Don't sleep on viewport and screen dimensions because headless browsers literally default to 0x0, which is basically screaming I'm a bot to any halfway decent detection system. Next up, stick with one consistent User-Agent per session instead of constantly rotating them - sounds counterintuitive, but constant UA switching is literally a bot pattern that modern detection systems clock immediately. Playwright-stealth patches some of the JavaScript signals, but it's not catching everything - especially the deeper CDP-layer leaks and behavioral red flags - so if you're hitting harder targets, you might wanna check out CDP-minimal tools like rebrowser-patches or camoufox. TLS fingerprinting gets way more hype than it deserves with playwright; since it uses real chromium with boringSSL, your JA4 fingerprint is already legit. The actual gotchas are HTTP/2 SETTINGS frame ordering, how your requests behave over time, and JS-level detection tricks. So, throw residential proxy rotation and some smart pacing at it, and managed services can hit 98% success against Cloudflare and 89% against DataDome, while even DIY Playwright plus a residential proxy hits 31% sustained success over 24 hours against enterprise WAFs - way better than those outdated 1-5% numbers floating around
Don't sleep on viewport and screen dimensions because headless browsers literally default to 0x0, which is basically screaming I'm a bot to any halfway decent detection system. Next up, stick with one consistent User-Agent per session instead of constantly rotating them - sounds counterintuitive, but constant UA switching is literally a bot pattern that modern detection systems clock immediately. Playwright-stealth patches some of the JavaScript signals, but it's not catching everything - especially the deeper CDP-layer leaks and behavioral red flags - so if you're hitting harder targets, you might wanna check out CDP-minimal tools like rebrowser-patches or camoufox. TLS fingerprinting gets way more hype than it deserves with playwright; since it uses real chromium with boringSSL, your JA4 fingerprint is already legit. The actual gotchas are HTTP/2 SETTINGS frame ordering, how your requests behave over time, and JS-level detection tricks. So, throw residential proxy rotation and some smart pacing at it, and managed services can hit 98% success against Cloudflare and 89% against DataDome, while even DIY Playwright plus a residential proxy hits 31% sustained success over 24 hours against enterprise WAFs - way better than those outdated 1-5% numbers floating around