Datadome protection showing up where you least expect it? You're not alone. This anti-bot system has become one of the most sophisticated barriers standing between developers and the data they need.
Unlike simpler protections, Datadome uses multi-layered machine learning to analyze over a thousand signals—from TLS fingerprints to mouse movement patterns—making standard scraping techniques fail spectacularly.
But here's the thing: while Datadome is tough, it's not unbeatable. With the right combination of techniques, you can dramatically improve your success rate. This guide walks you through the actual methods that work in 2026, from lightweight HTTP approaches to full browser automation strategies.
What is Datadome and Why Does It Block You?
Datadome is a bot management platform used by over 1,200 companies to protect against scraping, credential stuffing, and DDoS attacks. Think of it as a bouncer that checks every visitor at multiple levels—it doesn't just look at your ID, it watches how you walk, talk, and behave.
The protection works in two stages:
Server-side detection happens before the HTML even loads. Datadome analyzes your TLS fingerprint, HTTP headers, IP reputation, and request patterns. If something looks off, you'll hit a CAPTCHA or get blocked entirely.
Client-side detection activates after the page loads. JavaScript executes in your browser, fingerprinting everything from your GPU to how you move your mouse. This data feeds back to Datadome's machine learning systems, which assign you a trust score.
Here's what makes Datadome particularly nasty: it's not a CDN you can bypass by finding the origin server. The protection integrates directly into the application layer, so there's no easy workaround.
Understanding Datadome's Detection Arsenal
Before jumping into bypasses, you need to understand what you're up against. Datadome checks dozens of signals, but these are the critical ones:
TLS Fingerprinting
When your client makes an HTTPS connection, it performs a TLS handshake that includes cipher suites, supported extensions, and protocol versions. This creates a unique fingerprint—a JA3 hash—that identifies your HTTP client.
Standard Python libraries like requests or httpx have TLS fingerprints that scream "I'm a bot." Datadome knows these fingerprints and blocks them instantly.
HTTP/2 Fingerprinting
Beyond TLS, Datadome analyzes HTTP/2 frame ordering, header compression patterns, and stream priorities. Browsers implement HTTP/2 differently than HTTP libraries, creating another detection vector.
Browser Fingerprinting
Once JavaScript loads, Datadome collects:
- Canvas and WebGL rendering signatures
- Available fonts and plugins
- Screen resolution and color depth
- navigator.webdriver property
- Browser timing patterns
A headless browser with default settings fails most of these checks.
Behavioral Analysis
This is where things get sophisticated. Datadome tracks:
- Mouse movement patterns (real humans have natural jitter)
- Scroll behavior and timing
- Keyboard input cadence
- Time spent on page before actions
Bots move in perfectly straight lines and execute actions with inhuman consistency.
IP Reputation Scoring
Your IP address matters. Datacenter IPs get penalized heavily, while residential IPs from major ISPs score better. Datadome maintains databases of known proxy services and hosting providers.
Method 1: Lightweight HTTP Bypass with curl_cffi
For simple GET requests without heavy JavaScript, you can bypass Datadome without spinning up a browser. The secret? Proper TLS fingerprinting.
Why curl_cffi Works
The curl_cffi library wraps curl-impersonate, which replicates real browser TLS handshakes down to the cipher suite order. This makes your HTTP requests indistinguishable from Chrome or Safari at the network level.
First, install the library:
pip install curl-cffi
Here's a basic example:
from curl_cffi import requests
# Impersonate Chrome 131 (latest as of this writing)
response = requests.get(
"https://example.com",
impersonate="chrome131"
)
print(response.status_code)
print(response.text)
That impersonate parameter is doing heavy lifting. It's not just setting a User-Agent header—it's modifying the entire TLS handshake to match Chrome's exact fingerprint.
Choosing the Right Browser Version
curl_cffi supports multiple browser versions:
chrome131,chrome124,chrome120, etc.safari,safari_iosedge101,edge99
For maximum compatibility, use chrome without a version number. This automatically uses the latest Chrome fingerprint as curl_cffi updates:
response = requests.get(
"https://example.com",
impersonate="chrome" # Always latest
)
Adding Realistic Headers
TLS fingerprinting alone isn't enough. You need proper HTTP headers:
from curl_cffi import requests
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate, br",
"DNT": "1",
"Connection": "keep-alive",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "none",
"Sec-Fetch-User": "?1",
"Cache-Control": "max-age=0"
}
response = requests.get(
"https://example.com",
headers=headers,
impersonate="chrome"
)
Notice the Sec-Fetch-* headers. These are security headers that real browsers send. Missing them is a red flag.
Handling Sessions and Cookies
Datadome often requires maintaining session state. Use curl_cffi's Session object:
from curl_cffi import requests
session = requests.Session(impersonate="chrome")
# Initial request to get cookies
response = session.get("https://example.com")
# Subsequent requests maintain cookies automatically
response2 = session.get("https://example.com/data")
When HTTP Requests Work vs. When They Don't
This lightweight approach works great when:
- The target page doesn't require JavaScript to load content
- You're making API requests that return JSON
- The site uses basic Datadome protection without heavy behavioral analysis
It fails when:
- Content loads dynamically via JavaScript
- Datadome requires solving CAPTCHA challenges
- The site implements advanced behavioral fingerprinting
For those cases, you need a headless browser.
Method 2: Browser Automation with Playwright Stealth
When HTTP requests aren't enough, headless browsers become necessary. But standard Playwright, Puppeteer, or Selenium all leak obvious bot signals. You need stealth plugins to patch these leaks.
Setting Up Playwright with Stealth
First, install the dependencies:
npm install playwright-extra puppeteer-extra-plugin-stealth
Here's the key insight: Playwright and Puppeteer share common origins, so we can use Puppeteer's stealth plugin with Playwright:
const { chromium } = require('playwright-extra');
const stealth = require('puppeteer-extra-plugin-stealth')();
chromium.use(stealth);
(async () => {
const browser = await chromium.launch({
headless: true
});
const page = await browser.newPage();
await page.goto('https://example.com', {
waitUntil: 'networkidle'
});
const content = await page.content();
console.log(content);
await browser.close();
})();
What Stealth Plugin Actually Fixes
The stealth plugin patches over 200 known headless browser leaks:
- Sets
navigator.webdriverto undefined (default is true in automated browsers) - Adds missing plugins like Chrome PDF Plugin
- Fixes Chrome runtime inconsistencies
- Patches canvas fingerprinting anomalies
- Corrects permissions API responses
- Fixes WebGL vendor strings
But it doesn't patch everything. Datadome can still detect stealth plugins through:
- CDP (Chrome DevTools Protocol) detection
- Timing inconsistencies
- Missing browser quirks that stealth doesn't know about
Improving Detection Resistance
Add these extra measures:
const { chromium } = require('playwright-extra');
const stealth = require('puppeteer-extra-plugin-stealth')();
chromium.use(stealth);
(async () => {
const browser = await chromium.launch({
headless: true,
args: [
'--disable-blink-features=AutomationControlled',
'--disable-features=IsolateOrigins,site-per-process',
'--disable-web-security'
]
});
const context = await browser.newContext({
viewport: { width: 1920, height: 1080 },
userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36',
locale: 'en-US',
timezoneId: 'America/New_York',
permissions: ['geolocation']
});
const page = await context.newPage();
// Additional script to hide automation traces
await page.addInitScript(() => {
Object.defineProperty(navigator, 'platform', {
get: () => 'Win32'
});
Object.defineProperty(navigator, 'plugins', {
get: () => [1, 2, 3, 4, 5]
});
});
await page.goto('https://example.com', {
waitUntil: 'networkidle'
});
const content = await page.content();
console.log(content);
await browser.close();
})();
The addInitScript runs before any page JavaScript, letting you modify navigator properties before Datadome checks them.
