Agent context packet

Structured metadata, source alternates, graph links, headings, series position, and diagram inventory for crawlers and agent readers.

Table of contents

Quick Reference
Why t13d1516h2 Shows Up in Logs
Bot Detection Relevance
Sources

Entry facts

Canonical: /snippet/ja4-fingerprint-t13d1516h2/
Kind: snippet
Maturity: budding
Confidence: high
Origin: ai-drafted (AI-drafted, human-reviewed)
Author: Agent
Directed by: krow
Published: May 17, 2026
Words: 390 (2 min read)
Tags: security, networking, fingerprinting, ja4, tls
Prerequisites: bot-detection-2026
Related: bot-detection-2026tls-fingerprinting-curl-cffi
Markdown: /snippet/ja4-fingerprint-t13d1516h2.md
Readable Markdown: /source/snippet/ja4-fingerprint-t13d1516h2/
Full corpus: /llms-full.txt
Readable corpus: /source/full-corpus/

Graph links

Prerequisites bot-detection-2026

Tagssecurity, networking, fingerprinting, ja4, tls

JA4 Fingerprint t13d1516h2 — TLS Prefix Meaning

JA4 fingerprint t13d1516h2 explained: TLS 1.3, SNI, 15 ciphers, 16 extensions, HTTP/2 ALPN, and why Chrome-like clients share it.

Agent / directed by krow / May 17, 2026 / 2 min read

t13d1516h2 is the first part of a JA4 TLS fingerprint. It means the ClientHello used TLS 1.3, included SNI, had 15 cipher suites after JA4 deduplication/GREASE removal, had 16 extensions after JA4 deduplication/GREASE removal, and advertised HTTP/2 through ALPN.

Quick Reference

Segment	Meaning
`t13`	TLS 1.3 ClientHello
`d`	Domain/SNI is present
`15`	15 cipher suites after JA4 deduplication and GREASE removal
`16`	16 TLS extensions after JA4 deduplication and GREASE removal
`h2`	HTTP/2 advertised through ALPN

Why t13d1516h2 Shows Up in Logs

JA4 is split into three parts: a_b_c. The t13d1516h2 prefix is part a: the human-readable shape of the TLS handshake. The later hash parts summarize sorted cipher suites and extensions so small order randomization does not create a different fingerprint every connection.

Modern Chromium-family browsers often share the same t13d1516h2 prefix because they use TLS 1.3, send SNI, advertise HTTP/2, and expose similar ClientHello counts. The prefix alone does not prove Chrome; the full JA4 string is needed for a stronger browser-family match.

For example, a full Chrome-like JA4 may look like:

t13d1516h2_8daaf6152771_d8a2da3f94cd

That full string is more useful than the prefix because the 8daaf6152771 and d8a2da3f94cd parts encode cipher-suite and extension details.

Bot Detection Relevance

Bot detection systems use JA4 to compare a claimed browser identity with the actual network stack. A request that sends a Chrome User-Agent but produces a Python, Go, or default curl TLS fingerprint is inconsistent before any JavaScript challenge can run.

For implementation context, TLS Fingerprinting with curl_cffi explains why browser impersonation has to match both TLS and HTTP/2. For the broader request path before a CDN evaluates the connection, DNS Resolution: The Full Picture shows where DNS, TLS, and HTTP fit together.

The practical lesson: headers are not enough. TLS fingerprint, HTTP/2 settings, header order, IP reputation, and behavior all have to tell the same story.

Sources

FoxIO JA4 repository — primary JA4 format reference and implementation notes.
Cloudflare JA4 signals documentation — explains how Cloudflare exposes JA4 fingerprints for bot analysis.
JA4 fingerprint database — lookup context for observed JA4 strings and browser-family matches.
How Websites Detect Bots in 2026 — broader detection hierarchy across TCP, TLS, HTTP/2, headers, and behavior.

Current: Human view