We Were Scoring 0.1 on reCAPTCHA v3. So We Rewrote Chromium

CloakHQ — Thu, 07 May 2026 10:43:36 +0000

We were automating sites behind Cloudflare, reCAPTCHA, DataDome. Tried every stealth tool we could find. playwright-stealth, patchright, undetected-chromedriver. Each one worked until it didn't, and when it broke, it broke silently: sessions just stopped working and you'd spend days figuring out why.

reCAPTCHA v3 kept returning 0.1. If you haven't worked with v3 before: it doesn't show you a challenge. It watches the session silently and produces a score. Below 0.5 means bot. We were getting 0.1, which means "bot, confidently."

We needed something universal. One tool that held up across all of them, not just the one you were fighting that week.

Why JS patches don't work long-term

Most stealth library works the same way: inject JavaScript into the page before it loads, spoof the values detection scripts look for. navigator.webdriver set to false. Fake plugin lists. Canvas overrides.

They all failed the same check.

It took some time to understand why, but once we saw it, it was obvious. JavaScript patches run inside the browser. The browser itself (its C++ internals, the TLS fingerprint it sends, the CDP protocol behavior, the way input events are structured at the engine level) is still stock headless Chrome. Detection systems compare what JavaScript reports against everything else: what the network stack says, what the GPU reports, what the audio context returns. When those don't match, you get flagged.

A JS patch puts a mask on a robot. The seams are visible because they're there.

The fix had to happen at a different level.

What we built

We patched Chromium at the source. Actual C++ changes compiled into the binary before it runs. Canvas, WebGL, audio context, fonts, GPU strings, screen properties, network timing, CDP input behavior. All modified before compilation.

Websites can't tell it from a real Chrome session, because at the engine level, it is one.

The first test run: reCAPTCHA v3 returned 0.9. We ran it again. Same result. Ran it on a fresh session. Same result. Then we started running it against everything that had been blocking us (Cloudflare, DataDome, FingerprintJS) and it went through them one by one, cleanly. Honestly, we expected it to help. We didn't expect it to work that well, that consistently. Sites that had been blocking us for months just... loaded.

That internal fix became CloakBrowser. We open-sourced it in February.

Drop-in replacement

Same API as Playwright and Puppeteer. Swap the import, nothing else changes.

# before
from playwright.sync_api import sync_playwright
pw = sync_playwright().start()
browser = pw.chromium.launch()

# after
from cloakbrowser import launch
browser = launch()

// before
const browser = await chromium.launch();

// after
import { launch } from 'cloakbrowser';
const browser = await launch();

The binary ships with 57 source-level C++ patches and auto-generates a random fingerprint seed on every launch. Each session looks like a different device.

For behavioral detection on top of the fingerprint, humanize=True replaces mouse movement, keyboard input, and scroll with patterns that match real user behavior: Bezier curves, per-character typing delays, realistic scroll acceleration. One flag, no code changes.

browser = launch(humanize=True)
page = browser.new_page()
page.locator("#email").fill("user@example.com")  # types character by character
page.locator("button[type=submit]").click()       # Bezier curve to click target

Test results

Verified against live services, May 2026:

Service	Result
reCAPTCHA v3	0.9 (server-verified)
Cloudflare Turnstile (managed + non-interactive)	Pass
FingerprintJS	Pass
BrowserScan	Normal (4/4)
ShieldSquare	Pass
`navigator.webdriver`	false at source level
CDP automation detection	Not detected

reCAPTCHA scores it as a normal browser, because at the engine level, it is one.

What it doesn't solve

Proxy reputation is separate. Datacenter IPs get hard-blocked on aggressive sites regardless of how clean the fingerprint is. Residential proxies, ideally ISP/static rather than shared pools, are still part of the stack.

And some advanced configurations still catch us. The arms race is real, and we'd rather say that than pretend otherwise.

Try it

No install needed to test:

docker run --rm cloakhq/cloakbrowser cloaktest

Runs the full stealth test suite against live detection sites from your machine. Or install directly:

pip install cloakbrowser

npm install cloakbrowser playwright-core

Binary downloads automatically on first run, around 200MB, cached locally. Works on Linux, macOS, Windows.

The repo is github.com/CloakHQ/CloakBrowser. If you try it and something still gets blocked, open an issue with the site. That's exactly the feedback that drives the next build.

CloakBrowser is free and open source (MIT). The compiled binary has a separate license: free to use, no redistribution.