RQ4

Request Context Fingerprinting. Detects browser-impersonating bots by analyzing whether HTTP request context is logically valid. No JavaScript fingerprinting needed. Open specification: github.com/rozetyp/rq4

LAYER 1 - RQ4 (per-request)
Analyzes one HTTP request in isolation. Catches static-header bots (curl_cffi defaults, scraping frameworks) whose Sec-Fetch headers can't coexist in a real browser.
LAYER 2 - RQ4-S (per-session)
Correlates RQ4 results across your cookie session. Catches the cookie-reuse attack - bot reusing the cookies a real browser earned by solving a WAF challenge.
LAYER 1RQ4 - this request only
Your current request was fingerprinted across four dimensions. Each dimension returns v (valid), x (impossible - no real browser produces this), or - (no headers to evaluate).
----
M · U · I · T

Dimension breakdown

ModeIndeterminate
UpgradeIndeterminate
IdentityIndeterminate
TransferIndeterminate
LAYER 2RQ4-S - this session over time
RQ4 catches a single impossible request. RQ4-S catches the transition: a session that started clean (real browser) and then produced an impossible fingerprint (bot reusing the cookies). Try it below - replay your own session cookie via curl with intentionally impossible headers, then refresh.
YOUR SESSION COOKIE (tracked by RQ4-S)
rq4s_demo=18a0a91dba4beb063e9e20030d5d4161
REQUEST TIMELINE (last 20 in this session)
#1your browserGET----Clean
Modeindeterminateindeterminate (no headers to evaluate)
Upgradeindeterminateindeterminate (no headers to evaluate)
Identityindeterminateindeterminate (no headers to evaluate)
Transferindeterminateindeterminate (no headers to evaluate)
REPLAY THIS YOURSELF - paste into a terminal
curl -X POST 'https://rq4.dev/demo/replay' \
  -H 'Cookie: rq4s_demo=18a0a91dba4beb063e9e20030d5d4161' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: document' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-User: ?1' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Accept: text/html,application/xhtml+xml' \
  -H 'Sec-CH-UA: "Chromium";v="131"' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36'
The headers above intentionally combine navigation-only signals (Sec-Fetch-User, Upgrade-Insecure-Requests, Sec-Fetch-Dest:document) with Sec-Fetch-Mode:cors - a combination a real browser cannot produce. RQ4 will return fingerprint xxvx. RQ4-S will see this is the first impossible request on a previously-clean session and flag it.
HOW RQ4-S WORKS
  1. Every request that arrives with your rq4s_demo cookie is RQ4-fingerprinted (Mode/Upgrade/Identity/Transfer dimensions).
  2. The server keeps one entry per session in KV: {clean: bool, count: int, flaggedAt?: int}.
  3. While all observed fingerprints are v/-, the session is clean.
  4. The first fingerprint containing x on a previously-clean session triggers TRANSITION at that request number.
  5. Any subsequent request - even valid ones - keeps the session compromised. The handoff signature stays.
A real browser stays clean indefinitely. A bot replaying your cookie produces an impossible fingerprint on its first request. That asymmetry is the detection.
Request details - your headers, connection, RQ4 raw signals

Connection

ProtocolHTTP/2
MethodGET
LocationUS / CMH

Headers (what RQ4 analyzes)

accept*/*
accept-encodinggzip, br
user-agentMozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Clau...
Check Again

Read the RQ4 specification · API endpoint

Stay updated

We publish on request fingerprinting, browser bot detection, and running it in production. Drop your email for new posts.

Read recent posts →