Skip to main content
use-apify.com

Cloudflare: guides & tutorials

Cloudflare Turnstile, WAF, and bot scoring for scrapers—clean IPs, browser runs, and Apify proxy settings that keep challenge rates under control.

4 articles

View all tags

Cloudflare guards many sites with Turnstile challenges, a WAF, and bot scoring that block clumsy scrapers fast. These guides explain how its detection works and how to scrape protected pages without tripping every defense.

The reliable path uses clean IPs, real browser runs, and tuned proxy settings to keep challenge rates low. Apify proxy configuration and browser actors are built for this. Below you will find practical techniques for getting consistent data from Cloudflare-fronted targets.

Related topics

Anti Detection7 min read

How to Bypass Cloudflare When Web Scraping (2026): Every Method Ranked

· 7 min read
Yassine El Haddad
Software Developer & Automation Specialist

Cloudflare Bot Management (including Turnstile, Bot Score, and Managed Rules) is the most common blocker scrapers hit in 2026. It combines TLS fingerprinting, JavaScript challenges, behavioral analysis, and IP reputation scoring — none of which raw requests or fetch can handle.

This guide ranks every bypass method by effectiveness, complexity, and cost.

Legal note: Only scrape data you have a legitimate reason to access. Cloudflare protection is the site's choice; bypassing it may violate ToS and in some jurisdictions, the CFAA. Always check robots.txt and review terms before scraping.

AI5 min read

The 2026 Web Scraping Arms Race: Bypassing Advanced WAFs

· 5 min read
Yassine El Haddad
Software Developer & Automation Specialist

Extracting web data in 2026 is an escalating cryptographic arms race. Commercial Web Application Firewalls (WAFs)—engineered by Cloudflare, Akamai, and Datadome—have evolved far beyond simple IP rate-limiting. They deploy deeply integrated, multi-tiered inspection architectures that analyze network packets before a TLS connection is even fully established.

If a data engineering team deploys a standard Python requests script or an unpatched Headless Chromium instance against a protected target, the traffic is dropped with a 403 Forbidden or locked in an infinite Turnstile CAPTCHA loop.

This guide dissects the exact mechanics of modern WAF inspection engines and analyzes the infrastructural methods required to bypass them.

Cloudflare5 min read

Engineering Bypass Architecture for Deep-Packet WAFs (2026)

· 5 min read
Yassine El Haddad
Software Developer & Automation Specialist

A 403 from a big consumer site is rarely “you hit the rate limit.” Products like Cloudflare Turnstile, DataDome, and Akamai Bot Manager stack checks: IP reputation, TLS fingerprint, headers, JavaScript probes, then behavior. Fail early in that stack and you may never reach the HTML you wanted.

This post walks through those layers in order and what people actually do to pass them—without pretending any of it stays stable forever.

Anti Bot6 min read

How to Bypass Cloudflare When Web Scraping (2026 Playbook)

· 6 min read
Yassine El Haddad
Software Developer & Automation Specialist

A script that works on your laptop but returns 403, Blocked, or endless Checking your browser screens in production is usually hitting Cloudflare (or a similar edge bot manager). Cloudflare sits in front of millions of sites and scores every request before your scraper sees HTML.

This guide maps what Cloudflare actually checks, practical countermeasures for each layer, and when it is faster to use Apify—including pre-built Actors and Web Unlocker—instead of maintaining stealth stacks yourself.

Guides on this site

Frequently asked questions

Frequently Asked Questions

Cloudflare inspects TLS fingerprints, browser headers, IP reputation, behavioral mouse patterns, and JavaScript challenge completion. Residential proxies with real browser fingerprints bypass many checks, but Cloudflare tiers continuously update scoring. Expect bot management systems to evolve; budget for ongoing maintenance.

Use premium residential proxies with low concurrent requests per IP, a real browser, and stealth plugins like undetected-chromium or Playwright Extra stealth. Some Apify actors bundle these layers. Always verify legality under CFAA and target site terms before attempting to bypass challenge pages.

403 with Cloudflare branding, 503 under attack mode, or JS-injected challenge pages. Check for cf_clearance cookies - absence means the challenge failed. Rate 429s come from too-fast requests; rotate IPs and slow down. For 1020 Access Denied, the site owner has added custom firewall rules beyond defaults.

Whenever the target offers a paid or free API, prefer it: official APIs are legal, stable, and faster. Scraping Cloudflare-protected sites requires constant maintenance as vendor defenses update. Factor in engineering hours and proxy costs; official data often wins on total cost of ownership for commercial projects.