Skip to content

rozetyp/rq4

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
src
src
 
 
test
test
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SPEC.md
SPEC.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

RQ4: Request Context Fingerprinting

Detect browser-impersonating bots by analyzing whether HTTP headers are logically consistent with real browser behavior.

RQ4 is an open standard for fingerprinting HTTP clients based on request context validity. It produces a 4-character fingerprint (vvvv, xvvx, ----) indicating whether the request's headers could have been generated by a real browser.

Why

Modern bot tooling can perfectly replicate browser TLS fingerprints (defeating JA3/JA4) and copy browser header sets (defeating JA4H). But these tools set headers statically — the same navigation headers on every request regardless of context. Real browsers are state machines that generate different headers for page loads vs. API calls, GET vs. POST, user-initiated vs. programmatic requests.

RQ4 catches this architectural gap. Zero client-side JavaScript required.

Quick Start

import { computeRQ4, rq4FromRequest } from './src/rq4';

// From a standard Request object
const input = rq4FromRequest(request);
const result = computeRQ4(input);

console.log(result.fingerprint); // "xvvx" — Mode and Transfer dimensions impossible
console.log(result.dimensions.mode.signals); // ["navigate_dest_empty"]

The Four Dimensions

Code Dimension What it checks
M Mode Is Sec-Fetch-Mode × Sec-Fetch-Dest valid per the Fetch spec?
U Upgrade Are Upgrade-Insecure-Requests and Sec-Fetch-User only on navigations?
I Identity Are Sec-CH-UA-* Client Hints consistent with User-Agent?
T Transfer Are Content-Type, Accept, body presence consistent with request context?

Each dimension returns v (valid), x (impossible), or - (indeterminate).

Results

Real browsers: Zero false positives across Chrome, Firefox, Safari, Edge on Windows, macOS, Android, iOS.

Browser impersonation tools (default config): Detected — xvvx or xxvx.

Non-browser clients (curl, Python requests): ---- — indeterminate, not flagged.

Live Demo

Check your own fingerprint: https://rq4.dev

Specification

Read the full spec: SPEC.md

Platform Support

RQ4 runs on any platform with access to HTTP headers:

  • Cloudflare Workers
  • Nginx (ngx_lua / njs)
  • Express / Node.js
  • Vercel Edge Middleware
  • AWS CloudFront (Lambda@Edge)

License

  • Implementation: MIT
  • Specification: CC BY 4.0

Citation

RQ4: Request Context Fingerprinting. Version 1.0, March 2026.
AZ. https://rq4.dev

About

RQ4: Request Context Fingerprinting - detect browser-impersonating bots via HTTP header context analysis

rq4.dev

Topics

security fingerprinting anti-bot bot-detection fraud-detection http-headers cloudflare-workers sec-fetch

Resources

Readme

License

MIT license
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages