docs(bots): document JA3/JA4 unavailability on O2O traffic#31979
docs(bots): document JA3/JA4 unavailability on O2O traffic#31979zeinjaber wants to merge 1 commit into
Conversation
Review✅ No issues found in commit Code ReviewThis code review is in beta and may not always be helpful — use your judgment. No code review issues found. ConventionsNo convention issues found. Style Guide ReviewNo style-guide issues found. CommandsOnly codeowners can run commands. Post a comment with the command to trigger it.
|
|
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
|
Closes DEE-3696
49f05d9 to
5ea74da
Compare
|
Preview URL: https://5ea74daf.preview.developers.cloudflare.com Files with changes (up to 15) |
|
|
||
| ### Orange-to-orange (O2O) traffic | ||
|
|
||
| When traffic routes through an O2O setup — where one Cloudflare zone proxies requests to another — JA3 and JA4 fingerprints may be unavailable. Cloudflare sees only the inner Cloudflare-to-Cloudflare TLS session on the receiving zone, not the original client handshake, so no fingerprint can be derived. |
There was a problem hiding this comment.
Good catch — after checking the existing ja3-ja4-null partial on the live page, the correct behavior is that O2O traffic generally includes JA3/JA4 fingerprints; they're only absent when a Worker is used to route the O2O traffic. The limitation I added was an oversimplification that contradicted the existing docs. Closing this PR — no new section is needed here.
|
Closing this PR — the existing |
Pull request was closed
What
Adds a Limitations section to the JA3/JA4 fingerprint page with a subsection explaining that fingerprints are unavailable on orange-to-orange (O2O) traffic, and recommending alternative bot fields.
Why
When a Cloudflare zone proxies requests to another Cloudflare zone via O2O, the receiving zone sees only the inner Cloudflare-to-Cloudflare TLS session — not the original client handshake — so no JA3/JA4 fingerprint can be derived. Customers using JA3/JA4-based bot rules on O2O-receiving zones see missing fingerprints with no explanation in the docs, leading to confusion and support escalations.
Files changed
src/content/docs/bots/additional-configurations/ja3-ja4-fingerprint/index.mdx— new## Limitationssection with O2O subsection (+9 lines)How to verify
Navigate to /bots/additional-configurations/ja3-ja4-fingerprint/ and confirm the Limitations section appears at the bottom with the O2O explanation and alternative field recommendations.
Closes DEE-3696