
Spike: Investigate JA4 fingerprint CloudFront Header #1038

@owaincuvelier

Description


Context

It's possible that bad actors can be identified from clues in the TLS/HTTPS fingerprint. CloudFront introduced a header, which you can enable at no additional cost, that adds the JA4 fingerprint: https://aws.amazon.com/about-aws/whats-new/2024/10/amazon-cloudfront-ja4-fingerprinting/

I'm thinking we enable this and see if it can help us mitigate bad actors.

We need to investigate and determine the value that the JA4 fingerprint will bring to us. This will help us know whether to enable it or not. Also check if AWS has added extra functionality to JA4 fingerprinting since this post: https://aws.amazon.com/about-aws/whats-new/2024/10/amazon-cloudfront-ja4-fingerprinting/.

Also check out the JA4+ fingerprinting write-up: https://blog.foxio.io/ja4+-network-fingerprinting

Current Behaviour

Any TLS/HTTPS fingerprinting is hidden under the hood of CloudFront and is not visible to us.

Improved Behaviour

Enabling this header will provide additional data (the JA4 fingerprint of each viewer connection) in our CloudFront logs.

We can also rate limit based on the JA4 fingerprint.

Impact

We can use the additional data in CloudFront logs as part of incident response. Being able to identify and block a bad actor based on a JA4 fingerprint reduces the impact of an incident, which improves customer satisfaction. The additional data might also help us identify bad actors sooner.
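As an added illustration (not part of this ticket or of any AWS tooling), the kind of check that could run over CloudFront logs once the header is enabled: validate that a logged value has the JA4 hashed format described in the FoxIO write-up linked above, then group requests by fingerprint and report fingerprints that exceed a request threshold along with how many distinct client IPs share them. The tab-separated log layout and the sample lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# JA4 hashed form, e.g. t13d1516h2_8daaf6152771_b0da82dd1658:
# JA4_a = protocol, TLS version, SNI flag, cipher count, extension count, ALPN;
# JA4_b / JA4_c = truncated SHA-256 of sorted ciphers / extensions (12 hex chars each).
JA4_RE = re.compile(
    r"^(?P<proto>[tq])(?P<ver>13|12|11|10|s3|s2|00)(?P<sni>[di])"
    r"(?P<ciphers>\d{2})(?P<exts>\d{2})(?P<alpn>[0-9a-z]{2})"
    r"_(?P<b>[0-9a-f]{12})_(?P<c>[0-9a-f]{12})$"
)

@dataclass
class JA4:
    protocol: str       # "t" = TCP/TLS, "q" = QUIC
    tls_version: str    # "13" = TLS 1.3, "12" = TLS 1.2, ...
    sni_present: bool   # "d" = SNI carries a domain, "i" = IP / no SNI
    cipher_count: int
    extension_count: int
    alpn: str           # first and last char of the ALPN value, "00" if none
    cipher_hash: str
    extension_hash: str

def parse_ja4(value: str) -> Optional[JA4]:
    """Return the parsed JA4 or None if the value is not a well-formed JA4 string."""
    m = JA4_RE.match(value.strip())
    if not m:
        return None
    return JA4(m["proto"], m["ver"], m["sni"] == "d", int(m["ciphers"]),
               int(m["exts"]), m["alpn"], m["b"], m["c"])

# Constructed sample log (assumed layout): timestamp <TAB> client IP <TAB> JA4 value.
SAMPLE_LOG = "\n".join([
    "2024-11-01T10:00:00Z\t198.51.100.7\tt13d1516h2_8daaf6152771_b0da82dd1658",
    "2024-11-01T10:00:01Z\t198.51.100.8\tt13d1516h2_8daaf6152771_b0da82dd1658",
    "2024-11-01T10:00:01Z\t198.51.100.9\tt13d1516h2_8daaf6152771_b0da82dd1658",
    "2024-11-01T10:00:02Z\t203.0.113.5\tt13d1516h2_8daaf6152771_b0da82dd1658",
    "2024-11-01T10:00:02Z\t203.0.113.6\tt13d1516h2_8daaf6152771_b0da82dd1658",
    "2024-11-01T10:00:03Z\t203.0.113.7\tt13d1517h2_a0b1c2d3e4f5_0123456789ab",
    "2024-11-01T10:00:04Z\t203.0.113.8\tnot-a-fingerprint",  # malformed, skipped
])

def fingerprints_over_threshold(log_text: str, threshold: int) -> Dict[str, Tuple[int, int]]:
    """Map each JA4 seen at least `threshold` times to (request count, distinct client IPs)."""
    counts: Counter = Counter()
    ips = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or parse_ja4(fields[2]) is None:
            continue
        counts[fields[2]] += 1
        ips[fields[2]].add(fields[1])
    # A fingerprint shared by many IPs is one client implementation, not one host;
    # popular browsers share JA4 too, so a hit here is a lead to review, not a verdict.
    return {fp: (n, len(ips[fp])) for fp, n in counts.items() if n >= threshold}
```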

Possible Solutions

Should be as simple as enabling the header via the CloudFront configuration.

Acceptance Criteria

  • A summary of what the JA4 fingerprint is and what value it brings to us especially around DDoS attacks and traffic security.
  • Implementation options to use this to improve security and cost implications (if any)
  • Create ticket to implement this feature if investigation summary and team review advises a go-ahead

Timebox: 1 day

For Altis Team Use

Ready for Work Checklist

Is this ticket ready to be worked on? See the Play Book Definition of Ready.

  • Is the title clear?
  • Is the description clear and detailed enough?
  • Are acceptance criteria listed?
  • Have any dependencies been identified? (Optional)
  • Have any documentation/playbook changes been identified? (Optional)
  • Is an estimate or time box assigned?
  • Is a priority label assigned?
  • Is this ticket added to a milestone?
  • Is this ticket added to an epic? (Optional)

Completion Checklist

Is this ticket done? See the Play Book Definition of Done.

  • Has the acceptance criteria been met?
  • Is the documentation updated (including README)?
  • Do any code/documentation changes meet project standards?
  • Are automatic tests in place to verify the fix or new functionality?
    • Or are manual tests documented (at least on this ticket)?
  • Are any Playbook/Handbook pages updated?
  • Has a new module release (patch/minor) been created/scheduled?
  • Have the appropriate backport labels been added to the PR?
  • Is there a roll-out (and roll-back) plan if required?

Labels: could have (Could be done, or nice to have, low priority for now)