     [Blog](https://scrapfly.io/blog)   /  [blocking](https://scrapfly.io/blog/tag/blocking)   /  [How Anti-Bot Detection Works](https://scrapfly.io/blog/posts/how-anti-bot-detection-works)   # How Anti-Bot Detection Works

 by [Hisham Medhat](https://scrapfly.io/blog/author/hisham) Jul 07, 2026 17 min read [\#blocking](https://scrapfly.io/blog/tag/blocking) 

 [  ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Fhow-anti-bot-detection-works "Share on LinkedIn")    

 

 

         

   **Web Scraping API — Anti-Bot Bypass**Bypass any anti-scraper system and automatically resolve JavaScript and fingerprint challenges.

 

 [ Learn More  ](https://scrapfly.io/products/web-scraping-api#features) [  Docs ](https://scrapfly.io/docs/scrape-api/getting-started#features) 

 

 

Anti-bot systems silently evaluate every web request you send before you see a single byte of content. Each visitor gets a trust score based on dozens of signals collected across five detection layers. Score high enough, and the page loads normally. Score too low, and you face a CAPTCHA wall or an outright block.

In this guide, we'll explain the five detection layers anti-bot systems use: TLS fingerprinting, IP reputation analysis, HTTP fingerprinting, JavaScript fingerprinting, and behavior analysis. You'll learn how each layer contributes to a trust score and how Cloudflare, DataDome, and Akamai combine these layers differently. Let's get started.

[How to Know What Anti-Bot Service a Website is Using?In this article we'll take a look at two popular tools: WhatWaf and Wafw00f which can identify what WAF service is used.](https://scrapfly.io/blog/posts/how-to-know-what-anti-bot-website-uses)

## Key Takeaways

Anti-bot systems combine multiple detection layers into a probabilistic trust score rather than making binary bot-or-human decisions. Understanding each layer helps you build more resilient scrapers and debug why requests get blocked.

- Anti-bot systems compute a continuous trust score from multiple signals, not a simple yes/no bot check
- TLS/JA3 fingerprinting catches scrapers at the connection level before any HTTP data is exchanged
- IP reputation analysis classifies addresses by type (residential, datacenter, VPN) and checks historical behavior
- HTTP and HTTP/2 fingerprinting examines header order, pseudo-header order, and protocol settings that most HTTP libraries get wrong
- JavaScript fingerprinting collects canvas, WebGL, font, and navigator data to verify real browser environments
- Behavior analysis tracks mouse movements, scroll patterns, and timing to tell human interaction from automation
- Cloudflare, DataDome, and Akamai each weigh these layers differently, so bypassing one system doesn't guarantee success against another

**Get web scraping tips in your inbox**Trusted by 100K+ developers and 30K+ enterprises. Unsubscribe anytime.





## Introduction to Bot Detection

Anti-bot detection isn't a single test. Modern systems run multiple checks in parallel and combine the results into one trust score. Each detection layer examines a different aspect of the incoming connection and contributes a sub-score to the final result.

### What is a "Trust Score"?

Anti-bot systems don't make binary bot-or-human decisions. Instead, they compute a continuous trust score from multiple signals collected during a request. Each detection method contributes a positive or negative weight to the overall score.

A request with a legitimate TLS fingerprint, a residential IP, correct HTTP headers, and valid JavaScript responses scores high. A request from a datacenter IP with a Python TLS fingerprint but perfect HTTP headers scores in the middle. The trust score determines what happens next:

- **Pass**: The score exceeds the upper threshold. The visitor sees the page with no interruptions
- **Challenge**: The score falls in the gray zone. The visitor gets a CAPTCHA or JavaScript challenge to prove human presence
- **Block**: The score falls below the lower threshold. The visitor receives a 403 error or a block page

Different websites configure these thresholds based on their tolerance for risk. A news site might set loose thresholds to maximize traffic. An e-commerce checkout page sets tight thresholds to prevent fraud.

### Why Detection is Probabilistic, Not Deterministic

No single signal is conclusive on its own. A datacenter IP might belong to a corporate VPN. A missing canvas fingerprint might come from a privacy-focused browser with hardware acceleration disabled. An unusual TLS fingerprint might be a niche browser or an outdated device.

Anti-bot systems optimize for two competing error rates. Blocking real users (false positives) costs the website revenue and frustrates customers. Letting bots through (false negatives) enables scraping, fraud, and abuse. Every system tunes these thresholds based on the website's priorities.

The probabilistic approach is why sophisticated scrapers can succeed. By staying within the "plausible human" range across all signals, a scraper can accumulate enough trust to pass. But falling short on even two or three layers often pushes the score below the challenge threshold.

Now let's examine each detection layer in detail, starting with the first check that happens before any HTTP data gets exchanged.

## TLS/JA3 Fingerprinting

TLS fingerprinting is the first detection layer a request hits. Before the client and server exchange any HTTP headers or page content, they perform a TLS handshake to establish an encrypted connection. The way a client performs the handshake creates a unique fingerprint that reveals what software made the request.

During the handshake, the client sends a "Client Hello" message with several configurable values:

- **Cipher suites**: The list of encryption algorithms the client supports, in priority order
- **TLS extensions**: Features the client supports, like server name indication (SNI) and application-layer protocol negotiation (ALPN)
- **Supported TLS versions**: Which protocol versions the client can use (TLS 1.2, 1.3)
- **Elliptic curves and point formats**: The cryptographic curves the client supports

### How JA3 Hashing Works

The JA3 fingerprinting technique hashes these values into a short string that uniquely identifies the TLS client configuration. Every HTTP client produces a distinct JA3 hash. Chrome on Windows produces one hash. Firefox on macOS produces another. Python's `requests` library produces yet another that doesn't match any real browser.

### Why TLS Fingerprinting Catches Scrapers

Here's why TLS fingerprinting catches so many scrapers: you can set perfect HTTP headers, use a real Chrome User-Agent string, and rotate residential proxies. But if the TLS fingerprint comes from Python's `ssl` module instead of a real browser, anti-bot systems flag the request instantly. The same scraper with identical headers works fine on sites without JA3 checks but gets blocked on sites that use JA3 validation.

Anti-bot systems maintain databases of known-good browser JA3 hashes and compare each incoming connection against them. A mismatch between the claimed User-Agent (Chrome 120) and the actual TLS fingerprint (Python/urllib3) sends a strong negative signal. Even headless browsers like vanilla Puppeteer produce slightly different TLS fingerprints than real Chrome installations.

### JA4: The Next Generation

JA4 is the next evolution of TLS fingerprinting. JA4 captures more detailed handshake information, including ALPN values and signature algorithms. JA4 fingerprints are harder to spoof because they encode more data points that vary between implementations.

For a detailed look at how [TLS fingerprinting blocks web scrapers](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-tls), see our dedicated guide. You can also [check your JA3/JA4 fingerprint](https://scrapfly.io/web-scraping-tools/ja3-fingerprint) with Scrapfly's free tool or explore [Curl Impersonate for TLS impersonation](https://scrapfly.io/blog/posts/curl-impersonate-scrape-chrome-firefox-tls-http2-fingerprint).

With TLS fingerprinting covered, let's look at the next signal anti-bot systems evaluate: the IP address itself.

## IP Reputation Analysis

IP reputation is one of the oldest and most reliable detection signals. Anti-bot systems classify every incoming IP address and check its history before evaluating any other request data.

IP addresses fall into several trust tiers:

- **Residential IPs**: Assigned by ISPs to home users. Carry the highest trust because real users browse from residential connections
- **Mobile IPs**: Assigned by cellular carriers. Also high trust, often shared across many users through carrier-grade NAT
- **Datacenter IPs**: Assigned by cloud providers like AWS, GCP, and Azure. Low trust because legitimate users rarely browse the web from a datacenter
- **VPN/proxy IPs**: Known VPN exit nodes and proxy services. Low to medium trust depending on the provider's reputation

### Blocklists and Rate Signals

Anti-bot systems maintain blocklists at multiple levels:

- **ASN-level blocks** target entire hosting providers
- **Subnet-level blocks** catch IP ranges tied to scraping activity
- **Individual IP blocks** target addresses with a history of abuse

These databases update continuously as new IPs get flagged and old ones rotate back into clean status.

Rate-based signals add another dimension to IP analysis. Anti-bot systems track request frequency, burst patterns, and geographic consistency for each IP. A residential IP that sends 100 requests per minute triggers rate limiting even though the IP type carries high trust. An IP that appears to come from two different countries within seconds raises an immediate flag.

### Cross-Signal Correlation

Cross-signal correlation makes IP reputation even more powerful. A datacenter IP paired with a Chrome browser fingerprint is more suspicious than a residential IP with the same fingerprint. Real Chrome users don't browse from AWS instances. When the IP type contradicts the browser identity, anti-bot systems apply a large trust penalty.

For strategies on managing IP reputation while scraping, see our guide on [avoiding IP-based blocking](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-ip-addresses) and [rotating proxies for web scraping](https://scrapfly.io/blog/posts/how-to-rotate-proxies-in-web-scraping).

IP analysis happens alongside the next detection layer: HTTP fingerprinting.

## HTTP/HTTP2 Fingerprinting

HTTP fingerprinting examines the structure and content of HTTP requests for signals that reveal the client software. While most developers focus on setting the right headers, anti-bot systems look deeper at patterns that are harder to control.

### Header Order

Header order is one of the strongest HTTP fingerprinting signals. Real browsers send headers in a consistent, predictable order. Chrome always sends headers in one sequence, and Firefox in another. Most HTTP libraries send headers in a different order than any real browser, and many developers don't realize header order is even observable.

### HTTP/2 Settings and Pseudo-Headers

HTTP/2 adds several more fingerprinting opportunities. When a client establishes an HTTP/2 connection, it sends a settings frame that configures parameters like initial window size, max concurrent streams, and header table size. Each HTTP client uses different default values for these settings, and anti-bot systems catalog the expected values for real browsers.

HTTP/2 pseudo-headers (`:method`, `:authority`, `:scheme`, `:path`) appear before regular headers. The order of these pseudo-headers varies between implementations. Chrome sends them in one order, and curl sends them in another. Most HTTP libraries don't give developers control over pseudo-header ordering.

### Priority Frames

Priority frames in HTTP/2 also differ between clients. Real browsers use specific stream prioritization strategies that vary by browser vendor. Automation tools and HTTP libraries either skip priority frames entirely or use default values that don't match any real browser.

Together, these signals create an HTTP fingerprint that's difficult to fake. Even if you set every header correctly, the order, the HTTP/2 settings, and the pseudo-header sequence can still reveal the underlying HTTP client. Libraries like Curl Impersonate exist to replicate these low-level HTTP/2 behaviors.

[How Headers Are Used to Block Web Scrapers and How to Fix ItIntroduction to web scraping headers - what do they mean, how to configure them in web scrapers and how to avoid being blocked.](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-headers)

HTTP fingerprinting catches scrapers at the protocol level. The next layer moves into the browser itself.

## JavaScript Fingerprinting

JavaScript fingerprinting runs code in the browser to collect dozens of data points about the client. Unlike TLS and HTTP fingerprinting, JavaScript fingerprinting requires a browser (or something that behaves like one) to execute.

Anti-bot systems inject JavaScript challenges that probe the browser environment and collect signals across several categories:

- **Canvas fingerprinting**: Draws hidden graphics and reads back pixel data. Different GPUs, drivers, and OS combinations produce unique rendering results
- **WebGL fingerprinting**: Queries the GPU renderer, vendor, and supported extensions. Each hardware and driver combination returns distinct values
- **Font enumeration**: Checks which system fonts are installed. Different operating systems and configurations have different font sets
- **Navigator properties**: Reads `navigator.webdriver`, `navigator.plugins`, `navigator.languages`, and other properties that differ between real browsers and automation tools
- **Screen and window properties**: Checks screen resolution, window dimensions, color depth, and device pixel ratio for consistency with the claimed User-Agent

### Cross-Referencing Signals

JavaScript fingerprinting becomes effective when cross-referencing these signals. A request claiming to be Chrome on Windows should return Windows-specific fonts, a DirectX-compatible WebGL renderer, and `navigator.platform` set to "Win32". If the canvas fingerprint matches a Linux GPU driver or `navigator.webdriver` returns `true`, the system applies a heavy trust penalty.

### Headless Browser Detection

Headless browsers present a specific challenge. Default Playwright, Puppeteer, and Selenium configurations leak dozens of automation markers. Properties like `navigator.webdriver`, missing plugin arrays, and absent Chrome runtime objects all signal automation. Stealth plugins exist to patch these leaks, but anti-bot systems continuously discover new detection vectors.

For a detailed look at what browser fingerprints reveal, see our guide on [browser fingerprinting with CreepJS](https://scrapfly.io/blog/posts/browser-fingerprinting-with-creepjs) and [avoiding JavaScript-based blocking](https://scrapfly.io/blog/posts/how-to-avoid-web-scraping-blocking-javascript).

JavaScript fingerprinting verifies that the browser environment is genuine. But even a real browser can be automated, which is where the final detection layer comes in.

## Behavior Analysis &amp; Machine Learning

Behavior analysis is the most advanced detection layer. Unlike fingerprinting methods that examine static properties, behavior analysis watches how a visitor interacts with the page over time. ML models trained on millions of real user sessions score each visitor's behavior against known patterns.

Anti-bot systems track several behavior signals:

- **Mouse movements**: Real users move the mouse in curved, variable-speed paths. Bots either skip mouse events entirely or generate suspiciously straight, uniform trajectories
- **Scroll patterns**: Humans scroll in irregular bursts with pauses. Automated scrolling tends to be smooth and constant
- **Click timing**: Real users show variable intervals between clicks. Automation frameworks produce consistent, machine-precise timing
- **Keystroke dynamics**: Typing speed, pauses between words, and error corrections create a rhythm that's difficult to simulate
- **Navigation flow**: Real users browse in unpredictable sequences. Bots follow systematic, depth-first crawling patterns that visit every link in order

### ML-Powered Scoring

Machine learning models combine these behavior signals with fingerprinting data from earlier layers. A visitor with a perfect browser fingerprint but robotic mouse movements gets a lower trust score than a visitor with a slightly unusual fingerprint but natural interaction patterns.

### Session-Level Analysis

Session-level analysis extends behavior detection beyond single requests. Anti-bot systems track how a visitor navigates across multiple pages, how long they spend on each page, and whether the browsing pattern matches typical human activity. A visitor that loads 50 product pages in 60 seconds without scrolling displays obvious bot behavior, regardless of how good the technical fingerprint looks.

The ML models that power behavior analysis improve continuously. They train on new bot patterns as they're discovered and adapt to changes in user behavior. This ongoing evolution makes behavior analysis the hardest detection layer to defeat consistently.

Now that we've covered all five detection layers individually, let's see how the major anti-bot systems combine them.

## How Each System Implements Detection

Each anti-bot vendor weighs the five detection layers differently based on their architecture and philosophy. Understanding these differences helps explain why a scraper might work against one system but fail against another.

### Cloudflare

Cloudflare processes more web traffic than any other anti-bot system, which gives the Cloudflare network an enormous dataset for training detection models. Cloudflare's bot management relies heavily on JavaScript challenges and machine learning. When a visitor hits a Cloudflare-protected site, the edge network evaluates TLS fingerprints and IP reputation before the request reaches the origin server.

For suspicious requests, Cloudflare serves a JavaScript challenge (the "Checking your browser" interstitial) that collects browser fingerprint data and behavior signals. Cloudflare's strength is scale. The network sees enough traffic to build detailed models of normal behavior for each protected site. Cloudflare also uses turnstile challenges as a progressive escalation when JavaScript challenges alone aren't conclusive.

For system-specific bypass strategies, see our guide on [bypassing Cloudflare's anti-scraping](https://scrapfly.io/blog/posts/how-to-bypass-cloudflare-anti-scraping).

### DataDome

DataDome focuses on real-time behavior analysis more than most competitors. DataDome's detection engine processes each request in under 2 milliseconds and makes blocking decisions at the edge. DataDome places heavy weight on TLS/JA3 fingerprinting and JavaScript challenges that collect detailed browser environment data.

DataDome's standout feature is the depth of behavior analysis the system performs. DataDome tracks mouse dynamics, scroll behavior, and interaction patterns in detail. DataDome also correlates signals across sessions, so a bot that rotates IPs but keeps the same browser fingerprint and behavior patterns still gets flagged.

Learn more in our [DataDome bypass guide](https://scrapfly.io/blog/posts/how-to-bypass-datadome-anti-scraping).

### Akamai

Akamai's Bot Manager uses sensor data collected by a client-side JavaScript SDK. The Akamai sensor script generates an encrypted payload containing dozens of browser and behavior data points. Akamai decrypts and analyzes the payload server-side to compute a trust score.

Akamai's detection relies heavily on the integrity of the sensor payload. Tampering with or replaying old sensor data triggers an immediate block. Akamai also maintains extensive IP reputation databases drawn from the company's massive CDN network.

See our [Akamai bypass guide](https://scrapfly.io/blog/posts/how-to-bypass-akamai-anti-scraping) for detailed strategies.

[How to Bypass Anti-Bot Protection When Web ScrapingLearn how anti-bot systems detect scrapers and 5 universal bypass techniques including proxy rotation, fingerprinting, and fortified headless browsers.](https://scrapfly.io/blog/posts/how-to-bypass-anti-bot-protection-when-web-scraping)

## Evolution of Detection (2020-2026)

Anti-bot detection has evolved rapidly. Each year brings new techniques that raise the bar for scraper sophistication.

**2020-2021: The TLS fingerprinting era.** JA3 fingerprinting moved from academic research to production deployment across major anti-bot vendors. Before JA3 adoption, most detection relied on IP reputation and basic header analysis. JA3 fingerprinting closed the gap for HTTP-library-based scrapers that could set headers correctly but couldn't control TLS behavior.

**2022: HTTP/2 fingerprinting becomes standard.** Anti-bot systems started examining HTTP/2 settings frames, pseudo-header order, and priority signals in addition to TLS fingerprints. Tools like Curl Impersonate emerged to help scrapers match both TLS and HTTP/2 fingerprints of real browsers. Detection also became more detailed, with systems tracking specific browser version fingerprints rather than only browser family.

**2023: Behavior analysis goes mainstream.** DataDome, PerimeterX (now HUMAN Security), and Cloudflare all expanded their behavior analysis capabilities. Mouse movement tracking, keystroke dynamics, and session-level behavior modeling became standard features. Stealth browser projects like Camoufox and undetected-chromedriver gained popularity in response.

**2024: Machine learning models mature.** Anti-bot systems deployed larger ML models trained on years of bot and human behavior data. These models could identify subtle patterns like consistent TCP window sizes and specific JavaScript execution timing. The JA3 creators introduced JA4 fingerprinting as a more detailed successor.

**2025-2026: Cross-layer correlation and AI-driven detection.** Modern anti-bot systems correlate signals across all five layers at once. A minor anomaly in any single layer doesn't trigger a block, but minor anomalies across TLS, HTTP, and JavaScript layers add up. AI models now score the overall consistency of a visitor's profile rather than checking each layer independently.

The pace of evolution shows no signs of slowing. Each new detection technique pushes the scraping ecosystem to develop more sophisticated tools, which in turn drives the next generation of detection.

## Scraping Anti-Bot Protected Websites with Scrapfly



scrapfly middlewareScrapfly handles all five detection layers automatically. Scrapfly's Anti-Scraping Protection (ASP) manages TLS fingerprint matching, IP rotation with residential proxies, HTTP/2 fingerprint alignment, JavaScript rendering with fortified browsers, and behavior simulation. You send a standard API request, and Scrapfly handles the bypass behind the scenes.

Scrapfly supports all major anti-bot systems including Cloudflare, DataDome, Akamai, PerimeterX, and Kasada. The API identifies the protection system on the target website and applies the right bypass strategy. No manual configuration or fingerprint tuning needed.

For production scraping at scale, Scrapfly eliminates the ongoing maintenance burden of keeping up with detection evolution. As anti-bot systems update their detection methods, Scrapfly updates its bypass techniques so your scrapers don't break.

### Power your scraping with Scrapfly

Forget about getting blocked. Scrapfly handles anti-bot bypasses, browser rendering, and proxy rotation so you can focus on the data.



[Try for FREE!](https://scrapfly.io/register)





## FAQ

What is the most effective bot detection method?No single method is most effective on its own. Modern anti-bot systems combine TLS fingerprinting, IP reputation, HTTP analysis, JavaScript challenges, and behaviour tracking into a layered trust score. The combination of all five layers is far more effective than any individual method.







Can anti-bot systems detect headless browsers?Yes. Default headless browser configurations leak automation markers through properties like `navigator.webdriver`, missing plugins, and inconsistent canvas fingerprints. Stealth plugins patch many of these markers, but anti-bot systems continuously discover new detection vectors.







Why does my scraper work on some sites but not others?Different sites use different anti-bot systems with different detection thresholds. Your scraper might pass sites that only check IP reputation and headers, but fail on sites that also validate TLS fingerprints or run JavaScript challenges.









## Summary

Anti-bot detection works by combining five layers into a probabilistic trust score. TLS fingerprinting catches scrapers at the connection level. IP reputation analysis evaluates the source address. HTTP fingerprinting examines protocol-level details that most libraries get wrong. JavaScript fingerprinting verifies the browser environment. Behavior analysis watches how visitors interact with the page.

Each major anti-bot system weighs these layers differently. Cloudflare uses its massive network for ML-driven detection. DataDome prioritizes real-time behavior analysis. Akamai relies on encrypted sensor payloads. Understanding which layers each system emphasizes helps you focus your bypass efforts.

Detection has evolved from simple IP blocklists to AI-driven cross-layer correlation. The five detection layers described in this guide remain the foundation, but the sophistication of how systems combine and score these signals continues to increase every year.

Legal Disclaimer and PrecautionsThis tutorial covers popular web scraping techniques for education. Interacting with public servers requires diligence and respect:

- Do not scrape at rates that could damage the website.
- Do not scrape data that's not available publicly.
- Do not store PII of EU citizens protected by GDPR.
- Do not repurpose *entire* public datasets which can be illegal in some countries.

Scrapfly does not offer legal advice but these are good general rules to follow. For more you should consult a lawyer.



 

   Table of Contents















 

