ScrapeBadger's auto-escalation engine identifies which Cloudflare protection layer is active and selects the right bypass method — WAF rules, JS challenges, Turnstile CAPTCHA, and Under Attack Mode. You configure nothing.
Cloudflare sits between every request and the websites it protects — covering over 27 million web properties. Every request that passes through Cloudflare receives a bot score from 1 to 99, calculated in under 50 microseconds using machine learning, TLS fingerprinting, HTTP/2 frame analysis, JavaScript challenge results, behavioral signals, and IP reputation. Scores below 30 are associated with bot traffic and trigger blocking or challenges automatically.
Standard scrapers fail immediately. A Python requests call reveals a non-browser User-Agent and a datacenter IP — both immediate red flags. Even a standard Playwright or Selenium script exposes automation through navigator.webdriver, CDP timing artifacts, missing browser API values, and TLS signatures that don't match any real browser.
Bypassing Cloudflare requires passing all detection layers simultaneously — not just one. ScrapeBadger's auto-escalation engine handles this automatically, selecting the right combination of stealth browser, proxy type, TLS fingerprint, and challenge solver for each target.
# Cloudflare bot score breakdown
# 1-99: lower = more likely bot
cf.bot_management.score = 4
# ↑ plain requests lib = instant block
cf.tls.client.ja4 = "t13d..."
# ↑ TLS fingerprint mismatch detected
cf.bot_management.js_detection.passed = false
# ↑ JS challenge not executed
cf.verified_bot = false
# ↑ not a known good bot
# Result:
action = "block"
# HTTP 403 — Error 1020
Cloudflare applies all of these simultaneously. Bypassing one layer while failing another still results in a block.
Every TLS handshake produces a JA4 fingerprint — a hash of cipher suites, extensions, and elliptic curves in a specific order. HTTP/2 frame parameters add a second fingerprint layer. Cloudflare compares both against a database of known browsers. A requests call or curl produces signatures that match no real browser and are blocked immediately — before any page content is evaluated.
Cloudflare runs CatBoost machine learning models on every request — scoring in under 50 microseconds using behavioural signals, request pattern analysis, and global threat intelligence from 27M+ protected sites. Requests below a score of 30 are automatically associated with bot traffic. Site owners can configure WAF custom rules to block, challenge, or log any score threshold they choose.
Cloudflare injects a JavaScript snippet into HTML responses that runs proof-of-work puzzles, probes browser APIs (Canvas, WebGL, AudioContext), and detects automation artefacts like navigator.webdriver and CDP timing leaks. The result populates cf.bot_management.js_detection.passed, which WAF rules act on. Failing the JS challenge while other signals look suspicious triggers a managed challenge or block.
Turnstile is Cloudflare's CAPTCHA replacement — an invisible or minimal widget embedded by site owners on login forms, checkout pages, and other sensitive endpoints. It runs proof-of-work, proof-of-space, and browser-quirk detection challenges silently in the background. A Turnstile token must be validated via the Siteverify API before form submission is accepted. Standard scrapers cannot pass this without a fully instrumented browser environment.
Cloudflare maintains reputation scores for every IP range on the internet. Datacenter IPs — AWS, GCP, DigitalOcean, Azure — receive low reputation scores by default because the vast majority of malicious bot traffic originates there. Even a brand-new datacenter IP may be pre-flagged. Cloudflare also rates requests higher risk when origin country doesn't match the site's expected audience geography.
When a site owner enables Under Attack Mode (I'm Under Attack), every visitor — including apparent humans — is presented with a full-page interstitial that runs a JavaScript challenge before granting access via a cf_clearance session cookie. This mode layers on top of all other protections. Scrapers that cannot execute the challenge and obtain a valid cf_clearance cookie are blocked on every request.
ScrapeBadger identifies which Cloudflare protection layer is active on each request and applies the appropriate bypass method without any configuration from you.
Every request is sent with a TLS signature and HTTP/2 frame configuration that matches a real browser's JA4 fingerprint. ScrapeBadger cycles through current browser profiles — Chrome, Edge, Safari — so the TLS handshake passes Cloudflare's fingerprint database check.
