Inferensys

Glossary

Bot Signature

A composite fingerprint derived from a combination of HTTP header order, TLS handshake parameters, and TCP/IP stack attributes that uniquely identifies a specific automated agent or crawler family.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
DEFINITION

What is Bot Signature?

A bot signature is a composite fingerprint used to uniquely identify a specific automated agent or crawler family by analyzing the unique characteristics of its network stack and HTTP client implementation.

A bot signature is a composite fingerprint derived from the unique combination of HTTP header order, TLS handshake parameters, and TCP/IP stack attributes that distinguishes one automated agent from another. Unlike a simple User-Agent string, which is easily spoofed, a signature analyzes the immutable quirks of a client's network implementation to establish a persistent identity.

This technique relies on passive OS fingerprinting and TLS fingerprinting (JA4) to examine elements like cipher suite order, extension lists, and initial TTL values. By cross-referencing these attributes against known crawler profiles, edge bot management systems can assign a bot score and enforce access policies even when the User-Agent header is falsified.

FINGERPRINTING

Key Characteristics of Bot Signatures

A bot signature is a composite fingerprint derived from multiple layers of the network stack and application protocol. Unlike a simple User-Agent string, a robust signature combines passive OS attributes, TLS handshake parameters, and HTTP header ordering to uniquely identify an automated agent family, even when it attempts to spoof its identity.

01

TCP/IP Stack Attributes

The foundation of passive OS fingerprinting, analyzing network-layer parameters that are difficult for bots to modify without kernel-level access.

  • Initial TTL (Time-to-Live): The starting value decremented by each hop. Linux bots typically use 64, Windows uses 128, and embedded devices may use 255.
  • TCP Window Size: The receive buffer size advertised in the SYN packet. This value is often unique to specific OS versions and kernel configurations.
  • Don't Fragment (DF) Flag: Whether the IP packet sets the DF bit, a behavior that varies predictably across operating systems.
  • TCP Options Ordering: The sequence and values of options like Maximum Segment Size (MSS), Window Scale, and Selective Acknowledgments (SACK) form a distinctive stack signature.
64/128
Common Initial TTL Values
02

TLS Handshake Fingerprinting (JA4)

The TLS Client Hello message reveals the client's capabilities before any encrypted channel is established. JA4 is the modern standardized method for hashing these parameters into a compact fingerprint.

  • Cipher Suite Order: The prioritized list of cryptographic algorithms the client supports. Bots often use a limited, library-default set distinct from browsers.
  • Supported Extensions: The specific TLS extensions and their order, such as Server Name Indication (SNI), Application-Layer Protocol Negotiation (ALPN), and supported groups.
  • Elliptic Curve Preferences: The named curves the client offers for key exchange. Common browser curves differ from those in Python's requests library or Go's crypto/tls.
  • GREASE Values: Legitimate browsers inject random, invalid extension IDs to prevent protocol ossification. The absence of GREASE is a strong indicator of automation.
JA4
Modern Fingerprint Hash Standard
03

HTTP Header Order & Structure

The sequence, casing, and presence of HTTP request headers create a high-level signature that varies significantly between browser engines and HTTP client libraries.

  • Header Ordering: Browsers send headers in a specific, engine-defined sequence (e.g., Host, Connection, sec-ch-ua, User-Agent). Python's requests library uses an entirely different, alphabetical order.
  • Header Casing: Variations like Content-Type vs. Content-type are library-specific artifacts.
  • Accept-Language Precision: Bots often send generic en-US or * values, while real browsers transmit nuanced, user-configured language quality values (q-factors).
  • Connection Header: The presence and value of Connection: keep-alive and related keep-alive headers differ between persistent browser sessions and stateless scripted requests.
Sec-CH-UA
Client Hint Header
04

HTTP/2 & HTTP/3 Settings

Modern protocols expose additional fingerprinting surfaces through their connection-level settings and frame sequencing.

