Skip to main content

Web Scraping Anti-Detection Techniques: The Definitive 2026 Reference

· 8 min read
Yassine El Haddad
Software Developer & Automation Specialist

I build production AI agents, web scrapers, and automation pipelines. Most of what I publish here comes from the actual problems they run into: proxies that get banned, anti-bot stacks that fingerprint your client, RAG that drifts when the underlying data moves. Stack: Python, TypeScript, Go, FastAPI, LangChain, Crawlee, Playwright, deployed on AWS, GCP, and Cloudflare.

Anti-bot systems in 2026 detect scrapers through IP reputation, TLS fingerprints, browser fingerprints, behavioral patterns, and CAPTCHAs. Bypassing them requires a layered approach: the right proxy type, a real browser TLS stack, fingerprint spoofing, human-like behavior, and CAPTCHA solving when needed. This guide explains how anti-bot works, five layers of defense, what no longer works, and a comparison of DIY vs managed solutions. For the toughest targets, Bright Data Scraping Browser bundles unblocking out of the box.

How Anti-Bot Systems Work

Modern WAFs and anti-bot vendors (Cloudflare, DataDome, PerimeterX, Akamai) analyze multiple signals:

SignalWhat They CheckExample
IP reputationIs the IP from a known datacenter, VPN, or proxy?AWS/GCP IPs flagged
TLS fingerprintJA3/JA4 fingerprint of the TLS handshakePython requests = distinct fingerprint
Browser fingerprintCanvas, WebGL, fonts, navigator propertiesHeadless Chrome detected by missing APIs
BehaviorRequest rate, mouse movement, scroll patternsBurst requests = bot
CAPTCHAHuman verification when risk score is highreCAPTCHA, hCaptcha

Bypassing one layer is rarely enough. A residential proxy with a Python requests fingerprint will still fail on TLS-aware targets. A real browser with a datacenter IP may pass TLS but get blocked on IP reputation.

Layer 1: IP Reputation and Proxy Rotation

Proxy rotation — use different IPs per request or per session. Residential proxies provide real ISP IPs; datacenter proxies are cheaper but more likely blocked. See proxy types explained.

Session management — for sites that require logged-in state, use sticky sessions (same IP for the duration). For stateless scraping, rotate per request.

Provider choice — Bright Data, IPRoyal, Oxylabs offer large residential pools. Configure in Apify proxy settings or via custom proxy URL in your crawler.

Layer 2: TLS Fingerprinting (JA3/JA4)

The TLS ClientHello reveals libraries. Python requests and Node axios have distinct JA3 signatures that WAFs fingerprint. Using a real browser (Playwright, Puppeteer) gives you Chrome's TLS stack.

Pythonrequests and httpx have detectable fingerprints. Use tls-client (mimics Chrome) or switch to Playwright for Python when TLS matters.

Node.js — Playwright and Puppeteer use the browser's TLS. No extra configuration needed when driving a real browser.

Key point: If you use an HTTP client, ensure it mimics a real browser's TLS. Otherwise, move to Playwright.

Layer 3: Browser Fingerprint (Canvas, WebGL, Navigator)

Headless Chrome can be detected via:

  • Canvas fingerprint (drawing produces unique hash)
  • WebGL vendor/renderer
  • navigator properties (platform, languages, hardware concurrency)
  • Missing or inconsistent fonts

Playwright-extra with stealth plugin — patches common detection vectors. Use puppeteer-extra-plugin-stealth or Playwright equivalents.

Camoufox — Firefox-based browser designed for anti-detection. Alternative to Chrome when fingerprint matters.

Bright Data Scraping Browser — managed browser with randomized fingerprints. No setup; connect via CDP and scrape. See Bright Data Scraping Browser guide.

Fingerprint spoofing — inject scripts or use page.addInitScript to override navigator and other globals. Advanced; stealth plugins often handle this.

Layer 4: Behavioral Patterns

Bots behave differently from humans. Mitigations:

  • Human-like delays — randomize wait times between requests (e.g., 1–5 seconds). Avoid fixed intervals.
  • Random mouse movements — simulate hover and scroll. Playwright can emit input events.
  • Scroll patterns — scroll down gradually instead of jumping. Some sites detect scroll behavior.
  • Session warming — visit a few pages before hitting the target endpoint. Mimics a user browsing.

Rate limiting alone is not enough; timing distribution and interaction patterns matter.

Layer 5: CAPTCHA Handling

When risk scores are high, sites serve CAPTCHAs. Options:

ServiceHow It WorksCost
2CaptchaAPI → solve reCAPTCHA, hCaptchaPer solve
CapsolverSame model, competitive pricingPer solve
Bright Data Scraping BrowserBuilt-in auto-solveIncluded in Scraping Browser

Bright Data Scraping Browser solves CAPTCHAs automatically—no external service. For DIY setups, integrate 2Captcha or Capsolver into your Playwright flow (inject solution token when CAPTCHA appears).

