Every website you automate is trying to detect that you are not human. Anti-bot systems have become sophisticated, using multiple signals to distinguish real browsers from automated ones. Understanding how detection works is the first step to defeating it.
This guide covers the detection techniques used by anti-bot systems and the stealth techniques that counter them.
How Bot Detection Works
Anti-bot systems operate on a principle of signal aggregation. No single signal definitively proves a browser is automated. Instead, detection systems collect dozens of signals and compute a risk score. When the score exceeds a threshold, the user is challenged (CAPTCHA) or blocked.
The main detection categories are: 1. Browser fingerprinting (checking browser properties for inconsistencies) 2. WebDriver detection (looking for automation-specific flags) 3. Behavioral analysis (detecting inhuman interaction patterns) 4. Network analysis (checking IP reputation and connection patterns)
A good stealth setup addresses all four categories.
Browser Fingerprinting
Real browsers have consistent, predictable properties. When you create a Chrome browser with Puppeteer, certain properties differ from a real Chrome browser. Anti-bot systems check these properties for inconsistencies.
Navigator properties. navigator.webdriver is true in automated browsers. navigator.plugins is empty. navigator.languages may be inconsistent with the Accept-Language header. navigator.hardwareConcurrency and navigator.deviceMemory may report unrealistic values for the claimed device.
WebGL fingerprint. Real GPUs produce distinctive WebGL rendering. Headless Chrome uses a software renderer that produces a different fingerprint. The WebGL vendor and renderer strings also differ.
Canvas fingerprint. Drawing to an HTML canvas and reading the pixel data produces a fingerprint that varies by GPU, OS, and browser version. Headless browsers produce fingerprints that do not match any real device.
Audio fingerprint. The AudioContext API produces a fingerprint based on the audio processing stack. Headless browsers have different audio characteristics than real browsers.
Screen properties. screen.width, screen.height, window.innerWidth, and window.outerWidth should be consistent with each other and with the claimed device. Headless browsers sometimes report 0 for outer dimensions.
Font enumeration. Real systems have predictable font sets based on the OS. Headless environments may have minimal or unusual font sets.
Anti-bot services like DataDome, Akamai Bot Manager, and Cloudflare check dozens of these properties simultaneously and cross-reference them for consistency.
WebDriver Detection
The simplest detection method checks for automation-specific flags:
navigator.webdriver. In standard Puppeteer and Playwright, navigator.webdriver returns true. Real browsers return false or undefined. This is the first thing anti-bot scripts check.
CDP artifacts. Chrome DevTools Protocol (CDP) adds runtime properties that can be detected. The __cdp_runtime__ property, the presence of Runtime.evaluate in the call stack, and other CDP-specific artifacts.
Automation extensions. Puppeteer and Playwright inject extension code that can be detected by examining chrome.runtime properties and the browser's extension list.
Window properties. Automation tools add properties to the window object: window.cdc_adoQpoasnfa76pfcZLmcfl_Array (ChromeDriver), window.__playwright_iframe_id__ (Playwright), and similar identifiers.
Behavioral Analysis
Even with perfect browser fingerprinting, behavioral analysis can catch automated browsers:
Mouse movement. Real humans produce smooth, curved mouse movements with acceleration and deceleration. Bots either do not move the mouse at all (jumping directly to click targets) or move it in perfectly straight lines.
Typing patterns. Humans type at variable speeds with natural pauses. Bots type at uniform speeds or insert text instantly via JavaScript.
Navigation patterns. Humans browse in non-linear patterns. They scroll, pause, go back, open new tabs. Bots follow predetermined paths at consistent speeds.
Timing. Humans have variable reaction times. They pause to read content, hesitate before clicking, and take breaks. Bots interact at machine speed with consistent timing.
Page interaction. Humans scroll before clicking elements that are below the fold. They move the mouse near a link before clicking it. They sometimes miss click targets and try again. Bots navigate with perfect precision.
