Detect browser-impersonating bots by analyzing whether HTTP headers are logically consistent with real browser behavior.
RQ4 is an open standard for fingerprinting HTTP clients based on request context validity. It produces a 4-character fingerprint (vvvv, xvvx, ----) indicating whether the request's headers could have been generated by a real browser.
Modern bot tooling can perfectly replicate browser TLS fingerprints (defeating JA3/JA4) and copy browser header sets (defeating JA4H). But these tools set headers statically — the same navigation headers on every request regardless of context. Real browsers are state machines that generate different headers for page loads vs. API calls, GET vs. POST, user-initiated vs. programmatic requests.
RQ4 catches this architectural gap. Zero client-side JavaScript required.
import { computeRQ4, rq4FromRequest } from './src/rq4';
// From a standard Request object
const input = rq4FromRequest(request);
const result = computeRQ4(input);
console.log(result.fingerprint); // "xvvx" — Mode and Transfer dimensions impossible
console.log(result.dimensions.mode.signals); // ["navigate_dest_empty"]| Code | Dimension | What it checks |
|---|---|---|
| M | Mode | Is Sec-Fetch-Mode × Sec-Fetch-Dest valid per the Fetch spec? |
| U | Upgrade | Are Upgrade-Insecure-Requests and Sec-Fetch-User only on navigations? |
| I | Identity | Are Sec-CH-UA-* Client Hints consistent with User-Agent? |
| T | Transfer | Are Content-Type, Accept, body presence consistent with request context? |
Each dimension returns v (valid), x (impossible), or - (indeterminate).
Real browsers: Zero false positives across Chrome, Firefox, Safari, Edge on Windows, macOS, Android, iOS.
Browser impersonation tools (default config): Detected — xvvx or xxvx.
Non-browser clients (curl, Python requests): ---- — indeterminate, not flagged.
RQ4-S correlates per-request RQ4 across a cookie session to catch the cookie-reuse attack — where a real browser solves a WAF challenge (Imperva reese84, Cloudflare Turnstile, F5 Shape, DataDome) and the resulting session cookies are transferred to an HTTP client (curl_cffi, etc.) for fast automated requests.
Per-request RQ4 detects bot requests in isolation. RQ4-S detects the precise moment a session was hijacked — catching the handoff on the first bot request after cookie transfer, with zero false positives across all tested scenarios (Chrome, Firefox, Safari, Edge, WebView, Service Workers, native apps, header-stripping extensions).
import { computeRQ4, rq4FromRequest } from './src/rq4';
import { trackSession, getSessionId, CloudflareKVStore } from './src/rq4s';
const rq4 = computeRQ4(rq4FromRequest(request));
const sessionId = getSessionId(request.headers.get('cookie') ?? undefined);
if (sessionId) {
const store = new CloudflareKVStore(env.RQ4S_SESSIONS);
const verdict = await trackSession(store, sessionId, rq4);
if (verdict.state === 'transition' || verdict.state === 'compromised') {
return new Response('Forbidden', { status: 403 });
}
}Validated, bidirectionally:
- Detection (April 2026): Caught a curl_cffi cookie-handoff on the first bot request against a production Imperva Incapsula reese84 deployment. Imperva did not flag the same handoff.
- Evasion model (June 2026): The context-aware HTTP client architecture identified in SPEC §6.6 as the only effective RQ4-S bypass was independently observed defeating top-tier commercial within-session bot detection in production testing. The spec's symmetric prediction held — what defeats RQ4-S defeats top-tier commercial equivalents implementing the same signal class.
Relationship to commercial WAFs: Within-session behavioral scoring exists in closed-source products (e.g., DataDome's Agent Trust). RQ4-S formalizes one specific signal — RQ4 fingerprint transitions across a cookie session — as an open standard any deployment can implement without commercial licensing. Same relationship JA3 has to closed-source TLS-fingerprint products.
See SPEC.md §6 for the full specification, empirical results, and evasion analysis.
Check your own fingerprint: https://rq4.dev
Read the full spec: SPEC.md
RQ4 runs on any platform with access to HTTP headers:
- Cloudflare Workers
- Nginx (ngx_lua / njs)
- Express / Node.js
- Vercel Edge Middleware
- AWS CloudFront (Lambda@Edge)
- Implementation: MIT
- Specification: CC BY 4.0
RQ4: Request Context Fingerprinting. Version 2.0, June 2026.
AZ. https://rq4.dev