Playwright is the best browser automation library in 2026. It's also the most fingerprinted, the most detected, and the most patched in anti-bot databases. If you're running default Playwright against any platform with serious anti-bot defenses, you're getting flagged.
We learned what's left of the cat-and-mouse game the hard way building HelperX. This article is what still trips up Playwright today — beyond the well-known navigator.webdriver flag, which everyone fixes in week one.
The detection surface has shifted dramatically since 2022. The classic tells (PhantomJS, missing plugins, undefined chrome object) are largely solved. The new battleground is more subtle: CDP protocol artifacts, behavioral inconsistencies, and side-effects of the Playwright runtime that aren't part of the public API.
What stopped working in 2024-2025
Detection on the platforms we monitor has gotten dramatically better in the last 18 months. A few things that worked in 2023 and stopped working since:
-
Generic
navigator.webdriver = undefinedpatches — detectable viaObject.getOwnPropertyDescriptorif you do it naively -
Patching
Notification.permission— modern detection cross-references withPermissions.query() -
Faking
window.chrome— the property structure changed; old fakes are missing newer subkeys - Setting a single User-Agent profile — detection now expects Client Hints to match
-
Empty
navigator.languages— flagged as suspicious; needs at least 2 entries
These were all "set it once, ship it" fixes. The current generation of detection requires ongoing engineering.
CDP artifacts: the deepest tell
The Chrome DevTools Protocol (CDP) is how Playwright controls the browser. The browser exposes signals that it's being controlled, and modern detection looks for them specifically.
Symptom: Runtime.evaluate artifacts
When you run await page.evaluate(() => ...), Playwright uses Runtime.evaluate under the hood. The evaluated script runs in a special isolated world. If the page can detect that an isolated world is being used at all, it knows automation is present.
The detection trick: schedule a function call to a Symbol-keyed property on window, then check whether it was called from the main world or an isolated one.
There's no clean fix in stock Playwright. The workaround is the playwright-extra ecosystem, particularly puppeteer-extra-plugin-stealth adapted for Playwright. It maintains a set of patches against CDP-leak vectors:
import { chromium } from 'playwright-extra';
import stealth from 'puppeteer-extra-plugin-stealth';
chromium.use(stealth());
const browser = await chromium.launch();
The stealth plugin handles dozens of known leaks. It's not perfect, but it closes the easy wins.
Symptom: Page.addScriptToEvaluateOnNewDocument is detectable
page.addInitScript calls this CDP method under the hood. The script runs before any page script — except very specifically: it runs after document is created but before DOMContentLoaded fires. There's a tiny window where a page-loaded script can observe state before init scripts run.
Some detection systems exploit this by reading navigator.webdriver immediately on script load, before init scripts have run. The fix is to set navigator.webdriver via Chromium launch arguments instead of init scripts:
const browser = await chromium.launch({
args: [
'--disable-blink-features=AutomationControlled',
],
});
This is the most important launch flag. It tells Chromium to suppress the automation indicators at the engine level, before any script can detect them.
Plugin and MIME-type subtleties
Real Chrome has 3-5 plugins. Default Playwright has 0. Most people patch navigator.plugins to have items, but they patch it wrong.
The naive patch fails
// WRONG: this fails plugin inspection
Object.defineProperty(navigator, 'plugins', {
get: () => [{ name: 'PDF Viewer' }],
});
The detection runs:
const p = navigator.plugins[0];
console.log(p.constructor.name); // expected 'Plugin', got 'Object'
console.log(p instanceof Plugin); // expected true, got false
Real plugins are Plugin instances. Plain objects aren't. The fix requires constructing actual Plugin instances:
await page.addInitScript(() => {
const makeFakePlugin = (name, filename, description) => {
const plugin = Object.create(Plugin.prototype);
Object.defineProperty(plugin, 'name', { value: name });
Object.defineProperty(plugin, 'filename', { value: filename });
Object.defineProperty(plugin, 'description', { value: description });
Object.defineProperty(plugin, 'length', { value: 1 });
// Add fake MIME type
const mime = Object.create(MimeType.prototype);
Object.defineProperty(mime, 'type', { value: 'application/pdf' });
Object.defineProperty(mime, 'suffixes', { value: 'pdf' });
Object.defineProperty(mime, 'description', { value: 'Portable Document Format' });
Object.defineProperty(mime, 'enabledPlugin', { value: plugin });
plugin[0] = mime;
plugin['application/pdf'] = mime;
return plugin;
};
const fakePlugins = [
makeFakePlugin('PDF Viewer', 'internal-pdf-viewer', 'Portable Document Format'),
makeFakePlugin('Chrome PDF Viewer', 'internal-pdf-viewer', 'Portable Document Format'),
makeFakePlugin('Chromium PDF Viewer', 'internal-pdf-viewer', 'Portable Document Format'),
];
Object.defineProperty(navigator, 'plugins', {
get: () => {
const plugins = Object.create(PluginArray.prototype);
fakePlugins.forEach((p, i) => { plugins[i] = p; });
Object.defineProperty(plugins, 'length', { value: fakePlugins.length });
plugins.item = (i) => fakePlugins[i] || null;
plugins.namedItem = (name) => fakePlugins.find(p => p.name === name) || null;
plugins.refresh = () => {};
return plugins;
},
});
});
The PluginArray needs proper item(), namedItem(), and refresh() methods. MimeType objects need to point back at their parent plugin via enabledPlugin. Both need to use the right prototype chains.
This is ugly. It's also necessary if you're going past surface-level checks.
The Permissions API consistency trap
Notification.permission is famously trivial to spoof. But the value has to be consistent with Permissions.query():
// Detection check:
const notifPerm = Notification.permission;
const queryResult = await navigator.permissions.query({ name: 'notifications' });
if (notifPerm !== queryResult.state) {
// INCONSISTENT — automation suspected
}
Real browsers always have these match. Patches that only spoof one create the inconsistency.
The fix:
await page.addInitScript(() => {
Object.defineProperty(Notification, 'permission', {
get: () => 'default',
});
const originalQuery = navigator.permissions.query.bind(navigator.permissions);
navigator.permissions.query = (parameters) => {
if (parameters.name === 'notifications') {
return Promise.resolve({ state: 'default', name: 'notifications', onchange: null });
}
return originalQuery(parameters);
};
});
Both the direct property and the API query return the same value.
Mouse and keyboard timing fingerprints
Behavioral detection is the newest and hardest to defeat. The platforms increasingly look at:
- Mouse path linearity — humans don't move in straight lines
- Click timing distribution — humans have variance; bots have suspicious consistency
- Scroll velocity profiles — humans accelerate, plateau, and decelerate
- Typing cadence — humans have non-uniform inter-keystroke timing
Stock Playwright mouse.move(x, y) instant-jumps the cursor. mouse.click() happens at machine speed. This is a behavioral fingerprint.
Humanized mouse paths
For any meaningful interaction, we wrap Playwright's mouse with a path interpolator:
async function humanMove(page, fromX, fromY, toX, toY) {
const distance = Math.hypot(toX - fromX, toY - fromY);
const steps = Math.max(15, Math.min(60, Math.floor(distance / 5)));
const path = bezierPath(fromX, fromY, toX, toY, steps);
for (let i = 0; i < path.length; i++) {
const { x, y } = path[i];
await page.mouse.move(x, y);
// Variable delay — fast in the middle, slow at the start/end
const t = i / path.length;
const baseDelay = 8 + Math.sin(t * Math.PI) * 12;
const jitter = Math.random() * 6 - 3;
await sleep(baseDelay + jitter);
}
}
function bezierPath(x1, y1, x2, y2, steps) {
// Random control points that bow the curve slightly
const cx1 = x1 + (x2 - x1) * 0.3 + (Math.random() - 0.5) * 80;
const cy1 = y1 + (y2 - y1) * 0.3 + (Math.random() - 0.5) * 80;
const cx2 = x1 + (x2 - x1) * 0.7 + (Math.random() - 0.5) * 80;
const cy2 = y1 + (y2 - y1) * 0.7 + (Math.random() - 0.5) * 80;
const points = [];
for (let i = 0; i <= steps; i++) {
const t = i / steps;
const mt = 1 - t;
const x = mt*mt*mt*x1 + 3*mt*mt*t*cx1 + 3*mt*t*t*cx2 + t*t*t*x2;
const y = mt*mt*mt*y1 + 3*mt*mt*t*cy1 + 3*mt*t*t*cy2 + t*t*t*y2;
points.push({ x, y });
}
return points;
}
The cubic Bezier path produces a natural curve. The variable delay simulates human acceleration patterns. The random control point offsets ensure no two movements look identical.