Stealth Techniques
Stealth tools counter detection signals at each level:
Fingerprint spoofing. Override navigator properties to match a real browser profile. Set navigator.webdriver to undefined. Populate navigator.plugins with realistic values. Ensure all properties (languages, platform, user agent, device memory, hardware concurrency) are internally consistent.
WebGL spoofing. Override WebGL vendor and renderer strings to match a real GPU. Inject noise into canvas and WebGL rendering to produce realistic fingerprints.
CDP masking. Remove or mask CDP-specific artifacts. Delete automation properties from the window object. Patch the JavaScript runtime to hide evaluate call stack frames.
Header management. Ensure HTTP headers (Accept, Accept-Language, Accept-Encoding, Sec-CH-UA) are consistent with the claimed browser and match the fingerprint profile.
Timezone matching. Set the browser's timezone to match the proxy IP's geographic location. Inconsistencies between IP geolocation and browser timezone are a strong bot signal.
The most widely used stealth library is puppeteer-extra-plugin-stealth, which patches 15+ detection vectors. BrowseFleet's stealth mode applies these patches and more.
Proxy Rotation Strategies
Network-level stealth is equally important:
IP rotation. Anti-bot systems track IP addresses. An IP that sends 1,000 requests in an hour is suspicious. Rotate IPs per session or per batch of requests.
Proxy types and their detection resistance:
Datacenter proxies ($1-5/GB) are the cheapest but most easily detected. Anti-bot services maintain lists of datacenter IP ranges.
Residential proxies ($5-15/GB) use real consumer IP addresses from ISPs. They are much harder to detect because they look like normal user traffic.
ISP proxies ($3-10/GB) are datacenter IPs registered with ISPs, offering a balance of cost and stealth.
Mobile proxies ($15-30/GB) use mobile carrier IP addresses. They have the best reputation because mobile IPs are shared among many users, making it impractical to block them.
Geographic consistency. The proxy IP's location should match the browser's timezone, language, and locale settings. A browser claiming to be in New York but connecting from a Russian IP is suspicious.
Session-level rotation. Assign each BrowseFleet session its own proxy. This prevents cross-request correlation. Anti-bot systems cannot link multiple requests from different sessions.
const session = await bf.sessions.create({
stealth: 'full',
proxy: 'socks5://user:pass@residential-proxy:1080',
timezone: 'America/New_York',
locale: 'en-US',
});Testing Your Stealth Setup
Before running your automation against target sites, test your stealth configuration:
Bot detection test sites:
- bot.sannysoft.com - Tests for common automation flags
- browserleaks.com - Full fingerprint analysis
- pixelscan.net - Cross-references multiple fingerprint signals
- nowsecure.nl - Tests specifically for Chrome DevTools Protocol detection
Manual verification. Navigate to your target site and visually inspect whether CAPTCHAs appear, content loads correctly, and the site behaves normally.
A/B testing. Run the same scraping job with stealth enabled and disabled. Compare success rates to verify that stealth is making a difference.
BrowseFleet's Stealth Implementation
BrowseFleet's stealth mode applies a thorough set of patches that address all detection categories:
Full mode (stealth: 'full') applies all available stealth patches: - navigator.webdriver set to undefined - navigator.plugins populated with realistic data - navigator.languages matched to locale settings - WebGL vendor and renderer spoofed - Canvas fingerprint noise injected - Chrome runtime properties masked - CDP artifacts removed - User-Agent consistent with all other properties - Timezone matched to proxy geolocation - Screen properties set to realistic values
Basic mode (stealth: 'basic') applies essential patches only: - navigator.webdriver masking - User-Agent normalization - Basic CDP artifact removal
Basic mode is faster (less JavaScript injection) but less effective against sophisticated detection. Use full mode for any site with serious anti-bot measures.
In our testing, BrowseFleet's full stealth mode passes all common bot detection tests and successfully accesses sites protected by Cloudflare, DataDome, and Akamai Bot Manager. No stealth solution is 100% effective against all detection systems, but full mode handles the vast majority of cases.