You rotate residential proxies, set a Chrome user agent, and still get a 403. Or worse, you get a 200 response that contains a Cloudflare challenge page instead of the product, article, or search result you expected. That usually means the site is not blocking just your IP address.
The proxy is only one part of the fingerprint
A proxy changes where the request comes from. It does not make your HTTP client behave like Chrome.
This is the common version of the problem:
import requests
url = "https://example.com/product/123"
headers = {
"User-Agent": (
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
"AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/121.0.0.0 Safari/537.36"
)
}
proxies = {
"https": "http://user:pass@residential-proxy.example:8000"
}
r = requests.get(url, headers=headers, proxies=proxies, timeout=30)
print(r.status_code)
print(r.text[:500])
The request might return:
403
<!DOCTYPE html><html><head><title>Just a moment...</title>
Or it may return 200, but the body still contains cf-chl, turnstile, or Just a moment. If your scraper only checks the status code, it will treat a block page as a successful scrape.
The user agent header says Chrome, but the rest of the connection does not. Cloudflare can inspect details such as:
- TLS Client Hello ordering
- Cipher suites and extensions
- HTTP/2 SETTINGS frames
- Header ordering and casing
- JavaScript API behavior
- Canvas, WebGL, and font fingerprints
- Cookie and session consistency across requests
Python requests, Go net/http, and many scraping libraries do not emit the same low-level network fingerprint as a real browser. A residential IP does not fix that mismatch.
Cloudflare has different layers
It helps to separate the protection types, because they fail in different ways.
Basic challenge pages
These are the interstitial pages that run JavaScript before allowing the request through. A plain HTTP client usually gets stuck here because it does not execute the challenge.
Symptom: HTML contains Just a moment, cf-browser-verification, or challenge scripts instead of the target content.
Turnstile
Turnstile is Cloudflare's challenge widget. Sometimes it runs invisibly. Sometimes it requires interaction.
Symptom: the page renders, but the content remains gated until a token appears or a form submission completes.
Bot Management
Bot Management is the harder case. It can block before your scraper reaches useful HTML because the browser, TLS, protocol, and behavior signals do not line up.
Symptom: rotating IPs does not improve success rate much, and failures happen early with 403s, redirects, or repeated challenge loops.
This is where a browser-rendering approach often becomes necessary, not because browsers are magic, but because the target expects a real browser-shaped session.
Test for content, not just status codes
A basic verification loop should check three things:
- Did the request return a 200?
- Does the body contain the content you need?
- Does the body contain signs of a block page?
For example:
from bs4 import BeautifulSoup
BLOCK_MARKERS = [
"Just a moment",
"cf-chl",
"cf-browser-verification",
"turnstile",
"Attention Required!",
]
def classify_response(html: str, expected_selector: str) -> str:
if any(marker in html for marker in BLOCK_MARKERS):
return "blocked"
soup = BeautifulSoup(html, "html.parser")
if soup.select_one(expected_selector):
return "ok"
return "unknown"
result = classify_response(r.text, ".product-title")
print(result)
The unknown case matters. It catches layout changes, partial responses, empty states, and soft blocks that do not use obvious Cloudflare text.
Run this against 3 to 5 representative URLs before scaling. Include the pages that usually fail: product detail pages, search results, login-gated pages, and paginated flows. Ten successful requests against a homepage do not tell you much.
When proxies are still enough
Proxy rotation still works when the site mostly enforces IP reputation or rate limits. If you scrape static pages, public listings, or lightly protected endpoints, a browser may be unnecessary overhead.
The tradeoff is simple:
- Proxy-only scraping is faster and cheaper
- Browser rendering handles more protection layers
- Browser sessions cost more and add latency
- CAPTCHA and login flows need explicit handling
- Multi-page workflows need cookie and storage persistence
The mistake is treating proxies and browsers as interchangeable. They solve different parts of the fingerprint.
When you have targets with mixed protection levels, Wire provides browser rendering, proxy-based scraping, and structured extraction behind one scraping API, so the mode can match the actual failure pattern instead of forcing every page through the same path: Wire.
A practical rule of thumb
Start with the cheapest thing that can prove it returns real content.
Use HTTP plus proxies if the target returns stable HTML and your validation passes. Move to browser rendering when you see challenge pages, Turnstile, session-sensitive navigation, or failures that do not improve with IP rotation. Keep the validation code in production either way, because a 200 response with a challenge page is still a failed scrape.
The full breakdown is here if you want the complete picture.
Top comments (0)