 # Bypass AWS WAF

 96% success on AWS WAF-protected targets. One API parameter.

##  `challenge.js` cleared. `aws-waf-token` minted. /verify skipped. 

- **Real browser fingerprints.** [TLS](https://scrapfly.io/web-scraping-tools/ja3-fingerprint), [HTTP/2](https://scrapfly.io/web-scraping-tools/http2-fingerprint), [Canvas](https://scrapfly.io/web-scraping-tools/canvas-fingerprint), and [WebGL](https://scrapfly.io/web-scraping-tools/webgl-fingerprint) all match real Chrome on every request.
- **Adaptive challenge solving.** [JavaScript execution](https://scrapfly.io/docs/scrape-api/javascript-rendering), CAPTCHAs, proof-of-work, handled without solver keys.
- **Session intelligence.** Unblocked browser sessions reused across requests so AWS WAF sees a single coherent visitor.
 
**One API parameter.** Add `asp=True`. See the [ASP docs](https://scrapfly.io/docs/scrape-api/anti-scraping-protection).

 [Get Free API Key](https://scrapfly.io/register) [Read ASP docs](https://scrapfly.io/docs/scrape-api/anti-scraping-protection) 

 1,000 free credits. No credit card required. 

 

   

- **4,000+** fingerprint datapoints
- **200M+** proxy IPs
- **50+** anti-bots

 



 

 

 

 

 

---

## Every AWS WAF Signal, Matched

Bit-for-bit fingerprint parity with real Chrome. Not monkey-patching and not surface-level: engineered at the protocol and C++ layers.

 

 ##### aws-waf-token Minted. challenge.js Cleared.

AWS WAF Bot Control mints a signed `aws-waf-token` cookie after the visitor clears `challenge.js`. The token expires fast and must be refreshed via telemetry handling. Scrapfly runs `challenge.js` inside Scrapium, captures the token, and replays it across follow-up requests so AWS WAF sees a single coherent visitor.

- **96%** success on AWS WAF
- **aws-waf-token** cookie minted + replayed
- **challenge.js** script cleared inline
- **100,000+** protected sites coverage

 





 

 

 ##### Token Lifecycle, Issued, Refreshed, Replayed

AWS WAF cycles the `aws-waf-token` on a tight TTL plus telemetry signals. Stale token = fresh challenge. Scrapfly tracks issuance, refreshes via telemetry, and replays coherently.

- aws-waf-token
- awswaf\* cookies
- Token refresh
- Telemetry signals

 

 





 ##### Why DIY Bypasses Fail

AWS WAF rules are per-customer, so generic bypass libraries can't track every Bot Control config.

| Approach | Result |
|---|---|
| **curl-impersonate** | no challenge.js |
| **aws-waf-bypass (OSS)** | broken per token rev |
| **Playwright + stealth** | fingerprint leaks |
| **Selenium** | telemetry off |
| **Scrapfly** | 96%, tracked daily |

 





 

 ##### TLS Match

Curlium emits Chrome-exact TLS so the AWS edge skips Bot Control escalation.

 **JA4** chrome-identical 

 





 ##### Device Fingerprint, C++ Patches

AWS WAF reads Canvas, WebGL, AudioContext, Navigator, and screen metrics through challenge.js. Scrapium patches every signal at Chromium source level, so JS-hook detection sees native bindings.

- [Canvas](https://scrapfly.io/web-scraping-tools/canvas-fingerprint)
- [WebGL](https://scrapfly.io/web-scraping-tools/webgl-fingerprint)
- [Audio](https://scrapfly.io/web-scraping-tools/audio-fingerprint)
- Navigator
- Screen
- WebRTC

 

 





 ##### Internet-Scale

AWS WAF guards a huge chunk of the public web: every AWS-fronted SaaS, every CloudFront-served app.

- SaaS
- E-commerce
- Enterprise APIs
 
 





 

 ##### AWS WAF Detection Stack, Every Layer Matched

AWS WAF Bot Control chains TLS → challenge.js → telemetry → aws-waf-token → optional /verify CAPTCHA. All layers must align.

- **TLS + HTTP/2**: Chrome wire format at AWS edge
- **challenge.js**: script run under Scrapium real Chrome
- **aws-waf-token**: signed cookie minted, refreshed, replayed
- **/verify CAPTCHA**: solved inline only when forced

 

 

 





 ##### /verify CAPTCHA Path

When challenge.js signals fail, AWS escalates to /verify CAPTCHA. Scrapfly stays in the no-CAPTCHA path whenever possible and solves the CAPTCHA automatically when forced.

- challenge.js executed inline
- /verify endpoint handled
- AWS CAPTCHA solved auto
- Telemetry replay coherent
 
 





 

 

---

## One Parameter. AWS WAF Cleared.

Add `asp=True`. Scrapfly detects AWS WAF and routes each target through the correct engine: [Curlium](https://scrapfly.io/curlium) for HTTP-layer targets, [Scrapium](https://scrapfly.io/scrapium) for JS-heavy ones.

The same request in Python, TypeScript, Go, Rust, and HTTP / cURL, in that order:

      

 ```
from scrapfly import ScrapeConfig, ScrapflyClient, ScrapeApiResponse
client = ScrapflyClient(key="API KEY")

api_response: ScrapeApiResponse = client.scrape(
    ScrapeConfig(
        url='https://httpbin.dev/html',
        # bypass anti-scraping protection
        asp=True
    )
)
print(api_response.result)
```

 ```
import { 
    ScrapflyClient, ScrapeConfig 
} from 'jsr:@scrapfly/scrapfly-sdk';

const client = new ScrapflyClient({ key: "API KEY" });
let api_result = await client.scrape(
    new ScrapeConfig({
        url: 'https://httpbin.dev/html',
        // bypass anti-scraping protection
        asp: true,
    })
);
console.log(api_result.result);
```

 ```
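package main

import (
	"fmt"
	"log"

	"github.com/scrapfly/go-scrapfly"
)

func main() {
	// Create the API client; stop if it cannot be constructed.
	client, err := scrapfly.New("API KEY")
	if err != nil {
		log.Fatal(err)
	}
	result, err := client.Scrape(&scrapfly.ScrapeConfig{
		URL: "https://httpbin.dev/html",
		// bypass anti-scraping protection
		ASP: true,
	})
	// Check the error before dereferencing the result.
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(result.Result.Content)
}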
```

 ```
use scrapfly_sdk::{Client, ScrapeConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Client::builder().api_key("API KEY").build()?;

    let cfg = ScrapeConfig::builder("https://httpbin.dev/html")
        // bypass anti-scraping protection
        .asp(true)
        .build()?;

    let result = client.scrape(&cfg).await?;
    println!("{}", result.result.content);
    Ok(())
}
```

 ```
http https://api.scrapfly.io/scrape \
key==$SCRAPFLY_KEY \
url==https://httpbin.dev/html \
asp==true
```

 

 

Response (JSON):

 ```
{
  "result": {
    "status_code": 200,
    "success": true,
    "url": "https://httpbin.dev/html",
    "content": "<html>...</html>",
    "content_format": "raw",
    "content_type": "text/html; charset=utf-8",
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "server": "cloudflare"
    },
    "cookies": [],
    "duration": 1842,
    "log_url": "https://scrapfly.io/dashboard/monitoring/log/01J...",
    "asp_cost": 30
  },
  "context": {
    "asp": true,
    "proxy": {
      "country": "us",
      "type": "datacenter"
    }
  }
}
```

 

 

 

 [ Python SDK docs → ](https://scrapfly.io/docs/sdk/python) [ TypeScript SDK docs → ](https://scrapfly.io/docs/sdk/typescript) [ Go SDK docs → ](https://scrapfly.io/docs/sdk/golang) [ Rust SDK docs → ](https://scrapfly.io/docs/sdk/rust) [ HTTP API docs → ](https://scrapfly.io/docs) 

 

 


 

---

## Frequently Asked Questions

 

  ### Can I test on my specific AWS WAF targets?

 Yes. The free plan includes 1,000 API credits with no credit card required. Enable `asp=True` and test your exact targets before committing. Scrapfly achieves 96% success on AWS WAF-protected sites; failed requests are not charged.

 

   ### How much does ASP cost?

 ASP starts at 30+ credits per request, scaling with target complexity. You pay for what a specific target needs, not a flat premium. See [pricing](https://scrapfly.io/pricing).

 

   ### What is aws-waf-token?

 AWS WAF mints a signed aws-waf-token cookie after the visitor clears challenge.js. The token expires quickly and must be refreshed via telemetry handling. Scrapfly runs challenge.js inside Scrapium, captures the token, and replays it with every follow-up request.

 

   ### Is CAPTCHA always triggered?

 No. AWS WAF escalates to the /verify CAPTCHA only when the challenge.js signals fail. A clean first request usually skips CAPTCHA entirely; Scrapfly stays in that path whenever possible and solves the CAPTCHA automatically when forced.

 

  

 

  ---

### Bypass every other major anti-bot vendor too.

ASP handles every major anti-bot stack with the same flag. Switch targets, keep the parameter.

 [Cloudflare](https://scrapfly.io/bypass/cloudflare) 

 [Akamai](https://scrapfly.io/bypass/akamai) 

 [DataDome](https://scrapfly.io/bypass/datadome) 

 [PerimeterX](https://scrapfly.io/bypass/perimeterx) 

 [Kasada](https://scrapfly.io/bypass/kasada) 

 [Incapsula](https://scrapfly.io/bypass/incapsula) 

 [F5](https://scrapfly.io/bypass/f5) 

 

 

[View all anti-bot bypasses](https://scrapfly.io/bypass)