Skip to content

docs(bots): document JA3/JA4 unavailability on O2O traffic#31979

Closed
zeinjaber wants to merge 1 commit into
productionfrom
docs/DEE-3696-ja3-ja4-o2o-limitation
Closed

docs(bots): document JA3/JA4 unavailability on O2O traffic#31979
zeinjaber wants to merge 1 commit into
productionfrom
docs/DEE-3696-ja3-ja4-o2o-limitation

Conversation

@zeinjaber

Copy link
Copy Markdown
Collaborator

What

Adds a Limitations section to the JA3/JA4 fingerprint page with a subsection explaining that fingerprints are unavailable on orange-to-orange (O2O) traffic, and recommending alternative bot fields.

Why

When a Cloudflare zone proxies requests to another Cloudflare zone via O2O, the receiving zone sees only the inner Cloudflare-to-Cloudflare TLS session — not the original client handshake — so no JA3/JA4 fingerprint can be derived. Customers using JA3/JA4-based bot rules on O2O-receiving zones see missing fingerprints with no explanation in the docs, leading to confusion and support escalations.

Files changed

  • src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx — new ## Limitations section with O2O subsection (+9 lines)

How to verify

Navigate to /bots/additional-configurations/ja3-ja4-fingerprint/ and confirm the Limitations section appears at the bottom with the O2O explanation and alternative field recommendations.

Closes DEE-3696

@github-actions github-actions Bot added the product:bots Related to Bots product label Jul 9, 2026
@cloudflare-docs-bot

cloudflare-docs-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review

✅ No issues found in commit 5ea74da.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

No code review issues found.

Conventions

No convention issues found.

Style Guide Review

No style-guide issues found.

Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command Description
/review Runs a review now. Incremental if a prior review exists, full if not.
/full-review Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.
/ignore-review-limit Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal.
/disable-auto-review Stops automatic reviews from triggering on future pushes to this PR. Codeowners can still run /review or /full-review manually.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern Owners
/src/content/docs/bots/ @jinhee-c-lee, @cloudflare/appsec-reviewers, @elithrar, @cloudflare/product-owners, @marinaelmore, @njustus1

@zeinjaber zeinjaber force-pushed the docs/DEE-3696-ja3-ja4-o2o-limitation branch from 49f05d9 to 5ea74da Compare July 9, 2026 18:25
@zeinjaber zeinjaber enabled auto-merge (squash) July 9, 2026 18:27

### Orange-to-orange (O2O) traffic

When traffic routes through an O2O setup — where one Cloudflare zone proxies requests to another — JA3 and JA4 fingerprints may be unavailable. Cloudflare sees only the inner Cloudflare-to-Cloudflare TLS session on the receiving zone, not the original client handshake, so no fingerprint can be derived.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"may be" or "is"?

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — after checking the existing ja3-ja4-null partial on the live page, the correct behavior is that O2O traffic generally includes JA3/JA4 fingerprints; they're only absent when a Worker is used to route the O2O traffic. The limitation I added was an oversimplification that contradicted the existing docs. Closing this PR — no new section is needed here.

@zeinjaber

Copy link
Copy Markdown
Collaborator Author

Closing this PR — the existing ja3-ja4-null partial already documents the O2O behavior correctly: fingerprints are absent only when a Worker is used to route O2O traffic, not for O2O traffic in general. The Limitations section I added oversimplified this and contradicted the existing docs. No new section is needed.

@zeinjaber zeinjaber closed this Jul 13, 2026
auto-merge was automatically disabled July 13, 2026 11:09

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

product:bots Related to Bots product size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants