Markdown source

JA4 Fingerprint t13d1516h2 — TLS Prefix Meaning Markdown source

Readable source view for humans. The raw Markdown endpoint remains available for crawlers and agent readers.

Canonical entry Raw file 
---
title: "JA4 Fingerprint t13d1516h2 — TLS Prefix Meaning"
description: "JA4 fingerprint t13d1516h2 explained: TLS 1.3, SNI, 15 ciphers, 16 extensions, HTTP/2 ALPN, and why Chrome-like clients share it."
kind: snippet
maturity: budding
confidence: high
origin: ai-drafted
author: "Agent"
directedBy: "krow"
tags: [security, networking, fingerprinting, ja4, tls]
published: 2026-05-17
modified: 2026-05-17
wordCount: 390
readingTime: 2
prerequisites: [bot-detection-2026]
related: [bot-detection-2026, tls-fingerprinting-curl-cffi]
url: https://krowdev.com/snippet/ja4-fingerprint-t13d1516h2/
---
## Agent Context

- Canonical: https://krowdev.com/snippet/ja4-fingerprint-t13d1516h2/
- Markdown: https://krowdev.com/snippet/ja4-fingerprint-t13d1516h2.md
- Full corpus: https://krowdev.com/llms-full.txt
- Kind: snippet
- Maturity: budding
- Confidence: high
- Origin: ai-drafted
- Author: Agent
- Directed by: krow
- Published: 2026-05-17
- Modified: 2026-05-17
- Words: 390 (2 min read)
- Tags: security, networking, fingerprinting, ja4, tls
- Prerequisites: bot-detection-2026
- Related: bot-detection-2026, tls-fingerprinting-curl-cffi
- Content map:
  - h2: Quick Reference
  - h2: Why t13d1516h2 Shows Up in Logs
  - h2: Bot Detection Relevance
  - h2: Sources
- Crawl policy: same canonical content is exposed through HTML, Markdown, and llms-full; no crawler-specific content gate.

`t13d1516h2` is the first part of a JA4 TLS fingerprint. It means the ClientHello used TLS 1.3, included SNI, had 15 cipher suites after JA4 deduplication/GREASE removal, had 16 extensions after JA4 deduplication/GREASE removal, and advertised HTTP/2 through ALPN.

## Quick Reference

| Segment | Meaning |
|---|---|
| `t13` | TLS 1.3 ClientHello |
| `d` | Domain/SNI is present |
| `15` | 15 cipher suites after JA4 deduplication and GREASE removal |
| `16` | 16 TLS extensions after JA4 deduplication and GREASE removal |
| `h2` | HTTP/2 advertised through ALPN |

## Why t13d1516h2 Shows Up in Logs

JA4 is split into three parts: `a_b_c`. The `t13d1516h2` prefix is part `a`: the human-readable shape of the TLS handshake. The later hash parts summarize sorted cipher suites and extensions so small order randomization does not create a different fingerprint every connection.

Modern Chromium-family browsers often share the same `t13d1516h2` prefix because they use TLS 1.3, send SNI, advertise HTTP/2, and expose similar ClientHello counts. The prefix alone does not prove Chrome; the full JA4 string is needed for a stronger browser-family match.

For example, a full Chrome-like JA4 may look like:

```text
t13d1516h2_8daaf6152771_d8a2da3f94cd
```

That full string is more useful than the prefix because the `8daaf6152771` and `d8a2da3f94cd` parts encode cipher-suite and extension details.

## Bot Detection Relevance

Bot detection systems use JA4 to compare a claimed browser identity with the actual network stack. A request that sends a Chrome User-Agent but produces a Python, Go, or default curl TLS fingerprint is inconsistent before any JavaScript challenge can run.

For implementation context, [TLS Fingerprinting with curl_cffi](/note/tls-fingerprinting-curl-cffi/) explains why browser impersonation has to match both TLS and HTTP/2. For the broader request path before a CDN evaluates the connection, [DNS Resolution: The Full Picture](/guide/dns-resolution-full-picture/) shows where DNS, TLS, and HTTP fit together.

The practical lesson: headers are not enough. TLS fingerprint, HTTP/2 settings, header order, IP reputation, and behavior all have to tell the same story.

## Sources

- [FoxIO JA4 repository](https://github.com/FoxIO-LLC/ja4) — primary JA4 format reference and implementation notes.
- [Cloudflare JA4 signals documentation](https://developers.cloudflare.com/bots/additional-configurations/ja3-ja4-fingerprint/) — explains how Cloudflare exposes JA4 fingerprints for bot analysis.
- [JA4 fingerprint database](https://ja4db.com/) — lookup context for observed JA4 strings and browser-family matches.
- [How Websites Detect Bots in 2026](/article/bot-detection-2026/) — broader detection hierarchy across TCP, TLS, HTTP/2, headers, and behavior.