How to bypass Cloudflare with Selenium (2026 easy guide)

Your scraper works perfectly on test pages. Then you point it at a real website and hit the dreaded Cloudflare challenge page.

Cloudflare protects over 20% of all websites. If you're building any kind of automation or data collection tool, you'll encounter it constantly.

SeleniumBase UC Mode offers the most reliable free solution for bypassing Cloudflare's Turnstile CAPTCHA in 2026. Unlike deprecated tools like puppeteer-stealth, it's actively maintained and handles the tricky parts automatically.

In this guide, I'll show you how to use SeleniumBase UC Mode to bypass Cloudflare protection. You'll get working code examples, troubleshooting tips, and a ready-to-use tool from GitHub.

What is Cloudflare Turnstile and why does it block scrapers?

Cloudflare Turnstile is Cloudflare's CAPTCHA replacement introduced in 2022. It runs invisible challenges in the background to detect automated traffic without disrupting human users.

Unlike traditional image-based CAPTCHAs, Turnstile doesn't require users to identify traffic lights or crosswalks. Instead, it uses browser fingerprinting and behavioral analysis to determine if a visitor is human.

This makes Turnstile harder to bypass than older CAPTCHAs. You can't just send an image to a solving service. The system requires actual browser execution and realistic interaction patterns.

When you visit a Turnstile-protected site, Cloudflare analyzes multiple signals:

Browser fingerprinting. Cloudflare checks navigator properties, WebGL rendering, canvas fingerprints, and dozens of other browser characteristics. Headless browsers expose telltale signs like navigator.webdriver = true.

JavaScript execution. Turnstile runs cryptographic challenges that require real browser JavaScript execution. Simple HTTP requests fail immediately.

Behavioral analysis. Mouse movements, click patterns, and typing rhythms get analyzed. Bot-like behavior triggers challenges.

IP reputation. Datacenter IPs and known proxy ranges face stricter scrutiny than residential connections.

Standard Selenium fails these checks because ChromeDriver leaves detectable traces. The webdriver property gets set to true, automation-related console variables exist, and the browser fingerprint looks artificial.

Turnstile has three protection modes:

Non-interactive. Runs completely in the background. No checkbox appears if you pass the initial checks.

Invisible. Shows a brief "Verifying you are human" message for 1-2 seconds while running background checks.

Interactive. Requires clicking a checkbox when trust scores are low or suspicious patterns are detected.

What is SeleniumBase UC Mode?

SeleniumBase UC Mode (Undetected ChromeDriver Mode) patches Selenium to evade bot detection. It's built on top of undetected-chromedriver but adds critical improvements.

UC Mode works through three primary techniques:

First, it renames Chrome DevTools Console variables that anti-bot systems scan for. Standard Selenium exposes automation indicators that Cloudflare specifically looks for.

Second, UC Mode launches Chrome browsers before attaching ChromeDriver. Normal Selenium does the reverse, creating detectable browser configurations.

Third, it disconnects ChromeDriver during sensitive actions like page loads and button clicks. Websites typically check for automation during these specific events.

The result is a browser that passes most fingerprint checks and Turnstile challenges that would block standard Selenium.

SeleniumBase UC Mode vs alternatives

Why use SeleniumBase over other options?

vs raw undetected-chromedriver: SeleniumBase handles driver downloads and version matching automatically. It includes specialized CAPTCHA-handling methods that undetected-chromedriver lacks. The SB manager format provides context management and cleanup.

vs Puppeteer Stealth: As of February 2025, puppeteer-stealth is no longer maintained. The original maintainer stopped updates, and Cloudflare has adapted to detect it. SeleniumBase remains actively maintained with regular updates.

vs Nodriver: Nodriver offers slightly better evasion but less stability. SeleniumBase is more mature with better documentation. Choose Nodriver for maximum stealth, SeleniumBase for reliability.

vs Camoufox: Camoufox uses Firefox instead of Chrome, which can bypass Chrome-specific detection. However, some sites work better with Chrome. SeleniumBase offers broader compatibility.

