
What is Browser Integrity Check?

A browser integrity check (BIC) is a multi-layered verification process used by edge networks to confirm a client is a genuine, unmodified web browser. It evaluates network-layer signatures, HTTP header coherence, and JavaScript runtime properties against known browser profiles. For scraping pipelines, failing a BIC means your request is dropped at the edge before it ever reaches the target application's origin server.

// 02 — definitions

Proving you're human.

The gauntlet every request must run before the edge network allows it to touch the origin server.


TL;DR

A browser integrity check evaluates the consistency of your client's broadcasted identity. If your User-Agent claims to be Chrome 124 on Windows, but your TLS cipher suite matches a Go HTTP client and your navigator.webdriver flag is true, the BIC fails. Cloudflare's BIC is the most common implementation, acting as the first line of defense against automated traffic.

01 Definition & structure
A browser integrity check is a defense mechanism that verifies a client is what it claims to be. It operates across three distinct layers:
  • Network layer (L4) — Evaluates the TLS handshake, cipher suites, and JA3/JA4 hashes to identify the underlying HTTP client (e.g., Go, Python, Java).
  • HTTP layer (L7) — Checks header order, HTTP/2 pseudo-headers, and the presence of modern browser markers like sec-ch-ua (Client Hints).
  • JavaScript layer — Executes active probes to check for headless markers (navigator.webdriver), missing plugins, or anomalous rendering behavior.
If any of these layers contradict each other, the integrity check fails.
02 Passive vs Active checks
Integrity checks come in two forms. Passive checks happen invisibly on the edge server by analyzing the inbound request bytes (headers, TLS). They add zero latency and block obvious bots instantly. Active checks return a JavaScript challenge (like a Cloudflare Turnstile or DataDome interstitial) that forces the client to execute code, compute a proof of work, and submit telemetry back to the server before being allowed to proceed.
03 The coherence problem
Most scrapers fail BICs not because they lack a specific header, but because they lack coherence. A Python script using the requests library but sending a Chrome User-Agent creates a paradox: the TLS fingerprint screams "Python", while the L7 headers scream "Chrome". Edge networks flag this mismatch immediately. Bypassing a BIC requires the entire stack—from the socket level up to the DOM—to tell the exact same story.
04 How DataFlirt handles it
We don't rely on brittle header-spoofing. Our infrastructure uses custom HTTP clients compiled with TLS and HTTP/2 stacks that natively mirror the exact byte-level signatures of modern browsers. When a target requires active JS evaluation, we seamlessly route the request to our fleet of real, headed browsers running on bare-metal hardware, ensuring perfect coherence across all integrity vectors.
05 Did you know?
Cloudflare's famous "Browser Integrity Check" toggle in their dashboard is actually one of their oldest and simplest features. It primarily looks for missing User-Agents or known bad signatures. The real heavy lifting is done by their Bot Management product, which uses machine learning and behavioral analysis to score requests dynamically, long after the basic BIC has been passed.
// 03 — the math

How coherence is scored.

Edge networks don't just look for bad signals; they look for mismatched good signals. DataFlirt's fleet orchestration models these exact coherence matrices to ensure our requests pass passive BICs.

Coherence Score: $C = \sum_i w_i \cdot \mathrm{match}(L_{\text{net}}, L_{\text{app}})$
Cross-layer consistency between TLS (L4) and JS properties (L7). (WAF Heuristics Model)

Anomaly Penalty: $1 - \dfrac{\text{missing\_headers}}{\text{expected\_headers}}$
Missing Accept-Language or sec-ch-ua headers drops the score exponentially. (Passive Inspection Logic)

DataFlirt Pass Rate: $P_{\text{bic}} > 0.998$
Our baseline SLO for passive integrity checks across top-100 targets. (Internal SLO, v2026.5)
// 04 — edge evaluation

A failed integrity check in real time.

What Cloudflare's edge sees when a naive Python requests script tries to spoof a Chrome User-Agent.

// inbound request
user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36..."

// layer 4: TLS evaluation
ja3_hash: "771,4865-4866-4867-49195-49199-49196-49200..."
tls.inferred_client: "Python Requests / urllib3"

// layer 7: HTTP evaluation
http2.pseudo_header_order: ":method, :path, :scheme, :authority" // Go/Python default
missing_headers: ["sec-ch-ua", "sec-fetch-site"]

// integrity decision
coherence_check: FAILED // UA claims Chrome, TLS claims Python
action: BLOCK (HTTP 403)
cf_ray: "88a1b2c3d4e5f6g7-LHR"
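
The decision in the capture above can be reproduced by a small detection-side scorer that applies the coherence-score and anomaly-penalty formulas to a request record. This is an added example, not DataFlirt's or Cloudflare's code: the weights, threshold, expected-header list, the product used to combine the two formulas, and the sample records are assumptions constructed for illustration, and the TLS and HTTP/2 client inferences are taken as already made upstream.

```python
import re

# Assumed weights w_i for each cross-layer comparison (not taken from any vendor).
WEIGHTS = {"tls_vs_ua": 0.6, "h2_vs_ua": 0.4}
# Assumed header expectations per claimed family; other families need only a User-Agent.
EXPECTED = {"chrome": ["user-agent", "accept", "accept-language", "sec-ch-ua", "sec-fetch-site"]}
FAIL_BELOW = 0.9  # assumed decision threshold


def claimed_family(user_agent):
    """Reduce the User-Agent claim to a coarse client family."""
    if re.search(r"\bChrome/\d+", user_agent):
        return "chrome"
    if user_agent.startswith("python-requests/"):
        return "python"
    return "unknown"


def evaluate(req):
    """Score one request record whose L4/L7 client inferences were made upstream."""
    claim = claimed_family(req["user_agent"])
    matches = {"tls_vs_ua": req["tls_inferred_client"] == claim,
               "h2_vs_ua": req["h2_inferred_client"] == claim}
    # C = sum of w_i * match(L_net, L_app), with match in {0, 1}
    c = sum(w for name, w in WEIGHTS.items() if matches[name])
    expected = EXPECTED.get(claim, ["user-agent"])
    present = {h.lower() for h in req["headers"]}
    missing = [h for h in expected if h not in present]
    penalty = 1 - len(missing) / len(expected)  # anomaly penalty from the page
    score = round(c * penalty, 3)  # combining the two by product is an assumption
    reasons = [n for n, ok in matches.items() if not ok] + ["missing:" + h for h in missing]
    status = "PASSED" if score >= FAIL_BELOW else "FAILED"
    return {"score": score, "coherence_check": status, "reasons": reasons}


# Constructed sample records, not captured traffic.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
SAMPLES = {
    "real_chrome": {"user_agent": CHROME_UA, "tls_inferred_client": "chrome", "h2_inferred_client": "chrome",
                    "headers": ["User-Agent", "Accept", "Accept-Language", "sec-ch-ua", "Sec-Fetch-Site"]},
    "spoofed_ua": {"user_agent": CHROME_UA, "tls_inferred_client": "python", "h2_inferred_client": "python",
                   "headers": ["User-Agent", "Accept", "Accept-Language"]},
    "honest_script": {"user_agent": "python-requests/2.31.0", "tls_inferred_client": "python",
                      "h2_inferred_client": "python", "headers": ["User-Agent", "Accept"]},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, evaluate(record))
```

The `honest_script` record passes because the check measures agreement between layers, not whether the client is automated; deciding what to do with a self-declared script is a separate policy decision.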
// 05 — failure modes

Where integrity checks fail.

The most common reasons scraping pipelines fail passive browser integrity checks, ranked by frequency across our incident logs.

Sample size: 1.2M blocked reqs
Window: 30d trailing
Updated: 2026-05-19

  • 01 TLS/JA3 mismatch · 94% of failures · Network stack doesn't match User-Agent
  • 02 Missing sec-ch-* headers · 82% of failures · Client Hints absence flags older bots
  • 03 HTTP/2 pseudo-header order · 76% of failures · Go/Python defaults vs Chrome standard
  • 04 Headless JS leaks · 61% of failures · navigator.webdriver = true
  • 05 Canvas/WebGL anomalies · 45% of failures · Hardware doesn't match OS claim
// 06 — our stack

Coherence by design, not by patching.

Bypassing a browser integrity check isn't about stripping out the bad signals; it's about perfectly aligning the good ones. DataFlirt doesn't use stealth plugins to lie to the edge. We use custom-compiled network stacks that natively generate the exact TLS and HTTP/2 signatures expected by the target, paired with real browser rendering engines. When the edge checks our integrity, it sees a mathematically perfect Chrome client.

DataFlirt BIC Profile

Live integrity profile for a DataFlirt worker targeting a Cloudflare-protected origin.

tls.ja4 t13d1516h2_8daaf6152771
http2.settings 1:65536, 3:1000, 4:6291456
headers.sec_ch_ua "Chromium";v="124"
js.navigator.webdriver false
js.plugins.length 5
integrity.status PASS

// 07 — FAQ

Common questions.

Common questions about edge network integrity checks, Cloudflare's specific implementation, and how to maintain access.

What exactly does Cloudflare's 'Browser Integrity Check' toggle do?
It enables a specific set of passive checks looking for common bot headers, missing User-Agents, and known bad signatures. It's the baseline, not the whole WAF. Passing the BIC toggle doesn't mean you bypass Bot Management or Turnstile; it just means you survive the first 10 milliseconds of the request lifecycle.
Why does my scraper work locally but fail the BIC in production?
Your local machine likely routes differently, or your production environment uses a datacenter IP that triggers a higher scrutiny threshold where the BIC becomes mandatory. Furthermore, local environments often use different network libraries or OS-level TLS stacks than stripped-down Linux containers in production.
Can I bypass a BIC by just copying headers from my browser?
No. Headers are only layer 7. The edge also checks layer 4 (TLS fingerprinting) and layer 7 framing (HTTP/2 pseudo-header order). If you copy Chrome headers but use Python's requests, the TLS mismatch will flag you instantly. Coherence across all layers is required.
How does DataFlirt handle dynamic JavaScript integrity checks?
For targets that deploy active JS challenges (like Turnstile or DataDome), we route the request to our managed browser fleet, which executes the challenge in a real V8 environment with hardware-backed canvas and WebGL profiles. Once cleared, we extract the session cookies and hand them back to the high-throughput HTTP workers.
Is it legal to bypass a browser integrity check?
Bypassing a BIC to access public data is generally considered lawful under the CFAA (in the US), as established in hiQ v. LinkedIn. However, we strictly adhere to accessing only public, unauthenticated data and respecting target infrastructure limits. Always consult counsel for jurisdiction-specific use cases.
How fast can you scrape if you have to pass a BIC on every request?
Passive BICs add zero latency — they are evaluated on the inbound request. Active JS challenges add ~1.5s. DataFlirt caches clearance cookies across our worker pool, allowing subsequent requests to run at standard HTTP speeds. Our median response time on Cloudflare-protected targets is under 400ms.