From 5ea74dafaf95223723c7de2c335d60324849968e Mon Sep 17 00:00:00 2001 From: zeinjaber Date: Thu, 9 Jul 2026 21:22:13 +0300 Subject: [PATCH] docs(bots): document JA3/JA4 unavailability on O2O traffic Closes DEE-3696 --- .../ja3-ja4-fingerprint/index.mdx | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx b/src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx index b575e485e4d..5002d988f48 100644 --- a/src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx +++ b/src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx @@ -111,3 +111,11 @@ JA3 may also be useful if you want to immediately remedy false positives or fals Often, mobile application traffic will produce the same JA3 fingerprint across devices and users. This means you can identify your mobile application traffic by its JA3 fingerprint. Use the JA3 fingerprint to [allow traffic](/waf/custom-rules/use-cases/challenge-bad-bots/#adjust-for-mobile-traffic) from your mobile application, but block or challenge remaining traffic. + +## Limitations + +### Orange-to-orange (O2O) traffic + +When traffic routes through an O2O setup — where one Cloudflare zone proxies requests to another — JA3 and JA4 fingerprints may be unavailable. Cloudflare sees only the inner Cloudflare-to-Cloudflare TLS session on the receiving zone, not the original client handshake, so no fingerprint can be derived. + +If you rely on JA3/JA4 for bot detection on zones that receive O2O traffic, use `cf.bot_management.verified_bot`, `cf.bot_management.score`, or other bot fields that do not depend on the TLS handshake.