SeleniumBase includes specialized uc_*() methods for handling CAPTCHAs:

sb.uc_open_with_reconnect(url, reconnect_time)  # Opens URL with stealth
sb.uc_gui_click_captcha()  # Clicks Turnstile checkbox via PyAutoGUI
sb.uc_gui_handle_captcha()  # Auto-detects and handles CAPTCHA
sb.uc_click(selector)  # Stealthy element clicking

These methods time the ChromeDriver disconnection precisely to avoid triggering detection.

Quick start: Basic Cloudflare bypass

Let's start with the simplest working example.

Install SeleniumBase:

pip install seleniumbase

Create a basic bypass script:

from seleniumbase import SB

with SB(uc=True) as sb:
    url = "https://www.scrapingcourse.com/cloudflare-challenge"
    
    # Open URL with 4-second reconnect time
    sb.uc_open_with_reconnect(url, reconnect_time=4)
    
    # Handle Turnstile if it appears
    sb.uc_gui_click_captcha()
    
    # Wait for page content
    sb.sleep(2)
    
    # Now you can scrape
    print(sb.get_page_source())

The reconnect_time parameter controls how long ChromeDriver stays disconnected after navigating. This window lets the page load and run initial bot checks without ChromeDriver being attached.

Four seconds works for most sites. Increase it to 6-8 seconds for heavily protected pages.

Method 1: Simple bypass with Driver format

The Driver format gives you raw WebDriver access with UC Mode enabled.

from seleniumbase import Driver

# Initialize driver with UC Mode
driver = Driver(uc=True)

try:
    url = "https://example.com"
    
    # Navigate with stealth
    driver.uc_open_with_reconnect(url, 4)
    
    # Click CAPTCHA if present
    driver.uc_gui_click_captcha()
    
    # Your scraping logic here
    title = driver.title
    print(f"Page title: {title}")
    
finally:
    driver.quit()

Pros:

• Familiar Selenium syntax
• Minimal code changes from regular Selenium
• Full WebDriver access

Cons:

• No virtual display support on Linux servers
• Manual cleanup required
• Less error handling

Use the Driver format when you're prototyping or need direct WebDriver control.

Method 2: SB Manager format (recommended)

The SB Manager format provides context management and additional features.

from seleniumbase import SB

with SB(uc=True, test=True) as sb:
    url = "https://example.com"
    
    # Open with reconnect
    sb.uc_open_with_reconnect(url, reconnect_time=4)
    
    # Handle CAPTCHA
    sb.uc_gui_click_captcha()
    
    # Wait for content
    sb.sleep(2)
    
    # Scrape data
    content = sb.get_text("body")
    print(content[:500])

The test=True parameter enables additional logging and screenshots on failure.

Pros:

• Automatic resource cleanup
• Virtual display support for headless Linux
• Better error handling
• More utility methods

Cons:

• Slightly different syntax than raw Selenium
• Learning curve for advanced features

This is the recommended format for most use cases.

Method 3: Handling Turnstile on forms

Some sites show Turnstile after form submission, not on page load. This requires a different approach.

from seleniumbase import SB

with SB(uc=True, test=True, incognito=True, locale="en") as sb:
    url = "https://example.com/login"
    
    # Open the page
    sb.uc_open_with_reconnect(url)
    
    # Fill the form
    sb.type('input[name="username"]', "your_username")
    sb.type('input[name="password"]', "your_password")
    
    # Click submit with stealthy click and reconnect time
    sb.uc_click('button[type="submit"]', reconnect_time=3.25)
    
    # Handle the CAPTCHA that appears after submission
    sb.uc_gui_click_captcha()
    
    # Wait for redirect
    sb.sleep(2)

The uc_click() method schedules the click, disconnects ChromeDriver, waits, and reconnects. This prevents detection during the critical form submission moment.

