Anti-Detection & Stealth: Don't Let Websites Block Your Agent
Your agent is running. Chrome is rendering. The LLM is making good decisions. Then, out of nowhere, Cloudflare throws a challenge page. Or the site returns a 403. Or worse — it returns a 200 with a fake "success" page that contains none of the data you're trying to scrape. Welcome to bot detection, and it's no longer just about checking the User-Agent header.
Modern anti-bot systems operate on three layers. Layer one is JavaScript fingerprinting: the page runs a script that measures your WebGL renderer string, canvas hash, installed fonts, screen resolution, and audio context fingerprint. These values collectively form a "browser fingerprint" that is surprisingly unique — even two identical Chrome installs on the same OS will produce different canvas hashes if their GPU drivers differ. Layer two is CDP (Chrome DevTools Protocol) detection: when you connect to Chrome via Playwright or Puppeteer, the browser exposes a navigator.webdriver property set to true and adds a "Chrome is being controlled by automated test software" infobar. Any competent anti-bot system checks these. Layer three is behavioral: real humans don't click at pixel-perfect coordinates, don't type at a constant 0ms inter-key delay, and don't navigate between pages with zero mouse movement between clicks. Behavioral analysis is the hardest to spoof because it requires per-task randomization, not just a one-time configuration change.
Browser Use Cloud ships with a built-in stealth layer that handles layers one and two out of the box — it consistently scores in the 90-95% range on CreepJS, the standard browser fingerprinting test suite. For self-hosted setups, you need to configure this yourself. The minimum viable stealth config has four parts: disable the automation infobar via Chrome flags, strip navigator.webdriver via CDP on every new page, randomize the viewport to a common resolution (don't use the default 800x600 which screams "headless bot"), and inject a stealth JavaScript payload that overrides the most commonly fingerprinted APIs before any page scripts run.
Proxy rotation is the fourth piece that most guides skip. Even with perfect browser fingerprinting, if all your requests come from the same datacenter IP range (AWS, GCP, DigitalOcean), sites will rate-limit or block you based on IP reputation alone. Residential proxies route your traffic through real ISP-assigned IPs, making your agent indistinguishable from a real user on a home connection. The full chapter covers proxy rotation strategies — round-robin, sticky sessions for login flows, and automatic proxy switching on Cloudflare challenge detection.
from browser_use import Agent, Browser, BrowserConfig
# Minimum viable stealth configuration for self-hosted Browser Use
config = BrowserConfig(
headless=False,
disable_security=True,
extra_chromium_args=[
"--disable-blink-features=AutomationControlled",
"--disable-features=ChromeWhatsNewUI",
"--exclude-switches=enable-automation",
"--no-first-run --no-default-browser-check",
],
new_context_params={
"viewport": {"width": 1920, "height": 1080},
"user_agent": (
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
"AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/131.0.0.0 Safari/537.36"
),
"locale": "en-US",
"timezone_id": "America/Chicago",
},
)
browser = Browser(config=config)
agent = Agent(task="...", llm=llm, browser=browser)
await agent.run()
Unlock the full chapter. Get the complete stealth config tested against Cloudflare, Datadome, and Akamai, residential proxy rotation with automatic failover, a CreepJS fingerprint testing script, and behavioral emulation strategies (mouse movement, typing cadence, scroll patterns).
Get the Production Guide — $39