Skip to content

rozetyp/rq4

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

RQ4: Request Context Fingerprinting

Detect browser-impersonating bots by analyzing whether HTTP headers are logically consistent with real browser behavior.

RQ4 is an open standard for fingerprinting HTTP clients based on request context validity. It produces a 4-character fingerprint (vvvv, xvvx, ----) indicating whether the request's headers could have been generated by a real browser.

Why

Modern bot tooling can perfectly replicate browser TLS fingerprints (defeating JA3/JA4) and copy browser header sets (defeating JA4H). But these tools set headers statically — the same navigation headers on every request regardless of context. Real browsers are state machines that generate different headers for page loads vs. API calls, GET vs. POST, user-initiated vs. programmatic requests.

RQ4 catches this architectural gap. Zero client-side JavaScript required.

Quick Start

import { computeRQ4, rq4FromRequest } from './src/rq4';

// From a standard Request object
const input = rq4FromRequest(request);
const result = computeRQ4(input);

console.log(result.fingerprint); // "xvvx" — Mode and Transfer dimensions impossible
console.log(result.dimensions.mode.signals); // ["navigate_dest_empty"]

The Four Dimensions

Code Dimension What it checks
M Mode Is Sec-Fetch-Mode × Sec-Fetch-Dest valid per the Fetch spec?
U Upgrade Are Upgrade-Insecure-Requests and Sec-Fetch-User only on navigations?
I Identity Are Sec-CH-UA-* Client Hints consistent with User-Agent?
T Transfer Are Content-Type, Accept, body presence consistent with request context?

Each dimension returns v (valid), x (impossible), or - (indeterminate).

Results

Real browsers: Zero false positives across Chrome, Firefox, Safari, Edge on Windows, macOS, Android, iOS.

Browser impersonation tools (default config): Detected — xvvx or xxvx.

Non-browser clients (curl, Python requests): ---- — indeterminate, not flagged.

RQ4-S: Session-Level Extension (v2.0)

RQ4-S correlates per-request RQ4 across a cookie session to catch the cookie-reuse attack — where a real browser solves a WAF challenge (Imperva reese84, Cloudflare Turnstile, F5 Shape, DataDome) and the resulting session cookies are transferred to an HTTP client (curl_cffi, etc.) for fast automated requests.

Per-request RQ4 detects bot requests in isolation. RQ4-S detects the precise moment a session was hijacked — catching the handoff on the first bot request after cookie transfer, with zero false positives across all tested scenarios (Chrome, Firefox, Safari, Edge, WebView, Service Workers, native apps, header-stripping extensions).

import { computeRQ4, rq4FromRequest } from './src/rq4';
import { trackSession, getSessionId, CloudflareKVStore } from './src/rq4s';

const rq4 = computeRQ4(rq4FromRequest(request));
const sessionId = getSessionId(request.headers.get('cookie') ?? undefined);
if (sessionId) {
  const store = new CloudflareKVStore(env.RQ4S_SESSIONS);
  const verdict = await trackSession(store, sessionId, rq4);
  if (verdict.state === 'transition' || verdict.state === 'compromised') {
    return new Response('Forbidden', { status: 403 });
  }
}

Validated, bidirectionally:

  • Detection (April 2026): Caught a curl_cffi cookie-handoff on the first bot request against a production Imperva Incapsula reese84 deployment. Imperva did not flag the same handoff.
  • Evasion model (June 2026): The context-aware HTTP client architecture identified in SPEC §6.6 as the only effective RQ4-S bypass was independently observed defeating top-tier commercial within-session bot detection in production testing. The spec's symmetric prediction held — what defeats RQ4-S defeats top-tier commercial equivalents implementing the same signal class.

Relationship to commercial WAFs: Within-session behavioral scoring exists in closed-source products (e.g., DataDome's Agent Trust). RQ4-S formalizes one specific signal — RQ4 fingerprint transitions across a cookie session — as an open standard any deployment can implement without commercial licensing. Same relationship JA3 has to closed-source TLS-fingerprint products.

See SPEC.md §6 for the full specification, empirical results, and evasion analysis.

Live Demo

Check your own fingerprint: https://rq4.dev

Specification

Read the full spec: SPEC.md

Platform Support

RQ4 runs on any platform with access to HTTP headers:

  • Cloudflare Workers
  • Nginx (ngx_lua / njs)
  • Express / Node.js
  • Vercel Edge Middleware
  • AWS CloudFront (Lambda@Edge)

License

  • Implementation: MIT
  • Specification: CC BY 4.0

Citation

RQ4: Request Context Fingerprinting. Version 2.0, June 2026.
AZ. https://rq4.dev

About

RQ4: Request Context Fingerprinting - detect browser-impersonating bots via HTTP header context analysis

Topics

Resources

License

Stars

6 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors