
What is DataDome Score Threshold?

DataDome Score Threshold is the internal confidence boundary at which DataDome's machine learning classifier decides a request is non-human and triggers a mitigation response. Unlike binary IP blocks, DataDome evaluates hundreds of signals—from TLS fingerprints to mouse velocity—to compute a probability score. If your scraper's session score crosses the threshold, you stop receiving JSON and start receiving a 403 Forbidden or a CAPTCHA challenge.

// 02 — definitions

The line between data and CAPTCHA.

How DataDome quantifies bot probability, and why staying below the threshold requires full-stack identity coherence.


TL;DR

DataDome doesn't just look for bad signatures; it calculates a continuous bot probability score for every request. The threshold is dynamic, adjusting based on target traffic and attack patterns. Staying below it means your TLS, JS runtime, and behavioral signals must perfectly align with your advertised user agent.

01 Definition & structure
The DataDome Score Threshold is the specific numerical value at which DataDome's edge logic decides to intervene. Every incoming request is evaluated by machine learning models that analyze network signals, browser fingerprints, and behavioral data. This evaluation produces a score. If the score remains below the threshold, the request is routed to the origin server. If it crosses the threshold, DataDome intercepts the request and serves a 403 Forbidden or a CAPTCHA challenge.
02 How the score is calculated
DataDome calculates the score in two phases. First, the edge node evaluates network-layer signals: IP reputation, ASN, TLS JA3/JA4 fingerprints, and HTTP/2 framing. Second, if the request loads HTML, DataDome injects a JavaScript payload that gathers client-side telemetry: canvas hashes, WebGL renderer strings, font lists, and mouse movements. These signals are sent back to the DataDome API, which updates the session score in real time.
03 Dynamic thresholding
The threshold is not a static number. Site administrators can adjust the sensitivity globally or per endpoint. For example, a login API might have a very low threshold (highly sensitive), while a public product catalog might have a higher threshold. Furthermore, DataDome can automatically lower the threshold during traffic spikes or suspected DDoS attacks, meaning a scraper that works perfectly at 2 AM might get blocked at 2 PM.
04 How DataFlirt handles it
We treat DataDome as an identity coherence problem, not a CAPTCHA solving problem. Our infrastructure ensures that every request presents a unified identity. If we route through a residential IP in Texas, the TLS fingerprint matches a standard consumer browser, the JS runtime lacks headless artifacts, and the behavioral telemetry mimics human interaction. By maintaining this coherence, we keep our session scores safely below the threshold, ensuring uninterrupted data extraction.
05 The silent shadow-ban
A common misconception is that crossing the threshold always results in a 403 or a CAPTCHA. In some configurations, DataDome employs a "tarpit" or shadow-ban response. If your score is high but not critical, the server might return a 200 OK but serve cached, stale, or intentionally poisoned data. This is why monitoring data quality and extraction completeness is just as important as monitoring HTTP status codes.
// 03 — the math

How is the score computed?

DataDome uses an ensemble of models. The final score is a weighted probability of bot-like behavior. DataFlirt reverse-engineers these weights to optimize our proxy and browser profiles.

Session Risk Score: $S = \sum_i (w_i \cdot f_i) + \text{behavioral\_penalty}$
Weighted sum of fingerprint anomalies plus in-page behavioral flags. (Classifier Model)

Threshold Trigger: if $S > T_{\text{dynamic}}$, block
T shifts based on the target's strictness settings and current traffic baseline. (DataDome Edge Logic)

DataFlirt Safety Margin: $1 - (S_{\text{avg}} / T_{\text{estimated}})$
We aim to keep pipeline sessions at least 40% below the estimated trigger threshold. (Internal SLO)
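
The weighted-sum score and the per-endpoint, load-sensitive threshold described under "Dynamic thresholding" and in the formulas above, modelled from the defending edge's side. This is an added example, not DataDome's or DataFlirt's code; every weight, threshold, endpoint name, the `floor` parameter and the load-scaling rule are constructed assumptions.

```python
# Toy edge-side model: S = sum(w_i * f_i) + behavioral_penalty, block if S > T.
# All numbers below are constructed for illustration, not real classifier values.
WEIGHTS = {
    "tls_ua_mismatch": 0.45,  # JA3 does not match the advertised browser
    "datacenter_asn": 0.30,   # traffic from a hosting / proxy ASN
    "headless_leak": 0.30,    # e.g. navigator.webdriver = true
    "missing_cookie": 0.15,   # session cookie not passed back
}
BEHAVIORAL_PENALTY = {"linear_mouse": 0.15, "untrusted_event": 0.10}

# Per-endpoint base thresholds: a lower value means a more sensitive endpoint.
BASE_THRESHOLD = {"/login": 0.30, "/catalog": 0.70}


def session_score(features, behavior_flags):
    """Weighted sum of feature values in [0, 1] plus behavioral flags, clamped."""
    s = sum(WEIGHTS[name] * value for name, value in features.items())
    s += sum(BEHAVIORAL_PENALTY[flag] for flag in behavior_flags)
    return min(1.0, max(0.0, s))


def dynamic_threshold(endpoint, current_rps, baseline_rps, floor=0.15):
    """Tighten T in proportion to load above the baseline, never below floor."""
    load = max(1.0, current_rps / baseline_rps)
    return max(floor, BASE_THRESHOLD[endpoint] / load)


def evaluate(endpoint, features, behavior_flags, current_rps, baseline_rps):
    """Return (score, threshold, action) for one request of a session."""
    s = session_score(features, behavior_flags)
    t = dynamic_threshold(endpoint, current_rps, baseline_rps)
    return s, t, ("block" if s > t else "allow")


if __name__ == "__main__":
    # Constructed session: headless leak and no cookie, no behavioral flags yet.
    session = {"headless_leak": 1.0, "missing_cookie": 1.0}
    for endpoint, rps in [("/catalog", 100), ("/login", 100), ("/catalog", 200)]:
        print(endpoint, rps, evaluate(endpoint, session, [], rps, baseline_rps=100))
```

The same session score is allowed on the catalog at baseline traffic, blocked on the login endpoint, and blocked on the catalog once traffic doubles, which is why operators should log the threshold in force alongside each score when tuning sensitivity.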
// 04 — what the server sees

A session crossing the threshold.

Trace of a Playwright script failing to maintain identity coherence over multiple page loads, eventually triggering a DataDome block.

// Request 1: Initial load
tls.ja3: "771,4865-4866-4867..." // Chrome match
ip.asn: "AS7922 Comcast" // Residential
datadome.score: 0.12 // PASS

// Request 2: JS Challenge execution
navigator.webdriver: true // Puppeteer leak
canvas.hash: "3f8c...b21a"
datadome.score: 0.68 // Score spikes

// Request 3: Pagination click
mouse.velocity: "linear" // Mechanical movement
event.trusted: false
datadome.score: 0.94 // THRESHOLD CROSSED

// Edge Response
action: "block"
response.status: 403 Forbidden
response.body: "<html>...DataDome CAPTCHA...</html>"
// 05 — score penalties

What drives the score up.

The highest-weighted signals that push a session score over the DataDome threshold, based on DataFlirt's telemetry across 50M+ requests.

Sample size: 50M+ requests
Targets: E-commerce & Travel
Updated: 2026-05-19

01 TLS / User-Agent Mismatch
Critical penalty · JA3 hash doesn't match the advertised browser version.

02 Datacenter IP (ASN)
High penalty · Traffic originating from AWS, DigitalOcean, or known proxy providers.

03 Headless Browser Leaks
High penalty · navigator.webdriver = true or missing Chrome plugins.

04 Mechanical Interactions
Medium penalty · Perfectly linear mouse movements or zero-delay clicks.

05 Missing Cookie Tokens
Medium penalty · Failing to pass back the datadome cookie on subsequent requests.
// 06 — our stack

Coherent identities, not just rotated IPs.

DataDome's threshold is unforgiving to mismatched signals. If your IP is residential but your TLS fingerprint screams Go HTTP client, your score spikes instantly. DataFlirt maintains threshold safety by ensuring full-stack coherence: the IP ASN, the TLS JA3 hash, the canvas fingerprint, and the HTTP/2 frame settings all belong to the exact same real-world device profile.

datadome.session.eval

Live telemetry of a DataFlirt worker maintaining a low DataDome score.

worker.id: df-node-882
ip.type: Residential (clean)
tls.ja3: Chrome 124 (match)
js.challenge: solved
cookie.datadome: present
score.current: 0.04 (safe)
pipeline.status: extracting

// 07 — FAQ

Common questions.

About DataDome scoring, threshold dynamics, and how DataFlirt keeps pipelines running without triggering CAPTCHAs.

What is a good DataDome score?
DataDome scores typically range from 0 (definitely human) to 1 (definitely bot). A score below 0.2 is generally safe. Anything above 0.7 is almost guaranteed to trigger a hard block or a CAPTCHA. The exact threshold varies by customer configuration and endpoint sensitivity.
Does rotating IPs reset my DataDome score?
No. DataDome tracks sessions using a combination of IP, browser fingerprints, and the datadome cookie. If you rotate your IP but keep the same fingerprint or cookie, the high score follows you. If you drop the cookie but keep the fingerprint, the anomaly is detected and your new session starts with a penalty.
Why did my scraper work yesterday but get blocked today?
DataDome's threshold is dynamic. During high-traffic events (like a product drop), targets often lower the threshold to aggressively shed bot traffic. Additionally, DataDome continuously updates its machine learning models; a fingerprint that passed yesterday might be flagged today.
Can I bypass DataDome by solving the CAPTCHA?
Technically yes, but it's inefficient and expensive at scale. Relying on third-party CAPTCHA solvers adds massive latency to your pipeline and drastically increases cost per record. The sustainable approach is to keep your score below the threshold so the CAPTCHA is never served.
How does DataFlirt handle DataDome protected sites?
We don't solve CAPTCHAs; we avoid them. We use a proprietary fleet of residential proxies paired with heavily customized browser profiles that ensure TLS, HTTP/2, and JS runtime signals are perfectly coherent. This keeps our session scores well below the trigger threshold.
Is it legal to bypass DataDome?
Accessing public data is generally lawful, provided you do not breach authenticated areas or cause server degradation. DataDome is a security appliance, not a legal boundary. However, you must always review the target's Terms of Service and consult legal counsel regarding your specific use case.