Client fingerprinting is a security measure that allows load balancers to identify browsers and devices attempting to access a web application. Like a human fingerprint is unique to an individual, each client's unique fingerprint helps the load balancer apply rate limiting, WAF, and routing rules, even if the client is behind a NAT. Fingerprinting considers numerous data points to ensure users are humans or approved bots.
How does client fingerprinting work?
When a client connects to an application for the first time, important identifying information is shared between it and the load balancer. This is stored and remembered for later within the load balancer. Client fingerprinting relies upon a combination of the following data:
IP address
HTTP request headers
User-Agent information
Installed plugins
Time zone
Device-specific information like OS, language, etc.
Supported TLS ciphers
Based on this information, each client receives their unique identifier within the load balancer's data store. This helps separate bad traffic from good traffic. If a client is fingerprinted and deemed problematic, the load balancer will later restrict that client from accessing the application and its resources.
Finally, fingerprinting is more reliable than using cookies, as cookies can be altered or deleted completely by the user. By assigning a hash to each client, the load balancer can maintain immutable device identification without storing plain text client identifiers. Doing so can be a privacy and security risk, making careful fingerprinting data handling and storage essential.
Does HAProxy support client fingerprinting?
Yes! HAProxy Enterprise and HAProxy ALOHA offer an optional fingerprinting module that lets HAProxy regulate traffic more effectively. Alongside ACLs and our Global Profiling Engine, client fingerprinting is a key application security feature.
