ScrapeBadger's auto-escalation engine identifies DataDome's active detection layers — JS tag signals, Picasso device fingerprinting, behavioral analysis, and CAPTCHA challenges — and applies the right bypass method. You configure nothing.
DataDome is a dedicated bot management SaaS used by over 1,200 companies — predominantly in European retail, ticketing, travel, and classifieds. Unlike CDN-level protections like Cloudflare, DataDome is baked directly into the application layer, which means you cannot bypass it by finding an origin server IP. Every request is inspected at the edge in under 2 milliseconds using an ML engine that processes over 5 trillion signals per day.
DataDome builds a trust score for every request by combining server-side signals (TLS fingerprints, IP reputation, request headers) with client-side signals collected by a JavaScript tag embedded in every protected page. The JS tag collects browser fingerprints, GPU characteristics, device consistency checks, and — critically — real-time behavioral data: mouse movements, scroll patterns, keystroke cadence, and click timing. Bots that move in straight lines, scroll at fixed intervals, or execute actions with millisecond precision are flagged immediately.
What makes DataDome especially difficult is that it trains per-customer ML models on each protected website's unique traffic patterns. The same bot that passes on one DataDome-protected site may be blocked on another — because each site's model has learned what legitimate traffic looks like for that specific domain.
# DataDome response signals
# Blocked request indicators
Set-Cookie = datadome=...
# ↑ datadome cookie — absent = no clearance
x-datadome-request = blocked
# ↑ explicit block header
tls.ja3_hash = "mismatch"
# ↑ JA3 doesn't match any browser
js_tag.navigator.webdriver = true
# ↑ automation exposed
behavioral.mouse_variance = 0.00
# ↑ perfectly straight = bot
# Result:
HTTP = 403 + DataDome CAPTCHA challenge
IP allowlists, known bots, explicit block rules
TLS/HTTP fingerprints, known bot signatures
Behavioral, contextual, per-customer trained
DataDome applies all layers simultaneously, with per-site ML models that adapt to your scraper's behavior over time.
Every HTTPS request produces a JA3 hash from the TLS ClientHello message — cipher suite order, extensions, and protocol versions. DataDome compares this against a database of known client fingerprints. Python's requests, httpx, and curl all produce JA3 hashes that match no real browser. HTTP/2 frame ordering and header compression patterns add a second fingerprint layer. Both must be correctly impersonated for a request to be trusted.
DataDome embeds a lightweight JS tag on every protected page that runs silently in a service worker. It collects browser fingerprints — CPU cores, device memory, GPU type, installed plugins, screen properties — and generates a datadome session cookie. It also runs specially crafted JS challenges to detect side effects introduced by headless browsers and automation frameworks. Missing or inconsistent signals fail the tag check.
DataDome's Picasso protocol uses the HTML Canvas API and GPU rendering to verify the device class. The server sends a proof-of-work challenge that asks the browser to draw specific shapes. The canvas output differs by OS, browser, and GPU combination. Picasso verifies the device is genuinely the browser and OS it claims — catching scrapers that fake their User-Agent without matching the underlying hardware fingerprint.
The JS tag captures real-time behavioral data: mouse movements and jitter, scroll velocity and direction, click timing, keystroke cadence, and hover durations. Real humans have natural randomness in all of these — bots execute actions with machine precision. DataDome's ML models flag sessions where mouse variance is zero, scrolling happens at exact intervals, or actions fire with sub-millisecond timing. This layer is what exposes stealth browsers that don't simulate human movement.
IP reputation accounts for an estimated 25–30% of DataDome's trust score. Datacenter IPs (AWS, GCP, Azure, DigitalOcean) are pre-scored as high risk because virtually all bot traffic originates there. DataDome also detects residential proxy pools — so even "residential" IPs from known proxy providers may be flagged. Mobile IPs typically carry the highest reputation. Country and city-level geolocation inconsistencies add further risk signals.
When DataDome detects suspicious signals but lacks certainty, it triggers Device Check — a silent JS challenge that collects hundreds of signals and runs Picasso verification without user interaction. If Device Check is still inconclusive, a CAPTCHA challenge is served (typically a slider). The DataDome CAPTCHA bypass requires solving the interactive challenge while maintaining a consistent device fingerprint and behavioral session — not just solving the visual puzzle in isolation.
ScrapeBadger's auto-escalation engine addresses every DataDome detection signal simultaneously — TLS, fingerprint, behavior, IP, and CAPTCHA — without any configuration from you.
Every request uses a TLS configuration that matches a real browser's JA3 fingerprint — correct cipher suite order, extension list, and protocol versions. HTTP/2 frame parameters are set to match. User-Agent, Accept-Language, and all secondary headers are matched to the same browser profile so there are no cross-signal inconsistencies that DataDome's signature layer would flag.
ScrapeBadger uses Patchright — a patched Playwright that removes navigator.webdriver, CDP timing leaks, and automation artefacts. The browser environment passes DataDome's JS tag signals and Device Check challenges. Picasso GPU canvas challenges are executed in a genuine rendering environment, producing the correct device-class output that matches the claimed browser and OS.
The stealth browser session simulates natural human behavior — randomised mouse movement paths with realistic jitter, variable scroll velocity, natural timing between page interactions, and session warm-up by loading page assets before hitting the target endpoint. This prevents behavioral analysis from flagging the session through zero-variance mouse data or machine-precision action timing.
All DataDome bypass requests are routed through residential IPs from real consumer ISPs in 150+ countries — the IP class with the highest trust scores in DataDome's reputation system. The datadome session cookie is obtained through the initial trusted evaluation and reused across subsequent requests, avoiding re-evaluation on every call.
One API call. ScrapeBadger handles TLS fingerprinting, JS tag bypass, Picasso, behavioral simulation, and residential routing automatically.
# pip install scrapebadger
from scrapebadger import ScrapeBadger
client = ScrapeBadger("sb_live_your_api_key")
# ScrapeBadger auto-detects DataDome and applies the full bypass stack:
# TLS impersonation, JS tag, Picasso, behavioral sim, residential proxy.
result = client.scrape(
url="https://datadome-protected-site.com/products",
country="fr", # route through French residential IP
render_js=True, # Patchright stealth browser
bypass_datadome=True, # full DataDome bypass stack enabled
)
print(result.html) # page HTML — DataDome bypassed
print(result.status_code) # 200 — not 403
print(result.cookies['datadome']) # valid session cookieWhy DataDome is harder than most anti-bot systems to bypass with open-source tools alone.
| Method | ScrapeBadger | requests / httpx | Playwright / Selenium | Nodriver / SeleniumBase | Camoufox |
|---|---|---|---|---|---|
| Bypasses TLS fingerprinting | Yes — auto | No | No | Partial | Partial |
| Passes DataDome JS tag | Yes — auto | No — JS not executed | No — webdriver exposed | Sometimes | Sometimes |
| Passes Picasso device check | Yes — auto | No | No | Limited | Limited |
| Behavioral simulation | Yes — humanised | No | No | Manual setup | Partial |
| DataDome CAPTCHA bypass | Yes — auto | No | No | No | No |
| Residential proxies included | Yes — 150+ countries | No | No | No — extra cost | No — extra cost |
| Breaks when DataDome updates | Never — we maintain it | Constantly | Constantly | Regularly | Regularly |
| Scales to 1M+ requests | Yes — cloud infrastructure | Possible | 500MB RAM per instance | 500MB RAM per instance | 500MB RAM per instance |
Nodriver eliminates chromedriver but does not handle behavioral simulation, Picasso, or DataDome CAPTCHA bypass. Camoufox uses Firefox (~3% market share), which some DataDome configurations may flag more aggressively.
DataDome continuously retrains its per-site ML models. Most bypass tools break within days of a model update. ScrapeBadger is maintained infrastructure.
A DataDome bypass requires passing TLS fingerprinting, JS tag signals, Picasso device verification, behavioral analysis, and IP reputation all at once. Failing any single layer triggers a block or a datadome captcha bypass challenge. ScrapeBadger's stack handles all of them in a single API call — you don't need to understand which layer is active on a given site.
DataDome trains a separate ML model for each protected website, tuned to that site's legitimate traffic patterns. A bypass that works on Foot Locker may not work on TripAdvisor. ScrapeBadger's engineering team monitors DataDome model updates across the protected web and deploys countermeasures continuously — your integration keeps working without any changes on your end.
DataDome's IP reputation layer is one of its most effective. Datacenter IPs are pre-flagged. Even known residential proxy pools can be identified and scored. ScrapeBadger routes DataDome bypass requests through genuine residential IPs from consumer ISPs in 150+ countries — the highest-trust IP category in DataDome's scoring. Country targeting lets you match the geographic expectation of each protected site.
Failed requests — sessions blocked by DataDome, challenge pages, timeouts — are never charged. Credits deduct only when ScrapeBadger returns a successful, data-containing response. At scale against a platform as strict as DataDome, the ability to not pay for failures is a meaningful cost difference versus billing per-attempt regardless of outcome.
Start free with 1,000 credits. Pay-as-you-go credits never expire. Subscription plans available at lower per-credit rates.
Start anytime — credits never expire
Best for small teams and steady workloads
For growing projects — save vs PAYG
For professionals and high-volume usage
Maximum scale at the lowest per-credit rate
Custom credit volumes, dedicated infrastructure, SLA guarantees, invoice billing, and a dedicated account manager.
A DataDome bypass is a technique or service that allows automated requests to pass through DataDome's multi-layer bot protection — including TLS fingerprinting, JS tag signals, Picasso device verification, behavioral analysis, IP reputation, and CAPTCHA challenges — without being blocked. ScrapeBadger handles all of these simultaneously using Patchright stealth browser automation, residential proxies, TLS impersonation, and behavioral simulation.
Several reasons. First, DataDome is baked into the application layer — unlike Cloudflare which operates at CDN level, you cannot bypass DataDome by finding an origin server IP. Second, DataDome trains per-customer ML models on each protected website's specific traffic patterns — a bypass that works on one site may fail on another. Third, DataDome's behavioral analysis layer (capturing mouse movement variance, scroll patterns, and click timing) exposes stealth browsers that don't simulate human interaction. Finally, DataDome's Picasso device fingerprinting protocol verifies the GPU rendering environment matches the claimed browser and OS — catching scrapers that fake headers without matching hardware.
The datadome cookie is a session token DataDome issues to browsers that have passed its trust scoring. It functions similarly to Cloudflare's cf_clearance cookie — requests to DataDome-protected pages without a valid datadome cookie trigger re-evaluation and may be blocked or challenged. ScrapeBadger obtains the datadome cookie through the initial trusted session evaluation and reuses it across subsequent requests to the same domain — so the full evaluation only needs to happen once per session rather than on every request.
The most effective approach is to prevent the DataDome CAPTCHA challenge from appearing in the first place. DataDome typically only serves a CAPTCHA when other detection signals are inconclusive — when the request looks mostly human but some signals are uncertain. ScrapeBadger's full bypass stack presents consistent, trusted signals across all detection layers so the trust score is high enough that a datadome captcha bypass challenge is never triggered. When a CAPTCHA does appear, ScrapeBadger's stealth browser environment handles solving it automatically as part of the session. The key difference from naive CAPTCHA solving is that ScrapeBadger maintains consistent device fingerprinting and behavioral signals throughout — DataDome correlates CAPTCHA solving behavior with the broader session, so a bot-like solving pattern still results in a block even if the visual challenge is completed.
Picasso is DataDome's device class fingerprinting protocol, originally conceived by Google. It sends the browser a proof-of-work challenge that asks it to draw specific shapes using the HTML Canvas API. The GPU rendering engine produces output that differs by device class — browser type (Chrome, Firefox, Safari) and OS (Windows, macOS, Linux, iOS, Android). DataDome learns to associate challenge seeds with expected device-class outputs during a training phase. Scrapers that fake their User-Agent to claim they are Chrome on Windows — but are actually running a headless browser with a different GPU or OS — produce Picasso output that doesn't match the claimed device class, triggering a block. Passing Picasso requires executing the canvas challenge in a genuine rendering environment that matches the claimed browser and OS.
DataDome protects over 1,200 companies, predominantly in retail e-commerce, ticketing, travel, and media — with especially strong adoption in Europe. Known customers include Foot Locker, TripAdvisor, SoundCloud, Deezer, and Leboncoin. You can identify a DataDome-protected site by looking for "datadome" in response cookies, "x-datadome" in response headers, or "dd" references in the page's script tags after a block response.
No — residential proxies are necessary but not sufficient on their own. IP reputation accounts for roughly 25–30% of DataDome's trust score, which means a residential IP with perfect reputation still fails if the TLS fingerprint is wrong, the JS tag reveals automation, or behavioral signals are bot-like. DataDome also maintains lists of known residential proxy pool IP ranges, which reduces their effectiveness compared to genuine consumer ISP IPs. An effective DataDome bypass requires all detection layers addressed simultaneously — TLS impersonation, genuine browser environment, realistic behavioral signals, and clean residential IPs. ScrapeBadger combines all of these in a single call.
ScrapeBadger starts free with 1,000 credits — no credit card required. Pay-as-you-go packs start at $10 and credits never expire. Subscription plans start at $49/month with lower per-credit rates and monthly rollover. You are only charged for successful responses — sessions blocked by DataDome, challenge pages, or timeouts are always free. DataDome bypass features (stealth browser, residential proxy, behavioral simulation) are included in your existing credit balance at no extra per-request charge.
1,000 free credits, no credit card required. Pass DataDome's full detection stack — JS tag, Picasso, behavioral analysis — with a single API call.
Get 1,000 free creditsNo subscription · Credits never expire · 14-day money-back guarantee