What Is Kasada Bot Defense?

Kasada is a gatekeeper-proxy bot defense used by major retailers, ticketing platforms, and sneaker drops. Unlike Cloudflare or DataDome, it sits in front of the origin and issues JavaScript proof-of-work challenges before any request reaches the application server. There are no CAPTCHAs — failures are silent 403s or 429s with no explanation. The 2026 fact most scrapers learn the hard way: Kasada specifically fingerprints playwright-stealth by calling Function.prototype.toString() on patched native functions. The patch signatures are catalogued.

Quick facts

Detection cookies: x-kpsdk-ct, x-kpsdk-cd
Challenge file: ips.js (polymorphic, renamed every deployment)
Distinct signal: Function.prototype.toString() inspection on patched APIs
Block style: Silent 403 / 429, with no challenge page and no explanation
Best bypass tool: PatchRight (Python source patches, not runtime JS)

How Kasada scores requests

Kasada operates as a gatekeeper proxy — every request flows through it before reaching the origin. Its JavaScript file (ips.js, polymorphically renamed on each deployment) issues a proof-of-work challenge that requires real CPU cycles and real browser APIs to solve. PoW tokens (x-kpsdk-ct) are single-use; reusing them is an immediate flag.

The standout 2026 detection vector: Kasada calls Function.prototype.toString() on dozens of native APIs (navigator.webdriver, WebGLRenderingContext.getParameter, HTMLCanvasElement.toDataURL). If playwright-stealth or any runtime stealth tool has patched them in JavaScript, the patched function returns function () { [custom code] } instead of function () { [native code] } — and Kasada has the full signature set indexed.
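
The toString() inspection described above can be sketched as a small integrity check. This is an added example, not Kasada's code and not code from the original page; the names inspect and audit and the sample object are hypothetical, and built-ins such as Math.max stand in for browser APIs so that it runs in Node.

```javascript
// Added example (not Kasada code). Capture a pristine toString before any
// other script runs, so later patches to Function.prototype cannot lie to us.
const fnToString = Function.prototype.call.bind(Function.prototype.toString);
const hasOwn = Function.prototype.call.bind(Object.prototype.hasOwnProperty);

// Engines print built-ins as "function name() { [native code] }";
// whitespace differs between engines, so match it loosely.
const NATIVE_RE = /^function\s*[\w$ ]*\(\)\s*\{\s*\[native code\]\s*\}$/;

// Returns the list of reasons a function does not look like a built-in.
function inspect(fn) {
  if (typeof fn !== 'function') return ['not a function'];
  const reasons = [];
  if (!NATIVE_RE.test(fnToString(fn))) reasons.push('script source');
  // An own toString property shadows the prototype method to fake the string.
  if (hasOwn(fn, 'toString')) reasons.push('own toString');
  // Bound functions stringify as native code even when they wrap script code.
  if (fn.name.startsWith('bound ')) reasons.push('bound function');
  return reasons;
}

// Returns { propertyName: [reasons] } for every entry that looks tampered.
function audit(surface) {
  const findings = {};
  for (const [name, fn] of Object.entries(surface)) {
    const reasons = inspect(fn);
    if (reasons.length) findings[name] = reasons;
  }
  return findings;
}

// Constructed sample surface: one untouched built-in and three kinds of patch.
const sample = {
  max: Math.max,
  stringify: function (v) { return JSON.stringify(v); },
  now: Object.assign(function () { return 0; }, {
    toString: () => 'function now() { [native code] }',
  }),
  push: (function realPush() {}).bind(null),
};

console.log(audit(sample));
```

The now entry shows why the reference to toString is captured up front: calling sample.now.toString() returns the faked native string, while the captured reference still sees the script source.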

What does not work

playwright-stealth — every patch leaves a toString() trail. The patch signatures are catalogued and blocked outright.

undetected-chromedriver alone — removes the webdriver flag, but does not address the broader toString-detectable surface.

Datacenter proxies — IP reputation weight is heavy. AWS, GCP, DigitalOcean ASNs get near-zero trust regardless of browser quality.

Token replay: x-kpsdk-ct tokens are single-use. Caching them across requests, even to save cost, is an immediate flag.

What works

PatchRight is the canonical answer in 2026. It patches the Playwright Python source itself before Chrome ever starts. There is nothing in the JS runtime for toString() to inspect — the modifications happen at a layer Kasada cannot see.

SeleniumBase UC mode is a viable alternative — removes the WebDriver flag and auto-handles the PoW challenge.

Required around the browser: residential or ISP static IPs (datacenter is dead against Kasada), no token replay (always solve fresh), and a fresh session per session — no aggressive concurrency from one identity.

Code example

python
# PatchRight is the 2026 answer for Kasada — patches the Python source
# before Chrome starts, so toString() inspection finds nothing.

from patchright.sync_api import sync_playwright

with sync_playwright() as p:
    browser = p.chromium.launch(headless=False)
    context = browser.new_context(
        proxy={"server": "http://user:pass@residential:port"}
    )
    page = context.new_page()
    page.goto("https://kasada-protected.com/")
    # PoW solved automatically by real browser execution
    html = page.content()

Frequently asked questions

Why does playwright-stealth fail on Kasada?

Because Kasada calls Function.prototype.toString() on patched native functions. playwright-stealth patches them in JavaScript, so toString() returns the patched source — which is exactly the signal Kasada is looking for. The patch itself is the detection.

What is ips.js and why is it renamed?

ips.js is Kasada's polymorphic JavaScript challenge file. It is renamed on every deployment to defeat signature-based blocking. The challenge logic inside it also changes shape so static deobfuscation tools cannot keep up.

Can I solve Kasada without a browser?

Rarely. The PoW challenge requires real browser APIs (Crypto, performance.now timing, page execution context). HTTP-only solving has been demonstrated for some deployments by reverse-engineering the PoW algorithm, but the engineering cost is high and breaks with each ips.js rotation.

When should I use a managed scraping API instead?

When your team spends more than ~2 engineer-days a month maintaining the Kasada bypass. The PoW rotation, the toString() surface, and the proxy reputation overhead compound quickly. A managed API like Scrappey or Bright Data Web Unlocker is usually cheaper above that threshold.

Last updated: 2026-05-26