Simulating Human Behavior
Datadome watches for robotic behavior patterns. Add randomness:
async function humanDelay(min = 100, max = 300) {
const delay = Math.random() * (max - min) + min;
await new Promise(resolve => setTimeout(resolve, delay));
}
async function humanMouseMove(page) {
const viewport = page.viewportSize();
for (let i = 0; i < 5; i++) {
const x = Math.random() * viewport.width;
const y = Math.random() * viewport.height;
await page.mouse.move(x, y, { steps: 10 });
await humanDelay(50, 150);
}
}
// Use it in your scraping flow
await page.goto('https://example.com');
await humanDelay(1000, 2000);
await humanMouseMove(page);
await humanDelay(500, 1000);
This creates natural variation in your bot's behavior, making it harder to distinguish from humans.
Python Version with playwright-stealth
If you prefer Python:
pip install playwright playwright-stealth
Then:
from playwright.sync_api import sync_playwright
from playwright_stealth import stealth_sync
def scrape_with_stealth():
with sync_playwright() as p:
browser = p.chromium.launch(headless=True)
page = browser.new_page()
# Apply stealth patches
stealth_sync(page)
page.goto('https://example.com')
content = page.content()
print(content)
browser.close()
scrape_with_stealth()
The stealth_sync function applies all the same patches as the JavaScript version.
Method 3: Residential Proxies for IP Reputation
Even with perfect fingerprints and behavior, your IP address can give you away. Datacenter IPs get flagged immediately by Datadome's reputation scoring.
Why Residential Proxies Matter
Residential proxies route your traffic through real devices on residential ISPs. To Datadome, your requests look like they're coming from a home internet connection in Houston or London, not from an AWS datacenter.
Datadome's algorithm weighs IP reputation heavily—estimates suggest 25-30% of the trust score comes from IP analysis alone.
Implementing Proxy Rotation
Here's how to rotate residential proxies with curl_cffi:
from curl_cffi import requests
import random
PROXY_LIST = [
"http://user:pass@proxy1.example.com:8000",
"http://user:pass@proxy2.example.com:8000",
"http://user:pass@proxy3.example.com:8000",
]
def get_random_proxy():
return {"http": random.choice(PROXY_LIST), "https": random.choice(PROXY_LIST)}
response = requests.get(
"https://example.com",
proxies=get_random_proxy(),
impersonate="chrome"
)
With Playwright:
const { chromium } = require('playwright-extra');
const stealth = require('puppeteer-extra-plugin-stealth')();
chromium.use(stealth);
const PROXY_LIST = [
{ server: 'proxy1.example.com:8000', username: 'user', password: 'pass' },
{ server: 'proxy2.example.com:8000', username: 'user', password: 'pass' },
];
(async () => {
const proxy = PROXY_LIST[Math.floor(Math.random() * PROXY_LIST.length)];
const browser = await chromium.launch({
headless: true,
proxy: {
server: `http://${proxy.server}`,
username: proxy.username,
password: proxy.password
}
});
const page = await browser.newPage();
await page.goto('https://example.com');
const content = await page.content();
console.log(content);
await browser.close();
})();
Matching Geolocation to Proxy
One mistake people make: using a US proxy with UK timezone settings. Datadome catches these mismatches. Always align your browser settings with your proxy location:
const context = await browser.newContext({
viewport: { width: 1920, height: 1080 },
locale: 'en-GB', // UK locale
timezoneId: 'Europe/London', // UK timezone
geolocation: { latitude: 51.5074, longitude: -0.1278 }, // London coordinates
permissions: ['geolocation']
});
Smart Proxy Management
Instead of randomly rotating, track which proxies perform best:
class ProxyManager:
def __init__(self, proxy_list):
self.proxies = proxy_list
self.scores = {proxy: 0 for proxy in proxy_list}
self.sessions = {}
def get_best_proxy(self):
# Return proxy with highest success score
return max(self.scores.items(), key=lambda x: x[1])[0]
def record_success(self, proxy):
self.scores[proxy] += 1
def record_failure(self, proxy):
self.scores[proxy] -= 1
def make_request(self, url):
proxy = self.get_best_proxy()
try:
response = requests.get(
url,
proxies={"http": proxy, "https": proxy},
impersonate="chrome",
timeout=10
)
if response.status_code == 200:
self.record_success(proxy)
return response
else:
self.record_failure(proxy)
return None
except Exception as e:
self.record_failure(proxy)
print(f"Error with proxy {proxy}: {e}")
return None
This learns which proxies work best over time, reducing the number of blocked requests.