Key points for form handling:

• Use incognito=True to maximize anti-detection
• Set locale="en" for consistent behavior
• Adjust reconnect_time based on server response speed
• Call uc_gui_click_captcha() after the CAPTCHA appears

Method 4: CDP Mode for advanced protection

Some sites have detection that UC Mode alone can't bypass. CDP Mode (Chrome DevTools Protocol Mode) offers stronger evasion.

from seleniumbase import SB

with SB(uc=True, test=True, locale="en") as sb:
    url = "https://heavily-protected-site.com"
    
    # Activate CDP Mode
    sb.activate_cdp_mode(url)
    
    # Wait for page load
    sb.sleep(2)
    
    # Use CDP methods for interaction
    sb.cdp.gui_click_element("#turnstile-widget div")
    
    # Wait for verification
    sb.sleep(2)
    
    # Continue with scraping
    content = sb.cdp.get_text("body")

CDP Mode maintains a persistent connection to Chrome without the usual WebDriver attachment. This makes detection significantly harder.

For Turnstile challenges in CDP Mode, use sb.cdp.gui_click_element() with the parent selector above the shadow root:

# Find the Turnstile widget container
sb.cdp.gui_click_element("#turnstile-widget div")

Method 5: Using the cloudflare-bypass-2026 tool

The cloudflare-bypass-2026 repository provides a ready-to-use tool built on SeleniumBase UC Mode.

Installation

git clone https://github.com/1837620622/cloudflare-bypass-2026.git
cd cloudflare-bypass-2026
pip install -r requirements.txt

For Linux servers, run the install script:

sudo bash install_linux.sh

Basic usage

# Simple bypass
python bypass.py https://example.com

# With proxy
python bypass.py https://example.com -p http://127.0.0.1:7890

# With custom timeout
python bypass.py https://example.com -t 60

Parallel mode

For higher throughput, use parallel mode:

# Run 3 browsers simultaneously
python simple_bypass.py https://example.com -P -b 3 -t 60

# With proxy rotation
python simple_bypass.py https://example.com -P -c -b 3 -n 30 -f proxy.txt

Python API usage

from bypass import bypass_cloudflare

result = bypass_cloudflare("https://example.com")

if result["success"]:
    print(f"cf_clearance: {result['cf_clearance']}")
    print(f"User-Agent: {result['user_agent']}")

The tool exports cookies in both JSON and Netscape formats to the output/cookies/ directory.

Method 6: Using proxies for IP rotation

Cloudflare tracks IP reputation. Rotating proxies helps avoid IP-based blocking.

Best for: Large-scale scraping, avoiding rate limits
Difficulty: Medium
Success rate: Depends on proxy quality

from seleniumbase import SB

# Residential proxy (recommended)
proxy = "http://user:pass@residential-proxy.com:8080"

with SB(uc=True, proxy=proxy) as sb:
    sb.uc_open_with_reconnect("https://example.com", 4)
    sb.uc_gui_click_captcha()
    sb.sleep(2)

Proxy type matters significantly:

Datacenter proxies. Cheap but easily detected. Success rate around 30-50% against Cloudflare.

Residential proxies. Real ISP IPs with higher trust scores. Success rate 70-90%.

Mobile proxies. Highest trust but most expensive. Success rate 85-95%.

For the cloudflare-bypass-2026 tool, create a proxy.txt file:

http://127.0.0.1:7890
socks5://127.0.0.1:1080
http://user:pass@host:port

Then use proxy rotation:

python simple_bypass.py https://example.com -r -f proxy.txt

Handling cf_clearance cookies

Successful Cloudflare bypass generates a cf_clearance cookie. This cookie acts as a pass-through ticket for subsequent requests.

Cookie validity

The cf_clearance cookie typically remains valid for 15 minutes to several hours. Validity depends on:

• Site configuration
• Your behavioral patterns
• IP consistency
• Browser fingerprint consistency

Reusing cookies

Extract and reuse cookies to avoid repeated bypasses:

from seleniumbase import SB
import json

with SB(uc=True) as sb:
    sb.uc_open_with_reconnect("https://example.com", 4)
    sb.uc_gui_click_captcha()
    sb.sleep(2)
    
    # Extract cookies
    cookies = sb.get_cookies()
    
    # Find cf_clearance
    cf_clearance = None
    for cookie in cookies:
        if cookie['name'] == 'cf_clearance':
            cf_clearance = cookie['value']
            break
    
    # Save for later use
    with open('cookies.json', 'w') as f:
        json.dump(cookies, f)

Use saved cookies with requests:

import requests
import json

with open('cookies.json', 'r') as f:
    cookies_list = json.load(f)

# Convert to requests format
session = requests.Session()
for cookie in cookies_list:
    session.cookies.set(cookie['name'], cookie['value'])

# Add matching User-Agent
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
}

response = session.get("https://example.com/api/data", headers=headers)

Linux server configuration

Running UC Mode on Linux servers requires special setup because GUI methods need a display.

