Hey Shopify,
In the modern API security landscape, the JA4 Fingerprint has become a very useful tool. This fingerprint can only be generated on the proxy which is receiving the requests from the client, therefore it is normal practise for modern proxies (Such as Cloudflare, Azure Front Door) to append the clients JA4 Fingerprint as a header on requests.
As we must use App Proxy to call our API (We cant direct calls through our own proxy), we must receive the JA4 Fingerprint from the proxy. The JA4 Fingerprint is an important tool in any modern day API protection.
Previously, before Shopify unfortunately removed all the headers which contain ‘shopify’ attached to App Proxy requests ( Missing Shopify-Ipgeo-Country and X-Shopify-Client-IP in app proxy requests? ), requests were always appended with the header shopify-ua-ja4 which was the JA4 Fingerprint. Therefore please bring back a JA4 header on all App Proxy Requests.
Thanks
Drew