Cloudflare can detect and block automated traffic even when you're using real browsers like Chromium through Puppeteer. This is because it doesn’t just check for JavaScript execution—it also evaluates fingerprinting signals, behavioral patterns, and IP reputation.
Try using puppeteer-extra-plugin-stealth, which masks some of Puppeteer’s detectable behaviors. This helps in many cases but isn’t foolproof against more aggressive Cloudflare configurations.
Run Chrome in headful mode (not headless), mimic human-like interactions (e.g., delay typing, random scrolls), and avoid triggering rate limits. Still, this might not get past high-security pages.
Your IP plays a big role. Using datacenter IPs often leads to immediate blocks. Rotating through residential or ISP proxies with a good reputation can help avoid detection.
If you're hitting a wall with Puppeteer and spending too much time on anti-bot workarounds, Bright Data’s Scraping Browser might be worth exploring. It’s fully compatible with Puppeteer and Playwright, but it runs in an environment optimized for scraping—handling the fingerprinting, session management, and IP rotation for you. You just write your Puppeteer scripts like usual.
Cloudflare is tough with Puppeteer alone. You can tweak your setup with stealth plugins and proxies, but for high-reliability scraping, a tool like the Scraping Browser gives you the same Puppeteer interface without the blocks.