traffic routes through an O2O setup — where one Cloudflare zone proxies requests to another — JA3 and JA4 fingerprints may be unavailable. Cloudflare sees only the inner Cloudflare-to-Cloudflare TLS session on the receiving zone, not the original client handshake, so no fingerprint can be derived.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"may be" or "is"?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

product:bots Related to Bots product size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants