A low-code platform blending no-code simplicity with full-code power 🚀
Get started free
Invisible Automation: Using puppeteer-extra-plugin-stealth to Bypass Bot Protection
March 26, 2025
•
7
min read

Invisible Automation: Using puppeteer-extra-plugin-stealth to Bypass Bot Protection

George Miloradovich
Researcher, Copywriter & Usecase Interviewer
Table of contents

Want to bypass bot detection systems while automating Chrome? The puppeteer-extra-plugin-stealth is a tool that helps hide automation fingerprints, making it harder for websites to detect bots.

Key Takeaways:

  • What it does: Masks automation markers (like navigator.webdriver) and mimics real browser behavior.
  • How it works: Adjusts browser fingerprints, introduces natural browsing patterns, and manages session details.
  • Why it matters: Helps avoid detection from advanced anti-bot systems like CAPTCHA challenges and browser fingerprinting.
  • Setup: Install Puppeteer, puppeteer-extra, and the stealth plugin via npm or Yarn. Use the stealth plugin to configure your browser to behave like a real user.

Quick Example:

import puppeteer from 'puppeteer-extra';
import StealthPlugin from 'puppeteer-extra-plugin-stealth';

puppeteer.use(StealthPlugin());

(async () => {
  const browser = await puppeteer.launch({ headless: true });
  const page = await browser.newPage();
  await page.goto('https://bot.sannysoft.com');
  await browser.close();
})();

This tool is perfect for automating tasks on websites with strict bot detection. Learn how to set it up, optimize its settings, and simulate human-like behavior to stay undetected.

Nodejs Puppeteer Tutorial #7 - Bypass Detection using ...

Puppeteer

Installation and Setup

To get started, you'll need to install the necessary packages and configure them to minimize detection during automation. This section covers the installation process, initial setup, and testing to ensure everything works as intended.

Required Package Installation

First, install Puppeteer, Puppeteer Extra, and the Stealth plugin. Open your terminal and run the following command:

npm install puppeteer puppeteer-extra puppeteer-extra-plugin-stealth

If you're using Yarn, use this command instead:

yarn add puppeteer puppeteer-extra puppeteer-extra-plugin-stealth

Initial Setup Steps

After installation, set up your JavaScript file to integrate the stealth plugin. Here's the code you need:

import puppeteer from 'puppeteer-extra';
import StealthPlugin from 'puppeteer-extra-plugin-stealth';

puppeteer.use(StealthPlugin());

(async () => {
  const browser = await puppeteer.launch({ headless: true });
  const page = await browser.newPage();
  await page.goto('https://nowsecure.nl/');
  await browser.close();
})();

Important: Make sure to import Puppeteer from 'puppeteer-extra' instead of 'puppeteer' to access the added functionality.

Once you've completed the setup, it's time to verify that everything is working correctly.

Testing Your Installation

Run these tests to confirm your setup is functioning as expected:

  • Basic Functionality Test: Try navigating to a site that detects bots and review the results.
  • Screenshot Verification: Take a screenshot of the test page to confirm that stealth features are properly applied.
  • reCAPTCHA Score Check: Observe your reCAPTCHA v3 scores to determine if there are any improvements.

For a quick verification, use the following script:

(async () => {
  const browser = await puppeteer.launch({ headless: true });
  const page = await browser.newPage();
  await page.goto('https://bot.sannysoft.com');
  await page.waitForTimeout(5000);
  await page.screenshot({ path: 'stealth-test.png' });
  await browser.close();
})();

This script will take a screenshot of the test page. Check the screenshot to see if your browser behaves like a regular Chrome browser without revealing signs of automation.

Once your setup passes these tests, you're ready to dive into the plugin's advanced features, which are covered in the next section.

Main Stealth Features

The puppeteer-extra-plugin-stealth uses various techniques to make automated browsing harder to detect.

Browser Identity Masking

The plugin tweaks key browser properties to mimic a typical Chrome browser. These include:

  • Replacing the default HeadlessChrome user-agent with a more natural one
  • Setting realistic Accept-Language headers
  • Adjusting codec support for media playback
  • Modifying navigator.vendor to match standard Chrome behavior

These changes help create a browser profile that looks like a regular user, not a bot. On top of this, the plugin employs anti-fingerprinting techniques to further reduce detection risk.

Anti-Fingerprinting Methods

Feature Method Purpose
Processor Emulation Limits logical processors to 4 Mimics typical user hardware
Plugin Emulation Mocks navigator.mimeTypes and plugins Imitates standard Chrome functionality
Window Properties Adds outerWidth and outerHeight Completes the browser simulation
Vendor Properties Tweaks Chrome's Google identifier Helps avoid automation detection

These methods ensure the browser behaves in a way that aligns with what websites expect from real users.

Removing Automation Markers

To further disguise automation, the plugin removes or modifies tell-tale signs of bot activity:

  • Deletes the navigator.webdriver property
  • Adds chrome.app and chrome.csi objects, which are present in regular Chrome browsers
  • Hides the sourceurl attribute in Puppeteer scripts
  • Adjusts permissions properties to match natural browser behavior

CAPTCHA Management

The plugin also helps reduce CAPTCHA challenges by maintaining consistent browser behavior and managing sessions effectively. This creates a browsing pattern that aligns with human activity, allowing it to bypass most bot detection tests on platforms like sannysoft.com. However, advanced anti-bot systems, such as those used by Cloudflare, may still detect automation in some cases.

sbb-itb-23997f1

Custom Configuration

Custom configuration allows you to tweak stealth settings and browser behavior, helping you avoid detection more effectively.

Stealth Module Settings

Puppeteer Stealth lets you manage its evasion modules for specific websites. You can enable or disable modules as needed:

const StealthPlugin = require('puppeteer-extra-plugin-stealth')
const stealth = StealthPlugin({
  webglVendor: "Google Inc. (Intel)",
  webglRenderer: "Intel Iris OpenGL Engine",
  navigator: {
    platform: "MacIntel",
    languages: ["en-US", "en"]
  }
})

After setting up stealth modules, you can adjust browser behavior to better imitate real user activity.

Browser Behavior Settings

Fine-tune browser parameters to mimic a genuine browsing experience:

Category Options Purpose
User Identity User-Agent, Platform, Languages Creates a consistent browser identity
Hardware Profile WebGL vendor, Screen dimensions Imitates actual device characteristics
Runtime Environment Chrome runtime objects, Navigator properties Emulates normal browser behavior

Introduce natural delays between actions to make automation less detectable:

const randomDelay = (min, max) => {
  return Math.floor(Math.random() * (max - min + 1) + min);
}

await page.waitForTimeout(randomDelay(1000, 3000));

Adding these delays helps your automation resemble human behavior.

Proxy Configuration

Using proxies during browser launch enhances anonymity:

const browser = await puppeteer.launch({
  args: [
    `--proxy-server=http://proxy.example.com:8080`,
    '--disable-features=IsolateOrigins,site-per-process'
  ]
});

"It's probably impossible to prevent all ways to detect headless chromium, but it should be possible to make it so difficult that it becomes cost-prohibitive or triggers too many false-positives to be feasible." - TiZho, GitHub contributor

Rotate proxies and set up automatic failover to maintain reliable connectivity. These configurations help minimize detection risks while ensuring stable performance.

Stealth Best Practices

To keep automated sessions under the radar, careful planning and execution are key.

Natural Browsing Patterns

Simulate realistic browsing by adding random delays and actions:

async function emulateHumanBehavior(page) {
  // Random scrolling behavior
  await page.evaluate(() => {
    window.scrollBy({
      top: Math.random() * 500,
      behavior: 'smooth'
    });
  });

  // Random pauses between actions
  await page.waitForTimeout(1500 + Math.random() * 2500);
}
Behavior Pattern Implementation Purpose
Mouse Movement Random curves and speeds Imitates natural cursor movement
Page Interaction Vary scroll depths and pauses Simulates reading habits
Navigation Timing Random delays (1.5–4 seconds) Avoids predictable timing patterns
Input Speed Randomized keystroke intervals Mimics human typing behavior

These simulated interactions work alongside the configuration settings outlined earlier.

Session Management

Proper session handling ensures that stealth settings remain consistent. Use persistent storage to save cookies and session data:

const browserContext = await browser.createIncognitoBrowserContext({
  userDataDir: './sessions/user1',
  persistentContext: true
});

You can also manage cookies effectively:

// Remove specific cookies but keep session-critical data
await page.deleteCookie({
  name: '_ga',
  domain: '.example.com'
});

Usage Guidelines

Combine the above techniques with these practical steps for better automation:

  • Request Rate Management: Start with a 2-second delay between requests and increase it if CAPTCHAs emerge.
  • Error Handling: Create a retry system to handle failed requests:
    const maxRetries = 3;
    const baseDelay = 2000;
    
    async function fetchWithRetry(page, url) {
      for (let i = 0; i < maxRetries; i++) {
        try {
          return await page.goto(url);
        } catch (error) {
          await page.waitForTimeout(baseDelay * Math.pow(2, i));
        }
      }
    }
    
  • Proxy Rotation: Use multiple IP addresses to avoid being flagged for excessive activity.

"It's probably impossible to prevent all ways to detect headless chromium, but it should be possible to make it so difficult that it becomes cost-prohibitive or triggers too many false-positives to be feasible." - TiZho, GitHub contributor

Keep an eye on evolving anti-bot detection methods and adjust your settings as needed. These practices complement the stealth techniques covered earlier in the article.

Conclusion

Here's a quick summary of the main points and tips for using Puppeteer-extra-plugin-stealth effectively.

Main Benefits

Puppeteer-extra-plugin-stealth helps automate browsing without being flagged. It works by hiding automation markers using built-in evasion modules.

Some key features include:

  • Removing the 'HeadlessChrome' identifier from User-Agent headers.
  • Hiding critical automation markers, like navigator.webdriver.
  • Adjusting browser fingerprints to mimic real user behavior.
  • Allowing tailored evasion strategies for specific website needs.

Tips for Implementation

To refine your automation setup, keep these strategies in mind:

Focus Area Strategy Outcome
Evasion Modules Enable only the features you need Lower detection risk, better performance
Error Management Use retry logic with exponential backoff More reliable handling of temporary issues
Session Handling Use persistent browser contexts Consistent stealth profile across sessions

Additional suggestions:

  • Start with the default stealth settings, then tweak them to match your needs.
  • Stay updated on new anti-bot techniques and adjust your approach accordingly.
  • Combine stealth features with natural browsing behaviors for better results.
  • Focus on consistent session management to avoid detection.

While no setup is 100% foolproof, combining multiple evasion tactics makes detection much harder. Success relies on careful setup and regular updates to your methods. These tips, paired with the plugin's features, create a strong foundation for undetectable automation.

Related posts

Related Blogs

Use case

Backed by