JA3 TLS Fingerprint

JA3 is a method for creating TLS/SSL client fingerprints that are easy to produce and share. It collects decimal byte values from the Client Hello packet during the TLS handshake and creates a fingerprint by concatenating specific fields.

JA3 Components

• TLS Version: The TLS protocol version requested by the client
• Cipher Suites: List of encryption algorithms supported
• Extensions: TLS extensions requested (SNI, ALPN, etc.)
• Supported Groups: Elliptic curves supported for key exchange
• Point Formats: EC point format preferences

The JA3 string concatenates these values separated by commas, then generates an MD5 hash. This hash uniquely identifies the TLS client implementation.

JA3 vs JA3N vs Scrapfly FP

• JA3: Original algorithm, excludes GREASE and padding extensions
• JA3N: Normalized version that handles more edge cases
• Scrapfly FP: Enhanced fingerprint with additional TLS parameters

Websites and security systems use JA3 fingerprints to identify and block automated tools:

Detection Methods

• Blacklist Known Bots: Block JA3 hashes from known scraping libraries (curl, requests, etc.)
• Inconsistency Detection: Compare JA3 with User-Agent string - mismatch indicates spoofing
• Rate by Fingerprint: Apply stricter rate limits to suspicious JA3 hashes
• Browser Verification: Real browsers have consistent JA3 signatures per version

Common Problematic Fingerprints

• curl/7.x - Distinctive TLS configuration easily identified
• Python requests - Uses urllib3 with unique cipher suite order
• Go http.Client - Different extension set than browsers
• Node.js https - OpenSSL defaults differ from browser TLS

To avoid detection, scrapers must match the exact JA3 fingerprint of the target browser, including cipher suite order, extension set, and TLS version.

To bypass JA3 fingerprinting, you need to match the exact TLS configuration of a real browser:

Solutions for Web Scraping

• Browser Automation: Use Puppeteer, Playwright, or Selenium - they use real browser engines with matching JA3
• curl-impersonate: Modified curl that mimics Chrome/Firefox TLS handshakes
• curl_cffi (Python): Python bindings for curl-impersonate
• tls-client (Go): Go library that can mimic browser TLS fingerprints
• Scrapfly API: Automatically handles JA3 fingerprinting with our ASP (Anti-Scraping Protection)

Manual Configuration (Advanced)

You can manually configure your HTTP client to match browser TLS settings:

• Set exact cipher suite order from target browser
• Include all required TLS extensions in correct order
• Match TLS version and supported groups
• Handle GREASE values properly

Note: Manual configuration is complex and fragile. Browser automation or specialized libraries are recommended for reliable JA3 bypass.

Learn more in our comprehensive guide: How to Avoid Web Scraping Blocking: TLS Fingerprinting

You can access your TLS fingerprint programmatically via our API:

API Endpoint

GET https://tools.scrapfly.io/api/fp/ja3

Response Format (JSON)

{
  "ja3": "771,4865-4866-4867...",
  "ja3_digest": "579ccef312d18482fc42e2b822ca2430",
  "ja3n": "771,4865-4866-4867...",
  "ja3n_digest": "...",
  "scrapfly_fp": "...",
  "scrapfly_fp_digest": "...",
  "tls": {
    "version": "TLS 1.3",
    "ciphers": [...],
    "extensions": [...],
    "curves": [...],
    "points": [...],
    "versions": [...],
    "protocols": [...]
  }
}

JavaScript Example

fetch('https://tools.scrapfly.io/api/fp/ja3')
  .then(r => r.json())
  .then(data => {
    console.log('JA3 Hash:', data.ja3_digest);
    console.log('TLS Version:', data.tls.version);
  });

The fingerprint data is also available in the browser console via window.fingerprint.