diff --git a/src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx b/src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx index b575e485e4d..5002d988f48 100644 --- a/src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx +++ b/src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx @@ -111,3 +111,11 @@ JA3 may also be useful if you want to immediately remedy false positives or fals Often, mobile application traffic will produce the same JA3 fingerprint across devices and users. This means you can identify your mobile application traffic by its JA3 fingerprint. Use the JA3 fingerprint to [allow traffic](/waf/custom-rules/use-cases/challenge-bad-bots/#adjust-for-mobile-traffic) from your mobile application, but block or challenge remaining traffic. + +## Limitations + +### Orange-to-orange (O2O) traffic + +When traffic routes through an O2O setup — where one Cloudflare zone proxies requests to another — JA3 and JA4 fingerprints may be unavailable. Cloudflare sees only the inner Cloudflare-to-Cloudflare TLS session on the receiving zone, not the original client handshake, so no fingerprint can be derived. + +If you rely on JA3/JA4 for bot detection on zones that receive O2O traffic, use `cf.bot_management.verified_bot`, `cf.bot_management.score`, or other bot fields that do not depend on the TLS handshake.