How to Bypass Cloudflare When Web Scraping in 2026

Cloudflare sits between your scraper and the data you need. It checks TLS fingerprints, runs JavaScript challenges, analyzes browsing behavior, and throws Turnstile CAPTCHAs at anything that looks automated. Your standard Playwright or Selenium script gets blocked within seconds. The most effective approach in 2026 combines stealth browser automation with residential proxy rotation.

In this guide, we'll cover every current bypass technique with working Python code, from Nodriver and SeleniumBase UC Mode to curl-impersonate and production scaling strategies. Let's get started!

How to Bypass Anti-Bot Protection When Web Scraping

Learn how anti-bot systems detect scrapers and 5 universal bypass techniques including proxy rotation, fingerprinting, and fortified headless browsers.

Key Takeaways

• Bypass Cloudflare by combining stealth browser automation with residential proxy rotation and fingerprint management
• Use Nodriver (2026 recommended), SeleniumBase UC Mode, or Camoufox, all actively maintained and effective against current Cloudflare detection
• Avoid deprecated tools: puppeteer-stealth (discontinued February 2025) and undetected-chromedriver (superseded by Nodriver)
• Bypass without a browser using curl-impersonate for TLS-only protected pages (10x faster than headless Chrome)
• Handle Cloudflare Turnstile challenges through CAPTCHA solver services or prevention via good stealth techniques
• Counter per-customer ML models with varied behavior patterns, random timing, and natural navigation flows
• Scale bypass operations with self-hosted browser fleets, Selenium Grid, or managed cloud browser APIs
• Use IPv6 proxies from residential ISP allocations to avoid well-catalogued IPv4 reputation databases

What Is Cloudflare Bot Management?

Cloudflare Bot Management is a service that detects and blocks web scrapers and other automated traffic from accessing protected websites. It combines multiple detection techniques (TLS fingerprinting, IP reputation scoring, JavaScript challenges, behavior analysis, and Turnstile CAPTCHAs) into an overall trust score for every incoming request.

Based on this trust score, each request is either allowed through to the origin server, presented with a challenge (JavaScript or Turnstile CAPTCHA), or blocked entirely. The system continuously adjusts scores based on ongoing behavior, so a scraper that bypasses initial checks can still get blocked after sustained activity.

Understanding what Cloudflare checks is useful context, but if you're here to bypass it, the techniques below are where to start. We'll cover the detection theory later in this guide.

How to Bypass Cloudflare Bot Protection?

To bypass Cloudflare bot protection, you need stealth browser automation combined with proxy rotation and fingerprint management. Cloudflare blocks web scrapers through five detection layers: TLS fingerprinting, IP reputation analysis, JavaScript environment checks, behavior profiling, and Turnstile CAPTCHA challenges. Each technique below targets specific detection vectors, from JA3 fingerprint spoofing to navigator.webdriver patching and residential IP rotation. While raw Playwright or Puppeteer scripts get blocked within seconds, the tools below modify browser behavior at the driver level to evade detection.

How do I bypass Cloudflare with Nodriver? (2026 Recommended)

Cloudflare detects standard Selenium and Playwright browsers through the navigator.webdriver property and Chrome DevTools Protocol signatures. Nodriver, created by the original author of undetected-chromedriver, patches these detection vectors at the driver level. This makes automated Chrome look the same as manual browsing.

Unlike traditional Selenium-based solutions, Nodriver uses a different approach:

• No WebDriver patches needed - Built from scratch to avoid automation detection
• Direct Chrome DevTools Protocol - Communicates directly with Chrome without leaving traces
• Native stealth capabilities - Designed to be undetectable
• Active development - Continuously updated to counter new detection methods
• Better performance - Lower overhead than patched Selenium drivers

Nodriver Example for Cloudflare Bypass

First, install Nodriver:

pip install nodriver

Then run the following script to visit Scrapfly's browser fingerprint tool, which shows how the browser appears to anti-bot systems:

import asyncio
import nodriver as uc

async def scrape_cloudflare_protected_site():
    # Launch undetected Chrome browser
    browser = await uc.start()

    # Navigate to fingerprint checker to verify stealth obfuscation
    page = await browser.get('https://scrapfly.io/web-scraping-tools/browser-fingerprint')

    # Wait for Cloudflare challenge to complete automatically
    await page.sleep(5)

    # Save screenshot to verify fingerprint obfuscation
    await page.save_screenshot("fingerprint.png", format="png")

    # Extract content after bypass
    content = await page.get_content()
    print(content[:500])

    browser.stop()

# Run the scraper
asyncio.run(scrape_cloudflare_protected_site())

Nodriver saves a screenshot of the fingerprint tool so you can verify what signals Cloudflare sees from your browser. Nodriver's async architecture and native stealth make it the top choice for new web scraping projects in 2026, especially when dealing with Cloudflare and Turnstile challenges.

How do I use SeleniumBase UC Mode for Cloudflare?

Teams with existing Selenium test suites can't easily migrate to new frameworks. SeleniumBase UC Mode wraps Selenium's familiar API with Cloudflare-specific evasion, including automatic patching of browser fingerprints and CDP leak prevention.

• Tested in production - Used by many companies
• Built-in CAPTCHA helpers - Methods for handling Turnstile and other challenges
• Good documentation - Extensive examples and tutorials
• Regular updates - Rapid response to Cloudflare changes
• Easy migration - Drop-in replacement for standard Selenium
• Additional features - Automatic retries, session management, proxy rotation

SeleniumBase Example

First, install SeleniumBase:

pip install seleniumbase

Then run the following script to visit Scrapfly's browser fingerprint tool and save a screenshot:

from seleniumbase import SB

with SB(uc=True) as sb:  # uc=True enables undetected mode
    # Open fingerprint checker to verify stealth obfuscation
    sb.uc_open_with_reconnect("https://scrapfly.io/web-scraping-tools/browser-fingerprint", 4)

    # SeleniumBase automatically handles Cloudflare challenges
    sb.sleep(3)

    # Extract data after bypass
    title = sb.get_page_title()
    content = sb.get_page_source()

    # Save screenshot to verify fingerprint obfuscation
    sb.save_screenshot("fingerprint.png")

SeleniumBase saves a screenshot of the fingerprint tool so you can inspect what signals Cloudflare sees. SeleniumBase UC Mode is a great fit for production scraping operations where reliability matters, especially for teams already using Selenium.

Can Camoufox bypass Cloudflare's fingerprint detection?

Most bypass tools target Chromium, but some Cloudflare configurations specifically profile Chrome-based automation. Camoufox uses a modified Firefox build with genuine fingerprints, avoiding Chrome-centric detection patterns entirely.

• Firefox-based - Different fingerprint than Chrome-based tools
• Python-native - Built specifically for Python automation
• Anti-fingerprinting - Patches Firefox to prevent detection
• Lightweight - Lower resource usage than Chrome
• Real browser profile - Uses actual Firefox user profiles

Camoufox Example

First, install Camoufox and download the browser binary:

pip install camoufox
python -m camoufox fetch

Then run the following script to visit Scrapfly's browser fingerprint tool and save a screenshot:

from camoufox.sync_api import Camoufox

# Launch Camoufox with stealth settings
with Camoufox(
    headless=False,  # Use False for better success with Cloudflare
    humanize=True    # Enable human-like behavior
) as browser:
    # Create a new page
    page = browser.new_page()

    # Navigate to fingerprint checker to verify stealth obfuscation
    page.goto('https://scrapfly.io/web-scraping-tools/browser-fingerprint')

    # Wait for Cloudflare challenge
    page.wait_for_timeout(5000)

    # Save screenshot to verify fingerprint obfuscation
    page.screenshot(path="fingerprint.png")

    # Extract content
    content = page.content()
    print(content[:500])

Camoufox saves a screenshot of the fingerprint tool so you can verify the Firefox-based fingerprint it presents. Camoufox is particularly useful when Cloudflare detects Chrome-based solutions, or when you want to diversify your browser fingerprints across multiple scrapers.

Can I bypass Cloudflare without a browser?

Not every Cloudflare-protected page requires JavaScript execution. Some only check TLS fingerprints and HTTP headers. curl-impersonate reproduces exact TLS signatures of real browsers (JA3/JA4 hashes) at a fraction of the resource cost of running a full browser.

While curl-impersonate or similar clients like cURL limit the web scraping process due to the lack of parsing capabilities, it can be used to modify the TLS details of other HTTP clients in different programming languages. One such example is curl_cffi, an interface for curl-impersonate in Python.

Use Curl Impersonate to scrape as Chrome or Firefox

Learn how to prevent TLS fingerprinting by impersonating normal web browser configurations. We'll start by explaining what the Curl Impersonate is, how it works, how to install and use it. Finally, we'll explore using it with Python to avoid web scraping blocking.

How do I warm up a scraper to avoid Cloudflare blocks?

Cloudflare's behavior analysis flags scrapers that jump straight to target pages without natural browsing patterns. Warming up a session (visiting the homepage first, loading assets, accepting cookies) builds a legitimate browsing fingerprint before hitting protected endpoints.

In reality, most real users don't visit product URLs directly. They explore websites in steps like:

• Start with the homepage.
• Browse product categories.
• Search for a product.
• View the product page.

Prefixing scraping logic with this warmup behavior can make the scraper appear more human-like and boost trust scores with Cloudflare's behavior analysis.

Does rotating browser fingerprints help bypass Cloudflare?

Cloudflare tracks browser fingerprints across sessions. Reusing the same canvas hash, WebGL renderer, or screen resolution across hundreds of requests flags the session as automated. Rotating fingerprints from real-user datasets makes each session appear unique.

For sustained web scraping and Cloudflare bypass in 2026, headless browsers should constantly be blended with different, realistic fingerprint profiles: screen resolution, operating system, and browser type all play a key role in bypassing Cloudflare.

Each headless browser library can be configured to use different resolution and rendering capabilities. Distributing scraping through multiple realistic browser configurations can prevent Cloudflare from detecting the scraper.

For further details, see ScrapFly's browser fingerprint tool to observe how your browser looks to Cloudflare. It collects different details about the browser, which helps make web scrapers look like regular browsers.

Do IPv6 proxies work for bypassing Cloudflare?

Cloudflare's IP reputation databases are heavily weighted toward IPv4 addresses, where datacenter ranges are well-catalogued. IPv6 addresses from residential ISP allocations have minimal reputation history, making them less likely to trigger IP-based blocks.

Why IPv6 Works for Bypassing Cloudflare

• Less tracked by IP reputation systems - Many anti-bot systems focus on IPv4 reputation databases, while IPv6 tracking is less complete
• Large address space - IPv6's address space (340 undecillion addresses) makes building reputation databases and blocking individual IPs difficult
• Lower scrutiny - Some Cloudflare configurations don't monitor IPv6 traffic as strictly as IPv4
• Newer systems - IPv6 reputation scoring is less developed than IPv4 systems

Considerations When Using IPv6

While IPv6 can be advantageous, there are important limitations:

• Not universally supported - Not all proxy providers offer IPv6 addresses
• Target compatibility - The target website must support IPv6 connectivity (check with ping -6 example.com)
• Still requires other evasion - IPv6 alone isn't enough; combine with proper fingerprinting, headers, and behavior patterns
• Quality matters - Datacenter IPv6 addresses still have lower trust scores than residential ones

IPv6 Proxy Configuration Example

First, install httpx with HTTP/2 support:

pip install "httpx[http2]"

Then configure your IPv6 proxy. Use your proxy provider's IPv6 address and credentials in the proxy URL:

import httpx

# Replace with your proxy provider's IPv6 address and credentials
# IPv6 addresses must be enclosed in brackets in the URL
proxies = {
    "http://": "http://username:password@[2001:db8::1]:8080",
    "https://": "http://username:password@[2001:db8::1]:8080"
}

client = httpx.Client(
    proxies=proxies,
    headers={
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
    },
    http2=True
)

response = client.get("https://web-scraping.dev/products")
print(response.status_code)

IPv6 proxies work best when combined with residential proxy pools and proper browser fingerprinting. They're particularly effective for distributing load across a larger IP space to avoid rate limiting.

Legacy Tools (2024 and earlier): undetected-chromedriver has been superseded by Nodriver (same author, actively maintained). puppeteer-stealth was deprecated in Feb 2025 and no longer bypasses current Cloudflare versions. FlareSolverr relies on undetected-chromedriver internally and faces the same limitations. If you're using any of these, migrate to Nodriver or SeleniumBase UC Mode.

Framework Comparison

These techniques work for individual scraping sessions, but running 100+ concurrent bypass sessions requires production setup.

How do I scale Cloudflare bypass to production?

Running a single stealth browser session is straightforward. Scaling to hundreds or thousands of concurrent sessions adds operational complexity that goes beyond bypass techniques.

Browser Fleet Challenges

Production-scale Cloudflare bypass requires managing:

• CPU and RAM density - Each headless Chrome instance consumes ~500 MB RAM and heavy CPU. Running 100 concurrent sessions requires dedicated servers with proper resource allocation
• Session isolation - Browser instances must be fully isolated to prevent fingerprint leakage between sessions. Shared cookies, cache, or storage defeat the purpose of fingerprint rotation
• Crash recovery - Browsers crash. At scale, automated restart logic, health checks, and session state recovery become necessary
• Browser version pinning - Cloudflare detection evolves with browser versions. Your setup needs coordinated browser updates across all instances without downtime
• Proxy management - Managing proxy pools, rotation schedules, health checks, and geographic distribution across hundreds of sessions
• Observability - Monitoring success rates, detecting when bypass techniques degrade, and alerting on Cloudflare detection pattern changes

Scaling Approaches

For self-hosted deployments, container orchestration (Kubernetes, ECS) provides the most flexibility. Each browser session runs in its own container with isolated filesystem, network, and process space. Auto-scaling policies can adjust capacity based on queue depth or success rates.

For teams using Selenium Grid or Selenoid, the WebDriver protocol provides a standard interface but lacks built-in stealth capabilities. You'll need to layer Nodriver or SeleniumBase UC Mode on top, which adds complexity.

Remote Browser Connection

Managed cloud browser APIs handle all the setup for you. The connection pattern is the same across providers: standard CDP WebSocket:

# Remote browser connection works with any CDP-compatible provider
# This pattern applies to Scrapfly Cloud Browser, Browserless, etc.
# Replace the WebSocket URL with your provider's endpoint
from playwright.sync_api import sync_playwright

with sync_playwright() as p:
    # Connect to remote browser via standard CDP WebSocket
    browser = p.chromium.connect_over_cdp("wss://your-provider.example.com/browser")
    page = browser.new_page()
    page.goto("https://web-scraping.dev/products")
    content = page.content()
    print(content[:500])

For teams that want to skip the setup overhead, Scrapfly's Cloud Browser API provides pre-configured stealth browsers with built-in anti-detection and proxy rotation. Self-hosted alternatives like Browserless and Selenium Grid offer more control but require managing the bypass layer yourself.

To understand why these bypass techniques work, it helps to know exactly what Cloudflare is checking on every request.

How Does Cloudflare Detect Web Scrapers?

To detect web scrapers, Cloudflare uses different technologies to determine whether traffic is coming from a real user or an automated script for data extraction.

Anti-bot systems like Cloudflare combine the results of many different analyses and fingerprinting methods into an overall trust score. This score determines whether the HTTP requests are allowed to visit to the target web pages.

Based on the final trust score, the request has three possible fates:

• Proceed to the resource origin behind the firewall.
• Solve a CAPTCHA or computational JavaScript challenge.
• Get blocked entirely.

In addition to the above analyses, Cloudflare continuously tracks the HTTP requests' behavior and compares them with real users using machine learning and statistical models. This means the request may bypass Cloudflare a few times before getting blocked, as the trust score is likely to change.

TLS Fingerprinting

The TLS handshake is the initial procedure when a request is sent to a web server with an SSL certificate over the HTTPS protocol. During this process, the client and server negotiate the encrypted data to create a fingerprint called JA3.

Since HTTP clients differ in their capabilities and configuration, they create a unique JA3 fingerprint, which anti-bot solutions use to tell apart automated clients like web scrapers from real users using web browsers.

It's important to use HTTP clients performing TLS handshake similar to normal browsers and avoid those with easy-to-distinguish TLS patterns, as they can be instantly detected. For this, refer to ScrapFly's JA3 tool to calculate and adjust your TLS fingerprint.

For further details on TLS fingerprinting, refer to our dedicated guide.

How TLS Fingerprint is Used to Block Web Scrapers?

TLS fingeprinting is a popular way to identify web scrapers that not many developers are aware of. What is it and how can we fortify our scrapers to avoid being detected?

IP Address Fingerprinting

There are different factors affecting the IP address analysis process. This process starts with the IP address type, which can be either of the following:

• Residential
  Represents IP addresses assigned by ISPs for consumers browsing from home networks. Residential IP addresses have a positive trust score, as they are mostly associated with real users and expensive to acquire.

• Mobile
  Mobile IP addresses are assigned by cellular network towers. They have a positive trust score since they are associated with human traffic. Also, mobile IP addresses are automatically rotated to new ones during specified intervals, making them harder for anti-bot services to detect.

• Datacenter
  Represents IP addresses assigned by data centers, such as AWS, Google Cloud, and Azure. Data center IPs have a strong negative trust score, as they are mostly associated with automated scripts.

With IP address fingerprinting, Cloudflare can estimate the likelihood of the connecting client being a genuine real user. For example, human users rarely browse the internet through data center proxies. So web scrapers using such IPs are very likely to get blocked.

Another aspect of IP address analysis is the request rate. Anti-bot systems can detect IP addresses that exceed the defined threshold of requests and block them.

So, rotate residential or mobile proxies to prevent IP address fingerprinting from trusted proxy providers. For further details on IP addresses and their trust score calculation process, refer to our dedicated guide.

How to Avoid Web Scraper IP Blocking?

How IP addresses are used in web scraping blocking. Understanding IP metadata and fingerprinting techniques to avoid web scraper blocks.

HTTP Details

Most users browse the internet web pages through a few popular browsers, such as Chrome, Firefox, or Edge. These browsers expose their configuration through requests. So the HTTP requests' details become repeated, making it easy for anti-bot solutions to spot any outliers.

Headers

Request headers are a key part of any HTTP request details. Anti-bot systems use them to separate web scraping requests from those of normal browsers. So it's necessary to reverse engineer and replicate browser headers to avoid being blocked by Cloudflare protection. Here are common request headers to observe with HTTP requests.

Accept

Represents the response data type accepted by the HTTP client on the given request. It should match a common headless browser when scraping HTML pages. In other cases, it should match the resource's data type, such as application/json when scraping hidden APIs or text/xml for sitemaps:

# Chrome/Safari
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
# Firefox
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Match the Accept header to the browser you're impersonating. Chrome and Firefox use slightly different values.

Accept-Language

Indicates the supported browser language. Setting this header not only helps mimic real browser configuration but also helps set the web scraper localization settings:

# Firefox
en-US,en;q=0.5
# Chrome
en-US,en;q=0.9

Set this to match the locale of your target site. It also affects content localization.

User-Agent

The most popular header for web scrapers. It represents the client's rendering capabilities, including the device type, operating system, browser name, and version. This header is prone to identification, and it's important to rotate the User-Agent header for further scraper obfuscation:

# Chrome
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
# Firefox
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0

Rotate User-Agent strings across requests and keep them consistent with the TLS fingerprint you're using.

Cookie

The cookie header represents the cookie values sent by the request to the web server. While cookies in web scraping don't play a major role in HTTP fingerprinting, they keep the same website behavior of browser navigation when scraping. It can also contain specific values to authorize the requests:

Cookie: key=value; key2=value2; key3=key3

Cookies carry session state between requests. Reuse cookies from earlier page visits to maintain a consistent browsing session.

HTTP2

Another aspect of the HTTP details to observe is the protocol used. Most current websites and browsers operate over the HTTP2 protocol, while many HTTP clients are still tied to HTTP1.1, marking their sent requests as suspicious.

That being said, HTTP2 is provided in many HTTP clients, such as httpx and cURL, but it's not turned on by default. Use the HTTP2 fingerprint testing tool to make sure the data extraction requests use HTTP2.

So, turn on HTTP2 and make sure that the headers used match a common web browser to bypass Cloudflare while web scraping. For further details on HTTP headers and their role, refer to our dedicated guide.

How Headers Are Used to Block Web Scrapers and How to Fix It

Introduction to web scraping headers - what do they mean, how to configure them in web scrapers and how to avoid being blocked.

JavaScript Fingerprinting

JavaScript provides detailed information about connecting clients, which Cloudflare uses in its fingerprinting mechanisms. Since JavaScript allows arbitrary code to be executed on the client side, it can be used to extract different details about the client, such as:

• Javascript runtime details.
• Hardware details and capabilities.
• Operating system details.
• Web browser details.

Anti-bot services collect a lot of data about their clients from these signals.
Fortunately, JavaScript execution is time-consuming and prone to false positives. This means that a Cloudflare bot protection doesn't heavily count on JavaScript fingerprinting.

Theoretically, it's possible to reverse engineer the computational JavaScript challenges and solve them using scripts. However, such a solution requires many debugging hours, even for experienced developers. Plus, any modifications to the challenge algorithms will make the solving script outdated.

On the other hand, a much more accessible and common solution is to use a real web browser for web scraping. This can be approached using browser automation libraries, such as Selenium, Puppeteer, or Playwright.

So, introduce browser automation for the scraping pipeline to increase the trust score for a higher chance of Cloudflare bypass.

More advanced scraping tools can combine the capabilities of HTTP clients and web browsers to bypass Cloudflare. First, the browser requests the target web page to retrieve its session values and establish a trust score. Then, session values are reused with regular HTTP clients, such as httpx in Python and ScrapFly sessions feature.

For a more in-depth look, see our guide on JavaScript fingerprint role in terms of web scraping blocking.

How Javascript is Used to Block Web Scrapers? In-Depth Guide

Introduction to how javascript is used to detect web scrapers. What's in javascript fingerprint and how to correctly spoof it for web scraping.

Behavior Analysis & Machine Learning (2026 Update)

With all the different Cloudflare anti-bot detection techniques, the trust score is not a constant number and will be constantly adjusted with ongoing connection.

For example, a client can start the connection with a Cloudflare protected website with a trust score of 80. Then, the client requests 100 pages in just a few seconds. This will decrease the trust score, as it's not likely for normal users to request at such a high rate.

On the other hand, bots with human-like behavior can get a high trust score that can remain steady or even increase.

Per-Customer Machine Learning Models (2026)

As of 2025-2026, Cloudflare introduced per-customer defense systems for Enterprise Bot Management customers. These systems use machine learning models that automatically tune detection based on each website's specific traffic patterns:

• Custom Trust Scores - Each domain gets its own baseline of "normal" traffic, making generic bypass techniques less effective
• Adaptive Thresholds - The system learns what constitutes suspicious behavior for each specific website
• Residential Proxy Detection - Traffic pattern analysis can detect residential proxies used by scrapers, even if they have good IP reputation
• Session Consistency Checks - Cloudflare tracks behavior consistency across requests within the same session
• Pattern Recognition - Machine learning models continuously update to detect new evasion techniques

Traffic Pattern Analysis

Modern Cloudflare protection analyzes:

• Request sequencing - Do requests follow logical navigation patterns?
• Timing consistency - Are delays between requests perfectly regular (bot-like) or naturally variable?
• Resource loading patterns - Does the client load CSS, images, and fonts like a real browser?
• Mouse and keyboard interaction - Are there natural pauses, movements, and interaction patterns?
• Session behavior - Does the session exhibit exploration behavior or targeted data extraction?

Evading Advanced Behavior Detection

To bypass 2026 behavior analysis, you need to distribute web scraper traffic through multiple agents and techniques:

• Add random timeouts between requests (2-5 seconds with ±500 ms randomness)
• Rotate User-Agent headers with matching TLS/HTTP fingerprints
• Randomize viewport and browser settings across sessions
• Mimic mouse moves and keyboard clicks when using headless browsers
• Follow natural navigation flows (homepage → category → search → product)
• Maintain session consistency - don't change fingerprints mid-session
• Load page resources naturally - fetch CSS, JS, images like a real browser
• Vary request timing - avoid perfectly regular intervals

When Cloudflare's detection catches your scraper, you'll encounter one of these specific error codes.

Common Cloudflare Errors When Scraping

When your scraper hits Cloudflare, you'll encounter specific error codes. Here's what each means and which bypass technique addresses it.

For a detailed explanation of the 1015 error code, see our guide on Error 1015.

Troubleshooting

If your Cloudflare bypass isn't working, use this decision tree to diagnose the issue. Each symptom maps to a specific cause and solution.

General Debugging Steps

1. Check your TLS fingerprint first - Use ScrapFly's JA3 tool to verify your client's TLS signature matches a real browser. A mismatched JA3 hash gets blocked before any other check runs.

2. Verify HTTP2 is active - Many HTTP clients default to HTTP1.1. Cloudflare flags HTTP1.1 traffic as suspicious since all modern browsers use HTTP2. Check with the HTTP2 fingerprint tool.

3. Test with a single request first - Before scaling, confirm your bypass works for one request. If a single request fails, scaling won't help. Fix the fingerprint or tool configuration first.

4. Monitor success rates over time - Cloudflare pushes detection updates continuously. A working bypass can break without code changes on your side. Track success rates and alert when they drop below a threshold.

5. Check for Cloudflare trace headers - Look for cf-ray, server: cloudflare, and __cfuid cookies in responses. Their presence confirms Cloudflare is active on the target site.

If you'd rather skip this complexity, managed bypass services handle detection evasion automatically.

Bypass Cloudflare with ScrapFly

Bypassing Cloudflare protection is difficult. Let Scrapfly do it for you.

It takes Scrapfly several full-time engineers to maintain this system, so you don't have to.

Here's how to scrape Cloudflare-protected pages using ScrapFly. Set the asp parameter and select a proxy pool and country:

ScrapFly Example

First, install the ScrapFly SDK:

pip install scrapfly-sdk

Then swap your HTTP client for ScrapFly to bypass Cloudflare automatically:

# standard web scraping code
import httpx
from parsel import Selector

response = httpx.get("https://web-scraping.dev/products")
selector = Selector(response.text)

# with ScrapFly, it becomes:
from scrapfly import ScrapeConfig, ScrapflyClient

# replaces your HTTP client (httpx in this case)
scrapfly = ScrapflyClient(key="YOUR_SCRAPFLY_API_KEY")

response = scrapfly.scrape(ScrapeConfig(
    url="https://web-scraping.dev/products",
    asp=True,  # enable anti-scraping protection bypass
    country="US",  # set the proxy location to a specific country
    proxy_pool="public_residential_pool",  # select a proxy pool
    render_js=True  # enable JavaScript rendering for dynamic content
))

# use the built-in Parsel selector
selector = response.selector
# access the HTML content
html = response.scrape_result['content']
print(html[:500])

Scrapfly is easily accessible using Python and Typescript SDKs.

FAQ

How do I bypass the Cloudflare rule when scraping?

Combine a stealth browser (Nodriver or SeleniumBase UC Mode) with residential proxy rotation. This covers all five detection layers: TLS fingerprinting, IP reputation, JavaScript checks, behavior analysis, and Turnstile challenges.

How do I stop being blocked by Cloudflare?

Each error code has a specific fix: residential proxies for 1020 (IP blocks), random delays for 1015 (rate limiting), and stealth browsers like Nodriver for 1010 (fingerprint detection).

Which tool should I use for Cloudflare bypass in 2026?

Nodriver for general Python scraping, SeleniumBase UC Mode for existing Selenium teams, Camoufox for Firefox-based fingerprinting, and curl-impersonate for TLS-only bypass without JavaScript execution.

Why did my Puppeteer-stealth script stop working?

puppeteer-stealth was deprecated in February 2025 and no longer bypasses current Cloudflare detection. Migrate to Nodriver (Python) or Playwright with an actively-maintained stealth plugin.

Does Cloudflare detect headless browsers?

Yes. Cloudflare checks navigator.webdriver, probes for missing browser APIs, and runs fingerprint consistency tests. Tools like Nodriver and SeleniumBase UC Mode patch these detection vectors to make headless browsers look like manual browsing.

What is the best free Cloudflare bypass tool?

Nodriver for Python and rebrowser-patches for Node.js. Both are free, open-source, and actively maintained. They cover the majority of Cloudflare-protected sites.

Can I bypass Cloudflare without a browser?

For some sites, yes. curl-impersonate replicates real browser TLS fingerprints (JA3/JA4 hashes) at ~50 MB RAM vs ~500 MB for headless Chrome. It works when Cloudflare only checks TLS, but fails against JavaScript challenges or Turnstile.

How often does Cloudflare update its bot detection?

Cloudflare pushes detection updates continuously. Major changes happen roughly quarterly, minor tuning weekly. If your scraper stops working, check for tool updates before debugging your code.

Summary

In this article, we've covered how to bypass Cloudflare anti-bot protection when web scraping in 2026. We've explored the five detection layers (TLS fingerprinting, IP reputation analysis, JavaScript challenges, behavior profiling, and Turnstile CAPTCHAs) and how each bypass technique targets specific detection vectors.

Key bypass strategies covered:

• Using stealth browsers like Nodriver (recommended), SeleniumBase UC Mode, and Camoufox that patch automation signatures at the driver level
• Bypassing without a browser using curl-impersonate for TLS-only protected pages at 10x the speed
• Rotating residential and IPv6 proxies to avoid IP-based blocking and distribute load effectively
• Warming up scrapers with natural browsing patterns to defeat behavior analysis
• Rotating browser fingerprints across sessions to prevent cross-session tracking
• Scaling to production with self-hosted browser fleets or managed cloud browser APIs
• Avoiding deprecated tools like puppeteer-stealth and undetected-chromedriver in favor of actively maintained alternatives
• Using managed services like ScrapFly that handle all bypass logic automatically, including Turnstile challenges

The Cloudflare bypass space continues to evolve with per-customer ML models and improved behavior analysis. Stay updated with the latest tool releases and monitor your scraper success rates to catch detection changes early.