ScrapeBadger's auto-escalation engine handles Imperva's reese84 JavaScript challenge, incap_ses session cookies, TLS fingerprinting, and 700-dimension behavioral detection — all without any configuration from you.
Imperva (formerly Incapsula) is one of the pioneering web application firewall and bot management platforms — in production since before most of its competitors existed. Today it protects an enormous cross-section of the web: e-commerce giants like Glassdoor, Zillow, and GameStop; major financial services companies; government portals; and media platforms. Its bot protection uses over 700 detection dimensions combining direct client interrogation, behavioral analysis, ML models, TLS fingerprinting, and threat intelligence feeds.
What distinguishes Imperva's detection approach is its layered challenge system. Rather than blocking immediately, Imperva escalates through a sequence of increasingly demanding challenges — first a cookie challenge to check if the client supports cookies, then a JavaScript challenge (reese84 and/or utmvc) that collects 180+ encrypted browser signals, and finally a CAPTCHA if the prior challenges are inconclusive. Each challenge layer sets session cookies (incap_ses, visid_incap, reese84) that must be present and valid on all subsequent requests.
Imperva's blocks don't always return a 403. A 200 OK response can still be a block page — the page content itself contains "Powered By Incapsula" text or an incident ID. This means scrapers that only check HTTP status codes may not even detect they're being blocked. ScrapeBadger validates the actual page content, not just status codes, to confirm successful bypass.
Request arrives
↓
Layer 1: TLS + IP check = JA3/JA4 hash, IP reputation
↓ fail → 403 Block immediately
↓
Layer 2: Cookie challenge = does client support cookies?
↓ fail → block (most basic bots)
↓
Layer 3: JS challenge (reese84) = 180+ encrypted signals
↓ POST to _Incapsula_Resource
↓ sets: reese84, incap_ses, visid_incap
↓ fail → CAPTCHA or block
↓
Layer 4: Behavioral monitoring = 700+ dimensions tracked
↓ score degrades → re-challenge
200 with block page = ← "Powered By Incapsula"
200 real content = ← all challenges passed
| Cookie | Role | Type |
|---|---|---|
| reese84 | Advanced JS challenge token | Critical |
| incap_ses_* | Session tracking cookie | Session |
| visid_incap_* | Visitor ID cookie | Session |
| nlbi_* | Load balancer ID | Session |
| ___utmvc | Legacy challenge cookie | Legacy |
Imperva detects over 700 dimensions across all layers simultaneously — and a 200 OK response doesn't mean you've bypassed it.
Like all enterprise bot management platforms, Imperva starts with TLS fingerprinting — analysing the JA3 and JA4 hashes from the TLS ClientHello. Python's requests and httpx produce JA3 hashes that match no real browser. This is the first gate — a TLS mismatch results in an immediate block before any JavaScript challenges are even offered. Correct TLS impersonation is the prerequisite for all subsequent bypass layers.
The reese84 challenge is Imperva's advanced bot detection mechanism. An obfuscated JavaScript script collects 180+ encrypted browser signals — canvas fingerprints, WebGL data, audio context, navigator properties, and mouse event data — then POSTs them to a dynamic endpoint (e.g. /_Incapsula_Resource). A valid response sets the reese84 cookie. HTTP-only scrapers cannot generate this payload.
Imperva issues incap_ses_* and visid_incap_* session cookies that must be maintained across all requests. Imperva monitors session consistency — if cookies are absent, expired, or manually modified, the request is immediately re-challenged or blocked. Scrapers that don't persist or rotate cookies correctly degrade their trust score progressively, triggering re-challenges mid-scrape even after passing the initial verification.
Imperva's Advanced Bot Protection analyses over 700 dimensions to build a trust score for each session — combining direct client interrogation, machine learning on behavioral patterns (navigation sequences, request timing, inter-page intervals), and threat intelligence feeds. Bots that request pages in patterns humans never would — linear navigation, no dwell time, identical request intervals — trigger score degradation and re-challenges even after passing the initial JS challenge.
Imperva WAF evaluates IP reputation alongside specific WAF rules. Datacenter IP ranges are pre-scored as high risk. The WAF layer also applies custom rules set by site operators — rate limiting, geolocation restrictions, and known attack pattern blocking. Imperva's Imperva WAF bypass is the broader challenge: even if a scraper passes bot detection, WAF rules may still block based on request rate, header anomalies, or IP classification. Residential proxies are required to pass both layers.
Imperva serves CAPTCHAs when behavioral or fingerprint signals are inconclusive. Uniquely, Imperva also returns 200 OK block pages — HTML responses with valid status codes that contain "Powered By Incapsula" text or an Incapsula incident ID. Scrapers that only check HTTP status codes will miss these blocks entirely. Imperva also uses the X-Iinfo response header and X-CDN: Imperva as identifiers.