Method 4: The Google Cache Workaround
Here's a technique most guides won't tell you about: scraping from Google's cache instead of the live site.
Why This Works
When Google crawls the web, it caches page snapshots. Most Datadome-protected sites whitelist Google's crawler, so these cached pages are accessible without protection.
The trade-off? Cached data can be hours or days old, so this only works if you don't need real-time information.
Accessing Cached Pages
Prepend this to any URL:
https://webcache.googleusercontent.com/search?q=cache:
Example:
from curl_cffi import requests
target_url = "https://example.com/protected-page"
cache_url = f"https://webcache.googleusercontent.com/search?q=cache:{target_url}"
response = requests.get(cache_url, impersonate="chrome")
print(response.text)
Google's cache includes a timestamp showing when the page was last crawled. You can parse this to determine data freshness:
import re
from curl_cffi import requests
from datetime import datetime
def get_cached_page_with_timestamp(url):
cache_url = f"https://webcache.googleusercontent.com/search?q=cache:{url}"
response = requests.get(cache_url, impersonate="chrome")
# Extract cache timestamp
timestamp_match = re.search(r'It is a snapshot of the page as it appeared on (.+?)\.', response.text)
if timestamp_match:
cache_date = timestamp_match.group(1)
print(f"Page cached on: {cache_date}")
return response.text
content = get_cached_page_with_timestamp("https://example.com")
Limitations of Cache Scraping
This approach has several gotchas:
- Not all pages are cached (especially recently created ones)
- Dynamic content loaded via JavaScript won't be in the cache
- Images and some assets may be missing or broken
- Cache updates are unpredictable (could be daily or weekly)
Use this method for historical data or when real-time accuracy isn't critical.
Method 5: Solving Datadome CAPTCHAs
Sometimes you can't avoid the CAPTCHA. Datadome often uses GeeTest slider CAPTCHAs, which are notoriously difficult to solve programmatically.
Detecting When You Hit a CAPTCHA
Check for Datadome's CAPTCHA page:
from curl_cffi import requests
response = requests.get("https://example.com", impersonate="chrome")
if "datadome" in response.cookies:
if "captcha" in response.text.lower():
print("CAPTCHA detected!")
# Handle CAPTCHA solving
else:
print("Datadome protection detected but no CAPTCHA")
else:
print("No Datadome protection")
Manual CAPTCHA Solving Flow
If CAPTCHAs are infrequent, you can solve them manually:
const { chromium } = require('playwright-extra');
const stealth = require('puppeteer-extra-plugin-stealth')();
chromium.use(stealth);
(async () => {
const browser = await chromium.launch({
headless: false // Launch visible browser
});
const page = await browser.newPage();
await page.goto('https://example.com');
// Wait for user to solve CAPTCHA manually
console.log("Solve the CAPTCHA in the browser window...");
await page.waitForTimeout(30000); // 30 seconds
// Extract cookies after CAPTCHA is solved
const cookies = await page.context().cookies();
console.log("Cookies after CAPTCHA:", cookies);
// Now use these cookies for subsequent requests
await browser.close();
})();
Once you have valid cookies from a solved CAPTCHA, reuse them across requests:
from curl_cffi import requests
# Cookies obtained after solving CAPTCHA manually
cookies = {
"datadome": "YOUR_DATADOME_COOKIE_VALUE"
}
response = requests.get(
"https://example.com",
cookies=cookies,
impersonate="chrome"
)
These cookies typically remain valid for hours or even days, so one manual solve can support many automated requests.
