CloakBrowser: An Anti-Detection Browser Built from Chromium’s Core
Bypassing increasingly sophisticated anti-bot systems is a core challenge in web automation and data collection. Traditional solutions, like JavaScript injection using libraries such as undetected-chromedriver, often break with Chrome updates and the injection itself can be detected. Meanwhile, commercial anti-detection browsers come at a high cost. A new open-source project, CloakBrowser, offers a third approach: directly modifying Chromium’s C++ source code to compile anti-detection capabilities into the browser binary itself.
Rebuilding from the Ground Up: A New Anti-Detection Philosophy
CloakBrowser’s core idea is to solve the problem at its source. It avoids dynamically modifying features like navigator.webdriver via JavaScript at runtime, as these “reactive” strategies are easily defeated by advanced anti-bot scripts that check for DOM changes or inconsistencies in the JS execution environment.
Instead, CloakBrowser directly modifies Chromium’s C++ source code. This means that when the browser launches, the various device fingerprints and environmental parameters it exposes to web pages are already spoofed to mimic a regular user’s state at a low level. This “native” camouflage makes it difficult for anti-bot systems to find traces of automation tools.
The project provides an API that is fully compatible with the popular automation framework Playwright. Developers can migrate existing projects seamlessly by simply changing their import statement from playwright.sync_api to cloakbrowser, without needing to learn a new API or refactor business logic. The tool can be installed via pip (Python) and npm (Node.js), and it automatically downloads a pre-compiled, customized Chromium browser (around 200MB) on its first run.
Deep Dive into the Core: 49 Chromium Source-Level Patches
As of v0.3.26, CloakBrowser applies 49 distinct C++ patches to the Chromium 146 source code, creating a multi-layered defense system. These patches cover common browser fingerprinting vectors, including:

- Graphics Rendering Fingerprint: Modifies the behavior of Canvas and WebGL APIs to prevent websites from identifying specific devices through minute differences in GPU rendering.
- Audio Fingerprint: Spoofs hardware information related to AudioContext to avoid exposing device uniqueness through audio processing capabilities.
- Client Environment: Hides the list of actual system-installed fonts and ensures that key automation flags like
navigator.webdriver return false directly at the C++ level.
- Network Characteristics: Camouflages ICE candidate addresses in WebRTC connections to prevent leaking the real IP address, and also processes network timing features like DNS queries and SSL handshakes to remove traces left by proxy networks.
- Automation Protocol Detection: Modifies code related to the Chrome DevTools Protocol (CDP), making it impossible for web scripts to detect that the browser is being controlled by an automation tool.
Proven Effectiveness: Passing Major Fingerprinting Services
According to the project’s test data, CloakBrowser performs exceptionally well against major anti-bot systems. A comparison on third-party detection services shows:
| Detection Service | Standard Playwright | CloakBrowser |
| reCAPTCHA v3 | 0.1 (Bot) | 0.9 (Human) |
| Cloudflare Turnstile | Blocked | Passed |
| FingerprintJS | Detected as Bot | Passed |
| BrowserScan | Detected as Bot | Normal (4/4) |
Achieving a score of 0.9 (out of 1.0) on Google’s reCAPTCHA v3 test is particularly significant. It indicates that its server-side comprehensive evaluation model recognizes the browser session as having a high degree of human trustworthiness. This performance far exceeds the 0.1 score of standard Playwright, proving the effectiveness of its low-level spoofing strategy.
Behavior Simulation: From Fingerprint Spoofing to Human-like Interaction
Modern anti-bot systems don’t just check static fingerprints; they also analyze user behavior patterns. To counter this, CloakBrowser offers a humanize=True mode, which automatically converts standard Playwright actions (like clicks, typing, and scrolling) into more human-like interactions.
- Mouse Movement: Uses Bézier curves to generate smooth, non-linear mouse trajectories.
- Keyboard Input: Simulates realistic typing speeds by introducing random delays and “thinking pauses” between character inputs.
- Page Scrolling: Scrolls the page at a non-uniform speed, mimicking how humans browse long content.
With this mode enabled, the interactive behavior of automation scripts becomes much harder to distinguish from human actions during dynamic analysis, further increasing the success rate.
Ecosystem and Open Source: A Browser Profile Management Solution
In addition to being an automation library, the CloakBrowser project also provides an open-source Browser Profile Manager, designed to compete with commercial tools like Multilogin and GoLogin. Users can launch a web service with a single Docker command to create and manage browser profiles with independent fingerprints, proxies, and cookies, and can also perform manual operations remotely through an integrated noVNC client.
The project is open-sourced on GitHub under CloakHQ/CloakBrowser, is licensed under the MIT License, and has currently garnered over 10.8k stars while being actively maintained. This model, which combines low-level technology, ease of use, and an open-source ecosystem, provides developers with a powerful and free anti-detection solution.