Install dependencies

# Install Xvfb for virtual display
sudo apt-get update
sudo apt-get install -y xvfb

# Install Chrome dependencies
sudo apt-get install -y \
    libglib2.0-0 libnss3 libatk1.0-0 libatk-bridge2.0-0 \
    libcups2 libdrm2 libxkbcommon0 libgbm1 libasound2

# Install Chrome
wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo dpkg -i google-chrome-stable_current_amd64.deb
sudo apt-get install -f -y

# Install Python dependencies
pip install seleniumbase pyvirtualdisplay

Using xvfb mode

SeleniumBase automatically handles virtual display with the xvfb parameter:

from seleniumbase import SB

with SB(uc=True, xvfb=True) as sb:
    sb.uc_open_with_reconnect("https://example.com", 4)
    sb.uc_gui_click_captcha()

The xvfb=True parameter creates a virtual display that allows PyAutoGUI to function on headless servers.

Set display resolution:

with SB(uc=True, xvfb=True, xvfb_metrics="1920,1080") as sb:
    sb.set_window_size(1920, 1080)
    # ...

Troubleshooting common issues

CAPTCHA not clicking

Symptom: uc_gui_click_captcha() runs but the checkbox isn't clicked.

Fixes:

1. Update SeleniumBase to the latest version:

pip install --upgrade seleniumbase

2. Use uc_gui_click_captcha() instead of uc_gui_handle_captcha() for stricter implementations.
3. Try explicit coordinates if auto-detection fails:

sb.uc_gui_click_x_y(x, y)

4. Check if the CAPTCHA is in a different position. Some sites right-align the checkbox:

# Debug: take a screenshot to see CAPTCHA position
sb.save_screenshot("debug.png")

"X11 display failed" error

Symptom: Error about display or X11 on Linux.

Fix: Install Xvfb and use xvfb=True:

sudo apt-get install -y xvfb

with SB(uc=True, xvfb=True) as sb:
    # ...

PyAutoGUI screen size mismatch

Symptom: Error like "PyAutoGUI cannot click on point (x, y) outside screen"

Fix: Set explicit xvfb metrics:

with SB(uc=True, xvfb=True, xvfb_metrics="1920,1080") as sb:
    sb.set_window_size(1920, 1080)
    # ...

Blocked after first request

Symptom: First request works, subsequent requests get blocked.

Fixes:

1. Reuse the same browser session instead of creating new ones.
2. Maintain consistent User-Agent and cookies across requests.
3. Add delays between requests:

sb.sleep(2)  # Wait between actions

4. Avoid rapid-fire clicking. Add small delays between interactions:

sb.sleep(random.uniform(0.3, 0.8))

Turnstile loops endlessly

Symptom: Turnstile keeps showing "Verifying..." but never completes.

Fixes:

1. Don't use headless mode. UC Mode is detectable in headless mode.
2. Use incognito mode:

with SB(uc=True, incognito=True) as sb:
    # ...

3. Switch to CDP Mode for better evasion:

sb.activate_cdp_mode(url)

4. Check your IP reputation. Try a different network or proxy.

Proxy not working

Symptom: Connection errors or immediate blocking with proxy.

Fixes:

1. Test proxy connectivity first:

curl -x http://proxy:port https://httpbin.org/ip

2. Use residential proxies. Most public proxies don't support HTTPS tunneling.
3. Ensure proxy format is correct:

proxy = "http://user:pass@host:port"  # Correct
proxy = "host:port"  # May not work

4. Try SOCKS5 format for better compatibility:

proxy = "socks5://host:port"

WebDriver detected despite UC Mode

Symptom: Site shows "Automated browser detected" or similar.

Fixes:

1. Enable incognito mode:

with SB(uc=True, incognito=True) as sb:

2. Switch to CDP Mode:

sb.activate_cdp_mode(url)

3. Verify no other extensions or flags are leaking automation signals.
4. Try a fresh Chrome profile:

with SB(uc=True, user_data_dir=None) as sb:

Which method should you use?

