Bypass Cloudflare

98% success on Cloudflare-protected targets. One API parameter.

Bot score under 30. cf_clearance minted. Page cleared.

  • Real browser fingerprints. TLS, HTTP/2, Canvas, and WebGL all match real Chrome on every request.
  • Adaptive challenge solving. JavaScript execution, CAPTCHAs, proof-of-work — handled without solver keys.
  • Session intelligence. Unblocked browser sessions reused across requests so Cloudflare sees a single coherent visitor.

One API parameter. Add asp=True. See the ASP docs.

Get Free API Key Read ASP docs
1,000 free credits. No credit card required.
SCANNING
FINGERPRINT DATA LIVE
+ 4,000 more datapoints...
4,000+
Fingerprint Datapoints
200M+
Proxy IPs
50+
Anti-Bots
COVERAGE

Every Cloudflare Signal, Matched

Bit-for-bit fingerprint parity with real Chrome. Not monkey-patching, not surface-level — engineered at the protocol and C++ layers.

Cloudflare Sees A Real Chrome. Score < 30.

Cloudflare's Bot Score combines TLS fingerprint, HTTP/2 fingerprint, JavaScript challenge results, and behavioral signals into a 0–99 trust score. Scores above 30 get challenged or blocked. Scrapfly lands consistently under 30 because every layer is produced by a real patched Chrome, aligned to the same proxy exit region.

< 30typical bot score achieved
98%success rate on cloudflare
Turnstilenon-interactive + invisible + checkbox
cf_clearancecookie minted, reused, kept coherent
TLS Fingerprint — Byte-Perfect Chrome

Cloudflare inspects the TLS ClientHello at the edge before your request ever hits the origin. A JA4 hash that doesn't match a known browser profile triggers the managed challenge path instantly. Curlium emits the exact Chrome ClientHello: cipher order, GREASE positions, ALPN, signature algorithms, HTTP/2 SETTINGS frame, WINDOW_UPDATE delta.

JA4 / JA3 match
HTTP/2 SETTINGS
GREASE positions
Cipher suite order
ALPS extension
ALPN list
Why DIY Bypasses Fail

Most open-source Cloudflare bypass libraries break within weeks of a new Cloudflare edge deploy.

curl-impersonatelags Chrome by months
cloudscraperno Turnstile support
undetected-chromedriverJS-patched, detectable
Playwright + stealthCanvas leaks, Audio leaks
Scrapfly98%, tracked daily
5s Wait Page

The "Checking your browser" interstitial runs a proof-of-work puzzle and drops cf_clearance. Scrapfly solves it once, caches the cookie, and reuses across requests.

~2s first-visit cleared
Browser Fingerprint — C++ Patches

Cloudflare's collector script reads Canvas hash, WebGL vendor + renderer, AudioContext, Navigator plugins, screen dimensions, and font enumeration. Scrapium patches every one at the Chromium source level, not via JavaScript hooks that toString() inspection would expose.

Canvas hash
WebGL vendor
AudioContext
Navigator plugins
Font enumeration
Screen props
cf_clearance Cookie

Signed token minted after the challenge clears. Any subsequent request without a matching fingerprint invalidates it instantly.

  • Cached per-session
  • Reused with same JA4
  • Refreshed on expiry
Cloudflare Detection Stack — Every Layer Matched

Cloudflare chains TLS → HTTP/2 → JS challenge → behavioral signals → IP reputation → Bot Score. Break one layer and the whole chain collapses into a block. Scrapfly matches every layer simultaneously.

TLS + HTTP/2 JA4 + SETTINGS + WINDOW_UPDATE = Chrome
JavaScript Challenge Turnstile + 5s interstitial cleared under real Chrome
Browser Fingerprint Canvas / WebGL / Audio / Navigator patched in C++
IP Reputation + Geo Residential / datacenter pools, country-aligned headers
Turnstile CAPTCHA — All Three Modes

Turnstile does not rely on solving visual puzzles. It runs a JavaScript challenge, reads fingerprint + behavioral signals, and issues a token. Scrapium executes the challenge under authentic browser semantics so the token verifies server-side.

  • Non-interactive (invisible check)
  • Invisible (brief fingerprint scan)
  • Interactive checkbox
  • Managed challenge escalation
PROOF

One Parameter. Cloudflare Cleared.

Add asp=True. Scrapfly detects Cloudflare and routes through the correct engine — Curlium for HTTP-layer targets, Scrapium for JS-heavy ones.

Set asp=True and Scrapfly handles Cloudflare automatically. Picks Curlium or Scrapium per target.

from scrapfly import ScrapeConfig, ScrapflyClient, ScrapeApiResponse
client = ScrapflyClient(key="API KEY")

api_response: ScrapeApiResponse = client.scrape(
    ScrapeConfig(
        url='https://httpbin.dev/html',
        # bypass anti-scraping protection
        asp=True
    )
)
print(api_response.result)
import { 
    ScrapflyClient, ScrapeConfig 
} from 'jsr:@scrapfly/scrapfly-sdk';

const client = new ScrapflyClient({ key: "API KEY" });
let api_result = await client.scrape(
    new ScrapeConfig({
        url: 'https://httpbin.dev/html',
        // bypass anti-scraping protection
        asp: true,
    })
);
console.log(api_result.result);
package main

import (
	"fmt"
	"github.com/scrapfly/go-scrapfly"
)

func main() {
	client, _ := scrapfly.New("API KEY")
	result, _ := client.Scrape(&scrapfly.ScrapeConfig{
		URL: "https://httpbin.dev/html",
		// bypass anti-scraping protection
		ASP: true,
	})
	fmt.Println(result.Result.Content)
}
use scrapfly_sdk::{Client, ScrapeConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Client::builder().api_key("API KEY").build()?;

    let cfg = ScrapeConfig::builder("https://httpbin.dev/html")
        // bypass anti-scraping protection
        .asp(true)
        .build()?;

    let result = client.scrape(&cfg).await?;
    println!("{}", result.result.content);
    Ok(())
}
http https://api.scrapfly.io/scrape \
key==$SCRAPFLY_KEY \
url==https://httpbin.dev/html \
asp==true
// RESPONSE
json 
{
  "result": {
    "status_code": 200,
    "success": true,
    "url": "https://httpbin.dev/html",
    "content": "<!DOCTYPE html><html>...</html>",
    "content_format": "raw",
    "content_type": "text/html; charset=utf-8",
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "server": "cloudflare"
    },
    "cookies": [],
    "duration": 1842,
    "log_url": "https://scrapfly.io/dashboard/monitoring/log/01J...",
    "asp_cost": 30
  },
  "context": {
    "asp": true,
    "proxy": {
      "country": "us",
      "type": "datacenter"
    }
  }
}
Python SDK docs → TypeScript SDK docs → Go SDK docs → Rust SDK docs → HTTP API docs →
Get Free API Key Read the Bypass Guide →
FAQ

Frequently Asked Questions

Can I test on my specific Cloudflare targets?

Yes. The free plan includes 1,000 API credits with no credit card required. Enable asp=True and test your exact targets before committing. Scrapfly achieves 98% success on Cloudflare-protected sites; failed requests are not charged.

How much does ASP cost?

ASP starts at 30+ credits per request, scaling with target complexity. You pay for what a specific target needs, not a flat premium. See pricing.

What is Cloudflare Turnstile?

Turnstile is Cloudflare's CAPTCHA replacement, introduced in 2022. Unlike image CAPTCHAs, Turnstile usually runs in the background using browser fingerprinting and behavioral signals. It ships in three modes: non-interactive, invisible, and interactive checkbox. Scrapfly handles all three automatically via Scrapium's JS execution + Canvas/WebGL patches.

How does Cloudflare detect bots?

Cloudflare combines four signals into a trust score: TLS fingerprinting (JA3/JA4), browser fingerprinting (Canvas, WebGL, Audio), behavioral analysis (mouse, clicks, timing), and IP reputation. The score decides whether to allow, challenge, or block. Scrapfly matches every signal. DIY: how to bypass Cloudflare.

Can I use Scrapfly for Cloudflare-protected e-commerce?

Yes. Scrapfly achieves 98%+ success on Cloudflare-protected e-commerce sites including large marketplaces. ASP handles Bot Management, Turnstile, and custom Cloudflare rules together.

// SEE ALSO

Bypass every other major anti-bot vendor too.

ASP handles every major anti-bot stack with the same flag. Switch targets, keep the parameter.

Akamai
DataDome
PerimeterX
Kasada
Incapsula
F5
AWS WAF
Get Free API Key View all anti-bot bypasses