Stealth & Anti-Detection

How Banata stealth mode makes your browser sessions appear as regular user browsers to bot detection systems.

When you create a browser session with stealth: true, the platform applies comprehensive anti-detection measures to make the browser appear as a regular user's browser. Stealth mode is available on Builder plans and above.


Enabling Stealth

Pass stealth: true when creating a session:

bash
curl -X POST "https://api.boxes.banata.dev/v1/browsers" \
  -H "Authorization: Bearer br_live_..." \
  -H "Content-Type: application/json" \
  -d '{"stealth": true}'

Stealth is off by default. If you are on the Free plan and try to enable it, the API returns:

json
{
  "error": "Stealth mode is not available on the Free plan. Upgrade to Builder or higher to enable anti-detection.",
  "code": "PLAN_FEATURE_UNAVAILABLE",
  "requiredPlan": "builder"
}

What Gets Spoofed

Every stealth session generates a coherent, realistic browser fingerprint. All values within a single session are internally consistent — a macOS user agent gets macOS platform strings, Apple GPU renderers, and matching hardware values.

Category | What's Covered
User Agent | navigator.userAgent, navigator.userAgentData (Client Hints)
Platform | navigator.platform, navigator.oscpu
Hardware | navigator.hardwareConcurrency, navigator.deviceMemory
Locale & Timezone | navigator.language, navigator.languages, Intl.DateTimeFormat timezone
WebGL | Vendor and renderer strings via WEBGL_debug_renderer_info
Chrome Object | window.chrome.runtime, window.chrome.loadTimes
Plugins | navigator.plugins array with realistic entries
Permissions | Notification.permission and related APIs
Screen | Resolution and color depth consistent with the user agent

The fingerprint, including a matching viewport, is returned in the session response:

json
{
  "fingerprint": {
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) ...",
    "viewport": { "width": 1440, "height": 900 },
    "locale": "en-US",
    "timezone": "America/New_York"
  }
}
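
What "internally consistent" means from the detection side, as an added example that is not Banata's code or validation suite: a check that compares the OS family implied by each signal in the table above and flags disagreements. The rule table, function names, and sample values are simplified assumptions constructed for illustration.

```javascript
// Added example: simplified cross-signal coherence check (rules are assumptions).
// Each rule maps a pattern in one signal to the OS family that signal implies.
const OS_RULES = {
  userAgent: [[/Macintosh|Mac OS X/, "mac"], [/Windows NT/, "windows"], [/Linux|X11/, "linux"]],
  platform: [[/^Mac/, "mac"], [/^Win/, "windows"], [/^Linux/, "linux"]],
  uaDataPlatform: [[/^macOS$/, "mac"], [/^Windows$/, "windows"], [/^Linux$/, "linux"]],
  // One-directional: an Apple GPU implies macOS, but a Mac may report another vendor.
  webglRenderer: [[/Apple/, "mac"], [/Direct3D/, "windows"]],
};

// Returns "mac" | "windows" | "linux", or null when the signal is absent or inconclusive.
function impliedOs(field, value) {
  const hit = OS_RULES[field].find(([re]) => re.test(String(value || "")));
  return hit ? hit[1] : null;
}

// signals: plain object collected from the APIs in the table above.
function checkCoherence(signals) {
  const findings = [];
  const uaOs = impliedOs("userAgent", signals.userAgent);
  for (const field of ["platform", "uaDataPlatform", "webglRenderer"]) {
    const os = impliedOs(field, signals[field]);
    if (uaOs && os && os !== uaOs) {
      findings.push(`${field} implies ${os} but userAgent implies ${uaOs}`);
    }
  }
  // navigator.language is defined as the first entry of navigator.languages.
  if (Array.isArray(signals.languages) && signals.languages[0] !== signals.language) {
    findings.push("language does not match languages[0]");
  }
  return findings;
}

// Constructed samples, not captured from any real session.
const COHERENT = {
  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
  platform: "MacIntel", uaDataPlatform: "macOS",
  webglRenderer: "ANGLE (Apple, Apple M1, OpenGL 4.1)",
  language: "en-US", languages: ["en-US", "en"],
};
const INCOHERENT = {
  ...COHERENT,
  platform: "Win32",
  webglRenderer: "ANGLE (NVIDIA, NVIDIA GeForce GTX 1060 Direct3D11 vs_5_0 ps_5_0, D3D11)",
  languages: ["de-DE", "de"],
};

console.log(checkCoherence(COHERENT));
console.log(checkCoherence(INCOHERENT));
```

Signals that imply no OS, such as a missing field or an unrecognized renderer string, are skipped rather than flagged, so the check reports only positive disagreements.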

What's Detected and Evaded

Stealth mode specifically addresses these common bot detection vectors:

  • WebDriver flag — navigator.webdriver is properly hidden
  • Chrome runtime — window.chrome object is present and correctly structured
  • Headless indicators — All known headless Chrome artifacts are removed
  • Plugin enumeration — Realistic plugin and MIME type arrays
  • Permission API consistency — Permissions match what a real browser would report
  • WebGL fingerprint — Renderer strings correspond to real GPU models
  • User agent consistency — UA string matches across all APIs (navigator, HTTP headers, Client Hints)
  • CDP artifacts — Protocol-level indicators are suppressed
  • iframe behavior — Consistent behavior in cross-origin frames
  • Font fingerprinting — Standard font list matches the spoofed platform

Detection Coverage

The stealth system passes 34 out of 34 checks in our validation suite, covering the most common detection techniques used by anti-bot services.

What this means in practice

Stealth mode handles the detection techniques used by the majority of websites and provides strong coverage against common anti-bot services.

That said, the most advanced detection systems combine browser fingerprinting with:

  • Behavioral analysis (mouse movement patterns, typing cadence)
  • Network reputation scoring
  • Account-level risk signals
  • JavaScript challenge telemetry

No browser-level spoofing can address all of these signals. For the best results with heavily protected sites, combine stealth sessions with:

  • Realistic browsing patterns — Add appropriate delays between actions, scroll naturally, and avoid perfectly timed clicks.
  • Residential proxies — Use the rotating-residential or static-residential egress profiles (Scale plan) or bring your own residential proxy.
  • Profile persistence — Reuse browser profiles with established cookies and history using the profileKey option.

Stealth and CDP Connection Timing

When stealth is enabled, all anti-detection measures are fully applied before your CDP commands are processed. If you connect to the cdpUrl immediately after the session reaches ready, your commands are queued and replayed once the browser is fully prepared.

This means you do not need to add any delays or checks — just connect and start working. Anti-detection is also automatically reapplied on every page navigation within the session.


When to Disable Stealth

Set stealth: false (or omit it, since it defaults to false) when:

  • You are automating your own applications for testing
  • You are scraping sites that do not use bot detection
  • You want the fastest possible session startup time
