Skip to main content
use-apify.com

Anti Bot: guides & tutorials

How sites fingerprint bots—TLS, headers, behavior, rate limits—and what scrapers do next: residential IPs, real browsers, backoff, and Apify Actor design.

4 articles

View all tags

Anti-bot systems fingerprint automated traffic through TLS signatures, headers, behavior, and rate limits, then block or challenge anything that looks non-human. These guides explain how detection works and what scrapers do in response.

The durable answer is residential IPs, real browsers, consistent fingerprints, and request pacing that mimics people, plus backoff when challenges appear. Apify actor design folds these tactics in. Below you will find breakdowns of detection methods and practical anti-blocking techniques.

Related topics

Anti Bot6 min read

Bypassing Anti-Bot Walls for Claude Research Agents with IPRoyal Proxies (2026)

· 6 min read
Yassine El Haddad
Software Developer & Automation Specialist

Claude research agents need fresh web data to answer questions, summarize articles, and compare products. Many target sites block datacenter IPs and headless browsers within seconds. IPRoyal residential proxies route traffic through real ISP-assigned IPs, dramatically lowering block rates. This guide shows how to integrate IPRoyal with Python and build a Claude research tool that fetches web content reliably. For full-stack scraping pipelines, pair with Apify.

Anti Bot5 min read

Bright Data Web Unlocker Review: Bypassing Advanced WAFs in 2026

· 5 min read
Yassine El Haddad
Software Developer & Automation Specialist

Modern data extraction pipelines frequently collide with sophisticated Web Application Firewalls (WAFs) like Cloudflare, Datadome, Akamai, and PerimeterX. Good residential IPs alone are often not enough; these systems validate TLS handshakes, inspect JavaScript environments, and use signals like Canvas/WebGL to separate real browsers from automation.

The Bright Data Web Unlocker wraps that work behind a proxy-style endpoint. Instead of maintaining stealth Puppeteer patches yourself, you send normal HTTP requests to Bright Data, which handles CAPTCHAs, browser-like fingerprints, and returns the unblocked HTML when it succeeds.

AI5 min read

The 2026 Web Scraping Arms Race: Bypassing Advanced WAFs

· 5 min read
Yassine El Haddad
Software Developer & Automation Specialist

Extracting web data in 2026 is an escalating cryptographic arms race. Commercial Web Application Firewalls (WAFs)—engineered by Cloudflare, Akamai, and Datadome—have evolved far beyond simple IP rate-limiting. They deploy deeply integrated, multi-tiered inspection architectures that analyze network packets before a TLS connection is even fully established.

If a data engineering team deploys a standard Python requests script or an unpatched Headless Chromium instance against a protected target, the traffic is dropped with a 403 Forbidden or locked in an infinite Turnstile CAPTCHA loop.

This guide dissects the exact mechanics of modern WAF inspection engines and analyzes the infrastructural methods required to bypass them.

Anti Bot6 min read

How to Bypass Cloudflare When Web Scraping (2026 Playbook)

· 6 min read
Yassine El Haddad
Software Developer & Automation Specialist

A script that works on your laptop but returns 403, Blocked, or endless Checking your browser screens in production is usually hitting Cloudflare (or a similar edge bot manager). Cloudflare sits in front of millions of sites and scores every request before your scraper sees HTML.

This guide maps what Cloudflare actually checks, practical countermeasures for each layer, and when it is faster to use Apify—including pre-built Actors and Web Unlocker—instead of maintaining stealth stacks yourself.

Guides on this site

Frequently asked questions

Frequently Asked Questions

Anti-bot systems protect websites from automated traffic — scrapers, spam bots, and credential stuffers. They analyze request patterns, browser fingerprints, JavaScript behavior, and timing to distinguish humans from bots. Common vendors include Cloudflare, Akamai, and PerimeterX. Most e-commerce, travel, and social media sites use some form of anti-bot protection.

The most reliable approach: use a real browser (Playwright or Puppeteer via Apify) instead of plain HTTP requests, add residential proxies to spread requests across different IPs, and pace requests with realistic timing (200–800ms between actions). For sites with strong Cloudflare protection, specialized anti-detect browsers and CAPTCHA-solving services may be needed. Apify's platform-level browser actors handle most common anti-bot scenarios automatically.

Scraping publicly available data does not typically violate computer access laws, but bypassing access controls explicitly designed to prevent automation can create legal exposure under the CFAA in the US or similar laws elsewhere. Bypassing a CAPTCHA on a public pricing page is different from brute-forcing authentication. When in doubt — especially for high-volume commercial scraping — get a legal review of your specific use case.

Proxies solve IP blocking, but modern anti-bot systems also check browser fingerprints (TLS signature, JavaScript execution environment, canvas rendering), behavior patterns (mouse movement, scroll events), and session history. If requests still get blocked, the issue is likely fingerprinting rather than IP reputation. Solutions: switch to a headless browser with stealth patches, use Apify's pre-built actors that already handle common fingerprint leaks, or try a different proxy type.