Anti-Bot

What Is DataDome?

What Is DataDome? — conceptual illustration
On this page

DataDome is a bot-protection vendor used on roughly 1,200 enterprise sites, scoring more than 5 trillion signals per day. Unlike Cloudflare and Akamai, it deploys one ML model per protected site (roughly 85,000 total), runs at the application server (not CDN edge), and decides in around 2 ms — so there is no universal bypass. What works on Grainger.com may fail on Le Monde with the same TLS, same browser, and same proxy.

Quick facts

Detection cookiedatadome (also dd_cookie_test)
Models~85,000 — one per protected site
Decision latency~2 ms, real-time, per request
Key signalsIP reputation (25–30%), TLS, WASM boring_challenge, Picasso device FP, 35+ behavioural signals
Common bypasscurl_cffi + mobile/residential proxy, __NEXT_DATA__ extraction

How DataDome works

When a request hits a DataDome-protected site, the request is forwarded synchronously to DataDome's scoring service alongside the response. The model evaluates IP reputation (which alone accounts for 25–30% of the score), TLS fingerprint, HTTP/2 frame characteristics, the datadome cookie if present, and any behavioural data the site has previously collected. A score returns in roughly 2 ms — fast enough to block in-line without affecting page load time.

The WASM boring_challenge is the most distinctive DataDome component. It is a Rust-compiled state machine that runs inside the browser and produces a token. Because the challenge is real WebAssembly executing on real browser APIs, you cannot solve it without an actual browser execution context. Headless detection happens here too: anti-bot WASM probes the CPU via SIMD timing in a way no stealth-browser JS patch covers.

Why universal bypasses do not exist

With 85,000 per-site models, DataDome configures sensitivity per customer. Le Monde (a news site, light scoring) blocks far less aggressively than Grainger (e-commerce, hard scoring). Solutions that work for one customer can fail entirely for another. There is no "DataDome bypass" — there is a bypass per protected site, and it may stop working when DataDome retrains.

What scrapers actually do

Three strategies in priority order:

  1. Look for the data in initial HTML first. Many DataDome-protected Next.js sites embed full page state in a __NEXT_DATA__ script tag — confirmed on Grainger.com, a 110KB JSON blob with all product data accessible in the initial HTML response. curl_cffi + residential proxy fetches the HTML; DataDome never even runs its WASM check because there is no XHR.
  2. Use mobile or ISP residential proxies for XHR endpoints. IP weighting is so heavy that switching from datacenter to mobile-4G frequently flips a session from blocked to 200 OK with no other change. Rotating residential is risky; ISP static or mobile is safest.
  3. Use Camoufox with geoip=True when the page actually executes the WASM challenge. The five identity vectors (IP, WebRTC, DNS, timezone, Accept-Language) must align.

Datacenter IPs are not a viable starting point — IP reputation alone disqualifies them before any fingerprint matters.

Code example

python
from curl_cffi import requests
import chompjs, re

# Many DataDome-protected sites embed all data in __NEXT_DATA__
r = requests.get(
    "https://target.com/product/123",
    impersonate="chrome131",
    proxies={"https": "http://user:pass@mobile-4g-proxy:port"},
)
m = re.search(r'<script id="__NEXT_DATA__"[^>]*>(.*?)</script>', r.text, re.S)
data = chompjs.parse_js_object(m.group(1))
print(data["props"]["pageProps"]["product"])

Related terms

What Is Anti-Bot Detection?
Anti-bot detection is the set of techniques websites use to distinguish automated traffic from human users — and to block, challenge, or thr…
What Is TLS Fingerprinting (JA3/JA4)?
TLS fingerprinting is a technique that identifies an HTTP client from its TLS handshake — before the server reads a single request byte. The…
What Is a Mobile Proxy?
A mobile proxy routes scraper requests through 4G or 5G mobile-carrier IP addresses — T-Mobile, Vodafone, O2, AT&T, and similar networks. Be…
What Is curl_cffi?
curl_cffi is a Python HTTP client that produces TLS fingerprints identical to real Chrome, Firefox, or Safari. It wraps curl-impersonate — a…
Anti-Bot Vendor Detection Cheatsheet
The first step of any scrape against a protected site is identifying which anti-bot vendor is in front of it. The vendor determines almost e…
What Is Behavioural Bot Detection?
Behavioural bot detection is the layer of anti-bot scoring that asks "how does this client act?" rather than "what is it?". It tracks mouse-…
What Is a CAPTCHA Solver?
A CAPTCHA solver is software that automatically completes CAPTCHA challenges on behalf of an automated client. It receives the challenge fro…

Concept map

How DataDome connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Anti-Bot
Building map…

Tools & solutions for this topic

Frequently asked questions

Is DataDome the same as Cloudflare?

No. Cloudflare runs at the CDN edge and uses a single global ML model trained on roughly 20% of all internet traffic. DataDome runs per-site at the application layer with 85,000 separate models. They detect different things and have very different bypass strategies.

Can I bypass DataDome with just a residential proxy?

Sometimes, for the lightest deployments. For most production e-commerce or ticketing sites you need residential or mobile proxy plus realistic TLS fingerprint plus, for XHR endpoints, a real browser context that can execute the WASM challenge.

Why does DataDome respond in 2 ms?

Because every request is scored independently and inline — there is no warm-up trust accumulation. Speed matters because the site cannot afford to delay legitimate users while a model thinks. The downside for scrapers: every request is scored, not just the first one.

Does the datadome cookie mean I am whitelisted?

No — the cookie marks a session that has been seen before, but the score is recomputed per request. A valid cookie with a passing score on request 1 can still fail request 50 if the behavioural fingerprint diverges. The cookie is a hint, not a pass.

Last updated: 2026-05-26