Your choice depends on your specific situation.

Start with Method 2 (SB Manager format). It works for most sites and handles cleanup automatically.

If you're getting blocked, try Method 4 (CDP Mode) before adding proxies. CDP Mode has stronger evasion capabilities and often succeeds where regular UC Mode fails.

For production deployments, combine Method 2 with Method 6 (proxy rotation) for best results. Residential proxies significantly improve success rates.

Decision flowchart

Is the site Cloudflare-protected?
├── No → Use regular Selenium
└── Yes → Does basic UC Mode work?
    ├── Yes → Use Method 2 (SB Manager)
    └── No → Does CDP Mode work?
        ├── Yes → Use Method 4
        └── No → Add proxy rotation (Method 6)
            └── Still blocked? → Try residential proxies

Performance considerations

Each method has different resource requirements:

UC Mode (Methods 1-3): Uses approximately 200-400MB RAM per browser instance. Suitable for moderate-scale scraping.

CDP Mode (Method 4): Slightly lower memory usage but requires more careful session management.

Parallel mode (Method 5): Memory scales linearly with browser count. Three browsers need approximately 600-1200MB.

For high-volume scraping, consider harvesting cf_clearance cookies with browser methods, then using them with lightweight HTTP requests.

Best practices for reliable bypass

Following these practices improves your success rate significantly.

Timing and delays

Don't rush through pages. Real users don't click instantly after page load.

from seleniumbase import SB
import random

with SB(uc=True) as sb:
    sb.uc_open_with_reconnect(url, 4)
    
    # Random delay mimics human behavior
    sb.sleep(random.uniform(1.5, 3.0))
    
    sb.uc_gui_click_captcha()
    
    # Wait between actions
    sb.sleep(random.uniform(0.5, 1.5))

Randomized delays between 1-3 seconds make your automation less predictable.

Session consistency

Keep fingerprints consistent within a session. Changing User-Agent or other browser properties mid-session raises red flags.

# Use the same browser instance for related requests
with SB(uc=True) as sb:
    sb.uc_open_with_reconnect("https://example.com", 4)
    sb.uc_gui_click_captcha()
    
    # Stay in the same session
    sb.click("a.next-page")  # Internal navigation
    sb.sleep(2)
    
    sb.click("a.next-page")  # Same session

Error handling

Cloudflare bypass isn't 100% reliable. Build retry logic into your scripts.

from seleniumbase import SB
import time

def bypass_with_retry(url, max_attempts=3):
    for attempt in range(max_attempts):
        try:
            with SB(uc=True) as sb:
                sb.uc_open_with_reconnect(url, 4)
                sb.uc_gui_click_captcha()
                sb.sleep(2)
                
                # Verify we passed the challenge
                if "challenge" not in sb.get_current_url().lower():
                    return sb.get_page_source()
                    
        except Exception as e:
            print(f"Attempt {attempt + 1} failed: {e}")
            time.sleep(5)  # Wait before retry
    
    raise Exception("Failed after all attempts")

Rate limiting yourself

Even successful bypasses can lead to blocks if you scrape too aggressively.

import time
from collections import deque

class RateLimiter:
    def __init__(self, requests_per_minute=10):
        self.requests_per_minute = requests_per_minute
        self.timestamps = deque()
    
    def wait(self):
        now = time.time()
        
        # Remove timestamps older than 1 minute
        while self.timestamps and now - self.timestamps[0] > 60:
            self.timestamps.popleft()
        
        if len(self.timestamps) >= self.requests_per_minute:
            sleep_time = 60 - (now - self.timestamps[0])
            time.sleep(sleep_time)
        
        self.timestamps.append(time.time())

# Usage
limiter = RateLimiter(requests_per_minute=10)

for url in urls:
    limiter.wait()
    # Make request...

Ethical considerations

Bypassing Cloudflare protection should be done responsibly.

