What Is a WebRTC IP Leak?


A WebRTC IP leak is the most-overlooked failure mode in browser-based scraping in 2026: WebRTC reveals your real local and public IP via ICE candidates even when all your HTTP traffic is routed through a proxy. The leak happens because WebRTC does not pass through the HTTP proxy: it talks directly to STUN servers over UDP from your real network interface. Anti-bot systems use this as one input in a five-vector coherence test that all major vendors run.

Quick facts

How it leaks: RTCPeerConnection ICE candidates expose local + STUN-discovered IPs
Bypassed proxy? Yes; an HTTP proxy does not route STUN
Vendors checking it: Cloudflare, PerimeterX, DataDome, Akamai
Coherence test: IP country + timezone + Accept-Language + WebRTC ICE + DNS resolver must all agree
Best fix: Camoufox with geoip=True, which auto-aligns all 5 vectors

How the leak works

WebRTC is the browser API for peer-to-peer audio, video, and data connections. To establish a connection between two peers behind NAT, WebRTC uses the ICE protocol, which gathers candidate IPs from the local network interface, a public IP via STUN servers, and TURN relays. Any web page can call:

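// Public STUN server; the browser contacts it directly, outside the HTTP proxy.
const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] });
// Register the handler before gathering starts so no candidate is missed.
pc.onicecandidate = (e) => { if (e.candidate) console.log(e.candidate.candidate); };
pc.createDataChannel('');  // a data channel is enough to trigger ICE gathering
pc.createOffer().then(o => pc.setLocalDescription(o));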

The returned ICE candidates include your real IP, even if all your HTTP traffic is going through a proxy.
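To audit what those candidate strings actually expose, the following added example (not code from the original page) parses candidate lines and reports every address that is private or that differs from the addresses you expect a remote page to see. The function names, the `expectedIps` parameter and the sample candidates are constructed for illustration; the samples use documentation address ranges, and the `.local` case covers browsers that replace host addresses with mDNS names.

```javascript
// Parse one ICE candidate line (field order per RFC 5245 section 15.1).
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').replace(/^candidate:/, '').trim().split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null; // not a candidate line
  const c = { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
  // Extension attributes are key/value pairs; raddr is the base address behind srflx/relay.
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === 'raddr') c.relatedAddress = f[i + 1];
  }
  return c;
}

// Classify an address as an mDNS name, a private/local address, or a public one.
function addressKind(addr) {
  if (/\.local$/i.test(addr)) return 'mdns'; // obfuscated host candidate
  if (addr.includes(':')) {                  // IPv6: ULA fc00::/7, link-local fe80::/10
    return /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/i.test(addr) || addr === '::1' ? 'private' : 'public';
  }
  const [a, b] = addr.split('.').map(Number);
  const priv = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254) || (a === 100 && b >= 64 && b <= 127);
  return priv ? 'private' : 'public';
}

// expectedIps (assumed input): addresses a remote page is expected to see, e.g. the proxy exit.
function auditCandidates(lines, expectedIps) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === '0.0.0.0' || addr === '::') continue; // redacted placeholder
      const kind = addressKind(addr);
      const exposed = kind === 'private' || (kind === 'public' && !expectedIps.includes(addr));
      if (exposed) findings.push({ type: c.type, address: addr, kind });
    }
  }
  return findings;
}

// Constructed sample candidates (documentation address ranges, not real captures).
const SAMPLE = [
  'candidate:1 1 udp 2113937151 3f2a9c1e-0b7d-4e55-9a10-6c2d8e4f1a77.local 54321 typ host',
  'candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host',
  'candidate:3 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 192.168.1.23 rport 54322',
  'candidate:4 1 udp 1677729535 198.51.100.20 61001 typ srflx raddr 0.0.0.0 rport 0',
];
console.log(auditCandidates(SAMPLE, ['198.51.100.20']));
```

Note that a srflx candidate can disclose two addresses at once: the public one and, through raddr, the private base address behind it.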

The 5-vector coherence test

Modern anti-bots run a coherence check across five vectors that should tell the same geographic story:

  1. IP country — your proxy exit IP's country.
  2. Timezone, as reported by Intl.DateTimeFormat().resolvedOptions().timeZone.
  3. Accept-Language header — language preferences.
  4. WebRTC ICE candidate — the network the browser is actually on.
  5. DNS resolver location — which DNS server resolved the page domain.

A US proxy with Accept-Language ur-PK, timezone Asia/Karachi, and a Pakistani WebRTC candidate fails immediately. The proxy quality does not matter — the inconsistency itself is the signal. This is why "use a US datacenter proxy and call it a day" stopped working around 2021.

Mitigation by tool

Camoufox with geoip=True looks up the proxy exit IP, then sets timezone, locale, language, WebRTC ICE policy, and DNS to match. This single flag fixes the most common coherence failure mode in seconds.

Playwright / Puppeteer require manual configuration: set locale, timezone_id, Accept-Language, and disable WebRTC explicitly or route it via the proxy.

HTTP scraping (curl_cffi, tls-client) has no WebRTC at all, so the coherence test on this vector does not fire, which is part of why HTTP scraping outperforms browser scraping on many targets.

Self-test: browserleaks.com/webrtc reveals exactly what WebRTC exposes from your setup. Run your browser context against it before deploying.

Code example

python
from camoufox.sync_api import Camoufox

# geoip=True aligns IP, WebRTC, DNS, timezone, and Accept-Language
# with the proxy exit country — fixes the 5-vector coherence test.
with Camoufox(
    headless=True,
    geoip=True,
    proxy={
        "server": "http://us-residential:port",
        "username": "user",
        "password": "pass",
    },
) as browser:
    page = browser.new_page()
    page.goto("https://browserleaks.com/webrtc")
    print(page.content())  # confirm no leak to your real IP

Frequently asked questions

Does a VPN protect against WebRTC leaks?

It depends on the VPN — some force WebRTC traffic through the tunnel, many do not. For scraping use, do not rely on VPNs at all. Configure WebRTC at the browser layer (Camoufox geoip=True, or explicit Playwright settings) so behaviour is deterministic.

Can I just disable WebRTC entirely?

You can, but it is itself a signal. Real browsers have WebRTC enabled — disabling it is unusual and adds a different anomaly. Better to align WebRTC with your proxy than to disable it.

Why does the proxy not route WebRTC?

HTTP proxies route HTTP/HTTPS traffic only. WebRTC initiates UDP connections to STUN servers from the real network interface, bypassing the HTTP layer entirely. SOCKS5 proxies can carry UDP, but most consumer scraping proxies are HTTPS-only.

How do I test my own setup?

Visit browserleaks.com/webrtc with your scraper-mimicking browser context. The page lists all ICE candidates the browser would expose. If you see your real public IP or a local IP from a different country than your proxy exit, you have a leak.

Last updated: 2026-05-26