
What is Puppeteer Extra Stealth?

Puppeteer Extra Stealth is a popular open-source plugin designed to patch the default browser environment and hide the fact that headless Chrome is being driven by automation. It intercepts and modifies JavaScript APIs like navigator.webdriver, window.chrome, and permissions to prevent basic bot detection scripts from flagging the session. While effective against legacy fingerprinting, modern anti-bot systems detect its presence within milliseconds, making it a liability for enterprise data pipelines.

Puppeteer · Evasions · Headless Chrome · Anti-Bot · JavaScript Injection
// 02 — definitions

Patching the leaks.

How the plugin attempts to mask automation flags in headless Chrome, and why JavaScript-level evasions are no longer enough for production scraping.


TL;DR

Puppeteer Extra Stealth applies a series of JavaScript evasions to hide automation markers. It works by overriding native browser APIs before the page loads. However, advanced systems like Cloudflare and DataDome now detect the evasions themselves by inspecting proxy objects and stack traces, rendering the plugin ineffective for high-stakes scraping.

01 Definition & structure
Puppeteer Extra Stealth is a modular plugin for the Puppeteer automation framework. It injects a suite of JavaScript evasions into the browser context before any site code runs. These evasions patch common leaks found in headless Chrome, such as removing the navigator.webdriver flag, mocking the window.chrome object, faking plugin arrays, and bypassing broken permissions APIs.
02 How it works in practice
The plugin relies heavily on Puppeteer's page.evaluateOnNewDocument() method. Every time a new frame or page is created, the stealth scripts execute first. They use JavaScript Proxies and Object.defineProperty to overwrite native browser functions, ensuring that when an anti-bot script asks the browser "are you automated?", the patched functions lie and return "no".
03 The detection arms race
Patching JavaScript is no longer sufficient. Modern anti-bot systems execute deep inspection on the objects themselves. If a function is wrapped in a Proxy, it behaves slightly differently than a native C++ function. Furthermore, stealth plugins do nothing to fix network-layer anomalies (like TLS JA3 signatures) or hardware-level entropy (like Canvas and WebGL rendering), leaving massive holes in the disguise.
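The object-level inspection described in this section, as an added example (not DataFlirt's or any vendor's code). In Chrome, `navigator.webdriver` is an accessor on `Navigator.prototype`; the sketch runs in Node against constructed stand-in objects, the names `makeNativeLike`, `makePatched`, `makeProtoPatched` and `inspectProperty` are hypothetical, and a bound function stands in for a native getter because it also prints as `[native code]`.

```javascript
// Added example: constructed stand-ins, not a real browser and not vendor code.
// A bound function prints as "function () { [native code] }", like a built-in getter.
const nativeGetter = function () { return false; }.bind(null);

function withPrototypeGetter(getter) {
  const proto = {};
  Object.defineProperty(proto, 'webdriver', { get: getter, enumerable: true, configurable: true });
  return Object.create(proto);
}

// Unmodified layout: `webdriver` is an accessor on the prototype, nothing on the instance.
function makeNativeLike() { return withPrototypeGetter(nativeGetter); }

// Patched layout 1: a script-defined getter shadows the accessor on the instance.
function makePatched() {
  const nav = makeNativeLike();
  Object.defineProperty(nav, 'webdriver', { get: () => false, configurable: true });
  return nav;
}

// Patched layout 2: the prototype accessor itself was replaced by script.
function makeProtoPatched() { return withPrototypeGetter(function () { return false; }); }

// Returns the integrity signals raised for `prop` on `obj` (empty array = consistent).
function inspectProperty(obj, prop) {
  const signals = [];
  if (Object.getOwnPropertyDescriptor(obj, prop)) signals.push('own-property-shadow');
  const proto = Object.getPrototypeOf(obj);
  const desc = proto && Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.get !== 'function') {
    signals.push('missing-prototype-accessor');
  } else if (!Function.prototype.toString.call(desc.get).includes('[native code]')) {
    signals.push('non-native-getter');
  }
  return signals;
}

// All three objects report webdriver === false; only the property layout differs.
for (const [name, make] of Object.entries({ makeNativeLike, makePatched, makeProtoPatched })) {
  console.log(name, inspectProperty(make(), 'webdriver'));
}
```

The value read from the property is identical in every case, which is why the check looks at where the property lives and what backs it rather than at what it returns.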
04 How DataFlirt handles it
We do not use Puppeteer Extra Stealth or any JavaScript-based evasion plugins. Instead, our fleet runs custom-compiled Chromium binaries where automation flags are permanently removed at the source code level. Because we don't inject polyfills, there are no proxy objects for anti-bot scripts to detect. We pair this native execution environment with perfectly aligned TLS stacks, ensuring a pristine, undetectable profile.
05 Did you know?
The evasions applied by stealth plugins often create a unique fingerprint of their own. Because the plugin applies the exact same set of polyfills in the exact same order across thousands of users, anti-bot vendors simply fingerprint the "stealth profile" itself. Using the plugin can actually make your scraper more identifiable than using raw headless Chrome.
// 03 — the evasion math

Why patching JS fails at scale.

Anti-bot vendors don't just look for automation flags; they look for the absence of expected native behaviors or the presence of proxy objects used by stealth plugins.

Evasion detection probability = P(detect) = proxy_traps + stack_trace_anomalies
If an anti-bot script catches your override, your trust score drops to zero instantly. (DataFlirt Threat Research)

True entropy gap = ΔH = H(real_chrome) − H(stealth_patched)
Stealth plugins patch JS but leave TLS, Canvas, and Audio fingerprints untouched. (Browser Fingerprinting Models)

DataFlirt native pass rate = R = native_profiles / total_requests > 0.99
We achieve >99% pass rates by avoiding JS injections entirely. (Internal SLO)
// 04 — the detection trace

How Akamai sees a stealth plugin.

A trace of a Puppeteer Extra Stealth session hitting a modern bot management endpoint. The evasions themselves trigger the block.

Akamai BMP · JS Challenge · Proxy Detection
// JS challenge execution
navigator.webdriver: false // patched successfully
window.chrome: [object Object] // patched successfully

// deep inspection by anti-bot script
toString.call(navigator.webdriver): "function get webdriver() { [native code] }"
Object.getOwnPropertyDescriptor: proxy detected // FLAG
Error.stack trace: puppeteer_evaluation_script // FLAG

// network layer mismatch
tls.ja3: 771,4865-4866-4867... // Node.js default, not Chrome
http2.settings: anomalous

// verdict
classifier.score: 0.98 // bot
action: block_ip
// 05 — detection vectors

How stealth plugins get caught.

The most common ways modern anti-bot systems identify Puppeteer Extra Stealth, ranked by frequency of detection across our monitoring network.

Sample size: 12.4M requests
Targets: Top 500 Alexa
Updated: 2026-05-19
01 Proxy object detection
JS traps · Catching overridden properties via Object methods

02 Network layer mismatch
TLS/JA3 · Node.js TLS doesn't match advertised Chrome version

03 Stack trace analysis
V8 Engine · Evaluation scripts visible in thrown errors

04 Canvas/Audio entropy
Hardware · Default headless fingerprints remain untouched

05 Missing native APIs
Polyfills · Over-patched or incomplete mock objects
// 06 — our architecture

Native profiles, not JavaScript band-aids.

Relying on JavaScript injection to hide automation is fundamentally flawed because the execution environment is hostile. The anti-bot script runs in the same context and can inspect your patches. DataFlirt abandons JS evasions entirely. We run a custom Chromium build where automation flags are stripped at the C++ level, and TLS/HTTP2 signatures are natively aligned with the advertised User-Agent. The result is a browser that doesn't need to lie about its identity because it is natively indistinguishable from a consumer installation.

stealth-vs-native.comparison

Comparing a stealth-patched Puppeteer session against DataFlirt's native Chromium build.

Attribute             Stealth-patched Puppeteer   DataFlirt native Chromium
navigator.webdriver   proxy object                undefined (native)
tls.signature         Node.js default             Chrome 124
execution.context     shared                      isolated
canvas.hash           headless default            hardware-backed
injection.overhead    ~120ms per page             0ms
datadome.pass_rate    14%                         99.8%

// 07 — FAQ

Common questions.

About stealth plugins, detection mechanisms, and how DataFlirt bypasses modern anti-bot systems without relying on brittle JavaScript injections.

Is Puppeteer Extra Stealth still effective?
Only for basic, legacy targets. If a site uses a modern anti-bot vendor like Cloudflare Turnstile, DataDome, or Akamai BMP, the plugin will fail. These systems have evolved from looking for automation flags to looking for the evasions themselves.
Why do anti-bot systems detect the plugin so easily?
Because the plugin operates in JavaScript, within the same execution environment as the anti-bot script. Vendors use techniques like Object.getOwnPropertyDescriptor to check if native functions have been replaced by proxy objects. If you patch a function, you leave a footprint.
Can I just update the plugin to bypass new detections?
It's a losing arms race. Anti-bot vendors update their detection scripts daily; open-source plugins update monthly at best. By the time a new evasion is merged into the stealth plugin, the vendors have already mapped its signature.
How does DataFlirt bypass detection without stealth plugins?
We compile Chromium from source, removing automation flags at the C++ engine level. We pair this with residential IPs and native TLS stacks that perfectly match the advertised browser version. Our browsers don't need to inject JavaScript to hide — they are natively clean.
Does Playwright have a stealth plugin?
Yes, playwright-stealth exists, but it suffers from the exact same architectural flaws. Whether you use Puppeteer or Playwright, injecting JavaScript polyfills via evaluateOnNewDocument is fundamentally detectable by advanced scripts.
What is the performance cost of using stealth plugins?
Injecting dozens of polyfills before every page load adds 50–150ms of overhead per navigation. At scale, this significantly reduces pipeline throughput and increases compute costs, all for an evasion method that ultimately fails on high-value targets.