How PerimeterX (HUMAN) detects bots and scrapers (2026)

PerimeterX, now branded as HUMAN Security, is one of the more elaborate anti-bot WAFs on the market. It fronts high-value targets like Zillow, StockX, Realtor.com, Trulia, Lazada and Kickstarter, and is widely studied because its signature press and hold challenge measures input characteristics that aren't trivial to reproduce from scripted code.

This is a reference on how PerimeterX is structured, what it measures, and what each detection layer means for someone building automation.

Quick facts

  • Now branded: HUMAN Security
  • Signature challenge: "Press and hold" button
  • Cookies: _px3, _pxhd, _pxvid
  • Measures: input dynamics and sensor telemetry
  • Best approach: real browser plus human-like input

What PerimeterX is

PerimeterX sits inline between visitors and the origin site, deployed as an enforcer on the CDN, reverse proxy or web server. Every request is evaluated at that edge and assigned a per-request trust score built from IP reputation, sensor data collected in the browser, TLS handshake characteristics, and behavioural telemetry.

Low-trust requests surface as one of:

  • A silent 403 or 429 with x-px-block headers.
  • A press and hold human-verification challenge that measures touch pressure, mouse velocity, hold duration and micro-movements.
  • A full block page with a ref ID.

The scorer is intent-blind — any client that doesn't match a real browser profile is scored the same regardless of what it's trying to do.
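The press and hold challenge is easiest to understand from the telemetry side. The following is an added example, not PerimeterX's code and not captured telemetry: it extracts timing, movement and pressure features from three constructed pointer-event streams for a hold and decides whether the hold looks scripted. The event format, the features and the thresholds are assumptions chosen for illustration.

```python
import math
import random
import statistics

# Constructed pointer-event streams for a "press and hold" interaction, as
# tuples of (timestamp_ms, x, y, pressure). Synthetic, not real telemetry.

def scripted_hold():
    # page.mouse.down(); sleep(3000); page.mouse.up(): two events, no drift.
    return [(0, 400.0, 300.0, 0.5), (3000, 400.0, 300.0, 0.5)]

def scripted_hold_with_fake_jitter():
    # A naive "humanizer": one move every 100 ms, straight line, fixed pressure.
    return [(100 * i, 400.0 + i, 300.0, 0.5) for i in range(31)]

def human_hold(seed=7, pointer_type="mouse"):
    # Irregular sampling and sub-pixel drift; pressure only wobbles for pen/touch,
    # because a mouse reports a constant 0.5 under the Pointer Events spec.
    rng = random.Random(seed)
    t, x, y, p = 0.0, 400.0, 300.0, 0.4 if pointer_type != "mouse" else 0.5
    events = [(t, x, y, p)]
    while t < 2800:
        t += rng.uniform(8, 20)
        x += rng.gauss(0, 0.6)
        y += rng.gauss(0, 0.6)
        if pointer_type != "mouse":
            p = min(0.9, max(0.2, p + rng.gauss(0, 0.02)))
        events.append((t, x, y, p))
    return events

def hold_features(events):
    """Summarise a hold: duration, sample count, timing regularity, path length, pressure spread."""
    ts = [e[0] for e in events]
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    path = sum(math.hypot(b[1] - a[1], b[2] - a[2]) for a, b in zip(events, events[1:]))
    pressures = [e[3] for e in events]
    return {
        "duration_ms": ts[-1] - ts[0],
        "samples": len(events),
        "interval_sd": statistics.pstdev(intervals) if len(intervals) > 1 else 0.0,
        "path_px": path,
        "pressure_sd": statistics.pstdev(pressures) if len(pressures) > 1 else 0.0,
    }

def classify_hold(events, pointer_type="mouse", min_hold_ms=1500):
    """Return ("pass"|"fail", reasons). Thresholds are illustrative, not HUMAN's."""
    f = hold_features(events)
    reasons = []
    if f["duration_ms"] < min_hold_ms:
        reasons.append("released before the minimum hold time")
    if f["samples"] < 5:
        reasons.append("no intermediate pointer samples during the hold")
    if f["interval_sd"] == 0.0:
        reasons.append("perfectly regular event timing")
    if f["path_px"] == 0.0:
        reasons.append("zero micro-movement")
    # Pressure is only informative for devices that actually report it.
    if pointer_type in ("pen", "touch") and f["pressure_sd"] == 0.0:
        reasons.append("constant pressure for the whole hold")
    return ("pass" if not reasons else "fail"), reasons

if __name__ == "__main__":
    for name, ev, kind in [("scripted", scripted_hold(), "mouse"),
                           ("fake jitter", scripted_hold_with_fake_jitter(), "mouse"),
                           ("human mouse", human_hold(), "mouse"),
                           ("human pen", human_hold(pointer_type="pen"), "pen")]:
        print(name, classify_hold(ev, pointer_type=kind))
```

The second stream is the instructive one: adding synthetic moves defeats the "no movement" check but the metronomic 100 ms spacing is still a giveaway, which is why the page's advice is a real input stack rather than a hand-rolled humanizer. Note the pointer-type guard: a physical mouse legitimately reports constant pressure, so a pressure check applied blindly would challenge real users.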

The four signal categories

1. IP address reputation

  • Datacenter IPs (AWS, GCP, Azure, DigitalOcean, OVH…) — pre-scored low. Many cloud ranges are blanket-blocked on Zillow and StockX before any fingerprint check even runs.
  • Residential IPs — assigned by ISPs to home connections, treated as much higher trust.
  • Mobile IPs — carrier CGNAT pools shared by thousands of real subscribers at once, the highest baseline trust: blocking one address would hit many legitimate users, and addresses change hands constantly.

IP reputation dominates the first-request score, before the sensor has anything to report.

2. JavaScript sensor and the _px* cookie chain

This is the layer PerimeterX is best known for. Every protected page ships a heavily obfuscated sensor script that runs in the browser and collects hundreds of data points: canvas/WebGL fingerprints, audio context, installed fonts, screen metrics, timezone, language, plugin list, navigator.webdriver, the shape of window.chrome, mouse-movement entropy, and more. The value of the sensor is less in any single field than in consistency between fields: a Chrome user agent with no window.chrome, or a 1080p screen whose availHeight equals its height, is what gives a patched environment away.

The sensor POSTs an encrypted payload to PerimeterX's collector and the response sets the cookie chain:

  • _pxhd — long-lived device hash.
  • _pxvid — visitor ID.
  • _px3 — short-lived session token.

A missing or stale payload triggers the press and hold challenge, which itself collects timing and pressure data a scripted click can't easily generate.
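To make the sensor layer concrete, here is an added example, written for this page and not HUMAN's code (the real payload is encrypted and its schema is proprietary): a server-side scorer over decoded sensor payloads that looks for the inconsistencies listed above. The field names, the three constructed payloads and the point weights are all assumptions chosen for illustration.

```python
# Constructed sensor payloads. Field names and weights are assumptions made for
# this example, not PerimeterX's real (obfuscated, encrypted) sensor format.
REAL_CHROME = {
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "navigator_webdriver": False,
    "window_chrome": {"runtime": True, "loadTimes": True},
    "plugins": ["PDF Viewer", "Chrome PDF Viewer"],
    "languages": ["en-US", "en"],
    "timezone": "America/New_York",
    "screen": {"width": 1920, "height": 1080, "availHeight": 1040},
    "canvas_hash": "7c2b9e0f",
    "pointer_events": 37,
}

HEADLESS_CHROME = {
    "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) HeadlessChrome/124.0.0.0 Safari/537.36",
    "navigator_webdriver": True,
    "window_chrome": None,
    "plugins": [],
    "languages": [],
    "timezone": "UTC",
    "screen": {"width": 800, "height": 600, "availHeight": 600},
    "canvas_hash": "",
    "pointer_events": 0,
}

# A stealth-patched browser: webdriver and window.chrome fixed, the rest not.
PATCHED_BUT_IDLE = dict(REAL_CHROME, plugins=[], timezone="UTC",
                        screen={"width": 1920, "height": 1080, "availHeight": 1080},
                        canvas_hash="", pointer_events=0)

def score_sensor_payload(p):
    """Score a decoded payload: 100 is a clean browser, each inconsistency subtracts."""
    score, reasons = 100, []

    def hit(points, why):
        nonlocal score
        score -= points
        reasons.append(why)

    ua = p.get("ua", "")
    if p.get("navigator_webdriver"):
        hit(40, "navigator.webdriver is true")
    if "HeadlessChrome" in ua:
        hit(40, "HeadlessChrome user agent")
    if "Chrome/" in ua and not p.get("window_chrome"):
        hit(25, "Chrome user agent but window.chrome is absent")
    if not p.get("plugins"):
        hit(10, "empty plugin list")
    if not p.get("languages"):
        hit(15, "empty navigator.languages")
    if p.get("timezone") == "UTC":
        hit(5, "UTC timezone, typical of containers and datacenter hosts")
    screen = p.get("screen", {})
    if screen.get("availHeight") == screen.get("height"):
        hit(5, "availHeight equals height: no taskbar or dock on screen")
    if not p.get("canvas_hash"):
        hit(10, "no canvas fingerprint produced")
    if p.get("pointer_events", 0) == 0:
        hit(15, "no pointer activity before the sensor fired")
    return max(score, 0), reasons

def sensor_verdict(payload):
    """Map the score to the three outcomes the page describes."""
    score, reasons = score_sensor_payload(payload)
    if score >= 70:
        return "allow", score, reasons
    if score >= 40:
        return "challenge", score, reasons
    return "block", score, reasons

if __name__ == "__main__":
    for name, p in [("real", REAL_CHROME), ("headless", HEADLESS_CHROME), ("patched", PATCHED_BUT_IDLE)]:
        print(name, sensor_verdict(p))
```

The third payload is the interesting case: the two properties stealth plugins are famous for patching are clean, yet the accumulation of small tells (no plugins, UTC, no OS chrome on the screen, no canvas, no pointer activity) still lands it in the challenge band. That is the mechanism behind "improving one signal rarely moves the score on its own".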

3. HTTP and TLS fingerprinting

Before it sees any application data, PerimeterX fingerprints the client from the TLS ClientHello (JA3, and JA4 now that Chrome randomises its extension order per connection) and from its HTTP/2 behaviour.

  • Most scraping libraries still default to HTTP/1.1. Real Chrome and Firefox haven't in years.
  • libcurl with its default OpenSSL build and Go's crypto/tls send ClientHellos, and therefore JA3/JA4 values, that match no real browser, even when they go on to negotiate HTTP/2: the TLS layer is fingerprinted on its own.
  • HTTP/2 fingerprinting tracks pseudo-header order, SETTINGS frame values, the initial WINDOW_UPDATE increment and PRIORITY frames, the passive fingerprint Akamai first documented.
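How a ClientHello turns into a JA3 value, as an added example that is not HUMAN's implementation: the parser below walks a TLS handshake record, drops GREASE values, and assembles the JA3 string and its MD5. The two ClientHello records are constructed inline with illustrative cipher and extension lists; they are not captures of real Chrome or of a real HTTP library.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random per connection and excluded from JA3.
GREASE = {(g << 8) | g for g in range(0x0a, 0x100, 0x10)}

def _u16_list(data):
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, len(data) - 1, 2)]

def ja3_from_client_hello(record):
    """Parse a TLS ClientHello record and return (ja3_string, ja3_md5)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                     # legacy_version, then the 32-byte random
    pos += 1 + body[pos]              # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16_list(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]              # compression methods (length-prefixed)
    ext_types, groups, point_formats = [], [], []
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:           # supported_groups: u16 length + u16 ids
                n = struct.unpack("!H", edata[:2])[0]
                groups = [g for g in _u16_list(edata[2:2 + n]) if g not in GREASE]
            elif etype == 11:         # ec_point_formats: u8 length + u8 ids
                point_formats = list(edata[1:1 + edata[0]])
    ja3 = ",".join([
        str(version),
        "-".join(map(str, ciphers)),
        "-".join(map(str, ext_types)),
        "-".join(map(str, groups)),
        "-".join(map(str, point_formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_client_hello(cipher_suites, extensions):
    """Assemble a ClientHello record (constructed sample input, not a capture)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, no session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                     # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Chrome-style hello: GREASE in ciphers, extensions and groups; TLS 1.3 suites first.
CHROME_STYLE = build_client_hello(
    [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f],
    [
        (0x0a0a, b""),                                      # GREASE extension
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),            # server_name
        (10, b"\x00\x08\x0a\x0a\x00\x1d\x00\x17\x00\x18"),  # supported_groups
        (11, b"\x01\x00"),                                  # ec_point_formats
        (43, b"\x06\x0a\x0a\x03\x04\x03\x03"),              # supported_versions
        (35, b""),                                          # session_ticket
        (23, b""),                                          # extended_master_secret
    ])

# OpenSSL-style hello from a scripting HTTP client: no GREASE, other suites and order.
LIBRARY_STYLE = build_client_hello(
    [0xc02c, 0xc030, 0x009f, 0xcca9],
    [
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),
        (11, b"\x01\x00"),
        (10, b"\x00\x04\x00\x1d\x00\x17"),
        (35, b""),
        (22, b""),                                          # encrypt_then_mac
        (23, b""),
    ])

if __name__ == "__main__":
    print("chrome-style ", ja3_from_client_hello(CHROME_STYLE))
    print("library-style", ja3_from_client_hello(LIBRARY_STYLE))
```

Nothing in the HTTP layer can change either value: it is fixed by the time the handshake completes, which is why a browser-impersonating TLS stack is the first thing the tooling list below reaches for. The MD5 only matters as a lookup key; the string is what you compare against a browser's known profile.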

4. Behavioural and pattern analysis

PerimeterX runs continuous ML pattern analysis on connection history:

  • Missing real-browser headers (Sec-Fetch-*, Accept-Language, sec-ch-ua).
  • The _px* cookies missing or sent from a different IP than the one that minted them.
  • Honeypot link hits.
  • Bursty timing.
  • Identical sensor payloads reused across pages.
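One way the cookie-to-IP binding and the header checks in this list can be implemented, as an added example; HUMAN's real token format is proprietary, and the _px3 layout, signing key, header list and the three constructed requests here are assumptions for illustration.

```python
import hashlib
import hmac

SIGNING_KEY = b"demo-enforcer-key"   # assumption: a server-side secret never sent to clients

def mint_px3(visitor_id, client_ip, issued_at, ttl=600):
    """Issue a short-lived token bound to the IP that earned it (assumed format)."""
    exp = issued_at + ttl
    sig = hmac.new(SIGNING_KEY, f"{visitor_id}|{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{visitor_id}:{exp}:{sig}"

def verify_px3(token, client_ip, now):
    """Recompute the MAC with the presenting IP; a cookie moved to another IP no longer verifies."""
    try:
        visitor_id, exp_s, sig = token.split(":")
        exp = int(exp_s)
    except (ValueError, AttributeError):
        return False, "malformed token"
    if now > exp:
        return False, "expired token"
    expected = hmac.new(SIGNING_KEY, f"{visitor_id}|{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "token was minted for a different IP or forged"
    return True, visitor_id

# Headers a real Chrome navigation always carries; their absence under a Chrome UA is a tell.
CHROME_ONLY_HEADERS = ("sec-fetch-site", "sec-fetch-mode", "sec-fetch-dest", "sec-ch-ua", "accept-language")

def request_verdict(req, now):
    """Return (verdict, reasons) for a constructed request dict {ip, headers, cookies}."""
    reasons = []
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if "Chrome/" in headers.get("user-agent", ""):
        missing = [h for h in CHROME_ONLY_HEADERS if h not in headers]
        if missing:
            reasons.append("Chrome user agent without " + ", ".join(missing))
    token = req.get("cookies", {}).get("_px3")
    if token is None:
        reasons.append("no _px3 cookie: sensor never ran for this client")
    else:
        ok, detail = verify_px3(token, req["ip"], now)
        if not ok:
            reasons.append("_px3 rejected: " + detail)
    return ("allow" if not reasons else "challenge"), reasons

# Constructed requests. NOW is a fixed clock so the example is reproducible.
NOW = 1_700_000_000
CHROME_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "Accept-Language": "en-US,en;q=0.9",
    "sec-ch-ua": '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"',
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "document",
}
TOKEN = mint_px3("vid-4f2a", "203.0.113.10", issued_at=NOW)
GOOD_REQUEST = {"ip": "203.0.113.10", "headers": CHROME_HEADERS, "cookies": {"_px3": TOKEN}}
# Same cookie jar, but the next request went out through a different proxy exit.
REPLAYED_FROM_PROXY = {"ip": "198.51.100.7", "headers": CHROME_HEADERS, "cookies": {"_px3": TOKEN}}
# A plain HTTP client that copied the UA string and nothing else.
BARE_HTTP_CLIENT = {"ip": "203.0.113.10",
                    "headers": {"User-Agent": CHROME_HEADERS["User-Agent"], "Accept": "*/*"},
                    "cookies": {}}

if __name__ == "__main__":
    for name, r in [("good", GOOD_REQUEST), ("replayed", REPLAYED_FROM_PROXY), ("bare", BARE_HTTP_CLIENT)]:
        print(name, request_verdict(r, NOW))
```

The replayed case is the one that bites rotating-proxy setups: the cookie is genuine, but it was minted for another IP, so every rotation throws away the trust the sensor earned. That is the concrete reason the page recommends holding one session on one exit rather than minting fresh on each request.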

What this means for developers

The four signals are evaluated together, so improving one rarely moves the score on its own. The general categories of tooling that show up in real-world workflows:

  • HTTP clients with browser-impersonating TLS: curl_cffi, curl-impersonate, tls-client. They match the handshake but can't run the sensor.
  • Stealth-patched browsers: patchright, Camoufox, and Playwright with stealth plugins, which run the sensor in a real browser context.
  • Managed scraping APIs: services like Scrappey that combine proxies, patched browsers and session persistence behind one endpoint.

A minimal example through a managed API, kept here for shape:

import os
import requests

# The provider runs the browser, proxies and session store; the client only
# submits a job and reads back the rendered response.
response = requests.post(
    'https://publisher.scrappey.com/api/v1',
    json={
        'cmd': 'request.get',
        'url': 'https://example.com/listings',
        # One named session per scrape so the _px* cookies and accumulated
        # behavioural state stay warm instead of being minted per request.
        'session': 'px-session-1'
    },
    headers={'Authorization': 'Bearer ' + os.environ['SCRAPPEY_API_KEY']},
    timeout=120,
)
response.raise_for_status()
print(response.json()['solution']['response'])

Session reuse is particularly load-bearing on PerimeterX: the _px* cookies and accumulated behavioural state are much harder to mint fresh on every request than to keep warm across one.

Sites commonly fronted by PerimeterX

Real-estate, marketplaces, ticketing and sneaker resale dominate: Zillow.com, Stockx.com, Realtor.com, Trulia.com, Lazada and Kickstarter.com. Many of these sites rotate between PerimeterX, Cloudflare, Akamai and DataDome depending on traffic conditions.

Summary

PerimeterX produces a continuous trust score from IP reputation, the _px* JS sensor and its cookie chain, TLS/HTTP/2 fingerprints, and behavioural patterns over time. The press and hold challenge is the most visible failure mode but is downstream of the sensor — by the time it fires, the score has already dropped. As with any modern WAF, detection logic updates on a rolling basis.

Frequently asked questions

What is the PerimeterX press-and-hold challenge?

A button you must hold while it measures pointer pressure, micro-movement, and timing — signals that are hard to fake convincingly without a real input device and browser.

Which sites use PerimeterX/HUMAN?

High-value targets like Zillow, StockX, Realtor.com, Trulia, and Kickstarter. Many rotate between vendors, so the same site may show different challenges.

Can an HTTP client pass PerimeterX?

Rarely on protected paths — the _px tokens are minted by client-side JavaScript and sensor collection. Executing that in a real browser context is the reliable route.

Last updated: 2026-05-28