What is a Fortified Browser?
Fortified Browser represents an advanced browser automation solution designed specifically to evade sophisticated bot detection systems deployed by modern websites. While standard headless browsers excel at automation and testing, they exhibit detectable patterns that anti-bot systems easily identify—automation API usage, missing browser APIs, inconsistent fingerprints, and robotic interaction patterns. Fortified browsers address these weaknesses through comprehensive stealth modifications, realistic fingerprint generation, human behavior simulation, and adaptive evasion techniques.
Bot detection evolved dramatically in recent years moving beyond simple User-Agent checks to comprehensive fingerprinting, behavioral analysis, and machine learning classification. Detection systems analyze dozens of browser properties simultaneously—Canvas fingerprints, WebGL capabilities, plugin configurations, font lists, hardware concurrency, device memory, screen dimensions, and countless other attributes. Fortified browsers must pass all these checks while maintaining consistency across attributes and exhibiting realistic human browsing patterns to avoid triggering detection algorithms.
Browser Fingerprinting and Evasion
Browser fingerprinting collects device and browser characteristics creating unique signatures that identify users or detect automation. Canvas fingerprinting renders graphics offscreen and hashes the output—different GPUs and graphics drivers produce slightly different renderings creating unique fingerprints. WebGL fingerprinting tests graphics capabilities, shader compilation, and rendering characteristics. Audio context fingerprinting analyzes audio processing variations. Fortified browsers must randomize these fingerprints while maintaining internal consistency to avoid detection.
The navigator object exposes dozens of properties that standard headless browsers set incorrectly. The navigator.webdriver property explicitly indicates automation. Missing plugins, incorrect language arrays, mismatched timezone data, and absent permission APIs all signal automation. Fortified browsers override these properties injecting realistic values matching genuine browsers. Careful implementation ensures overrides execute before page JavaScript can detect original values or identify modification attempts.
// Fortified browser with comprehensive anti-detection
import { chromium } from 'playwright';
async function createFortifiedBrowser() {
const browser = await chromium.launch({
headless: true,
args: [
'--disable-blink-features=AutomationControlled',
'--disable-features=IsolateOrigins,site-per-process',
'--disable-site-isolation-trials',
'--disable-dev-shm-usage',
'--no-sandbox',
'--disable-setuid-sandbox'
]
});
const context = await browser.newContext({
userAgent: generateRealisticUserAgent(),
viewport: { width: 1920, height: 1080 },
deviceScaleFactor: 1,
hasTouch: false,
locale: 'en-US',
timezoneId: 'America/New_York',
permissions: ['geolocation', 'notifications']
});
// Inject stealth scripts before any page loads
await context.addInitScript(() => {
// Remove webdriver property
Object.defineProperty(navigator, 'webdriver', {
get: () => false
});
// Add chrome object
(window as any).chrome = {
runtime: {},
loadTimes: function() {},
csi: function() {},
app: {}
};
// Realistic plugin array
Object.defineProperty(navigator, 'plugins', {
get: () => [
{
name: 'Chrome PDF Plugin',
filename: 'internal-pdf-viewer',
description: 'Portable Document Format',
length: 1
},
{
name: 'Chrome PDF Viewer',
filename: 'mhjfbmdgcfjbbpaeojofohoefgiehjai',
description: '',
length: 1
}
]
});
// Languages array
Object.defineProperty(navigator, 'languages', {
get: () => ['en-US', 'en']
});
// Permissions API override
const originalQuery = window.navigator.permissions.query;
window.navigator.permissions.query = (parameters: any) => (
parameters.name === 'notifications'
? Promise.resolve({ state: 'prompt' } as PermissionStatus)
: originalQuery(parameters)
);
// Canvas fingerprint randomization
const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
HTMLCanvasElement.prototype.toDataURL = function(type?: string) {
const shift = Math.random() * 0.0001;
const ctx = this.getContext('2d');
if (ctx) {
const imageData = ctx.getImageData(0, 0, this.width, this.height);
for (let i = 0; i < imageData.data.length; i += 4) {
imageData.data[i] += shift;
}
ctx.putImageData(imageData, 0, 0);
}
return originalToDataURL.call(this, type);
};
// WebGL vendor/renderer randomization
const getParameter = WebGLRenderingContext.prototype.getParameter;
WebGLRenderingContext.prototype.getParameter = function(parameter) {
if (parameter === 37445) {
return 'Intel Inc.'; // UNMASKED_VENDOR_WEBGL
}
if (parameter === 37446) {
return 'Intel Iris OpenGL Engine'; // UNMASKED_RENDERER_WEBGL
}
return getParameter.call(this, parameter);
};
});
return { browser, context };
}
function generateRealisticUserAgent(): string {
const versions = ['120', '121', '122', '123'];
const version = versions[Math.floor(Math.random() * versions.length)];
return `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ` +
`(KHTML, like Gecko) Chrome/${version}.0.0.0 Safari/537.36`;
}Human Behavior Simulation
Sophisticated detection systems analyze mouse movements, typing patterns, scroll behavior, and interaction timing identifying non-human patterns. Real users move mice in curved paths with variable speeds, make small corrections, and occasionally overshoot targets. Automated browsers typically move pointers in straight lines at constant velocities between exact coordinates. Fortified browsers implement Bezier curves, easing functions, and jitter simulating natural hand movements that pass behavioral analysis.
Typing patterns exhibit characteristic human variation. Real users type at varying speeds, occasionally pause while thinking, make typos requiring backspaces, and show consistent timing patterns between specific key combinations based on keyboard layout and finger positions. Automated form filling types at constant speeds with perfect accuracy—a clear bot signal. Fortified browsers add random delays between keystrokes, occasionally insert and correct typos, vary typing speed based on text complexity, and simulate realistic pause patterns.
Scrolling behavior reveals automation through excessive smoothness, constant speeds, and missing the slight irregularities characterizing human scrolling. Real users scroll in bursts, pause to read content, occasionally scroll backwards to reread sections, and adjust scroll speed based on content interest. Fortified browsers implement variable scroll speeds, add reading pauses proportional to content length, occasionally scroll backwards, and simulate mouse wheel physics versus smooth JavaScript scrolling.
// Human behavior simulation utilities
class HumanBehavior {
async moveMouseNaturally(page: any, fromX: number, fromY: number, toX: number, toY: number) {
const steps = 20 + Math.floor(Math.random() * 10);
const controlX = (fromX + toX) / 2 + (Math.random() - 0.5) * 100;
const controlY = (fromY + toY) / 2 + (Math.random() - 0.5) * 100;
for (let i = 0; i <= steps; i++) {
const t = i / steps;
// Quadratic Bezier curve for natural movement
const x = Math.pow(1 - t, 2) * fromX +
2 * (1 - t) * t * controlX +
Math.pow(t, 2) * toX;
const y = Math.pow(1 - t, 2) * fromY +
2 * (1 - t) * t * controlY +
Math.pow(t, 2) * toY;
await page.mouse.move(x, y);
await this.randomDelay(10, 30);
}
}
async typeNaturally(page: any, selector: string, text: string) {
await page.click(selector);
await this.randomDelay(100, 300);
for (let i = 0; i < text.length; i++) {
const char = text[i];
// Occasional typo and correction
if (Math.random() < 0.05 && i > 0) {
const wrongChar = String.fromCharCode(char.charCodeAt(0) + 1);
await page.keyboard.type(wrongChar);
await this.randomDelay(50, 150);
await page.keyboard.press('Backspace');
await this.randomDelay(100, 200);
}
await page.keyboard.type(char);
// Variable typing speed
const baseDelay = 50;
const variation = Math.random() * 100;
await this.randomDelay(baseDelay, baseDelay + variation);
// Thinking pauses at spaces and punctuation
if (char === ' ' || char === '.' || char === ',') {
if (Math.random() < 0.3) {
await this.randomDelay(300, 800);
}
}
}
}
async scrollNaturally(page: any, targetHeight: number) {
let currentScroll = 0;
while (currentScroll < targetHeight) {
// Variable scroll amount
const scrollAmount = 100 + Math.random() * 300;
await page.evaluate((amount: number) => {
window.scrollBy({
top: amount,
behavior: 'smooth'
});
}, scrollAmount);
currentScroll += scrollAmount;
// Reading pause proportional to content
const pauseDuration = 500 + Math.random() * 2000;
await this.randomDelay(pauseDuration, pauseDuration + 1000);
// Occasionally scroll back slightly
if (Math.random() < 0.1) {
await page.evaluate(() => {
window.scrollBy({
top: -50,
behavior: 'smooth'
});
});
await this.randomDelay(200, 500);
}
}
}
private randomDelay(min: number, max: number): Promise<void> {
const delay = min + Math.random() * (max - min);
return new Promise(resolve => setTimeout(resolve, delay));
}
private easeInOutCubic(t: number): number {
return t < 0.5
? 4 * t * t * t
: 1 - Math.pow(-2 * t + 2, 3) / 2;
}
}Session and State Management
Persistent browser profiles enable building browsing history, cookies, and cached data that detection systems analyze for authenticity. New browser instances with empty caches, no cookies, and missing browsing history signal automation or suspicious activity. Fortified browsers maintain session state across runs, storing cookies, localStorage, indexedDB, and cached resources creating realistic browsing footprints that pass history-based checks.
Cookie management goes beyond simple storage to include realistic cookie evolution. Real users accumulate cookies gradually as they browse, with timestamps spanning days or weeks. Fortified browsers seed initial cookie sets simulating past browsing, update cookies appropriately during sessions, and maintain cookie consistency across requests. This includes handling cookie domains, paths, expiration, and security flags correctly matching real browser behavior.
Browser fingerprint consistency across sessions prevents detection through fingerprint changes. Real users maintain consistent Canvas fingerprints, WebGL capabilities, fonts, and hardware properties across visits. Fortified browsers store fingerprint configurations and restore them for returning sessions. This consistency combined with gradual cookie and cache accumulation creates convincing long-term browsing profiles passing temporal analysis impossible with ephemeral automation instances.
Using Fortified Browsers with CorsProxy
Combining fortified browsers with CorsProxy provides comprehensive evasion capabilities merging browser-level stealth with network-level anonymity. CorsProxy handles IP rotation, geographic distribution, and residential IP sourcing while fortified browsers manage browser fingerprints, human behavior simulation, and automation detection evasion. This dual-layer approach defeats both network-based detection analyzing IP patterns and browser-based detection examining client characteristics.
Geographic IP consistency prevents mismatches between browser timezone, language preferences, and IP geolocation. A fortified browser configured for New York timezone should route through US east coast CorsProxy IPs. Inconsistent combinations—Japanese language preferences with Mexican IP addresses—trigger fraud detection systems. Coordinating browser locale, timezone, and proxy geography creates cohesive identities passing cross-validation checks.
// Production fortified browser with CorsProxy
class FortifiedProxyScraper {
private apiKey: string;
private humanBehavior: HumanBehavior;
constructor(apiKey: string) {
this.apiKey = apiKey;
this.humanBehavior = new HumanBehavior();
}
async scrapeWithFortification(url: string) {
const { browser, context } = await createFortifiedBrowser();
const page = await context.newPage();
try {
// Route through CorsProxy for IP anonymity
const proxyUrl = `https://corsproxy.io/?url=${encodeURIComponent(url)}&key=${this.apiKey}&type=residential&colo=fra`;
await page.goto(proxyUrl, {
waitUntil: 'networkidle',
timeout: 30000
});
// Human-like behavior before extraction
await this.humanBehavior.scrollNaturally(
page,
await page.evaluate(() => document.body.scrollHeight)
);
await this.randomDelay(1000, 3000);
// Extract data
const data = await page.evaluate(() => {
const title = document.title;
const content = Array.from(document.querySelectorAll('.content')).map(
el => el.textContent?.trim()
);
return { title, content };
});
return data;
} catch (error) {
console.error('Scraping failed:', error);
throw error;
} finally {
await browser.close();
}
}
async scrapeWithFormInteraction(url: string, formData: Record<string, string>) {
const { browser, context } = await createFortifiedBrowser();
const page = await context.newPage();
try {
const proxyUrl = `https://corsproxy.io/?url=${encodeURIComponent(url)}&key=${this.apiKey}&type=residential&colo=fra`;
await page.goto(proxyUrl);
// Natural form filling with human behavior
for (const [selector, value] of Object.entries(formData)) {
// Move mouse to field naturally
const element = await page.$(selector);
if (element) {
const box = await element.boundingBox();
if (box) {
await this.humanBehavior.moveMouseNaturally(
page,
Math.random() * 500,
Math.random() * 500,
box.x + box.width / 2,
box.y + box.height / 2
);
}
}
await this.humanBehavior.typeNaturally(page, selector, value);
await this.randomDelay(500, 1500);
}
// Click submit with natural movement
await page.click('button[type="submit"]');
// Wait for response
await page.waitForNavigation({ timeout: 10000 });
const result = await page.content();
return result;
} finally {
await browser.close();
}
}
private randomDelay(min: number, max: number): Promise<void> {
const delay = min + Math.random() * (max - min);
return new Promise(resolve => setTimeout(resolve, delay));
}
}
// Usage
const scraper = new FortifiedProxyScraper('your-api-key');
// Scrape with full fortification
const data = await scraper.scrapeWithFortification('https://example.com');
// Interact with forms naturally
const formResult = await scraper.scrapeWithFormInteraction(
'https://example.com/search',
{
'input[name="query"]': 'search term',
'select[name="category"]': 'products'
}
);Advanced Detection Evasion Techniques
WebRTC leak prevention stops browsers from exposing real IP addresses through WebRTC connections even when using proxies. WebRTC enables peer-to-peer connections that can bypass proxy configurations revealing actual client IPs to detection systems. Fortified browsers disable or modify WebRTC implementations preventing IP leakage while maintaining compatibility with sites requiring WebRTC for functionality.
Font fingerprinting analyzes installed system fonts creating unique device signatures. Different operating systems, installed applications, and user configurations result in distinct font lists. Fortified browsers either randomize font lists within realistic bounds or use common font sets matching target demographics. Consistency matters—once a fingerprint declares specific fonts available, all rendering and queries must reflect that font availability.
Battery API, hardware concurrency, device memory, and connection type all contribute to device fingerprinting. Mobile devices report battery status, low memory, and cellular connections. Desktop workstations show high core counts, large memory, and wired connections. Fortified browsers configure these properties consistently with the targeted device profile—mobile fortification uses mobile-appropriate values, desktop profiles use desktop-typical specifications.
Performance Considerations and Best Practices
Fortified browser overhead includes stealth script injection, fingerprint randomization, behavior simulation, and comprehensive detection evasion. This overhead increases per-page scraping time compared to standard headless browsers. Production deployments must balance stealth requirements against throughput needs—some targets require full fortification while others accept standard headless approaches. Profile different fortification levels measuring detection rates versus performance costs.
Resource blocking improves performance by preventing download of unnecessary assets. Images, stylesheets, fonts, and third-party tracking scripts consume bandwidth and processing time without contributing to data extraction. Request interception selectively blocks these resources while allowing essential JavaScript and HTML through. This optimization dramatically speeds page loads and reduces memory consumption without compromising stealth effectiveness.
Browser pool management amortizes launch overhead across multiple scraping operations. Launching fortified browsers takes several seconds per instance. Connection pooling maintains ready browser instances accepting scraping tasks from queues. This architecture achieves high throughput despite individual fortification overhead. Periodic browser rotation prevents fingerprint staleness and session accumulation triggering long-running session detection.
