
What is DataDome 403 Block?

A DataDome 403 Block is the hard-stop HTTP response returned when DataDome's edge classifier determines a request originates from an automated client. Unlike a CAPTCHA challenge or a soft block, a 403 Forbidden indicates the session's bot score has crossed the critical threshold where remediation is no longer offered. For scraping pipelines, hitting this response means your IP reputation, TLS fingerprint, or behavioral telemetry has been definitively burned for that target.

Anti-Scraping · WAF · Bot Score · TLS Fingerprinting · Edge Compute
// 02 — definitions

The hard stop.

When the edge classifier decides you aren't human, and doesn't even bother offering a CAPTCHA to prove otherwise.


TL;DR

A DataDome 403 Block occurs when a request's telemetry — combining IP reputation, TLS handshake signatures, and missing or invalid session cookies — yields a bot probability near 1.0. It drops the connection at the edge, saving origin bandwidth but instantly breaking naive scraping scripts.

01 Definition & structure
A DataDome 403 Block is an HTTP 403 Forbidden response generated directly at the edge (often via Cloudflare, AWS CloudFront, or Fastly integrations) by the DataDome bot protection module. It prevents the request from ever reaching the origin server. You can identify it by the presence of the x-datadome response header and a generic HTML payload indicating access has been denied.
02 The telemetry cascade
DataDome evaluates requests in two phases. First, the edge module checks network-layer signals: IP reputation, ASN type, and TLS and HTTP/2 fingerprints. If these look highly suspicious (e.g., a Python requests TLS signature from an AWS IP), it issues a 403 immediately. If the network layer passes, it checks for a valid datadome session cookie. If the cookie is missing, it serves a JS challenge.
03 The role of the datadome cookie
The datadome cookie is a cryptographically signed token that proves a client has successfully passed browser fingerprinting and behavioral checks. Sending requests without this cookie is normal for a first-time visitor, but sending thousands of requests without it triggers a velocity block. Sending requests with an expired or forged cookie triggers an instant 403.
04 How DataFlirt handles it
We treat 403s as a failure of infrastructure, not a cost of doing business. Our pipeline orchestrators run pre-flight validation on every worker node, ensuring the TLS JA3/JA4 signature perfectly matches the advertised User-Agent. We route initial requests through residential proxies to acquire valid datadome cookies, then distribute those cookies to lightweight HTTP workers for high-throughput, block-free extraction.
05 The silent 200 trap
Occasionally, DataDome will not return a 403, but rather a 200 OK with a modified payload. This is a tarpit designed to poison your dataset or waste your compute resources. If your extraction logic isn't strictly validating the presence of expected fields, you might ingest thousands of blank records before realising the edge classifier has quietly isolated your scraper.
// 03 — the classification model

How DataDome scores a request.

DataDome evaluates requests in under 2 milliseconds at the edge. DataFlirt's evasion models reverse-engineer these weights to keep our fleet's bot scores safely below the 403 threshold.

Edge Bot Score: S = (w1·IP) + (w2·TLS) + (w3·Cookie)
Simplified linear model of edge signals. Score > 0.99 triggers an instant 403. (Observed Edge Behavior)

Cookie Validity: V = HMAC(SessionID, DeviceFP, Timestamp)
If the datadome cookie fails cryptographic validation, the score spikes instantly. (DataDome Payload Analysis)

DataFlirt Session Health: H = 1 − (403_Count / Total_Reqs)
Maintained at > 0.999 across all DataDome-protected targets in our fleet. (Internal SLO)
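
Seen from the protected side, the simplified model above can be written as an edge decision function. This is an added example, not DataDome's or DataFlirt's code: the key, the weights, the one-hour lifetime, the `|`-separated cookie layout, the use of HMAC-SHA256 and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Every constant here is constructed for illustration; none is a DataDome value.
SECRET = b"constructed-demo-key"
MAX_AGE = 3600                                        # assumed cookie lifetime (s)
WEIGHTS = {"ip": 0.45, "tls": 0.45, "cookie": 0.10}   # assumed w1, w2, w3
BLOCK_THRESHOLD = 0.99                                # page: score > 0.99 -> 403


def _tag(session_id, device_fp, ts, key):
    msg = f"{session_id}|{device_fp}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_cookie(session_id, device_fp, ts, key=SECRET):
    """Serialise V = HMAC(SessionID, DeviceFP, Timestamp) with its inputs."""
    return f"{session_id}|{device_fp}|{ts}|{_tag(session_id, device_fp, ts, key)}"


def cookie_state(cookie, now, key=SECRET):
    """Classify a cookie as 'missing', 'invalid', 'expired' or 'valid'."""
    if not cookie:
        return "missing"
    parts = cookie.split("|")
    if len(parts) != 4 or not (parts[2].isascii() and parts[2].isdigit()):
        return "invalid"
    session_id, device_fp, ts, tag = parts
    expected = _tag(session_id, device_fp, ts, key)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "invalid"
    if int(ts) > now:
        return "invalid"                    # timestamp from the future
    return "expired" if now - int(ts) > MAX_AGE else "valid"


def edge_decision(ip_risk, tls_risk, cookie, now):
    """ip_risk and tls_risk are in [0, 1]; returns (action, score)."""
    state = cookie_state(cookie, now)
    if state in ("invalid", "expired"):
        return "block_403", 1.0             # failed validation: score spikes
    cookie_risk = 0.0 if state == "valid" else 1.0
    score = (WEIGHTS["ip"] * ip_risk + WEIGHTS["tls"] * tls_risk
             + WEIGHTS["cookie"] * cookie_risk)
    if score > BLOCK_THRESHOLD:
        return "block_403", score
    return ("js_challenge" if state == "missing" else "allow"), score
```

Binding the device fingerprint and timestamp into the MAC is what makes a cookie replayed from another device, or after its lifetime, fail validation instead of being scored as a returning visitor.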
// 04 — edge interception

A burned session hitting the wall.

Trace of a Python requests client attempting to access a DataDome-protected endpoint without a valid TLS signature or session cookie.

HTTP/2 · Python/3.10 · Edge Block
// outbound request
GET /api/v1/inventory HTTP/2
user-agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)..."
cookie: none

// edge evaluation (DataDome module)
tls.ja3_hash: "cd08e31494f9531f560d64c695473da9" // Python requests
ip.asn: "AS14061 (DigitalOcean)" // Datacenter
bot_score: 0.998

// inbound response
HTTP/2 403 Forbidden
server: "cloudflare"
x-datadome: "protected"
x-datadome-clientid: "none"
content-type: "text/html; charset=utf-8"

// payload
body: "<html>...Access Denied...</html>"
pipeline.status: FATAL_BLOCK
// 05 — block triggers

Why the edge drops the connection.

The primary signals that push a request's bot score over the critical threshold, resulting in an immediate 403 Forbidden rather than a CAPTCHA challenge.

Sample size: 1.2M blocked reqs
Window: 30d trailing
Updated: 2026-05-19
01 TLS / User-Agent mismatch (fatal signal): JA3 hash contradicts the advertised browser
02 Datacenter ASN (high risk): AWS, GCP, or known proxy provider IPs
03 Missing datadome cookie (state error): No prior JS challenge completion
04 Headless JS leaks (fatal signal): navigator.webdriver or missing plugins
05 Request velocity (rate limit): Unrealistic concurrency from a single IP
// 06 — evasion architecture

Don't fight the block, prevent the score from rising.

Once a DataDome 403 Block is issued, that IP and fingerprint combination is burned for the duration of the cooldown period. DataFlirt's architecture doesn't try to bypass 403s; it prevents them. We orchestrate perfectly aligned TLS handshakes, residential exit nodes, and valid JS challenge responses to maintain a pristine datadome cookie. A pipeline that never sees a 403 is infinitely cheaper to run than one that constantly rotates burned proxies.

DataDome Session State

A live snapshot of a healthy DataFlirt session passing through a DataDome-protected edge.

session.id dd_sess_8f92a
tls.ja4 t13d1516h2_8daaf6152771
ip.reputation residential · clean
cookie.datadome present · valid
js.challenge passed · 142ms
bot_score 0.012 · human
edge.action allow · 200 OK


// 07 — FAQ

Common questions.

About DataDome blocks, edge classification, legal considerations, and how DataFlirt maintains access at scale.

What is the difference between a DataDome 403 and a CAPTCHA challenge?
A CAPTCHA challenge (often a 200 OK with an interstitial page or a 401) means the classifier is unsure and wants interactive proof of humanity. A 403 Forbidden means the classifier is absolutely certain you are a bot. The 403 is a terminal state for that request; no remediation is offered.
Can I bypass a 403 by just rotating my IP address?
No. If your TLS fingerprint (JA3/JA4) or HTTP/2 framing still looks like a Python script or a headless browser, DataDome will instantly block the new IP as well. You will just burn through your proxy pool faster. You must fix the underlying fingerprint before rotating the IP.
Is it legal to bypass DataDome to scrape public data?
Accessing publicly available data is generally lawful in the US and EU, supported by precedents like hiQ v. LinkedIn. Bypassing a WAF does not inherently violate the CFAA unless you are accessing authenticated, non-public areas. However, you must review the target's Terms of Service and consult counsel for your specific jurisdiction.
How does DataFlirt maintain access against DataDome at scale?
We don't brute-force it. We use a fleet of real browsers on bare metal, paired with high-quality residential IPs. We solve the initial JS challenges legitimately to acquire valid datadome cookies, then attach those cookies to highly concurrent, TLS-aligned HTTP requests. This keeps our bot scores near zero.
Why am I getting a 403 in production but not locally?
Your local machine uses a residential ISP and a standard OS network stack. Your production environment runs in a datacenter (AWS, GCP, DigitalOcean) with a known ASN, and likely uses a different TLS library. DataDome flags the datacenter ASN and the mismatched TLS signature immediately.
What is the x-datadome header?
It is a custom HTTP response header injected by the DataDome edge module. It indicates whether the request was evaluated and what action was taken. Seeing x-datadome: protected on a 403 confirms that DataDome, not the origin server, dropped your connection.