What is JA3 Fingerprint?
A JA3 fingerprint is a 32-character MD5 hash computed from five fields of a TLS ClientHello: version, cipher suites, extensions, elliptic curves, and curve point formats. It condenses a client's TLS negotiation behavior into a single comparable value that identifies the software stack making a connection.
How a JA3 fingerprint is computed
JA3 reads the ClientHello at the start of a TLS connection and extracts five fields: the TLS version, the list of cipher suites, the list of extensions, the supported elliptic curves, and the elliptic curve point formats. Each field's values are written as decimal numbers joined by dashes, the five fields are joined with commas, and the resulting string is hashed with MD5 into a fixed 32-character value. Any client built on the same TLS library, version, and configuration produces the same hash on every connection.
A companion, JA3S, applies the same idea to the server's ServerHello, hashing the negotiated version, chosen cipher, and extensions. The JA3/JA3S pair characterizes both ends of a session, and the method has been widely deployed in intrusion detection, CDN, and anti-bot tooling since it was published in 2017.
Why it matters for scraping and proxies
Because the default hashes of popular HTTP libraries are publicly catalogued, a scraper running library defaults effectively announces its tooling on every connection. Defenders maintain lists of JA3 values associated with automation and either block them outright or weight them heavily in risk scoring, and they cross-check the hash against the claimed User-Agent: a Chrome header arriving with a script-library JA3 is an immediate contradiction.
IP rotation does not affect any of this. The hash is generated by the client's TLS stack and travels with every connection through any proxy, so a flagged JA3 stays flagged from every exit IP until the client software itself changes.
Practical notes and misconceptions
JA3 identifies software, not individuals — every user of a given browser release shares one hash, which is precisely why an uncommon hash stands out. The method is also aging: Chrome began randomizing ClientHello extension order in 2023, which scrambles JA3 values between connections from the same browser and led to JA4, a successor that sorts extensions before hashing and encodes additional context. Many detection stacks now compute both.
For scraping clients, the fix lives at the handshake layer: use a real browser, or a TLS-impersonation client whose hash matches the browser your headers claim to be.
JA3 Fingerprint, answered
Is a JA3 hash unique to an individual user?
What replaced JA3 after browsers randomized TLS extensions?
Related terms
Theory covered. Now route something. Start free.
Residential, ISP, mobile and IPv6 networks under one account — test the concepts on real infrastructure.