# Bypass Incapsula 96% success on Incapsula-protected targets. One API parameter. ## `reese84` signed. `incap_ses` minted. Chain coherent. - **Real browser fingerprints.** [TLS](https://scrapfly.io/web-scraping-tools/ja3-fingerprint), [HTTP/2](https://scrapfly.io/web-scraping-tools/http2-fingerprint), [Canvas](https://scrapfly.io/web-scraping-tools/canvas-fingerprint), and [WebGL](https://scrapfly.io/web-scraping-tools/webgl-fingerprint) all match real Chrome on every request. - **Adaptive challenge solving.** [JavaScript execution](https://scrapfly.io/docs/scrape-api/javascript-rendering), CAPTCHAs, proof-of-work, handled without solver keys. - **Session intelligence.** Unblocked browser sessions reused across requests so Incapsula sees a single coherent visitor. **One API parameter.** Add `asp=True`. See the [ASP docs](https://scrapfly.io/docs/scrape-api/anti-scraping-protection). [Get Free API Key](https://scrapfly.io/register) [Read ASP docs](https://scrapfly.io/docs/scrape-api/anti-scraping-protection) 1,000 free credits. No credit card required. FINGERPRINT DATA LIVE + 4,000 more datapoints... 4,000+ Fingerprint Datapoints 200M+ Proxy IPs 50+ Anti-Bots --- COVERAGE## Every Incapsula Signal, Matched Bit-for-bit fingerprint parity with real Chrome. Not monkey-patching, not surface-level, engineered at the protocol and C++ layers. ##### reese84 Token Signed. incap\_ses Cookie Valid. Imperva's reese84 challenge fingerprints the browser and mints a signed token. The token feeds the `incap_ses_*` cookie family along with `visid_incap_*` tracking and the `nlbi_*` load-balancer cookie. Without the matching token, every subsequent request is blocked. Scrapium executes the challenge under real Chrome semantics; Scrapfly caches the unblocked session. **96%**success on incapsula **reese84**token signed + replayed **incap\_ses**cookie chain coherent **6,200+**protected sites coverage ##### Cookie Chain, All Four Aligned Imperva inspects the full cookie chain on every request. A single missing or malformed cookie triggers re-challenge. Scrapfly keeps all four coherent across sessions. incap\_ses\_\* visid\_incap\_\* reese84 token nlbi\_\* LB ##### Why DIY Bypasses Fail reese84 rotates aggressively; static replay doesn't survive a single deploy. | **curl-impersonate** | no JS challenge | |---|---| | **incapsula-bypass (OSS)** | broken per reese84 rev | | **undetected-chromedriver** | cookie chain breaks | | **Playwright + stealth** | fingerprint mismatches | | **Scrapfly** | 96%, tracked daily | ##### TLS Match Curlium emits Chrome-exact TLS so the cookie chain is even allowed to be issued. **JA4** chrome-identical ##### Device Fingerprint, C++ Patches Imperva reads Canvas, WebGL, AudioContext, Navigator, and font enumeration. Every signal patched at Chromium source level so JS-hook detection sees native bindings. [Canvas](https://scrapfly.io/web-scraping-tools/canvas-fingerprint) [WebGL](https://scrapfly.io/web-scraping-tools/webgl-fingerprint) [Audio](https://scrapfly.io/web-scraping-tools/audio-fingerprint) Navigator Fonts Plugins ##### Enterprise + Banking Imperva is heavy in enterprise, banking, government, high-value targets with deep budgets. - Enterprise - Banking - Government ##### Imperva Detection Stack, Every Layer Matched Imperva chains TLS → reese84 challenge → cookie chain → JS validation → device fingerprint. All five must align. **TLS + HTTP/2**Chrome wire format at edge **reese84 Challenge**signed under Scrapium real Chrome **Cookie Chain**incap\_ses + visid\_incap + nlbi coherent **Device Fingerprint**Canvas / WebGL / Audio C++ patched ##### JavaScript Challenges Imperva ships `_Incapsula_Resource`, the `_Incapsula` object, `utmvc` validation, and an interstitial. All cleared inline. - \_Incapsula\_Resource handler - \_Incapsula object reads - utmvc validation - Interstitial cleared --- PROOF## One Parameter. Incapsula Cleared. Add `asp=True`. Scrapfly detects Incapsula and routes through the correct engine, Curlium for HTTP-layer targets, Scrapium for JS-heavy ones. Set `asp=True` and Scrapfly handles Incapsula automatically. Picks [Curlium](https://scrapfly.io/curlium) or [Scrapium](https://scrapfly.io/scrapium) per target. Python TypeScript Go Rust HTTP / cURL ``` from scrapfly import ScrapeConfig, ScrapflyClient, ScrapeApiResponse client = ScrapflyClient(key="API KEY") api_response: ScrapeApiResponse = client.scrape( ScrapeConfig( url='https://httpbin.dev/html', # bypass anti-scraping protection asp=True ) ) print(api_response.result) ``` ``` import { ScrapflyClient, ScrapeConfig } from 'jsr:@scrapfly/scrapfly-sdk'; const client = new ScrapflyClient({ key: "API KEY" }); let api_result = await client.scrape( new ScrapeConfig({ url: 'https://httpbin.dev/html', // bypass anti-scraping protection asp: true, }) ); console.log(api_result.result); ``` ``` package main import ( "fmt" "github.com/scrapfly/go-scrapfly" ) func main() { client, _ := scrapfly.New("API KEY") result, _ := client.Scrape(&scrapfly.ScrapeConfig{ URL: "https://httpbin.dev/html", // bypass anti-scraping protection ASP: true, }) fmt.Println(result.Result.Content) } ``` ``` use scrapfly_sdk::{Client, ScrapeConfig}; #[tokio::main] async fn main() -> Result<(), Box> { let client = Client::builder().api_key("API KEY").build()?; let cfg = ScrapeConfig::builder("https://httpbin.dev/html") // bypass anti-scraping protection .asp(true) .build()?; let result = client.scrape(&cfg).await?; println!("{}", result.result.content); Ok(()) } ``` ``` http https://api.scrapfly.io/scrape \ key==$SCRAPFLY_KEY \ url==https://httpbin.dev/html \ asp==true ``` // RESPONSE json ``` { "result": { "status_code": 200, "success": true, "url": "https://httpbin.dev/html", "content": "...", "content_format": "raw", "content_type": "text/html; charset=utf-8", "response_headers": { "content-type": "text/html; charset=utf-8", "server": "cloudflare" }, "cookies": [], "duration": 1842, "log_url": "https://scrapfly.io/dashboard/monitoring/log/01J...", "asp_cost": 30 }, "context": { "asp": true, "proxy": { "country": "us", "type": "datacenter" } } } ``` [ Python SDK docs → ](https://scrapfly.io/docs/sdk/python) [ TypeScript SDK docs → ](https://scrapfly.io/docs/sdk/typescript) [ Go SDK docs → ](https://scrapfly.io/docs/sdk/golang) [ Rust SDK docs → ](https://scrapfly.io/docs/sdk/rust) [ HTTP API docs → ](https://scrapfly.io/docs) [ Get Free API Key ](https://scrapfly.io/register) [ Read the Bypass Guide → ](https://scrapfly.io/blog/posts/how-to-bypass-imperva-incapsula-anti-scraping) --- FAQ## Frequently Asked Questions ### Can I test on my specific Incapsula targets? Yes. The free plan includes 1,000 API credits with no credit card required. Enable `asp=True` and test your exact targets before committing. Scrapfly achieves 96% success on Incapsula-protected sites; failed requests are not charged. ### How much does ASP cost? ASP starts at 30+ credits per request, scaling with target complexity. You pay for what a specific target needs, not a flat premium. See [pricing](https://scrapfly.io/pricing). ### What is the reese84 challenge? reese84 is Imperva's JavaScript challenge that fingerprints the browser and mints a signed token. The token goes into the incap\_ses\_ cookie family. Without the right token, every subsequent request is blocked. Scrapium runs the challenge under real Chrome semantics; Scrapfly caches the unblocked session. DIY guide: [bypassing Incapsula](https://scrapfly.io/blog/posts/how-to-bypass-imperva-incapsula-anti-scraping). --- // SEE ALSO### Bypass every other major anti-bot vendor too. ASP handles every major anti-bot stack with the same flag. Switch targets, keep the parameter. [Cloudflare](https://scrapfly.io/bypass/cloudflare) [Akamai](https://scrapfly.io/bypass/akamai) [DataDome](https://scrapfly.io/bypass/datadome) [PerimeterX](https://scrapfly.io/bypass/perimeterx) [Kasada](https://scrapfly.io/bypass/kasada) [F5](https://scrapfly.io/bypass/f5) [AWS WAF](https://scrapfly.io/bypass/aws-waf) [Get Free API Key](https://scrapfly.io/register) [View all anti-bot bypasses](https://scrapfly.io/bypass)