 # Bypass Cloudflare with Scrapfly's Scraping API

 98% success on Cloudflare-protected targets. One API parameter.

##  Bot score under 30. `cf_clearance` minted. Page cleared. 

- **Real browser fingerprints.** [TLS](https://scrapfly.io/web-scraping-tools/ja3-fingerprint), [HTTP/2](https://scrapfly.io/web-scraping-tools/http2-fingerprint), [Canvas](https://scrapfly.io/web-scraping-tools/canvas-fingerprint), and [WebGL](https://scrapfly.io/web-scraping-tools/webgl-fingerprint) all match real Chrome on every request.
- **Adaptive challenge solving.** [JavaScript execution](https://scrapfly.io/docs/scrape-api/javascript-rendering), CAPTCHAs, and proof-of-work are handled without solver keys.
- **Session intelligence.** Unblocked browser sessions are reused across requests so Cloudflare sees a single coherent visitor.
 
**One API parameter.** Add `asp=True`. See the [ASP docs](https://scrapfly.io/docs/scrape-api/anti-scraping-protection).


 1,000 free credits. No credit card required. 

 

   

- **4,000+** fingerprint datapoints
- **200M+** proxy IPs
- **50+** anti-bots

 



 

 

 

 

 

---

## Every Cloudflare Signal, Matched

Bit-for-bit fingerprint parity with real Chrome. Not monkey-patching, not surface-level, engineered at the protocol and C++ layers.

 

##### Cloudflare Sees A Real Chrome. Score < 30.

Cloudflare's Bot Score combines TLS fingerprint, HTTP/2 fingerprint, JavaScript challenge results, and behavioral signals into a 0–99 trust score. Scores above 30 get challenged or blocked. Scrapfly lands consistently under 30 because every layer is produced by a real patched Chrome, aligned to the same proxy exit region.

- **< 30:** typical bot score achieved
- **98%:** success rate on Cloudflare
- **Turnstile:** non-interactive + invisible + checkbox
- **cf\_clearance:** cookie minted, reused, kept coherent

 





 

 

 ##### TLS Fingerprint, Byte-Perfect Chrome

Cloudflare inspects the TLS ClientHello at the edge before your request ever hits the origin. A JA4 hash that doesn't match a known browser profile triggers the managed challenge path instantly. Curlium emits the exact Chrome ClientHello: cipher order, GREASE positions, ALPN, signature algorithms, HTTP/2 SETTINGS frame, WINDOW\_UPDATE delta.

- [JA4 / JA3 match](https://scrapfly.io/web-scraping-tools/ja3-fingerprint)
- [HTTP/2 SETTINGS](https://scrapfly.io/web-scraping-tools/http2-fingerprint)
- GREASE positions
- Cipher suite order
- ALPS extension
- ALPN list

 

 





 ##### Why DIY Bypasses Fail

Most open-source Cloudflare bypass libraries break within weeks of a new Cloudflare edge deploy.

| Tool | Notes |
|---|---|
| **curl-impersonate** | lags Chrome by months |
| **cloudscraper** | no Turnstile support |
| **undetected-chromedriver** | JS-patched, detectable |
| **Playwright + stealth** | Canvas leaks, Audio leaks |
| **Scrapfly** | 98%, tracked daily |

 





 

 ##### 5s Wait Page

The "Checking your browser" interstitial runs a proof-of-work puzzle and drops `cf_clearance`. Scrapfly solves it once, caches the cookie, and reuses across requests.

 **~2s** first-visit cleared 

 





 ##### Browser Fingerprint, C++ Patches

Cloudflare's collector script reads Canvas hash, WebGL vendor + renderer, AudioContext, Navigator plugins, screen dimensions, and font enumeration. Scrapium patches every one at the Chromium source level, not via JavaScript hooks that `toString()` inspection would expose.

- [Canvas hash](https://scrapfly.io/web-scraping-tools/canvas-fingerprint)
- [WebGL vendor](https://scrapfly.io/web-scraping-tools/webgl-fingerprint)
- [AudioContext](https://scrapfly.io/web-scraping-tools/audio-fingerprint)
- Navigator plugins
- Font enumeration
- Screen props

 

 





 ##### cf\_clearance Cookie

Signed token minted after the challenge clears. Any subsequent request without a matching fingerprint invalidates it instantly.

- Cached per-session
- Reused with same JA4
- Refreshed on expiry
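
A server-side view of the binding described above, as an added example that is not Scrapfly's or Cloudflare's code: a clearance token carrying an HMAC over its expiry and the client fingerprint fails verification when it is replayed from a different fingerprint, tampered with, or expired. The token layout, secret, and fingerprint strings are constructed for illustration and are not Cloudflare's actual `cf_clearance` format.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed for this example: a real deployment would load a rotated secret.
SECRET = b"example-only-secret"


def _mac(expiry: str, fingerprint: str) -> str:
    msg = f"{expiry}|{fingerprint}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def mint_clearance(fingerprint: str, ttl: int, now: Optional[float] = None) -> str:
    """Issue '<expiry>.<mac>' after a challenge clears, bound to the fingerprint."""
    issued = time.time() if now is None else now
    expiry = str(int(issued) + ttl)
    return f"{expiry}.{_mac(expiry, fingerprint)}"


def verify_clearance(token: str, fingerprint: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'mismatch', 'expired' or 'malformed' for a presented token."""
    current = time.time() if now is None else now
    expiry, sep, mac = token.partition(".")
    if not sep or not (expiry.isascii() and expiry.isdigit()):
        return "malformed"
    # Constant-time comparison; covers both a tampered expiry and a replay
    # from a client whose fingerprint differs from the one at mint time.
    if not hmac.compare_digest(mac.encode(), _mac(expiry, fingerprint).encode()):
        return "mismatch"
    if int(expiry) <= current:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed fingerprint strings standing in for a TLS hash plus User-Agent.
    browser = "tls:CONSTRUCTED-A|ua:Chrome"
    other_client = "tls:CONSTRUCTED-B|ua:Chrome"
    token = mint_clearance(browser, ttl=1800, now=1_000)
    print(verify_clearance(token, browser, now=1_500))
    print(verify_clearance(token, other_client, now=1_500))
    print(verify_clearance(token, browser, now=5_000))
```

Logging the `mismatch` outcome separately from `expired` gives a detection signal for clearance cookies that were lifted from one client and replayed by another.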
 
 





 

 ##### Cloudflare Detection Stack, Every Layer Matched

Cloudflare chains TLS → HTTP/2 → JS challenge → behavioral signals → IP reputation → Bot Score. Break one layer and the whole chain collapses into a block. Scrapfly matches every layer simultaneously.

- **TLS + HTTP/2:** JA4 + SETTINGS + WINDOW\_UPDATE = Chrome
- **JavaScript Challenge:** Turnstile + 5s interstitial cleared under real Chrome
- **Browser Fingerprint:** Canvas / WebGL / Audio / Navigator patched in C++
- **IP Reputation + Geo:** Residential / datacenter pools, country-aligned headers

 

 

 





 ##### Turnstile CAPTCHA, All Three Modes

Turnstile does not rely on solving visual puzzles. It runs a JavaScript challenge, reads fingerprint + behavioral signals, and issues a token. Scrapium executes the challenge under authentic browser semantics so the token verifies server-side.

- Non-interactive (invisible check)
- Invisible (brief fingerprint scan)
- Interactive checkbox
- Managed challenge escalation
 
 





 

 

---

## One Parameter. Cloudflare Cleared.

Add `asp=True`. Scrapfly detects Cloudflare automatically and routes each target through the correct engine: [Curlium](https://scrapfly.io/curlium) for HTTP-layer targets, [Scrapium](https://scrapfly.io/scrapium) for JS-heavy ones.

Python:

```python
from scrapfly import ScrapeConfig, ScrapflyClient, ScrapeApiResponse
client = ScrapflyClient(key="API KEY")

api_response: ScrapeApiResponse = client.scrape(
    ScrapeConfig(
        url='https://httpbin.dev/html',
        # bypass anti-scraping protection
        asp=True
    )
)
print(api_response.result)
```

TypeScript:

```typescript
import { 
    ScrapflyClient, ScrapeConfig 
} from 'jsr:@scrapfly/scrapfly-sdk';

const client = new ScrapflyClient({ key: "API KEY" });
let api_result = await client.scrape(
    new ScrapeConfig({
        url: 'https://httpbin.dev/html',
        // bypass anti-scraping protection
        asp: true,
    })
);
console.log(api_result.result);
```

Go:

```go
package main

import (
	"fmt"
	"log"

	"github.com/scrapfly/go-scrapfly"
)

func main() {
	client, err := scrapfly.New("API KEY")
	if err != nil {
		log.Fatal(err)
	}
	result, err := client.Scrape(&scrapfly.ScrapeConfig{
		URL: "https://httpbin.dev/html",
		// bypass anti-scraping protection
		ASP: true,
	})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(result.Result.Content)
}
```

Rust:

```rust
use scrapfly_sdk::{Client, ScrapeConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Client::builder().api_key("API KEY").build()?;

    let cfg = ScrapeConfig::builder("https://httpbin.dev/html")
        // bypass anti-scraping protection
        .asp(true)
        .build()?;

    let result = client.scrape(&cfg).await?;
    println!("{}", result.result.content);
    Ok(())
}
```

HTTP (HTTPie CLI):

```shell
http https://api.scrapfly.io/scrape \
key==$SCRAPFLY_KEY \
url==https://httpbin.dev/html \
asp==true
```

 

 

Response (JSON):

```json
{
  "result": {
    "status_code": 200,
    "success": true,
    "url": "https://httpbin.dev/html",
    "content": "<html>...</html>",
    "content_format": "raw",
    "content_type": "text/html; charset=utf-8",
    "response_headers": {
      "content-type": "text/html; charset=utf-8",
      "server": "cloudflare"
    },
    "cookies": [],
    "duration": 1842,
    "log_url": "https://scrapfly.io/dashboard/monitoring/log/01J...",
    "asp_cost": 30
  },
  "context": {
    "asp": true,
    "proxy": {
      "country": "us",
      "type": "datacenter"
    }
  }
}
```

 

 

 

- [Python SDK docs](https://scrapfly.io/docs/sdk/python)
- [TypeScript SDK docs](https://scrapfly.io/docs/sdk/typescript)
- [Go SDK docs](https://scrapfly.io/docs/sdk/golang)
- [Rust SDK docs](https://scrapfly.io/docs/sdk/rust)
- [HTTP API docs](https://scrapfly.io/docs)

 

 


 

---

## Frequently Asked Questions

 

  ### Can I test on my specific Cloudflare targets?

 Yes. The free plan includes 1,000 API credits with no credit card required. Enable `asp=True` and test your exact targets before committing. Scrapfly achieves 98% success on Cloudflare-protected sites; failed requests are not charged.

 

   ### How much does ASP cost?

 ASP starts at 30+ credits per request, scaling with target complexity. You pay for what a specific target needs, not a flat premium. See [pricing](https://scrapfly.io/pricing).

 

   ### What is Cloudflare Turnstile?

 Turnstile is Cloudflare's CAPTCHA replacement, introduced in 2022. Unlike image CAPTCHAs, Turnstile usually runs in the background using browser fingerprinting and behavioral signals. It ships in three modes: non-interactive, invisible, and interactive checkbox. Scrapfly handles all three automatically via Scrapium's JS execution + Canvas/WebGL patches.

 

   ### How does Cloudflare detect bots?

 Cloudflare combines four signals into a trust score: TLS fingerprinting (JA3/JA4), browser fingerprinting (Canvas, WebGL, Audio), behavioral analysis (mouse, clicks, timing), and IP reputation. The score decides whether to allow, challenge, or block. Scrapfly matches every signal. For the DIY route, see [how to bypass Cloudflare](https://scrapfly.io/blog/posts/how-to-bypass-cloudflare-anti-scraping).

 

   ### Can I use Scrapfly for Cloudflare-protected e-commerce?

 Yes. Scrapfly achieves 98%+ success on Cloudflare-protected e-commerce sites including large marketplaces. ASP handles Bot Management, Turnstile, and custom Cloudflare rules together.

 

  

 

  ---

### Bypass every other major anti-bot vendor too.

ASP handles every major anti-bot stack with the same flag. Switch targets, keep the parameter.

- [Akamai](https://scrapfly.io/bypass/akamai)
- [DataDome](https://scrapfly.io/bypass/datadome)
- [PerimeterX](https://scrapfly.io/bypass/perimeterx)
- [Kasada](https://scrapfly.io/bypass/kasada)
- [Incapsula](https://scrapfly.io/bypass/incapsula)
- [F5](https://scrapfly.io/bypass/f5)
- [AWS WAF](https://scrapfly.io/bypass/aws-waf)

 

 

[View all anti-bot bypasses](https://scrapfly.io/bypass)