Traces what DataDome evaluates on the very first request, before any JavaScript runs: the TLS/JA4 fingerprint, the HTTP/2 frame profile, the header set, and IP and ASN reputation, and how those signals stack into one decision.
A reference on the network-layer fingerprints DataDome reads: HTTP/2 SETTINGS frames, flow control, pseudo-header order, and how a mismatch between the claimed user agent and the wire profile flags a client.
A field-by-field tour of the sensor_data payload Akamai Bot Manager POSTs from the browser: what telemetry it carries, how the numeric field markers are laid out, and how the obfuscation and encryption have changed across v1, v2, and v3.
A client-side tour of PerimeterX (now HUMAN): the VID visitor identifier, the bello/PX sensor payload and its per-load obfuscation, and the press-and-hold challenge flow with its PX-numbered fields and signed solution.
How Cloudflare turns every request into a single 1-99 bot score: the heuristics, machine-learning, behavioral, and JS-detection engines behind it, the verified-bots allowlist, and how the number reaches a WAF rule.
A reference on Cloudflare's network-layer fingerprinting: how JA3, JA4, and the HTTP/2 frame profile are computed at the edge, what cf.bot_management exposes, and how those signals feed the 1-99 bot score.
A walk through Imperva's reese84 client sensor: the obfuscated JavaScript, the device and environment telemetry the payload gathers, the interrogation endpoint it POSTs to, and how the signed token is minted and renewed.
How Arkose Labs' FunCaptcha works: why it ships interactive games instead of text, the encrypted bda fingerprint that decides difficulty, the gt2/gfct/verify token flow, and the economic model behind the challenge design.
How F5 Shape Defense works: the obfuscated JavaScript agent and its rotating virtual machine, the client signals it collects, the Defense Engine that routes telemetry, and the AI cloud behind it, tracing the heritage back to Shape Security in 2011.
![A V8-style error stack trace with an orange underline and the caption 'Function.prototype.toString() // [native code]'](/javascript-runtime-fingerprinting-cover.webp)
A reference on the JS-runtime fingerprinting surface: error stack formats, Function.prototype.toString, feature and timing probes, property enumeration order, and the engine quirks that betray a patched or automated browser.
What a ClientHello actually contains, why JA3 worked for six years and then stopped, and what JA4 fixes, with a Python reference you can run against your own packet captures.
A reference on the architectural split in bot detection: which signals a server can read from the network alone, which need JavaScript running in the client, the tradeoffs of each, and why modern stacks run both at once.
How device fingerprinting works in anti-bot stacks, traced through FingerprintJS open-source and Pro: the signal set, the entropy budget that makes a visitor ID unique, why client-side hashes drift, and how it differs from bot detection.
Traces how anti-bot systems classify an IP at the network layer: ASN reputation, datacenter-versus-residential-versus-mobile labelling, IP-quality scoring, known-proxy feeds, and why even a clean home IP still leaks.
A reference catalog of the signals that give headless Chrome away: the webdriver flag, empty plugin lists, the permissions contradiction, missing proprietary codecs, software WebGL renderers, and what --headless=new actually fixed.
Traces the HeadlessChrome user-agent token from its 2017 origin through the 2023 --headless=new rewrite, and the second-order tells that survive a clean UA: permissions inconsistencies, software WebGL, missing codecs, and CDP side effects.
A walkthrough of the individual evasions in puppeteer-extra-plugin-stealth: the webdriver flag, chrome.runtime, the permissions contradiction, plugins and mimeTypes, the WebGL vendor, and iframe.contentWindow, with what each patch fixes and where it leaks.
Traces the automation fingerprint each driver leaves behind: WebDriver's HTTP wire protocol and cdc_ globals versus the shared CDP transport that Puppeteer and Playwright ride, and which leaks belong to which framework.
Traces what attaching a CDP client changes inside a running Chrome: the websocket transport, the domains it switches on, the side effects that reach the page, and why a debugged browser is observably different from a hand-driven one.
A technical comparison of the major anti-detect browsers: which browser each forks, how profiles and fingerprints are managed at the engine level, and where the spoofing leaves detectable seams.
Traces how anti-detect browsers patch the browser's C++ source to spoof canvas, WebGL, audio, navigator, fonts, and WebRTC, why those native edits survive detection that JavaScript injection does not, and where the approach still leaks.
Traces how Camoufox patches Firefox at the C++ level to inject fingerprints, why it rides Juggler instead of CDP, how config flows from Python into the engine through environment variables, and where the Firefox base still leaks.
Traces the specific tells of Page.addScriptToEvaluateOnNewDocument: the isolated-world versus main-world choice, when the injected init script actually runs, and the residue an anti-bot script can probe from inside the page.
How the window.chrome surface became a headless tell: what real Chrome exposes through chrome.runtime, chrome.app, csi and loadTimes, what stripped headless lacked, and why faked objects get caught on shape rather than presence.