  • SETTINGS Frame Values: HTTP/2 clients exchange a SETTINGS frame immediately after the preface. The specific parameters (e.g., SETTINGS_MAX_CONCURRENT_STREAMS, SETTINGS_INITIAL_WINDOW_SIZE) and their values are highly characteristic of the client library.
  • Stream Prioritization: The weight and dependency tree logic used to prioritize resource loading. Browsers implement complex, heuristic-based trees; scripts rarely implement prioritization at all.
  • Pseudo-Header Order: The sequence of :method, :path, :scheme, and :authority pseudo-headers is strictly defined but can vary in edge cases across implementations.
  • QUIC Version Negotiation: For HTTP/3, the specific QUIC transport parameters and version negotiation behavior provide additional fingerprinting data.
SETTINGS
Primary H2 Fingerprint Vector
05

JavaScript Runtime Fingerprinting

When a bot executes JavaScript, the headless browser or automation framework leaks detectable artifacts into the runtime environment.

  • Navigator.Webdriver: The navigator.webdriver property is set to true by default in Selenium, Puppeteer, and Playwright. This is the most basic and widely checked automation signal.
  • Navigator Plugins & MIME Types: Headless browsers often report an empty or minimal plugin array, whereas real browsers list PDF viewers, Chrome PDF Plugin, etc.
  • WebGL Vendor & Renderer: The GPU vendor string and renderer identifier in headless mode often default to generic values like "Google Inc." with "SwiftShader" rather than the actual hardware.
  • Prototype Chain Integrity: Automation tools sometimes modify native browser APIs. Checking toString() on functions or inspecting prototype chains can reveal monkey-patched methods.
navigator.webdriver
Primary Automation Leak
06

Behavioral & Timing Heuristics

Beyond static fingerprints, the dynamic behavior of a session provides a continuous signature that is difficult to simulate convincingly.

  • Request Inter-Arrival Time: Bots typically exhibit unnaturally consistent delays or extremely high request velocities. Human traffic follows stochastic, bursty patterns.
  • URL Traversal Logic: Bots often traverse links in sequential, depth-first, or breadth-first patterns. Humans navigate non-linearly, revisiting pages and following tangential links.
  • Mouse Movement & Keystroke Dynamics: When interaction data is available, bots generate perfectly linear mouse paths or instant keystrokes, lacking the micro-hesitations and acceleration curves of human input.
  • Session Depth & Bounce Patterns: Automated sessions may fetch every link on a page without dwell time, creating a flat, high-depth session profile distinct from focused human browsing.
< 50ms
Suspicious Inter-Request Delay
BOT SIGNATURE DETECTION

Frequently Asked Questions

Explore the technical nuances of bot signatures, the composite fingerprints used to identify and categorize automated web traffic at the network and application layers.

A bot signature is a composite fingerprint derived from a combination of HTTP header order, TLS handshake parameters, and TCP/IP stack attributes that uniquely identifies a specific automated agent or crawler family. Unlike a simple User-Agent string that can be trivially spoofed, a bot signature aggregates multiple layers of the network stack to create a high-entropy identifier. Detection engines analyze the specific order of HTTP headers, the exact set of cipher suites advertised in the TLS Client Hello message, and the initial Time-to-Live (TTL) value of IP packets. When these attributes are combined and hashed, they form a stable signature that persists even when the bot operator rotates IP addresses or modifies the User-Agent string, enabling precise long-term tracking and mitigation of unwanted automation.

IDENTIFICATION METHOD COMPARISON

Bot Signature vs. Other Identification Methods

A technical comparison of bot signature fingerprinting against other common crawler identification techniques across key operational dimensions.

FeatureBot SignatureUser-Agent StringIP Reputation

Spoofing Resistance

High — requires TCP/IP stack emulation

Low — trivial to modify header text

Medium — bypassed via residential proxies

Uniqueness Granularity

Crawler family or specific tool version

Self-declared, no verification

Network or ISP level

Passive Detection

Requires Active Probing

False Positive Rate

< 0.1%

High — legitimate browsers can be misclassified

5-15% — shared IPs and CGNAT

Persistence Across Sessions

High — tied to TLS/TCP stack

None — changes per request

Low — IPs rotate dynamically

Computational Overhead

Low — passive packet inspection

Negligible — header parsing

Low — database lookup

Effectiveness Against Headless Browsers

High — detects automation artifacts in TLS handshake

None — headless browsers send identical strings

None — traffic originates from same IP

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.