ScrapeBadger addresses every Imperva detection layer — TLS fingerprint, reese84 challenge execution, session cookie management, behavioral signals, and IP reputation — in a single API call.
Every request is sent with a JA3/JA4 TLS fingerprint matching a real browser. All secondary headers — Accept, Accept-Encoding, Sec-Fetch-* — are set to match the same browser profile as the TLS fingerprint. Header ordering is browser-correct. This passes Imperva's transparent detection layer before any challenge is issued.
ScrapeBadger's Patchright stealth browser executes Imperva's reese84 JavaScript challenge in a genuine Chrome environment — collecting real canvas fingerprints, WebGL GPU data, audio context values, and navigator API properties. The 180+ encrypted signal payload is submitted to the _Incapsula_Resource endpoint, generating valid reese84, incap_ses, and visid_incap cookies.
All Imperva session cookies are persisted and sent on every subsequent request within the session. ScrapeBadger also validates response content — not just HTTP status codes — to detect Imperva's 200 OK block pages containing "Powered By Incapsula" text. When a block page is detected, the bypass process restarts automatically. Behavioral patterns are kept humanlike throughout the session to prevent trust score degradation.
Residential IPs from consumer ISPs in 150+ countries bypass both Imperva's IP reputation scoring and WAF-level IP rules simultaneously. A datacenter IP fails Imperva's first gate. ScrapeBadger routes all Imperva bypass requests through genuine residential IPs — included on all plans — so the proxy selection matches the geographic expectation of each protected site.
One API call. ScrapeBadger handles reese84, incap_ses cookies, TLS fingerprinting, and 200 OK block detection automatically.
# pip install scrapebadger
from scrapebadger import ScrapeBadger
client = ScrapeBadger("sb_live_your_api_key")
# ScrapeBadger auto-detects Imperva/Incapsula and handles:
# reese84 challenge, incap_ses cookie, TLS, 200 OK block detection.
result = client.scrape(
url="https://imperva-protected-site.com/products",
country="us", # route through US residential IP
render_js=True, # execute reese84 JS challenge
bypass_imperva=True, # full Imperva bypass stack
)
print(result.html) # real page — not a block page
print(result.status_code) # 200 with real content
# Imperva session cookies obtained automatically:
print(result.cookies['reese84']) # JS challenge token
print(result.cookies['incap_ses_*']) # session cookie
print(result.cookies['visid_incap_*']) # visitor IDWhy the reese84 challenge makes DIY Incapsula bypass significantly harder than it looks.
| Method | ScrapeBadger | requests / httpx | Playwright standard | curl-cffi | Nodriver |
|---|---|---|---|---|---|
| Bypasses TLS fingerprinting | Yes — auto | No | No | Yes | Partial |
| Executes reese84 challenge | Yes — genuine execution | No — no JS engine | No — webdriver exposed | No — no JS engine | Sometimes |
| Obtains valid incap_ses cookie | Yes — auto | No | No | No | Sometimes |
| Detects 200 OK block pages | Yes — content validated | No — status only | No — status only | No — status only | No — status only |
| Behavioral session management | Yes — humanised | No | No | No | Manual setup |
| Residential proxies included | Yes — 150+ countries | No | No | No — extra cost | No — extra cost |
| Breaks when Imperva updates | Never — we maintain it | Already broken | Constantly | TLS only — partial | Regularly |
| Bypass Imperva WAF rules | Yes — residential IPs | No | No | TLS only | Partial |
curl-cffi solves TLS fingerprinting for Imperva but cannot execute the reese84 JavaScript challenge or obtain incap_ses cookies — addressing only the first detection layer. The reese84 challenge requires a real browser environment.
Imperva's 200 OK block pages, reese84 execution complexity, and 700-dimension behavioral scoring make it one of the most nuanced anti-bot platforms to bypass reliably.
Imperva frequently returns 200 OK responses with block page content — "Powered By Incapsula" HTML or an Incapsula incident ID. Most DIY bypass approaches only check HTTP status codes and miss these entirely, silently collecting block page HTML instead of real data. ScrapeBadger validates actual page content on every response to confirm the bypass succeeded before returning the result to you.
The reese84 challenge requires executing obfuscated JavaScript in a genuine browser environment to generate the 180+ encrypted signal payload. HTTP-only tools cannot do this. ScrapeBadger's Patchright stealth browser executes the challenge authentically — producing real canvas fingerprints, actual WebGL GPU vendor data, and consistent behavioral signals — so the payload passes Imperva's validation and generates valid incap_ses and visid_incap session cookies.
A complete bypass imperva solution must address both the WAF layer (IP rules, rate limits, request pattern rules) and the bot detection layer (reese84, session cookies, behavioral scoring) simultaneously. Residential proxies bypass WAF IP rules. Stealth browser execution bypasses bot detection. ScrapeBadger combines both in one call — so you don't need separate tools for the WAF layer and the bot layer.
Failed requests — Imperva blocks, challenge failures, 200 OK block pages with Incapsula content, or timeouts — are never charged. Credits deduct only when ScrapeBadger returns a successful, real-content response. Given Imperva's multi-layer challenge escalation, the ability to not pay for failed attempts is meaningful — especially on sites that vary challenge intensity based on traffic volume or attack mode.
Start free with 1,000 credits. Pay-as-you-go credits never expire. Subscription plans available at lower per-credit rates.
Start anytime — credits never expire
Best for small teams and steady workloads
For growing projects — save vs PAYG
For professionals and high-volume usage
Maximum scale at the lowest per-credit rate
Custom credit volumes, dedicated infrastructure, SLA guarantees, invoice billing, and a dedicated account manager.
An Imperva bypass (also called an Incapsula bypass) is a technique or service that allows automated requests to pass through Imperva's multi-layer bot protection — including TLS/JA3 fingerprinting, the reese84 JavaScript challenge, incap_ses and visid_incap cookie validation, 700-dimension behavioral analysis, and CAPTCHA challenges — without being blocked. ScrapeBadger handles all layers automatically, including detecting Imperva's 200 OK block pages that standard scrapers miss entirely.
Incapsula was the original brand name of the cloud-based WAF and CDN product acquired by Imperva in 2014. The product has since been rebranded under the Imperva name — it is now called Imperva Advanced Bot Protection (and the WAF product is Imperva Cloud WAF). The two names refer to the same platform. You may still see "Incapsula" referenced in documentation, block page text ("Powered By Incapsula"), cookie names (incap_ses, visid_incap), and technical guides. An Incapsula bypass and an Imperva bypass are the same thing.
The reese84 challenge is Imperva's advanced JavaScript bot detection mechanism. When triggered, it serves an obfuscated script that collects 180+ encrypted browser and behavioral signals — canvas fingerprints, WebGL GPU data, audio context values, navigator API properties, and mouse event data — and POSTs them to a dynamic challenge endpoint. A valid response sets the reese84 cookie alongside the session cookies. HTTP-only clients like requests, httpx, or curl-cffi have no JavaScript engine — they cannot execute the reese84 script, generate the encrypted payload, or obtain a valid cookie. Only a browser environment that can run the JavaScript and pass the fingerprint checks can complete the challenge. This is why the reese84 challenge is the most significant barrier to DIY Imperva bypass.
Imperva intentionally returns 200 OK responses for some block pages — the HTTP status code is valid but the page content is an Imperva challenge or block page containing "Powered By Incapsula" text or an Incapsula incident ID. This design is deliberate: it prevents scrapers that check for 403 status codes from detecting the block, potentially causing them to store or process block page HTML as if it were real data. ScrapeBadger validates the actual page content on every response — not just the HTTP status code — to confirm the bypass succeeded. If a 200 OK response contains Imperva block content, ScrapeBadger detects it and restarts the bypass process automatically.
The Imperva WAF is the Web Application Firewall layer that filters malicious HTTP request payloads — XSS injection, SQL injection, DDoS patterns, and custom security rules. An Imperva WAF bypass or Imperva XSS bypass targets these rules, which is the domain of security researchers and penetration testers. The Imperva bot detection layer — what ScrapeBadger bypasses — is the system that identifies and blocks automated scrapers based on trust scores, TLS fingerprints, JavaScript challenges, and behavioral signals. Both layers can block the same request, which is why ScrapeBadger's residential proxies address WAF IP rules while the stealth browser addresses bot detection — both layers handled simultaneously.
Imperva Incapsula is used across e-commerce, financial services, media, and government sectors. Known examples include Glassdoor, Udemy, Zillow, GameStop, and numerous banking and government portals. You can identify an Imperva-protected site by: "Powered By Incapsula" in HTML block pages, incap_ses or visid_incap in Set-Cookie headers, X-Iinfo in response headers, X-CDN: Imperva header, or _Incapsula_Resource in network requests.
ScrapeBadger starts free with 1,000 credits — no credit card required. Pay-as-you-go packs start at $10 with credits that never expire. Subscription plans start at $49/month with lower per-credit rates and monthly rollover. You are only charged for successful responses — Imperva blocks, reese84 challenge failures, 200 OK block pages, and timeouts are always free. The full bypass stack (reese84 execution, session cookies, residential proxy, TLS impersonation, block page detection) is included at no extra charge.
1,000 free credits, no credit card required. reese84 challenge, incap_ses cookies, and 200 OK block detection — handled automatically in one API call.
Get 1,000 free creditsNo subscription · Credits never expire · 14-day money-back guarantee