DataDome is one of the most aggressive bot-detection layers in production. this guide covers how it works, where it trips up, and the practical rotation and fingerprint stack that gets you through it reliably.
what is DataDome and why it is hard to bypass
DataDome is a real-time bot-management service used by Leboncoin, Rakuten, Foot Locker, and hundreds of others. it operates as a reverse proxy that inspects every request before it reaches the origin server. the decision to block happens in under 2ms, which means it runs lightweight heuristics, not deep ML on every hit.
the core signal stack: TLS fingerprint (JA3/JA4), HTTP/2 frame ordering, browser canvas and WebGL hash, mouse/keyboard event patterns, and the integrity of the datadome cookie value. miss any one layer and you get a 403 with a CAPTCHA interstitial or a silent redirect to a honeypot page.
the datadome cookie
every successful browser session produces a datadome cookie scoped to the domain. this cookie encodes a signed payload that DataDome’s edge validates on subsequent requests. you cannot forge it client-side; it is generated server-side after their JS challenge passes.
the cookie has a ~1 hour TTL and is IP-bound in some configurations. rotating IPs mid-session without refreshing the cookie is the most common failure mode operators hit. always re-run the challenge flow on each new IP.
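the same binding seen from the site operator's side, as an added example that is not from the original guide and is not DataDome's own logic: it audits access-log records for a datadome cookie value that shows up from a second IP, with a different JA3, or past the ~1 hour TTL. the record layout, the sample values, and the use of "first seen in the log" as the issue time are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

COOKIE_TTL = timedelta(hours=1)  # the ~1 hour TTL stated above

# Constructed sample records (not real traffic):
# (ISO timestamp, client IP, JA3 label, datadome cookie value)
SAMPLE_LOG = [
    ("2024-05-01T10:00:00", "203.0.113.10", "ja3-browser-A", "cookie-1"),
    ("2024-05-01T10:00:20", "203.0.113.10", "ja3-browser-A", "cookie-1"),
    ("2024-05-01T10:05:00", "198.51.100.7", "ja3-client-B", "cookie-1"),
    ("2024-05-01T10:01:00", "192.0.2.44", "ja3-browser-A", "cookie-2"),
    ("2024-05-01T11:30:00", "192.0.2.44", "ja3-browser-A", "cookie-2"),
    ("2024-05-01T10:02:00", "192.0.2.80", "ja3-browser-A", "cookie-3"),
]


def audit_cookie_binding(records, ttl=COOKIE_TTL):
    """Return {cookie: sorted findings} for cookies whose later use does not
    match the IP/JA3 of first sight, or that are replayed after the TTL."""
    first_seen = {}               # cookie -> (time, ip, ja3) at first sight
    findings = defaultdict(set)
    # ISO-8601 timestamps sort chronologically as plain strings.
    for ts, ip, ja3, cookie in sorted(records):
        when = datetime.fromisoformat(ts)
        if cookie not in first_seen:
            first_seen[cookie] = (when, ip, ja3)
            continue
        t0, ip0, ja3_0 = first_seen[cookie]
        if ip != ip0:
            findings[cookie].add("ip_changed")
        if ja3 != ja3_0:
            findings[cookie].add("ja3_changed")
        if when - t0 > ttl:
            findings[cookie].add("used_past_ttl")
    return {c: sorted(f) for c, f in findings.items()}


if __name__ == "__main__":
    for cookie, flags in audit_cookie_binding(SAMPLE_LOG).items():
        print(cookie, flags)
```
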
tls and http/2 fingerprinting
DataDome checks your JA3 hash on every TLS handshake. Python’s requests library produces a well-known JA3 that has been on blocklists for years. you need a client that mimics a real browser cipher suite ordering.
the best open-source option right now is curl-cffi (v0.6+), which wraps libcurl-impersonate and lets you impersonate Chrome 120 at the TLS level:

    from curl_cffi import requests as cffi_requests

    session = cffi_requests.Session(impersonate="chrome120")
    resp = session.get("https://target.com/api/products", headers={
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36",
        "Accept-Language": "en-US,en;q=0.9",
    })
    print(resp.status_code, len(resp.text))

proxy rotation strategy
DataDome maintains IP reputation scores. datacenter IPs (AWS, GCP, DigitalOcean ranges) are heavily penalized. residential and mobile proxies score much better because they share IP space with real users.
for production scraping against DataDome targets, use mobile rotating proxies with per-request rotation disabled. stick to one IP for 3-5 requests, then rotate. aggressive per-request rotation triggers velocity anomalies. see SOCKS5 vs HTTP proxy for the protocol tradeoffs when routing through residential pools.
solving the js challenge
option 1: playwright stealth
use rebrowser-patches to patch Playwright’s headless Chromium. these patches fix the known navigator.webdriver leak, the chrome.runtime absence, and canvas noise patterns that DataDome’s injected script checks.

    from playwright.sync_api import sync_playwright
    from rebrowser_patches import patch_playwright

    patch_playwright()
    with sync_playwright() as p:
        browser = p.chromium.launch(headless=True, args=["--disable-blink-features=AutomationControlled"])
        context = browser.new_context(user_agent="Mozilla/5.0...", viewport={"width": 1920, "height": 1080})
        page = context.new_page()
        page.goto("https://target.com")
        cookie = {c["name"]: c["value"] for c in context.cookies() if "datadome" in c["name"]}
        print(cookie)

option 2: capsolver datadome task
Capsolver offers a DataDomeCaptchaTask type. you send the challenge URL, user-agent, and proxy; they return a solved datadome cookie. cost is roughly $1.50-2.00 per 1,000 solves. use this for high-value targets where browser automation is too slow.
option 3: session harvesting
run a small pool of persistent browser sessions on residential IPs. harvest the datadome cookie from each, then inject into curl-cffi sessions for bulk requests. refresh sessions every 45 minutes. this trades compute for throughput.
monitoring for blocks
DataDome returns HTTP 403 with an X-DD-B response header when blocking. check for this header in your error handler rather than relying on status codes alone. log the X-DD-Debug header value when present; it tells you which signal triggered the block.