  Table of Contents- [Key Takeaways](#key-takeaways)
- [Introduction to Bot Detection](#introduction-to-bot-detection)
- [What is a "Trust Score"?](#what-is-a-trust-score)
- [Why Detection is Probabilistic, Not Deterministic](#why-detection-is-probabilistic-not-deterministic)
- [TLS/JA3 Fingerprinting](#tls-ja3-fingerprinting)
- [How JA3 Hashing Works](#how-ja3-hashing-works)
- [Why TLS Fingerprinting Catches Scrapers](#why-tls-fingerprinting-catches-scrapers)
- [JA4: The Next Generation](#ja4-the-next-generation)
- [IP Reputation Analysis](#ip-reputation-analysis)
- [Blocklists and Rate Signals](#blocklists-and-rate-signals)
- [Cross-Signal Correlation](#cross-signal-correlation)
- [HTTP/HTTP2 Fingerprinting](#http-http2-fingerprinting)
- [Header Order](#header-order)
- [HTTP/2 Settings and Pseudo-Headers](#http-2-settings-and-pseudo-headers)
- [Priority Frames](#priority-frames)
- [JavaScript Fingerprinting](#javascript-fingerprinting)
- [Cross-Referencing Signals](#cross-referencing-signals)
- [Headless Browser Detection](#headless-browser-detection)
- [Behavior Analysis &amp;amp; Machine Learning](#behavior-analysis-amp-machine-learning)
- [ML-Powered Scoring](#ml-powered-scoring)
- [Session-Level Analysis](#session-level-analysis)
- [How Each System Implements Detection](#how-each-system-implements-detection)
- [Cloudflare](#cloudflare)
- [DataDome](#datadome)
- [Akamai](#akamai)
- [Evolution of Detection (2020-2026)](#evolution-of-detection-2020-2026)
- [Scraping Anti-Bot Protected Websites with Scrapfly](#scraping-anti-bot-protected-websites-with-scrapfly)
- [Power your scraping with Scrapfly](#power-your-scraping-with-scrapfly)
- [FAQ](#faq)
- [Summary](#summary)
 
    Join the Newsletter  Get monthly web scraping insights 

 

  



Scale Your Web Scraping

Anti-bot bypass, browser rendering, and rotating proxies, all in one API. Start with 1,000 free credits.

  No credit card required  1,000 free API credits  Anti-bot bypass included 

 [Start Free](https://scrapfly.io/register) [View Docs](https://scrapfly.io/docs/onboarding) 

 Not ready? Get our newsletter instead. 

 

## Explore this Article with AI

 [ ChatGPT ](https://chat.openai.com/?q=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Fhow-anti-bot-detection-works) [ Gemini ](https://www.google.com/search?udm=50&aep=11&q=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Fhow-anti-bot-detection-works) [ Grok ](https://x.com/i/grok?text=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Fhow-anti-bot-detection-works) [ Perplexity ](https://www.perplexity.ai/search/new?q=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Fhow-anti-bot-detection-works) [ Claude ](https://claude.ai/new?q=Summarize%20this%20page%3A%20https%3A%2F%2Fscrapfly.io%2Fblog%2Fposts%2Fhow-anti-bot-detection-works) 



 ## Related Articles

 [  

 blocking 

### How to Bypass Cloudflare When Web Scraping in 2026

Cloudflare offers one of the most popular anti scraping service, so in this article we'll take a look how it works and h...

 

 ](https://scrapfly.io/blog/posts/how-to-bypass-cloudflare-anti-scraping) [     

 python blocking 

### How Cloudflare Detects Bots: TLS, HTTP/2, Canvas, and Turnstile Explained

Learn how Cloudflare detects bots using TLS, HTTP/2, Canvas, WebGL, behavioral analysis, and Turnstile, plus how to scra...

 

 ](https://scrapfly.io/blog/posts/how-cloudflare-detects-bots) [     

### TLS Cipher Suites in Web Scraping

Learn how TLS cipher suites affect both transport security and scraper detection, with practical JA3/JA4 guidance, refer...

 

 ](https://scrapfly.io/blog/posts/tls-cipher-suites-in-web-scraping) 

  ## Related Questions

- [ Q Web scraping - what is HTTP 429 status code? ](https://scrapfly.io/blog/answers/429-status-code)
- [ Q What is Cloudflare Error 1020? ](https://scrapfly.io/blog/answers/cloudflare-error-1020-access-denied)
- [ Q How to add headers to every or some scrapy requests? ](https://scrapfly.io/blog/answers/how-to-add-headers-to-every-or-some-scrapy-requests)
 
  



   



 Bypass anti-bot protection automatically, **1,000 free credits** [Start Free](https://scrapfly.io/register)