Why does my headless browser get detected?

Headless browsers leak identity signals at multiple layers: navigator.webdriver returns true, Chrome DevTools Protocol injects cdc_ markers, browser plugins array is empty, canvas/WebGL fingerprints differ from real browsers, TLS handshake signatures (JA3/JA4) do not match, and HTTP/2 settings frames use default values instead of browser-specific ones.

How do I hide navigator.webdriver from anti-bot detection?

Override it before the page loads using an init script. In Playwright: page.add_init_script("Object.defineProperty(navigator, 'webdriver', {get: () => undefined})"). This must execute before any page JavaScript runs, otherwise the anti-bot check will read the true value first.

Is Playwright harder to detect than Selenium?

Yes. Selenium injects cdc_ variables into the page context that anti-bot systems scan for. Playwright connects via a different protocol (CDP) and does not inject these markers. Playwright also has better stealth plugin support and more realistic browser fingerprints out of the box.

What is TLS fingerprinting and can I bypass it?

TLS fingerprinting (JA3/JA4) identifies your client by the unique pattern of cipher suites, extensions, and elliptic curves in the TLS handshake. It happens before any JavaScript runs. Python requests, Node axios, and Go net/http all have completely different fingerprints from real browsers. Bypassing it requires using a real browser engine or a TLS library that mimics browser handshake patterns.

How many pages can I scrape before getting blocked?

It depends on the target site and your setup. With basic headless Chrome and no stealth measures, you may get blocked after 10-50 requests. With stealth plugins and proxy rotation, small-scale scraping (under 1,000 pages/day) is feasible. For medium scale (1K-50K/day) you need dedicated infrastructure or a scraping API. For large scale (50K+/day), a managed service like AlterLab handles fingerprinting, proxy rotation, and anti-bot bypass automatically.

Headless Browser Detected? 6 Signals That Give You Away

You launch headless Chrome, navigate to a page, and get a 403 or a CAPTCHA. The site knows you are a bot. But how?

Headless browsers leak identity signals at every layer. TLS handshake, HTTP headers, JavaScript APIs, rendering behavior - each one is a potential detection vector. Modern anti-bot systems like Cloudflare, DataDome, and PerimeterX check all of them.

The Detection Signals

navigator.webdriver

The most obvious one. When Chrome runs in automation mode, navigator.webdriver returns true. Every anti-bot system checks this first.

javascript

// What bots show
navigator.webdriver // true

// What real browsers show
navigator.webdriver // undefined or false

Fix: Override it before the page loads.

python

# Playwright
page.add_init_script("Object.defineProperty(navigator, 'webdriver', {get: () => undefined})")

Chrome DevTools Protocol Markers

ChromeDriver injects cdc_ variables into the page context. These are internal markers for the automation framework, and anti-bot systems scan for them.

javascript

// Detection check sites run
for (let key in document) {
  if (key.match(/cdc_|\$chrome_|\$cdc_/)) {
    // Bot detected
  }
}

Fix: Use Playwright instead of Selenium. Playwright connects via a different protocol and does not inject these markers.

Missing Browser Plugins

A real Chrome installation has plugins - PDF viewer, Chrome PDF Viewer, Native Client. Headless Chrome reports zero plugins by default.

javascript

// Real browser
navigator.plugins.length // 3-5

// Headless
navigator.plugins.length // 0

Fix: Inject fake plugin arrays via init scripts, or run in headed mode.

Canvas and WebGL Fingerprints

Headless browsers produce different canvas rendering output than headed ones. Anti-bot systems render a hidden canvas element and hash the result. Headless Chrome on Linux produces a distinctly different hash than Chrome on Windows or macOS.

This is hard to fake convincingly. The rendering differences come from the GPU drivers and font rendering stack, not from JavaScript.

TLS Fingerprint (JA3/JA4)

This happens before any JavaScript runs. Your HTTP client and browser version produce a unique TLS handshake signature. Headless Chrome has a different JA3 hash than regular Chrome because the cipher suite ordering differs slightly.

Python requests, Node axios, Go net/http - they all have completely different TLS fingerprints from any browser. This is often the first thing that gets you blocked.

HTTP/2 Settings

Real browsers use HTTP/2 with specific settings frames (SETTINGS_MAX_CONCURRENT_STREAMS, SETTINGS_INITIAL_WINDOW_SIZE, etc.). The values differ between Chrome, Firefox, and Safari. Most HTTP clients either do not support HTTP/2 or use default values that do not match any browser.

The Realistic Fix Strategy

For Small Scale (under 1K pages/day)

Run a patched Playwright instance with stealth plugins:

python

from playwright.sync_api import sync_playwright

def create_stealth_browser():
    p = sync_playwright().start()
    browser = p.chromium.launch(
        headless=False,  # headed mode avoids many detections
        args=[
            "--disable-blink-features=AutomationControlled",
            "--no-first-run",
            "--no-default-browser-check",
        ]
    )
    context = browser.new_context(
        viewport={"width": 1920, "height": 1080},
        locale="en-US",
    )
    return browser, context

Add random delays between actions. Real users do not click links at machine speed.

For Medium Scale (1K-50K pages/day)

Patched browsers get expensive at this scale. Each browser instance needs 200-500 MB of RAM. At 50K pages per day, you are running 10-20 concurrent instances.

This is where most teams either build custom infrastructure or switch to a scraping API. The infrastructure approach means managing proxy rotation, browser pools, session handling, and monitoring. That is a product in itself.

For Large Scale (50K+ pages/day)

At this volume, the only approaches that make economic sense are dedicated scraping infrastructure or API services that have already solved these problems. The per-page cost needs to be under $0.001 to make the unit economics work.

AlterLab handles the browser fingerprinting, proxy rotation, and anti-bot bypass at this tier automatically. You send a URL, you get back data. The hard targets with JS rendering and anti-bot bypass cost more per request, but you are not paying for the easy ones at the same rate.

Quick Detection Test

Want to see how detectable your setup is? Check these:

javascript

// Run these in your headless browser console
console.log("webdriver:", navigator.webdriver);
console.log("plugins:", navigator.plugins.length);
console.log("languages:", navigator.languages);
console.log("platform:", navigator.platform);
console.log("hardwareConcurrency:", navigator.hardwareConcurrency);

If webdriver is true, plugins is 0, or hardwareConcurrency is undefined, you are getting caught at the most basic level.

The goal is not perfect stealth. The goal is passing enough checks that the anti-bot system classifies you as a low-risk visitor rather than an obvious bot.

Why Your Headless Browser Gets Detected (and How to Fix It)

The Detection Signals

navigator.webdriver

Chrome DevTools Protocol Markers

Missing Browser Plugins

Canvas and WebGL Fingerprints

TLS Fingerprint (JA3/JA4)

HTTP/2 Settings

The Realistic Fix Strategy

For Small Scale (under 1K pages/day)

For Medium Scale (1K-50K pages/day)

For Large Scale (50K+ pages/day)

Quick Detection Test

Yash Dubey

Related Articles

Selenium Bot Detection: Why You Get Caught and How to Avoid It

Web Scraping with Node.js and Puppeteer: The Complete 2026 Guide

How to Bypass Cloudflare Bot Protection with Puppeteer in 2026