Cloudflare Bypass Approaches

Cloudflare challenges (JS check, turnstile, CAPTCHA) block non-browser traffic. What works:

ApproachEffortSuccess Rate
Bright Data Scraping BrowserLowHigh
Playwright + stealth pluginMediumMedium–High
undetected-chromedriver (Selenium)MediumMedium
Bare requests/httpxLowVery low

What doesn't work: Simple fake User-Agent with requests. Cloudflare fingerprints TLS and JS execution; you need a real browser. For maximum reliability, Bright Data Scraping Browser is the fastest path.

Comparison: DIY vs Managed vs Scraping Browser

FactorDIY (Playwright + proxies + stealth)Managed Proxy (Bright Data proxy)Scraping Browser
DifficultyHighMediumLow
Setup timeDaysHoursMinutes
CAPTCHAExternal (2Captcha)May still hit CAPTCHAAuto-solved
FingerprintYour responsibilityProxy onlyManaged
CostLower (if you succeed)ModerateHigher per GB
Best forLearning, custom logicModerate anti-botHard targets (LinkedIn, Cloudflare)

Choose DIY when you have time to tune and targets are moderate. Choose Scraping Browser when LinkedIn, Cloudflare, or Amazon-level anti-bot is blocking you.

Summary: Layered Defense

  1. IP — Use residential proxies, rotate per request or session.
  2. TLS — Use real browser (Playwright) or tls-client; avoid bare requests on TLS-aware targets.
  3. Fingerprint — Stealth plugin, Camoufox, or Scraping Browser.
  4. Behavior — Random delays, scroll, session warming.
  5. CAPTCHA — 2Captcha/Capsolver or Scraping Browser auto-solve.

Testing Your Anti-Detection Setup

Before scaling, validate your stack. Use sites like bot.sannysoft.com or browserleaks.com to check fingerprint consistency. If TLS or fingerprint checks fail, iterate on Layer 2 or 3. For CAPTCHA testing, some targets serve CAPTCHA only after N requests—run a small batch and observe. Log block reasons (403, challenge page) to tune proxies, delays, or fingerprint spoofing. A/B test: same target, different proxy types (datacenter vs residential) to quantify block rate improvement.

Cost-Benefit by Target Difficulty

Target DifficultyRecommended StackEstimated Cost/1K pages
Easy (docs, blogs)requests + BeautifulSoup, no proxy$0 (self-host)
Medium (e-commerce, some anti-bot)Playwright + residential proxy$3–10
Hard (LinkedIn, Cloudflare)Scraping Browser or Playwright + stealth + residential$8–20
Very hard (Amazon, captcha-heavy)Scraping Browser$15–30

Invest in stronger stacks only when necessary. Many sites work with Playwright + residential proxy; reserve Scraping Browser for confirmed blocks.

Undetected Chromedriver and Selenium

For teams entrenched in Selenium, undetected-chromedriver patches Chromedriver to reduce detection. It's a middle ground between raw Selenium and Playwright—easier migration, less robust than Playwright + stealth or Scraping Browser. Use when refactoring from Selenium is costly; otherwise, prefer Playwright for new projects.

Summary Checklist

Before launching a scraper against a protected target: (1) Use residential or ISP proxies, (2) Drive a real browser (Playwright) not requests, (3) Add stealth or Scraping Browser if fingerprint matters, (4) Randomize delays and avoid burst patterns, (5) Have a CAPTCHA solver or Scraping Browser if challenges appear. Layer defenses incrementally; start minimal and add only what the target requires. For proxy selection and session types, the proxy types guide covers residential, datacenter, ISP, and mobile proxies with use-case mapping.

Apify Affiliate Banner 728x90Apify Affiliate Banner 728x90Apify Affiliate Banner 300x50Apify Affiliate Banner 300x50
Start simple, add layers

Begin with residential proxies + Playwright. If blocked, add stealth. If CAPTCHAs appear, add 2Captcha or switch to Scraping Browser. Don't over-invest in DIY for one-off targets.



Bright Data Scraping Browser | Apify + Proxies

Frequently Asked Questions

TLS fingerprinting. Requests and httpx have distinct JA3/JA4 signatures. WAFs detect them. Use Playwright (real browser TLS) or tls-client for Python.

Stealth plugin patches your local Playwright browser. Scraping Browser is a managed cloud browser with built-in fingerprint randomization, CAPTCHA solving, and proxy. Zero config; connect and scrape.

No. Cloudflare requires JavaScript execution and a real browser TLS stack. You need Playwright, Puppeteer, or Scraping Browser. Proxy alone is not sufficient.

Use Scraping Browser for hard anti-bot (LinkedIn, Cloudflare, Amazon). Use Apify + residential proxies for moderate targets—cheaper and sufficient for many sites.

No. Modern WAFs fingerprint TLS and browser APIs. A fake User-Agent with requests is trivially detected. Real browser + correct User-Agent is the baseline.

Common mistakes and fixes

Still blocked with residential proxies

Check TLS fingerprint matches User-Agent. Use real browser (Playwright) not requests. Add stealth plugin or Scraping Browser for fingerprint bypass.

CAPTCHAs appear frequently

Use Bright Data Scraping Browser (auto-solve) or integrate 2Captcha/Capsolver. Reduce request rate; add human-like delays.

Cloudflare challenge never completes

Bare requests library fails against Cloudflare. Use Playwright with stealth, Camoufox, or Bright Data Scraping Browser.