For JS challenges, Turnstile, and Under Attack Mode, ScrapeBadger uses Patchright — the leading open-source stealth Chromium — which removes CDP timing leaks, sets navigator.webdriver to false, corrects canvas and WebGL fingerprints, and patches execution context exposures. The browser environment is indistinguishable from a real user's Chrome session.
All requests are routed through residential IPs from real consumer ISPs across 150+ countries. Residential IPs carry genuine reputation scores that pass Cloudflare's IP reputation layer. Datacenter IPs — which virtually all basic scrapers use — are pre-flagged. ScrapeBadger never uses datacenter IPs for Cloudflare-protected targets.
When a JS challenge or Turnstile is encountered, ScrapeBadger's browser environment executes the challenge, obtains the cf_clearance session cookie, and reuses it across subsequent requests. Turnstile tokens are generated and validated automatically. Session state is maintained so challenges don't need to be re-solved on every request.
One API call. ScrapeBadger handles TLS fingerprinting, JS challenges, Turnstile, and proxy rotation automatically.
# pip install scrapebadger
from scrapebadger import ScrapeBadger
client = ScrapeBadger("sb_live_your_api_key")
# ScrapeBadger auto-detects Cloudflare and applies the right bypass.
# No extra parameters needed — WAF, Turnstile, UAM all handled automatically.
result = client.scrape(
url="https://cloudflare-protected-site.com/products",
country="us", # route through US residential IP
render_js=True, # use Patchright stealth browser
bypass_cloudflare=True, # auto-escalation enabled
)
print(result.html) # page HTML after Cloudflare is bypassed
print(result.status_code) # 200 — not 403Why rolling your own Cloudflare bypass doesn't scale.
| Method | ScrapeBadger | requests / httpx | Playwright / Selenium | Patchright (self-hosted) | FlareSolverr |
|---|---|---|---|---|---|
| Bypasses WAF rules | Yes — auto | No | No | Partial | Partial |
| Bypasses Turnstile | Yes — auto | No | No | Limited | No |
| Bypasses Under Attack Mode | Yes — auto | No | No | Sometimes | Sometimes |
| TLS fingerprint impersonation | Yes — all plans | No | No | Yes | No |
| Residential proxies included | Yes — 150+ countries | No | No | No — extra cost | No — extra cost |
| Maintenance when Cloudflare updates | Zero — handled by us | Manual re-work | Manual re-work | Manual re-work | Manual re-work |
| Scales to 1M+ requests | Yes — cloud infrastructure | Technically yes | Costly — 500MB/instance | Costly — 500MB/instance | Not designed for scale |
| Pay for failed requests | Never | N/A | N/A | N/A | N/A |
FlareSolverr relies on undetected-chromedriver, deprecated February 2025. Standard Playwright/Selenium are detected immediately by current Cloudflare Bot Management.
Cloudflare updates its detection models continuously. Most bypass tools break within weeks. ScrapeBadger is maintained infrastructure, not a one-time script.
ScrapeBadger's engine detects which Cloudflare layer is active — WAF, Bot Management, Turnstile, Under Attack Mode — and applies the right bypass method automatically. You pass a URL and get back HTML. You don't need to know which Cloudflare product is deployed on the target site.
Cloudflare updates its bot detection models, TLS fingerprint databases, and challenge mechanisms continuously. Every time Cloudflare ships an update, DIY tools break and developers spend days debugging. ScrapeBadger's engineering team tracks Cloudflare updates and deploys countermeasures — your integration keeps working without any changes on your end.
Cloudflare's IP reputation layer blocks datacenter IPs by default. ScrapeBadger routes all Cloudflare bypass requests through residential IPs from real consumer ISPs in 150+ countries — included on every plan, with no tier upgrades. Country targeting lets you match the geographic expectation of the target site.
Failed requests — challenges not solved, timeouts, blocked responses — are never charged. Credits deduct only when ScrapeBadger returns a successful, data-containing response. At scale, where Cloudflare blocks some percentage of requests regardless of the bypass method, you only pay for the data you actually received.
