Add JA4 fingerprint header to App Proxy requests?

Hey Shopify,

In the modern API security landscape, the JA4 Fingerprint has become a very useful tool. This fingerprint can only be generated on the proxy which is receiving the requests from the client, therefore it is normal practise for modern proxies (Such as Cloudflare, Azure Front Door) to append the clients JA4 Fingerprint as a header on requests.

As we must use App Proxy to call our API (We cant direct calls through our own proxy), we must receive the JA4 Fingerprint from the proxy. The JA4 Fingerprint is an important tool in any modern day API protection.

Previously, before Shopify unfortunately removed all the headers which contain ‘shopify’ attached to App Proxy requests ( Missing Shopify-Ipgeo-Country and X-Shopify-Client-IP in app proxy requests? ), requests were always appended with the header shopify-ua-ja4 which was the JA4 Fingerprint. Therefore please bring back a JA4 header on all App Proxy Requests.

Thanks
Drew

Hey agaim @Drew_Loynes - thanks for flagging this too. shopify-ua-ja4 isn’t currently part of the documented App Proxy request contract, and App Proxy doesn’t currently expose a documented JA4 equivalent as you mentioned.

For now, I’d recommend combining X-Forwarded-For with App Proxy signature validation, request/customer-level rate limits, and application-level behavioural signals. These aren’t a direct replacement for JA4, but they’re the supported options available through App Proxy today (like I mentioned in that other thread, I get how this isn’t ideal).

I’m happy to pass this along as a feature request. Could you confirm whether you primarily use JA4 for blocking, risk scoring, or rate limiting? That context would be helpful on our end - thanks!