Click timing
Real human clicks have ~80-180ms between mousedown and mouseup, with variance. Playwright's mouse.click() happens in ~10ms by default. Patch it:
async function humanClick(page, x, y) {
await humanMove(page, await getCurrentPos(page), x, y);
await page.mouse.down();
await sleep(70 + Math.random() * 110);
await page.mouse.up();
}
Typing cadence
Default page.keyboard.type('hello', { delay: 50 }) gives uniform 50ms delays. Real typing is bursty:
async function humanType(page, text) {
for (const char of text) {
await page.keyboard.type(char);
// Burst typing with occasional pauses
let delay;
if (Math.random() < 0.03) {
delay = 300 + Math.random() * 400; // thinking pause
} else if (Math.random() < 0.15) {
delay = 150 + Math.random() * 100; // brief hesitation
} else {
delay = 30 + Math.random() * 60; // fast typing
}
await sleep(delay);
// Occasional typo + correction
if (Math.random() < 0.012) {
await page.keyboard.type(String.fromCharCode(97 + Math.floor(Math.random() * 26)));
await sleep(100 + Math.random() * 200);
await page.keyboard.press('Backspace');
await sleep(50 + Math.random() * 80);
}
}
}
The typo-and-correct pattern is what real humans actually do. Bots that never make typos are detectable through statistical analysis of input streams over many sessions.
Headless detection specifically
The --headless flag is itself a detection target. Several mechanisms expose headless mode:
-
navigator.userAgentcontains "HeadlessChrome" — fixed by setting a different UA, but you have to also fix the others -
screen.widthandscreen.heightare smaller than the launch viewport — headless reports smaller logical screens -
window.outerHeightandwindow.outerWidthare 0 — they have non-zero values in real Chrome -
document.elementFromPoint(0, 0)returns<html>— in real Chrome, scrollbar can affect this
The aggregated fix is to launch with --headless=new (the newer Chrome headless mode) and patch the screen-related properties:
const browser = await chromium.launch({
args: [
'--headless=new',
'--disable-blink-features=AutomationControlled',
'--no-first-run',
'--no-default-browser-check',
'--no-sandbox',
'--disable-dev-shm-usage',
],
});
const context = await browser.newContext({
viewport: { width: 1920, height: 1080 },
screen: { width: 1920, height: 1080 },
deviceScaleFactor: 1,
});
await context.addInitScript(() => {
Object.defineProperty(window, 'outerWidth', { get: () => window.innerWidth });
Object.defineProperty(window, 'outerHeight', { get: () => window.innerHeight + 80 });
});
We also pass through a curated set of "real browser" launch args that suppress various automation tells. The full list is roughly 40 flags long; the ones above are the highest-impact subset.
The chrome object
window.chrome exists in real Chrome and has a specific structure. Playwright runs Chromium without the Chrome-specific extensions, so window.chrome is missing or partial.
Stealth plugins patch this in, but you should validate the patch matches your target Chrome version. The structure changed in 2024 and again in early 2026:
await page.addInitScript(() => {
if (!window.chrome) {
window.chrome = {
runtime: {
OnInstalledReason: { CHROME_UPDATE: 'chrome_update', INSTALL: 'install', SHARED_MODULE_UPDATE: 'shared_module_update', UPDATE: 'update' },
OnRestartRequiredReason: { APP_UPDATE: 'app_update', OS_UPDATE: 'os_update', PERIODIC: 'periodic' },
PlatformArch: { ARM: 'arm', ARM64: 'arm64', MIPS: 'mips', MIPS64: 'mips64', X86_32: 'x86-32', X86_64: 'x86-64' },
PlatformNaclArch: { ARM: 'arm', MIPS: 'mips', MIPS64: 'mips64', X86_32: 'x86-32', X86_64: 'x86-64' },
PlatformOs: { ANDROID: 'android', CROS: 'cros', FUCHSIA: 'fuchsia', LINUX: 'linux', MAC: 'mac', OPENBSD: 'openbsd', WIN: 'win' },
RequestUpdateCheckStatus: { NO_UPDATE: 'no_update', THROTTLED: 'throttled', UPDATE_AVAILABLE: 'update_available' },
},
// ... more subkeys
};
}
});
The full object is large. Get it right by copying from a real Chrome instance and serializing the structure into your patch.
Iframe context bleed
Most checks above apply to the top-level frame. Detection scripts often run in iframes — and an iframe doesn't inherit your addInitScript patches by default.
Solution: register your init scripts at the context level, not the page level. They apply to all frames automatically:
const context = await browser.newContext();
await context.addInitScript(yourPatchFunction);
const page = await context.newPage();
// All iframes in this page get the patches
This single change closed a class of detection we'd been wrestling with for weeks.
Validation: how to know you're undetected
The same testing sites apply as for fingerprint randomization (see our other article), but for headless detection specifically:
-
bot.sannysoft.com— comprehensive bot-detection check, the gold standard -
fingerprint.com/products/bot-detection/— commercial-grade detection (gives a "bot likelihood" score) -
incolumitas.com/Botfront-1— research-grade detection
The pass criteria:
-
bot.sannysoft.comshows all green (no failures, no warnings) -
fingerprint.comshows bot likelihood < 10% - All claimed properties (platform, UA, screen) are consistent across tests
If you can pass bot.sannysoft.com with zero failures on Playwright + your patches, you're in the top 20% of automation. Most production setups have 2-5 failures and accept it.
When patches stop working
The half-life of any specific patch is roughly 6-12 months. Browsers update, detection updates, your patches break or become obsolete. Some practical advice:
- Run weekly automated regression tests against the validation sites. Flag any new failures.
- Subscribe to Playwright release notes. Browser updates frequently surface or fix detection vectors.
-
Track Chromium issue tracker for
--disable-blink-featuresflag changes. Several of our patches relied on flag behaviors that were later modified. - Have a kill switch. If detection regresses overnight, you need to slow your traffic before you get a wave of account bans.
We monitor a detection score per slot in HelperX — if any slot's fingerprint becomes suddenly flagged, we throttle that slot, alert the operator, and run our regression suite. That observability is what lets us catch regressions before they cascade.
Key takeaways
-
--disable-blink-features=AutomationControlledis the highest-leverage single fix. -
navigator.pluginspatches must use real Plugin/PluginArray prototypes, not plain objects. - Permission API state and Notification.permission must agree — both need patching together.
- Behavioral fingerprinting (mouse, scroll, typing) is the new frontier. Static patches alone are insufficient.
- Patches go on the context, not the page. Iframe inheritance matters.
-
window.chromestructure changes with Chrome versions. Keep it current. -
Validate with
bot.sannysoft.comweekly. Patches expire. - Have detection observability per session. Catch regressions before they cascade.
Stock Playwright is detectable. Stealth-patched Playwright with careful behavioral simulation is much less so. The cat-and-mouse game is permanent — budget for ongoing maintenance, not a one-time setup.
HelperX maintains a curated patch set against a rotating panel of detection probes. Self-hosted, brings your own proxy. Free 30-day trial — exactly the patches we run in production.
Top comments (0)