Automated CAPTCHA Solving (Advanced)
For high-volume operations, you might consider CAPTCHA solving services, but be aware:
- They add significant latency (5-30 seconds per solve)
- They cost money per solve
- Success rates vary (70-90% typically)
- You're still violating the site's terms of service
If you go this route, you're better off focusing on not triggering CAPTCHAs in the first place through better fingerprinting and behavioral mimicry.
Method 6: Avoiding Honeypot Traps
Datadome plants invisible traps in pages to catch bots. These honeypots are HTML elements hidden with CSS that real users never interact with, but naive scrapers will.
Recognizing Honeypots
Look for elements with these characteristics:
<!-- Common honeypot patterns -->
<div style="display:none">
<a href="/trap-link">Click here</a>
</div>
<input type="text" style="position:absolute;left:-9999px" name="trap_field" />
<a href="/fake-page" style="opacity:0">Invisible link</a>
Avoiding Honeypot Triggers
When scraping, only interact with visible elements:
// Check if element is visible before clicking
async function isVisible(element) {
const box = await element.boundingBox();
if (!box) return false;
const style = await element.evaluate(el => {
const computed = window.getComputedStyle(el);
return {
display: computed.display,
visibility: computed.visibility,
opacity: computed.opacity
};
});
return style.display !== 'none'
&& style.visibility !== 'hidden'
&& parseFloat(style.opacity) > 0;
}
// Only click visible links
const links = await page.$$('a');
for (const link of links) {
if (await isVisible(link)) {
// Safe to interact with this link
await link.click();
}
}
With BeautifulSoup in Python, filter out hidden elements:
from bs4 import BeautifulSoup
import re
def is_hidden(element):
"""Check if element has hiding styles"""
style = element.get('style', '')
# Check for common hiding patterns
hiding_patterns = [
'display:none',
'display: none',
'visibility:hidden',
'visibility: hidden',
'opacity:0',
'opacity: 0',
'left:-9999',
'position:absolute;left:-'
]
return any(pattern in style.lower() for pattern in hiding_patterns)
# Parse HTML
soup = BeautifulSoup(html, 'html.parser')
# Get only visible links
visible_links = [
link for link in soup.find_all('a')
if not is_hidden(link)
]
The key principle: if a real user couldn't see or interact with it, your bot shouldn't either.
Putting It All Together: A Complete Bypass Strategy
Here's how to combine these techniques for maximum effectiveness:
Approach 1: Lightweight HTTP for Simple Cases
Use this when pages don't require JavaScript:
from curl_cffi import requests
import random
import time
class DatadomeBypass:
def __init__(self, proxies=None):
self.proxies = proxies or []
self.session = None
def create_session(self):
"""Create new session with randomized settings"""
self.session = requests.Session(impersonate="chrome")
# Randomize headers slightly
self.session.headers.update({
"Accept-Language": random.choice([
"en-US,en;q=0.9",
"en-GB,en;q=0.9",
"en-US,en;q=0.5"
])
})
def get_with_retry(self, url, max_retries=3):
"""Make request with retry logic"""
self.create_session()
for attempt in range(max_retries):
try:
proxy = random.choice(self.proxies) if self.proxies else None
response = self.session.get(
url,
proxies={"http": proxy, "https": proxy} if proxy else None,
timeout=10
)
# Check for Datadome block
if "datadome" in response.cookies:
print(f"Datadome detected on attempt {attempt + 1}")
time.sleep(random.uniform(5, 10))
continue
return response
except Exception as e:
print(f"Error on attempt {attempt + 1}: {e}")
time.sleep(random.uniform(2, 5))
return None
# Usage
bypass = DatadomeBypass(proxies=[
"http://user:pass@proxy1.example.com:8000",
"http://user:pass@proxy2.example.com:8000"
])
response = bypass.get_with_retry("https://example.com")
if response:
print(response.text)
Approach 2: Full Browser for Complex Cases
When JavaScript is required:
const { chromium } = require('playwright-extra');
const stealth = require('puppeteer-extra-plugin-stealth')();
chromium.use(stealth);
class DatadomeBypassBrowser {
constructor(proxies = []) {
this.proxies = proxies;
this.browser = null;
}
async launch() {