Do:

• Scrape public data for legitimate purposes
• Respect rate limits even when you can bypass them
• Cache data to minimize requests
• Identify yourself with a contact email when appropriate

Don't:

• Scrape personal or private data without consent
• Overload servers with requests
• Bypass protections on sensitive sites (financial, healthcare, government)
• Resell scraped data without proper rights

Check the website's robots.txt and Terms of Service. Many sites allow scraping of public data but prohibit automated access.

Frequently asked questions

Can SeleniumBase bypass all Cloudflare protection?

No tool bypasses Cloudflare 100% of the time. SeleniumBase UC Mode works reliably against basic and intermediate Cloudflare protection. For enterprise-level protection with per-customer ML models, you may need to combine it with residential proxies or try CDP Mode.

Success rates depend on the specific site configuration, your IP reputation, and Cloudflare's current detection methods. Expect 70-90% success on most sites.

Does SeleniumBase work in headless mode?

UC Mode is detectable in true headless mode. Cloudflare specifically checks for headless browser indicators.

Instead, use xvfb=True on Linux servers to run a headed browser in a virtual display. This maintains the stealth benefits while running without a physical screen.

# Correct approach for servers
with SB(uc=True, xvfb=True) as sb:
    # ...

How long does cf_clearance cookie last?

The cf_clearance cookie validity varies from 15 minutes to several hours. Most commonly, it lasts 30 minutes to 2 hours.

Factors affecting validity:

• Site configuration
• Your behavioral patterns
• IP consistency
• Session activity

For long-running scrapers, implement cookie refresh logic that re-bypasses before expiration.

Is bypassing Cloudflare legal?

The legality depends on your jurisdiction, the website's terms of service, and what you do with the data.

Generally, scraping publicly available data for personal use, research, or journalism is legal in most jurisdictions. However, violating a website's Terms of Service could have civil consequences even if not criminal.

Key legal considerations:

• CFAA in the United States
• GDPR in Europe for personal data
• Local computer access laws

Consult legal counsel for commercial applications.

Why doesn't simple HTTP requests work against Cloudflare?

Cloudflare requires JavaScript execution to verify visitors. Simple HTTP libraries like requests or curl can't execute JavaScript.

The Turnstile challenge runs cryptographic proofs in the browser. Without executing that JavaScript, you can't generate the valid response token.

Browser automation tools like SeleniumBase execute JavaScript, allowing them to complete these challenges.

SeleniumBase vs undetected-chromedriver: Which is better?

SeleniumBase is generally better for most use cases.

SeleniumBase advantages:

• Automatic driver management
• Built-in CAPTCHA handling methods
• Context management (SB manager)
• Virtual display support
• Better documentation
• Active maintenance

undetected-chromedriver advantages:

• Lighter weight
• Simpler if you need raw control
• No extra abstractions

Use SeleniumBase unless you have specific reasons to need raw undetected-chromedriver.

How do I handle multiple Cloudflare challenges on one site?

Some sites have Turnstile on both the landing page and after form submission.

from seleniumbase import SB

with SB(uc=True) as sb:
    # First challenge on page load
    sb.uc_open_with_reconnect(url, 4)
    sb.uc_gui_click_captcha()
    sb.sleep(2)
    
    # Fill and submit form
    sb.type('input[name="email"]', "test@example.com")
    sb.uc_click('button[type="submit"]', reconnect_time=3)
    
    # Second challenge after submission
    sb.uc_gui_click_captcha()
    sb.sleep(2)

Call uc_gui_click_captcha() after each point where a challenge might appear.

Conclusion

SeleniumBase UC Mode provides the most reliable free method for bypassing Cloudflare Turnstile in 2026. The combination of ChromeDriver patching, strategic disconnection, and PyAutoGUI-based CAPTCHA clicking handles most protection levels.

Quick summary:

1. Install SeleniumBase: pip install seleniumbase
2. Use SB(uc=True) for UC Mode
3. Open pages with uc_open_with_reconnect(url, 4)
4. Handle CAPTCHAs with uc_gui_click_captcha()
5. Switch to CDP Mode for tough cases

For a ready-to-use solution, check out the cloudflare-bypass-2026 repository on GitHub.

Remember that Cloudflare continuously updates their detection. Keep SeleniumBase updated and monitor for changes in bypass effectiveness.