Client fingerprinting is a check performed at the load-balancing layer that determines what kind of client is connecting: a browser such as Safari on iOS or Firefox on Windows, or a command-line tool such as curl. The load balancer derives an identifier for each client from what it observes and can then monitor that client for suspicious behavior more easily.
When a client crosses a preconfigured security threshold, such as a request or error rate, the load balancer can enforce a response policy to stop further abuse. Because the fingerprint is built from several observed attributes, the process can also reveal software that misrepresents itself by spoofing one of them: the remaining attributes no longer match the identity the client claims. This gives teams a way to fight back against bots and malicious actors.
How does client fingerprinting work?
Client fingerprinting considers multiple data points to better understand where a client resides, what type of client it is, and whether it is friend or foe. One such clue is the User-Agent HTTP request header. Sent by the web browser or script, User-Agent names the application, the OS, and their version numbers. It is self-reported, though, and any client can set it to whatever it likes, which is why it is only one input among several; attributes the client cannot change as freely, such as the parameters it offers during the SSL/TLS handshake, carry more weight.
The load balancer or reverse proxy computes the fingerprint itself and attaches it to each request the client makes. Because the value is derived server-side from observed properties rather than sent by the client, neither the client nor an intermediary can set it directly; a client can only try to change the observed inputs, which is exactly the spoofing the fingerprint is designed to notice.
A client fingerprint is typically represented as an opaque alphanumeric string. The string is made up of several segments, each derived from one set of observations about the client, much like the segments of a serial number on a physical product; the same client with the same properties produces the same string. Fingerprints are recorded in activity logs, so administrators can audit suspicious activity after the fact, independently of any immediate action taken at request time. They also help teams better estimate which users are human and which are machines.
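As an added illustration (example code written for this page, not the code of HAProxy's Fingerprint or TLS Fingerprint modules), the script below builds a two-segment fingerprint from what a proxy can observe: an HTTP segment from the User-Agent and the order of the request headers, and a TLS segment that is a JA3-style hash of the ClientHello. The ClientHello values, the header lists and the Chrome/curl reference table are constructed for the example, shaped like typical values rather than captured from traffic. It also shows the spoofing case described above: a client whose User-Agent claims Chrome but whose handshake matches curl.

```python
import hashlib
from dataclasses import dataclass

# TLS GREASE values (RFC 8701) change from connection to connection, so a
# stable fingerprint must drop them before hashing.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

@dataclass(frozen=True)
class ClientHello:
    """The ClientHello fields a proxy observes before any HTTP bytes arrive."""
    version: int
    ciphers: tuple
    extensions: tuple
    curves: tuple
    point_formats: tuple

def ja3_hash(hello):
    """JA3-style TLS fingerprint: MD5 over the decimal ClientHello fields,
    GREASE values removed, lists joined with '-' and fields with ','."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    text = ",".join([str(hello.version), join(hello.ciphers),
                     join(hello.extensions), join(hello.curves),
                     join(hello.point_formats)])
    return hashlib.md5(text.encode()).hexdigest()

def user_agent(headers):
    return next((v for n, v in headers if n.lower() == "user-agent"), "")

def http_hash(headers):
    """HTTP-layer fingerprint: the User-Agent plus the order in which the
    client sent its header names (tools rarely reproduce a browser's order)."""
    names = "|".join(name.lower() for name, _ in headers)
    return hashlib.sha256(f"{user_agent(headers)}\n{names}".encode()).hexdigest()[:16]

def ua_family(ua):
    """Coarse family claimed by the User-Agent. Chrome is tested before Safari
    because Chrome's string also contains 'Safari/'."""
    for needle, family in (("curl/", "curl"), ("Firefox/", "Firefox"),
                           ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if needle in ua:
            return family
    return "unknown"

# Constructed ClientHello values, shaped like a Chrome and a curl/OpenSSL
# handshake but not captured from real traffic.
CHROME_HELLO = ClientHello(
    version=771,
    ciphers=(0x1a1a, 4865, 4866, 4867, 49195, 49199, 49196, 49200,
             52393, 52392, 49171, 49172, 156, 157, 47, 53),
    extensions=(0x1a1a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51,
                45, 43, 27, 17513, 0x2a2a, 21),
    curves=(0x2a2a, 29, 23, 24),
    point_formats=(0,),
)
CURL_HELLO = ClientHello(
    version=771,
    ciphers=(4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394,
             49195, 49199, 158, 49172, 49171, 157, 156, 53, 47, 255),
    extensions=(0, 11, 10, 35, 22, 23, 13, 43, 45, 51),
    curves=(29, 23, 30, 25, 24),
    point_formats=(0, 1, 2),
)

# Constructed reference table: TLS fingerprint -> client family that produces it.
KNOWN_TLS = {ja3_hash(CHROME_HELLO): "Chrome", ja3_hash(CURL_HELLO): "curl"}

# Constructed request headers, in the order a Chrome build might send them.
CHROME_HEADERS = [
    ("Host", "shop.example"),
    ("Connection", "keep-alive"),
    ("sec-ch-ua", '"Chromium";v="120"'),
    ("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    ("Accept", "text/html,application/xhtml+xml,*/*;q=0.8"),
    ("Accept-Encoding", "gzip, deflate, br"),
    ("Accept-Language", "en-US,en;q=0.9"),
]

def analyze(headers, hello):
    """Build the two-segment fingerprint and flag a client whose User-Agent
    claims one family while its TLS handshake matches another."""
    tls = ja3_hash(hello)
    claimed = ua_family(user_agent(headers))
    observed = KNOWN_TLS.get(tls, "unknown")
    return {
        "fingerprint": f"h:{http_hash(headers)}-t:{tls[:16]}",
        "claimed": claimed,
        "tls_family": observed,
        "spoofed": observed != "unknown" and claimed != observed,
    }

if __name__ == "__main__":
    print(analyze(CHROME_HEADERS, CHROME_HELLO))   # consistent browser
    print(analyze(CHROME_HEADERS, CURL_HELLO))     # curl wearing a Chrome User-Agent
```

The consistent request comes back with spoofed set to False; the curl handshake under a Chrome User-Agent comes back spoofed and with a different fingerprint, because the TLS segment changed even though the HTTP segment did not. Hashing the header order is deliberate: tools that copy a browser's User-Agent rarely copy the order in which that browser sends its other headers.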
Fingerprinting itself is largely passive: it observes and labels. When a client that was previously fingerprinted makes a request that trips a policy, the system might do one of the following:
Tarpit: hold the connection open and answer slowly or not at all, so the client burns time and connections while the server spends almost nothing
Block: reject the request outright, typically with an error status
Shadowban: answer as if the request had succeeded but serve nothing useful, so the client does not learn it has been detected
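An added example of the enforcement side (written for this page, and assuming nothing about how HAProxy Enterprise implements these actions): a sliding-window counter keyed on the fingerprint, the way a stick table tracks a key, with an escalating policy that tarpits, then blocks, a client accumulating error responses, and shadowbans fingerprints an operator has listed. The thresholds, the log-line format and the log excerpt are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Thresholds are assumptions for this example; a real deployment tunes them
# per service. The window works like a stick table's rate period.
WINDOW_S = 60        # seconds of history kept per fingerprint
TARPIT_AFTER = 3     # error responses in the window before slowing the client
BLOCK_AFTER = 6      # error responses in the window before rejecting outright
TARPIT_DELAY_S = 10  # how long a tarpitted request is held before it fails

# Fingerprints an operator has chosen to shadowban (constructed value).
SHADOWBANNED = {"h:9f1c2e3d4a5b6c7d-t:0123456789abcdef"}

# Access-log line shape assumed here: "ts=<epoch> fp=<fingerprint> status=<code> ..."
LOG_RE = re.compile(r"ts=(\d+) fp=(\S+) status=(\d{3})")

class FingerprintTracker:
    """Sliding-window count of error responses (4xx/5xx) per fingerprint."""

    def __init__(self, window_s=WINDOW_S):
        self.window_s = window_s
        self.errors = defaultdict(deque)

    def count(self, fp, ts):
        """Errors seen for fp within the window ending at ts."""
        q = self.errors[fp]
        while q and q[0] <= ts - self.window_s:
            q.popleft()
        return len(q)

    def record(self, fp, ts, status):
        if status >= 400:
            self.errors[fp].append(ts)

def policy(fp, recent_errors):
    """Escalating response policy keyed on the fingerprint's recent behaviour."""
    if fp in SHADOWBANNED:
        return "shadowban"
    if recent_errors >= BLOCK_AFTER:
        return "block"
    if recent_errors >= TARPIT_AFTER:
        return "tarpit"
    return "allow"

def response_for(action, upstream_status):
    """(status sent to the client, seconds the request is held, body the client gets)."""
    return {
        "allow": (upstream_status, 0, "upstream body"),
        "tarpit": (500, TARPIT_DELAY_S, ""),     # hold the connection, then fail
        "block": (403, 0, "forbidden"),
        "shadowban": (200, 0, "decoy body"),     # looks fine, carries nothing useful
    }[action]

def handle(tracker, fp, ts, upstream_status):
    """Decide on one request from the history before it, then record the
    outcome the client actually received so proxy-generated errors count too."""
    action = policy(fp, tracker.count(fp, ts))
    status, delay, _body = response_for(action, upstream_status)
    tracker.record(fp, ts, status)
    return action, status, delay

def replay(log_lines):
    """Run the policy over logged requests; returns one (fp, action) per line."""
    tracker = FingerprintTracker()
    decisions = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts, fp, status = int(m[1]), m[2], int(m[3])
        decisions.append((fp, handle(tracker, fp, ts, status)[0]))
    return decisions

# Constructed log excerpt: a scanner probing paths that do not exist, a browser
# behaving normally, a shadowbanned client, and the scanner returning much later.
# Lines are grouped per client; the tracker keys on fingerprint, so order across
# clients does not matter.
BOT = "h:1a2b3c4d5e6f7081-t:fedcba9876543210"
BROWSER = "h:aabbccddeeff0011-t:1122334455667788"
SAMPLE_LOG = [f"ts={t} fp={BOT} status=404 path=/wp-login.php" for t in range(8)] + [
    f"ts=3 fp={BROWSER} status=200 path=/",
    f"ts=4 fp={BROWSER} status=200 path=/cart",
    "ts=5 fp=h:9f1c2e3d4a5b6c7d-t:0123456789abcdef status=200 path=/prices",
    f"ts=100 fp={BOT} status=404 path=/.env",
]

if __name__ == "__main__":
    for fp, action in replay(SAMPLE_LOG):
        print(fp[:20], action)
```

Replaying the excerpt, the scanner is allowed through for its first three 404s, tarpitted for the next three, and blocked once six errors sit inside the window; the browser and the shadowbanned client each get a single, stable answer; and the scanner's request at ts=100 is allowed again because the window has emptied. Counting the tarpit's own 500 as an error is what lets the policy escalate to a block rather than stalling at the tarpit stage, and the shadowban's 200 is deliberately not counted so that a shadowbanned client's history stays quiet.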
Fingerprinting happens quietly, and most clients won't know they've been fingerprinted. That is ideal, since application developers don't want suspicious clients trying to circumvent the protections they've added. From the initial connection through the end of the session, client fingerprinting gives teams deeper observability and helps them classify groups of clients more accurately.
Does HAProxy support client fingerprinting?
Yes! HAProxy Enterprise supports client fingerprinting for all clients, including those attempting to modify their own HTTP attributes and those whose details were captured during the SSL/TLS handshake. Our Fingerprint and TLS Fingerprint modules enable this. HAProxy ALOHA, by contrast, supports only the standard Fingerprint module. HAProxy users can install these optional modules alongside the HAProxy Enterprise Bot Management Module to implement flexible fingerprinting policies.
To learn more about client fingerprinting in HAProxy, please contact our team.