const proxy = this.getRandomProxy();
this.browser = await chromium.launch({
headless: true,
proxy: proxy ? {
server: `http://${proxy.server}`,
username: proxy.username,
password: proxy.password
} : undefined,
args: [
'--disable-blink-features=AutomationControlled',
]
});
}
getRandomProxy() {
if (this.proxies.length === 0) return null;
return this.proxies[Math.floor(Math.random() * this.proxies.length)];
}
async scrape(url) {
if (!this.browser) await this.launch();
const context = await this.browser.newContext({
viewport: { width: 1920, height: 1080 },
locale: 'en-US',
timezoneId: 'America/New_York'
});
const page = await context.newPage();
// Add behavior simulation
await this.simulateHumanBehavior(page);
await page.goto(url, { waitUntil: 'networkidle' });
// Random delay
await this.randomDelay(1000, 3000);
const content = await page.content();
await context.close();
return content;
}
async simulateHumanBehavior(page) {
await page.addInitScript(() => {
// Mask automation signals
Object.defineProperty(navigator, 'platform', {
get: () => 'Win32'
});
});
}
randomDelay(min, max) {
const delay = Math.random() * (max - min) + min;
return new Promise(resolve => setTimeout(resolve, delay));
}
async close() {
if (this.browser) await this.browser.close();
}
}
// Usage
(async () => {
const bypass = new DatadomeBypassBrowser([
{ server: 'proxy1.example.com:8000', username: 'user', password: 'pass' }
]);
const content = await bypass.scrape('https://example.com');
console.log(content);
await bypass.close();
})();
What About Reverse Engineering Datadome?
You might wonder: why not just reverse engineer Datadome's JavaScript and forge valid sensors?
The short answer: it's possible in theory but extremely difficult in practice.
Datadome uses aggressive JavaScript obfuscation with:
- Multi-pass compression
- Dynamic code generation
- Time-bounded execution
- Anti-debugging traps
Even if you successfully deobfuscate the code, you'd need to:
- Understand the sensor generation algorithm
- Replicate all the fingerprinting logic
- Generate valid cryptographic signatures
- Maintain your implementation as Datadome updates
This cat-and-mouse game requires constant maintenance. Unless you're a security researcher or have very specific needs, your time is better spent on the techniques above.
Legal and Ethical Considerations
Let's address the elephant in the room: bypassing bot protection exists in a legal gray area.
Scraping public data is generally legal in the US (see hiQ Labs v. LinkedIn), but:
- Bypassing security measures may violate the Computer Fraud and Abuse Act (CFAA)
- You're almost certainly violating the site's Terms of Service
- Commercial resale of scraped data raises additional concerns
Before implementing these techniques:
- Review the target site's robots.txt and Terms of Service
- Consider whether you could obtain the data through official APIs
- Respect rate limits and don't overload servers
- Use scraped data ethically (research, analysis, price comparison)
If you're scraping for competitive intelligence or commercial purposes, consult a lawyer familiar with digital rights law.
When Bypassing Datadome Isn't Worth It
Sometimes the smartest move is not to bypass Datadome at all. Consider alternatives when:
- The site offers a public API (even paid ones are often cheaper than complex bypasses)
- You only need occasional data snapshots (manual collection might suffice)
- The legal risks outweigh the benefits
- Maintenance time exceeds the value of the data
There's also the arms race factor. Datadome constantly evolves, and techniques that work today might fail tomorrow. If you're building a business on scraped data, that's a fragile foundation.
Final Thoughts
Getting through DataDome isn’t about cheating the system—it’s about avoiding unnecessary blocks when you’re behaving like a real, ethical user (or building tools that do the same).
To wrap things up:
- Look and act like a real user
- Rotate your proxies and TLS setups
- Handle challenges using APIs—not hacks
- Don’t blast the server—keep your traffic smooth and slow
With the right approach, you can avoid most of the friction, reduce false flags, and keep your sessions clean.
