Amazon CloudFront now supports JA4 fingerprinting of incoming requests, enabling customers to allow known clients or block requests from malicious clients. The JA4 fingerprint is passed via the Cloudfront-viewer-ja4-fingerprint header. You can inspect the JA4 fingerprints using custom logic on your application web servers or using CloudFront Functions or Lambda@Edge.
A JA4 TLS client fingerprint is a 38-character fingerprint of the TLS Client Hello, the message a client sends to initiate a secure connection. The fingerprint can be used to build a database of known good and bad actors to apply when inspecting HTTP requests. You can add the Cloudfront-viewer-ja4-fingerprint header to an origin request policy and attach the policy to your CloudFront distributions. You can then inspect the header value on your application web servers, or in your Lambda@Edge functions and CloudFront Functions, and compare it against a list of known malware fingerprints to block malicious clients. You can also compare the header value against a list of expected fingerprints to allow only requests bearing those fingerprints.
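The following is an added example of the inspection logic described above, written as a CloudFront Functions viewer-request handler; it is not code from the announcement or from AWS. It assumes the CloudFront Functions event shape (`event.request.headers` with lowercase header names and `{ value: ... }` entries) and the `cloudfront-viewer-ja4-fingerprint` header being present in the event. The fingerprint values in `BLOCKED_JA4` and `ALLOWED_JA4` are constructed placeholders, not real fingerprints of any client or malware family; replace them with fingerprints observed in your own environment.

```javascript
// Added example: JA4 block list / allow list check in a CloudFront Functions
// viewer-request handler. Event shape follows the CloudFront Functions runtime;
// all fingerprint values below are CONSTRUCTED placeholders, not real fingerprints.

// Known-bad JA4 fingerprints, mapped to a label for logging.
// A plain object is used as a set to stay within the CloudFront Functions runtime.
var BLOCKED_JA4 = {
  't13d0000h2_000000000000_000000000000': 'placeholder-bad-client-1',
  't12i0000h1_111111111111_111111111111': 'placeholder-bad-client-2'
};

// Known-good JA4 fingerprints, used when STRICT_ALLOW_LIST is true.
var ALLOWED_JA4 = {
  't13d2222h2_222222222222_222222222222': 'placeholder-approved-app-client'
};

// false: only block-listed fingerprints are rejected (deny-list mode).
// true: everything not on ALLOWED_JA4, including requests without the header, is rejected.
var STRICT_ALLOW_LIST = false;

function has(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key);
}

// Lower-case and trim the header value; an absent or empty value becomes null.
function normalizeFingerprint(value) {
  if (value === undefined || value === null) { return null; }
  var fp = String(value).trim().toLowerCase();
  return fp.length === 0 ? null : fp;
}

// Pure decision function so the policy can be unit-tested without the event wrapper.
// Returns { action: 'allow' | 'block', reason: string }.
function decide(rawFingerprint, strict) {
  var fp = normalizeFingerprint(rawFingerprint);
  if (fp === null) {
    // Missing header: fail closed in strict mode, fail open otherwise.
    return { action: strict ? 'block' : 'allow', reason: 'no-ja4-header' };
  }
  if (has(BLOCKED_JA4, fp)) {
    return { action: 'block', reason: 'blocklist:' + BLOCKED_JA4[fp] };
  }
  if (has(ALLOWED_JA4, fp)) {
    return { action: 'allow', reason: 'allowlist:' + ALLOWED_JA4[fp] };
  }
  return strict
    ? { action: 'block', reason: 'not-on-allowlist' }
    : { action: 'allow', reason: 'unknown-fingerprint' };
}

// CloudFront Functions entry point (viewer-request event).
function handler(event) {
  var request = event.request;
  var header = request.headers['cloudfront-viewer-ja4-fingerprint'];
  var decision = decide(header ? header.value : undefined, STRICT_ALLOW_LIST);

  if (decision.action === 'block') {
    // Reason is logged (CloudWatch via console.log) but not exposed to the client.
    console.log('JA4 block: ' + decision.reason);
    return { statusCode: 403, statusDescription: 'Forbidden' };
  }

  // Annotate the forwarded request so the origin can log the decision
  // alongside its own access logs (hypothetical header name).
  request.headers['x-ja4-decision'] = { value: decision.reason };
  return request;
}
```

Deploy `handler` on the viewer-request event of the distribution; `decide` is kept separate so the block list and allow list logic can be tested locally before the function is published. Note that the handler fails open for requests without the header unless `STRICT_ALLOW_LIST` is enabled, which is the safer default while a fingerprint database is still being built.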
Cloudfront-viewer-ja4-fingerprint headers are available for immediate use in all CloudFront edge locations. You can enable JA4 fingerprint headers in the CloudFront Console or using the AWS SDK. There are no additional fees to use JA4 fingerprint headers. For more information, see the CloudFront Developer Guide.