Traces what attaching a CDP client changes inside a running Chrome: the WebSocket transport, the domains it switches on, the side effects that reach the page, and why a debugged browser is observably different from a hand-driven one.
The biography of one bot-detection signal: how logging an Error object exposed a CDP-driven browser, how DataDome made the trick public in 2024, and the two V8 commits that quietly broke it in May 2025.
Traces the undetected-chromedriver lineage into its successor nodriver: the cdc_ binary patch, the navigator.webdriver flags, dropping the chromedriver binary and Selenium for raw CDP, and why each layer still gets caught.
Traces the specific tells of Page.addScriptToEvaluateOnNewDocument: the isolated-world versus main-world choice, when the injected init script actually runs, and the residue an anti-bot script can probe from inside the page.
Traces how anti-bot systems read the clock instead of the cursor: event-dispatch latency, requestAnimationFrame cadence, input-to-action gaps, and why synthetic interaction keeps a suspiciously clean beat.
Traces how pointer motion becomes a biometric for bot detection: Fitts's law, bell-shaped velocity profiles, the two-thirds power law, micro-jitter and overshoot, and why straight-line and Bézier synthetic paths get flagged.
How the window.chrome surface became a headless tell: what real Chrome exposes through chrome.runtime, chrome.app, csi and loadTimes, what stripped headless lacked, and why faked objects get caught on shape rather than presence.
Traces how anti-bot scripts re-read the browser fingerprint from nested iframes, about:blank/srcdoc frames, and web workers, the exact contexts where injected stealth code often never runs.
Traces the classic Notification.permission vs navigator.permissions.query('notifications') contradiction in headless Chrome: where the signal comes from, why the two APIs use different enums, and why patching it is harder than it looks.
How detectors spot a browser running in a VM or container: software WebGL renderers like SwiftShader and llvmpipe, default 800x600 screens, quantized device memory, and timing artifacts under virtualization.
Traces navigator.plugins from a 15-bit fingerprinting signal to the five hard-coded PDF entries Chrome and Firefox ship today, the empty array that gave away old headless, and why fabricating a PluginArray still leaks.
Traces how a single browser-automation stealth patch moves through its life: a signal is found, the patch hides it, the patch itself becomes a fingerprint, and a new signal replaces the old one. With real examples and the economics of the treadmill.
A vendor-neutral comparison of the three proxy types: how each is sourced, how each gets detected at the ASN and reputation layer, what a gigabyte actually costs, and which job each one fits.
The strategic choice between holding one exit IP for a session and rotating per request: where statefulness forces stickiness, where rotation buys throughput, and how session-consistency checks punish the wrong call.
Traces how CAPTCHA solving is operationalized: the human-farm relay, the shift to ML and audio-transcription solvers, the per-solve price curve from 2010 to 2026, and the latency-accuracy-binding tradeoffs that decide whether a token is worth anything.
A field-by-field dissection of the TLS ClientHello, tracing exactly which bytes JA3 and JA4 read: version, cipher suites, compression, extensions, supported_groups, signature_algorithms, supported_versions, key_share, and ALPN.
How detectors catch tools that forge a perfect browser ClientHello: the mismatch between the TLS layer and the HTTP/2 frames above it, library-specific residue, header order, and version drift.
A reference for the HTTP/2 client fingerprint: the SETTINGS frame parameters, the WINDOW_UPDATE increment, the priority frames, the pseudo-header order, and the S|WU|P|PS string Akamai popularised in 2017.
How a forged TLS handshake plus a generic HTTP/2 library still contradicts itself at the frame level, and how anti-bot systems turn that cross-layer mismatch into a bot verdict.
Traces how HTTP/1.1 header order and field-name casing fingerprint a client, why every browser and library emits a fixed sequence, and how HTTP/2's mandatory lowercasing erased half the signal while keeping the rest.
Traces how the three Accept request headers, their exact default values, q-value syntax, and ordering form a per-browser signature, and how a missing or mismatched triad marks a request as a non-browser client.
How anti-bot systems catch a proxy by comparing the OS in the HTTP User-Agent against the OS inferred from the raw SYN packet, why the two disagree, and where the check breaks down.
How servers catch a proxy by comparing where an IP claims to be against how long packets actually take to arrive. The speed-of-light floor, TCP-handshake timing, the TCP-vs-TLS cross-layer split, and JA4L.
Traces how Intl.DateTimeFormat, getTimezoneOffset, Accept-Language and navigator.languages get read together against IP geolocation, and how the gaps between them catch proxies and spoofed browsers.