Start free with 1,000 credits. Pay-as-you-go credits never expire. Subscription plans available at lower per-credit rates.
Start anytime — credits never expire
Best for small teams and steady workloads
For growing projects — save vs PAYG
For professionals and high-volume usage
Maximum scale at the lowest per-credit rate
Custom credit volumes, dedicated infrastructure, SLA guarantees, invoice billing, and a dedicated account manager.
A Cloudflare bypass is a technique or service that allows automated requests to pass through Cloudflare's multi-layer bot protection — including WAF rules, JS challenges, Turnstile CAPTCHA, TLS fingerprinting, and IP reputation checks — without being blocked. ScrapeBadger handles this automatically using a stealth browser engine (Patchright), residential proxies, and TLS fingerprint impersonation.
Cloudflare's Bot Management assigns every request a bot score from 1 to 99 based on TLS fingerprinting, HTTP/2 frame analysis, JavaScript challenge results, behavioral signals, and IP reputation. Requests from datacenter IPs, headless browsers, or scripts with automation-revealing signals score below 30 — the threshold at which WAF rules can block or challenge them automatically. Standard scrapers fail immediately because they expose automation through navigator.webdriver = true, CDP timing artefacts, datacenter IP ranges, non-browser TLS signatures, and missing browser API values. Bypassing Cloudflare requires passing all detection layers simultaneously.
The Cloudflare WAF blocks or challenges entire requests based on firewall rules — IP reputation, bot scores, rate limits, and custom rule expressions. A WAF block typically returns a 403 error (Error 1020) before any page content is served. Cloudflare Turnstile is a CAPTCHA-replacement widget embedded by site owners on specific forms or page elements. It doesn't block page access — it blocks form submission. You can view the page but can't log in, submit, or interact until Turnstile is solved. A website can deploy both simultaneously: WAF protects page access, Turnstile protects form actions. ScrapeBadger handles both automatically.
Cloudflare Turnstile runs proof-of-work puzzles, browser API probes, and behavioral verification silently in the background of a page. It generates a token that must be validated via Siteverify before form submission is accepted. ScrapeBadger's Patchright stealth browser presents a complete, genuine browser fingerprint — correct TLS signatures, real canvas/WebGL values, proper browser API presence, and human-like behavioral signals — that passes Turnstile's invisible verification. The token is extracted and submitted automatically as part of the form interaction.
Yes, for reliable bypass at scale. Cloudflare assigns low reputation scores to datacenter IP ranges (AWS, GCP, DigitalOcean, Azure) because the vast majority of malicious bot traffic originates there. Even a brand-new datacenter IP may already be pre-flagged. Residential IPs — real connections from consumer ISPs like BT, Comcast, or Deutsche Telekom — carry genuine reputation scores and are far less likely to trigger Cloudflare's IP reputation blocking layer. ScrapeBadger includes residential proxies across 150+ countries on all plans, including the free tier. No additional proxy service is required.
Under Attack Mode (I'm Under Attack) is a Cloudflare configuration that presents every visitor — including apparent humans — with a full-page JavaScript challenge interstitial before granting access. Successfully completing it issues a cf_clearance session cookie. Without a valid cookie, every subsequent request to the site returns a challenge page. ScrapeBadger's auto-escalation engine detects Under Attack Mode and routes the request through the Patchright stealth browser, which executes the JS challenge, obtains the cf_clearance cookie, and reuses it across subsequent requests to the same domain — so the challenge only needs to be solved once per session.
ScrapeBadger starts free with 1,000 credits — no credit card required. Pay-as-you-go credit packs start at $10 and credits never expire. Subscription plans start at $49/month with lower per-credit rates and monthly rollover. You are only charged for successful responses — blocked, timed-out, or failed requests are always free. Cloudflare bypass (residential proxy, stealth browser, challenge solving) is included in your existing credit balance — there is no extra per-request charge for anti-bot bypass features.
1,000 free credits, no credit card required. Pass WAF rules, Turnstile, and Under Attack Mode with a single API call.
Get 1,000 free creditsNo subscription · Credits never expire · 14-day money-back guarantee