Patchright vs Playwright-Stealth: The Definitive Technical Showdown for Bot Detection Evasion
Patchright vs playwright-stealth is a question that every automation engineer, scraping developer, and anti-detect practitioner eventually confronts. Both tools promise to make Playwright-based browser sessions invisible to modern bot detection systems like Cloudflare Turnstile, DataDome, PerimeterX, and Akamai Bot Manager. But they take fundamentally different technical approaches — and those differences have massive implications for detection pass rates, long-term maintenance, and production reliability.
In this comprehensive guide, we’ll break down exactly how Patchright and playwright-stealth work under the hood, compare their detection evasion capabilities across real-world tests, weigh their maintenance burdens and community ecosystems, and ultimately reveal why neither solution may be the right long-term bet for serious operations. If you’ve been wrestling with automated browser detection, this is the analysis you need before committing to a stack.
Understanding the Two Approaches
What Is Playwright-Stealth?
Playwright-stealth (also known as playwright-extra with the stealth plugin, or playwright-stealth as a standalone Python package) takes the plugin-based approach to stealth. It wraps around a standard Playwright installation and injects JavaScript patches at runtime to hide common automation fingerprints.
The core idea is simple: Playwright exposes certain detectable artifacts — like the navigator.webdriver property being set to true, missing Chrome plugins, altered window.chrome objects, and inconsistent WebGL renderer strings. Playwright-stealth intercepts page creation and runs evasion scripts before any page content loads, overriding these telltale signals.
Common evasion modules in playwright-stealth include:
- navigator.webdriver override — Sets navigator.webdriver to undefined or false
- chrome.runtime injection — Fakes the window.chrome.runtime object
- Plugin array spoofing — Adds realistic browser plugin entries
- WebGL vendor/renderer masking — Overwrites GPU identification strings
- navigator.languages fix — Ensures consistent language headers
- iframe contentWindow patch — Prevents cross-frame detection leaks
- Media codecs spoofing — Reports expected codec support
What Is Patchright?
Patchright takes a radically different approach. Instead of applying runtime JavaScript patches on top of Playwright, Patchright is a fork of Playwright itself that modifies the Chromium browser binary and the Playwright framework code at the source level. This means the stealth modifications are baked directly into the browser and framework — not bolted on afterward.
The key patches Patchright applies include:
- Runtime.enable leak removal — Prevents Chromium from exposing CDP (Chrome DevTools Protocol) artifacts that detection scripts probe
- Webdriver flag elimination — The navigator.webdriver flag is never set in the first place, not merely overridden after the fact
- CDP detection prevention — Modifies how Chromium handles DevTools protocol connections so detection scripts can’t identify them
- Automation extension removal — Strips out Chromium’s built-in automation extension signals
- Console.enable leak fix — Patches the console object to not reveal automation bindings
Because these changes happen at the binary and framework level, they can’t be detected by JavaScript-level probing — a critical advantage we’ll explore in detail below.
Architecture Comparison: Plugin vs Patch
| Dimension | Playwright-Stealth (Plugin) | Patchright (Patched Fork) |
|---|---|---|
| Modification Layer | JavaScript injection at page load | Source-level browser + framework patches |
| When Patches Apply | After browser launches, before page loads | At compile/build time — always present |
| Detection Surface | JS overrides can be detected via prototype checks | Native behavior — no override artifacts |
| Installation | pip install playwright-stealth + standard Playwright | pip install patchright (replaces Playwright) |
| API Compatibility | 100% Playwright API | 99%+ Playwright API (drop-in replacement) |
| Browser Engine | Standard Chromium/Firefox/WebKit | Patched Chromium only |
| Update Cadence | Independent of Playwright releases | Must track Playwright upstream releases |
| Fingerprint Depth | Surface-level JS property masking | Deep binary-level modification |
The architectural difference is not just academic — it directly impacts how effectively each tool evades modern detection systems. Detection engines like Cloudflare’s bot management don’t just check navigator.webdriver. They run sophisticated JavaScript challenges that probe prototype chains, test timing characteristics of property accesses, and look for the specific signatures that runtime patching leaves behind.
Detection Evasion: Real-World Pass Rates
How Modern Detection Works
Before comparing pass rates, it’s essential to understand what both tools are up against. Modern bot detection systems employ multiple layers, and understanding these layers reveals why the patchright vs playwright-stealth comparison matters so much.
Tier 1 detection involves simple property checks — does navigator.webdriver return true? Both tools handle this easily. Tier 2 detection probes deeper: it checks whether JavaScript property overrides leave artifacts, tests the prototype chain of navigator objects, and examines whether getter functions behave natively. Tier 3 detection uses behavioral analysis, TLS fingerprinting, and cross-signal consistency checks that neither tool fully addresses on its own.
Playwright-Stealth Detection Results
Playwright-stealth passes basic detection checks reliably but struggles with advanced systems. The fundamental weakness is that JavaScript overrides are inherently detectable. Detection scripts can check whether a property descriptor has been modified, whether getter functions are native code, and whether the prototype chain is intact. Approximate pass rates by detection system:
- Cloudflare standard challenges: ~70-80% pass rate
- Cloudflare Turnstile: ~40-55% pass rate (inconsistent)
- DataDome: ~30-50% pass rate
- PerimeterX/HUMAN: ~25-40% pass rate
- Akamai Bot Manager: ~35-50% pass rate
- CreepJS fingerprint tests: Partial pass with visible override artifacts
The reason for these middling results is clear: sophisticated detection scripts can identify the JavaScript injection approach itself. When Object.getOwnPropertyDescriptor(navigator, 'webdriver') returns a modified descriptor, the game is up.
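The descriptor, native-code and prototype-chain checks described above, written from the detection side as an added example (not code from either project or from any detection vendor). `auditAccessor` and its finding names are hypothetical, and a `Map` instance stands in for `navigator` so the block runs in Node: `size` is a native accessor on `Map.prototype`, just as `webdriver` is a native accessor on `Navigator.prototype` in Chromium.

```javascript
// Added example: audit one accessor property for signs of a runtime override.

// Matches how the engine prints a native zero-argument function.
const NATIVE_RE = /^function [\w$ ]*\(\)\s*\{\s*\[native code\]\s*\}$/;

// Call the original Function.prototype.toString directly, so a getter that
// carries its own toString() override cannot describe itself as native.
const fnToString = Function.prototype.toString;

function looksNative(fn) {
  return typeof fn === 'function' && NATIVE_RE.test(fnToString.call(fn));
}

function auditAccessor(obj, prop) {
  const findings = [];

  // 1. A native accessor lives on the prototype. An own property on the
  //    instance means something shadowed it after the object was created.
  if (Object.getOwnPropertyDescriptor(obj, prop) !== undefined) {
    findings.push('own-property-shadow');
  }

  // 2. Walk the prototype chain to the first object that defines the property.
  let owner = Object.getPrototypeOf(obj);
  while (owner && !Object.prototype.hasOwnProperty.call(owner, prop)) {
    owner = Object.getPrototypeOf(owner);
  }
  if (!owner) {
    findings.push('missing-from-prototype');
    return findings;
  }

  // 3. Expected shape: an accessor descriptor with a getter and no data value.
  const desc = Object.getOwnPropertyDescriptor(owner, prop);
  if (typeof desc.get !== 'function' || 'value' in desc) {
    findings.push('not-an-accessor');
    return findings;
  }

  // 4. The getter must print as native code and keep the engine-assigned name.
  //    Bound functions also print as native, so the name is checked as well.
  if (!looksNative(desc.get)) findings.push('getter-not-native');
  if (desc.get.name !== `get ${prop}`) findings.push('getter-name-mismatch');
  return findings;
}

// Constructed objects: one untouched, one overridden on the instance,
// one overridden on a prototype in the chain.
function demo() {
  const clean = new Map();

  const shadowed = new Map();
  Object.defineProperty(shadowed, 'size', { get: () => 0 });

  class Patched extends Map {}
  Object.defineProperty(Patched.prototype, 'size', { get() { return 0; } });

  return {
    clean: auditAccessor(clean, 'size'),
    shadowed: auditAccessor(shadowed, 'size'),
    patchedPrototype: auditAccessor(new Patched(), 'size'),
  };
}

console.log(demo());
```

In a browser the same audit would be called as `auditAccessor(navigator, 'webdriver')`; a source-level fork leaves the native getter in place, so an audit of this kind has nothing to find there.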
Patchright Detection Results
Patchright’s source-level patches produce significantly better results against JavaScript-based detection because the modifications are invisible at the JS layer:
- Cloudflare standard challenges: ~90-95% pass rate
- Cloudflare Turnstile: ~70-80% pass rate
- DataDome: ~55-70% pass rate
- PerimeterX/HUMAN: ~50-65% pass rate
- Akamai Bot Manager: ~55-70% pass rate
- CreepJS fingerprint tests: Cleaner results, fewer red flags
However, Patchright still fails against Tier 3 detection methods. TLS fingerprinting (JA3/JA4 hashes), HTTP/2 frame analysis, and behavioral modeling can still flag Patchright sessions. The patched Chromium binary still produces a TLS fingerprint that may not match the expected fingerprint for the claimed browser version and operating system. For a deeper understanding of how these multi-layered detection systems work and how to counter them, check out our complete guide to bypassing anti-bot systems.
Head-to-Head Detection Comparison Table
| Detection System | Playwright-Stealth Pass Rate | Patchright Pass Rate | Winner |
|---|---|---|---|
| Cloudflare Standard | 70-80% | 90-95% | Patchright |
| Cloudflare Turnstile | 40-55% | 70-80% | Patchright |
| DataDome | 30-50% | 55-70% | Patchright |
| PerimeterX/HUMAN | 25-40% | 50-65% | Patchright |
| Akamai Bot Manager | 35-50% | 55-70% | Patchright |
| Kasada | 15-25% | 35-50% | Patchright |
| TLS Fingerprint (JA3/JA4) | Fails | Fails | Tie (both fail) |
| Behavioral Analysis | Fails | Fails | Tie (both fail) |
The pattern is clear: Patchright wins every JavaScript-level detection test, but both tools hit a ceiling when detection moves beyond the browser DOM into network and behavioral layers.
Maintenance Burden and Long-Term Viability
Playwright-Stealth Maintenance
Playwright-stealth’s maintenance story is a mixed bag. On the positive side, because it’s a plugin layer on top of standard Playwright, it benefits from Playwright’s own update cycle without requiring modification. When Playwright releases a new version, playwright-stealth generally continues to work.
The negative side is more concerning. The Python version of playwright-stealth (playwright-stealth on PyPI) has seen sporadic maintenance. The original puppeteer-extra-plugin-stealth (for Puppeteer) was more actively maintained, and the Playwright ecosystem inherited adapted versions. When detection systems update their checks, playwright-stealth patches need corresponding updates — and these can lag behind by weeks or months. The JavaScript (playwright-extra) version sees more community activity but still suffers from the same fundamental limitations.
Key maintenance concerns include:
- Evasion script rot — Detection companies update faster than the community patches
- Multi-maintainer fragmentation — Multiple forks and reimplementations create confusion
- No guaranteed SLA — Open-source volunteers maintain this; there’s no paid support
- Testing gaps — Evasion effectiveness is hard to test systematically
Patchright Maintenance
Patchright faces a different but equally challenging maintenance burden. Because it’s a fork of the Playwright codebase, every Playwright update requires Patchright to rebase its patches. This is non-trivial work — Playwright releases frequently, and merge conflicts in the patched areas are common.
Patchright’s maintenance concerns include:
- Upstream tracking overhead — Must keep pace with Playwright releases or fall behind on features and security patches
- Binary patching complexity — Chromium binary modifications require deep knowledge of the Chromium build system
- Single-maintainer risk — Patchright has a smaller contributor base than playwright-stealth
- Version lag — Patchright often trails the latest Playwright release by days or weeks
- Browser-specific limitations — Only supports Chromium, unlike Playwright’s multi-browser support
For teams evaluating Playwright vs Selenium stealth detection, the maintenance dimension becomes even more important. Selenium-based stealth tools like undetected-chromedriver face similar maintenance challenges, suggesting this is a systemic problem with the DIY stealth approach, not a tool-specific issue.
Community Support and Ecosystem
| Factor | Playwright-Stealth | Patchright |
|---|---|---|
| GitHub Stars | ~1,500+ (across variants) | ~5,000+ |
| Active Contributors | 5-10 across forks | 1-3 core contributors |
| Issue Response Time | Days to weeks | Days to weeks |
| Documentation | Basic README + examples | Good README + migration guide |
| Language Support | Python, Node.js | Python, Node.js |
| Discord/Community | Web scraping communities | GitHub discussions |
| Commercial Support | None | None |
| Stack Overflow Presence | Moderate | Growing |
Patchright has gained significant GitHub traction recently, reflecting the community’s recognition that source-level patching is more effective than runtime injection. However, both projects lack commercial backing, meaning neither guarantees ongoing maintenance or support SLAs — a significant risk for production deployments.
Setup and Integration Complexity
Setting Up Playwright-Stealth
Playwright-stealth is straightforward to install and integrate with existing Playwright projects:
Python setup:
```bash
pip install playwright playwright-stealth
python -m playwright install chromium
```

```python
# Usage
from playwright.sync_api import sync_playwright
from playwright_stealth import stealth_sync

with sync_playwright() as p:
    browser = p.chromium.launch()
    page = browser.new_page()
    stealth_sync(page)  # apply the evasion scripts to this page before navigating
    page.goto("https://target-site.com")
    browser.close()
```
The key advantage here is that you keep your existing Playwright installation and simply add stealth as a wrapper. If stealth breaks or you need to disable it, you just remove the stealth_sync() call.
Setting Up Patchright
Patchright replaces Playwright entirely, which means changing your import statements:
```bash
pip install patchright
python -m patchright install chromium
```

```python
# Usage
from patchright.sync_api import sync_playwright

with sync_playwright() as p:
    browser = p.chromium.launch()
    page = browser.new_page()
    page.goto("https://target-site.com")
    # No stealth wrapper needed — patches are built in
    browser.close()
```
The migration from Playwright to Patchright is generally a find-and-replace of import statements. However, you’re now committed to using a forked browser binary, which adds risk: if Patchright has a bug or security vulnerability, you depend on its maintainers to patch it, not the Playwright team.
When to Choose Which Tool
Choose Playwright-Stealth When:
- You’re targeting sites with basic bot protection (simple Cloudflare, reCAPTCHA)
- You need multi-browser support (Firefox, WebKit) alongside stealth
- You want to keep your Playwright version perfectly in sync with upstream releases
- Your use case tolerates occasional detection failures
- You’re prototyping or doing lightweight scraping, not production-scale automation
Choose Patchright When:
- You’re targeting sites with advanced bot protection (DataDome, PerimeterX, Kasada)
- Chromium-only operation is acceptable for your use case
- You want the best possible JavaScript-level stealth without additional configuration
- You’re comfortable depending on a fork with a smaller maintainer pool
- Clean API integration matters — you don’t want wrapper functions cluttering your code
Choose Neither When:
- You need to bypass TLS fingerprinting, behavioral analysis, or IP reputation checks
- You’re running production workloads that require 99%+ success rates
- Maintenance predictability and support SLAs matter to your organization
- You need authentic browser fingerprints that match real user populations
- You’re managing multiple accounts or identities that each need unique, consistent fingerprints
If you find yourself in the “choose neither” category, you’re not alone. Many teams discover after months of patching, tweaking, and chasing detection updates that the fundamental approach — trying to disguise an automated browser as a real one — has a ceiling that keeps getting lower. For a broader look at stealth automation frameworks and their limitations, see our comparison of Playwright vs Selenium stealth capabilities.
The Fundamental Problem Both Tools Share
Whether you choose Patchright or playwright-stealth, you’re fighting a structural disadvantage. Both tools attempt to make an automated browser instance look like a real human’s browser session. But detection companies have entire engineering teams dedicated to finding the cracks in exactly this approach.
Consider the signals that neither Patchright nor playwright-stealth can convincingly fake:
- TLS fingerprints — The TLS handshake reveals the exact browser build, which can be cross-referenced against the claimed User-Agent
- HTTP/2 settings frames — Each browser has characteristic HTTP/2 connection parameters
- IP reputation — Data center IPs are flagged regardless of browser fingerprint quality
- Canvas and WebGL fingerprints — Spoofing these consistently across sessions without introducing statistical anomalies is extremely difficult
- Font enumeration — Available fonts must match the claimed operating system
- Behavioral biometrics — Mouse movement patterns, scroll velocity, and typing cadence
- Cookie and storage consistency — Real users have browsing histories, cookies, and cached credentials
Each of these signals adds another dimension that a stealth tool must fake convincingly. Miss even one, and cross-signal inconsistency analysis flags the session. This is why even Patchright, with its superior approach, still fails against the most sophisticated detection systems. To understand the full depth of what’s being detected, explore our complete antidetect browser guide which covers every fingerprinting vector and how genuine antidetect platforms address them.
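The User-Agent cross-reference from the TLS bullet above, sketched from the server side as an added example (not from the original article or any vendor's product). The ClientHello values, the `KNOWN` table and the function names are constructed for illustration; only the JA3 string layout and the GREASE rule are standard.

```javascript
// Added example: compare a connection's TLS ClientHello fingerprint with the
// browser family claimed in its User-Agent. All sample values are constructed.

// GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Clients insert them at
// random positions, so they are dropped before fingerprinting.
function isGrease(v) {
  return (v & 0x0f0f) === 0x0a0a && (v >> 8) === (v & 0xff);
}

// JA3 string layout: version,ciphers,extensions,curves,pointFormats
// (decimal values joined with '-'); the JA3 hash is the MD5 of this string.
// sortExtensions=true gives an order-insensitive variant, useful because
// current Chrome builds shuffle extension order per connection.
function ja3String(hello, sortExtensions = false) {
  const clean = (list) => list.filter((v) => !isGrease(v));
  const exts = clean(hello.extensions);
  if (sortExtensions) exts.sort((a, b) => a - b);
  return [
    hello.version,
    clean(hello.ciphers).join('-'),
    exts.join('-'),
    clean(hello.curves).join('-'),
    hello.pointFormats.join('-'),
  ].join(',');
}

// Coarse User-Agent family; a real deployment would use a maintained parser.
function uaFamily(ua) {
  if (/\bFirefox\/\d+/.test(ua)) return 'firefox';
  if (/\bChrome\/\d+/.test(ua)) return 'chrome';
  return 'unknown';
}

// known: Map of family -> Set of order-insensitive fingerprints observed from
// genuine builds of that family (collected by the defender from own traffic).
function crossCheck(ua, hello, known) {
  const family = uaFamily(ua);
  const fingerprint = ja3String(hello, true);
  const expected = known.get(family);
  let verdict = 'unknown-family';
  if (expected) verdict = expected.has(fingerprint) ? 'consistent' : 'mismatch';
  return { family, fingerprint, verdict };
}

// Constructed ClientHello summaries (not captured from any real browser).
const CHROME_LIKE = {
  version: 771,
  ciphers: [0x0a0a, 4865, 4866, 4867, 49195, 49199],
  extensions: [0x1a1a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
  curves: [0x2a2a, 29, 23, 24],
  pointFormats: [0],
};
const FIREFOX_LIKE = {
  version: 771,
  ciphers: [4865, 4867, 4866, 49195, 49199, 52393],
  extensions: [0, 23, 65281, 10, 11, 35, 16, 5, 34, 51, 43, 13, 45, 28],
  curves: [29, 23, 24, 25],
  pointFormats: [0],
};
const KNOWN = new Map([
  ['chrome', new Set([ja3String(CHROME_LIKE, true)])],
  ['firefox', new Set([ja3String(FIREFOX_LIKE, true)])],
]);

const CHROME_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';

// A Chrome User-Agent over a Chrome-like handshake, then over a Firefox-like one.
console.log(crossCheck(CHROME_UA, CHROME_LIKE, KNOWN).verdict);
console.log(crossCheck(CHROME_UA, FIREFOX_LIKE, KNOWN).verdict);
```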
The Cloud Browser Alternative: Why Send.win Changes the Equation
The patchright vs playwright-stealth debate assumes a paradigm where you’re running a local browser and trying to hide its automated nature. But what if you could skip the disguise entirely?
Send.win takes a fundamentally different approach by providing real cloud browser instances that are indistinguishable from genuine user sessions. Instead of patching or forking a browser to hide automation signals, Send.win runs actual browser environments in the cloud with:
- Authentic fingerprints — Each browser instance has a genuine, consistent fingerprint that matches real user populations — not spoofed values that create statistical anomalies
- Real residential IP rotation — Sessions route through residential proxies, eliminating IP reputation problems
- Native TLS stacks — TLS fingerprints match exactly what detection systems expect from real browsers
- Persistent profiles — Cookie jars, local storage, and browsing history persist across sessions, building organic user credibility
- Zero maintenance — No forks to track, no patches to update, no detection cat-and-mouse game
For teams currently spending engineering hours maintaining Patchright patches or playwright-stealth configurations, Send.win eliminates that entire category of work. You connect to a cloud browser instance via API, automate it with standard Playwright or Puppeteer commands, and the stealth is handled at the infrastructure level — not the code level.
Cost-Benefit Analysis
| Factor | Playwright-Stealth | Patchright | Send.win |
|---|---|---|---|
| Upfront Cost | Free (open source) | Free (open source) | Subscription |
| Ongoing Eng. Hours | High (patch chasing) | Medium (fork tracking) | Minimal |
| Detection Pass Rate | Low-Medium | Medium-High | Very High |
| Support SLA | None | None | Included |
| Multi-Account Ready | Manual setup | Manual setup | Built-in |
| Infrastructure | Self-hosted | Self-hosted | Cloud-managed |
| Scalability | Limited by local resources | Limited by local resources | Elastic cloud scaling |
| Total Cost of Ownership | High (hidden eng. costs) | Medium | Predictable |
The “free” price tag of open-source stealth tools is misleading. When you factor in engineering time spent debugging detection failures, updating patches, managing browser binaries, and handling the inevitable production incidents when a detection system updates, the total cost often exceeds a managed solution like Send.win.
🏆 Send.win Verdict
The patchright vs playwright-stealth comparison has a clear technical winner — Patchright’s source-level patching approach is fundamentally stronger than playwright-stealth’s runtime injection. But both tools share the same fatal flaw: they’re disguises, not the real thing. Modern detection systems are increasingly able to see through both approaches, especially at the TLS and behavioral layers. Send.win eliminates this entire arms race by providing genuine cloud browser instances with authentic fingerprints, real network stacks, and persistent profiles. Instead of spending your engineering cycles chasing detection updates, you get reliable, scalable browser sessions that just work.
Frequently Asked Questions
Is Patchright a drop-in replacement for Playwright?
Yes, Patchright is designed as a near-complete drop-in replacement. The API is virtually identical to Playwright — you simply change your import from `from playwright.sync_api import sync_playwright` to `from patchright.sync_api import sync_playwright`. However, Patchright only supports Chromium, so if your project uses Firefox or WebKit through Playwright, those browsers won’t be available. Additionally, Patchright may lag behind the latest Playwright release by a few days or weeks as patches are rebased.
Can I use Patchright and playwright-stealth together?
Technically you could apply playwright-stealth patches on top of a Patchright instance, but it’s generally unnecessary and not recommended. Patchright already addresses the core detection vectors at a deeper level than playwright-stealth. Adding runtime JS patches on top could potentially introduce new inconsistencies that detection systems could flag. If Patchright alone isn’t passing a specific detection check, the issue is likely at the TLS or behavioral layer, which playwright-stealth can’t fix either.
Which tool is better for bypassing Cloudflare Turnstile?
Patchright performs significantly better against Cloudflare Turnstile than playwright-stealth, with approximately 70-80% pass rates compared to 40-55%. However, neither tool achieves consistent, reliable Turnstile bypass because Cloudflare’s system combines JavaScript challenges with TLS fingerprinting, behavioral analysis, and IP reputation scoring. For reliable Turnstile bypass, you need a solution that addresses all these layers simultaneously, not just the browser fingerprint layer.
How often do detection systems update, and how does that affect each tool?
Major detection providers like Cloudflare, DataDome, and PerimeterX update their detection models continuously — often multiple times per week for machine learning models, and monthly for major rule changes. Playwright-stealth evasion scripts may take weeks or months to catch up with new detection checks. Patchright’s patches are more durable because they operate at a deeper level, but they still need updates when Chromium introduces new detectable artifacts. This ongoing maintenance requirement is a fundamental challenge with both tools.
Does Patchright work with Firefox or WebKit?
No. Patchright only supports Chromium because its stealth modifications are applied directly to the Chromium browser binary and the Chromium-specific parts of the Playwright framework. Firefox (Gecko) and WebKit have entirely different codebases and would require separate patch sets. If you need Firefox stealth automation, you’ll need to use a different tool like Camoufox or a modified Firefox build. Playwright-stealth, in contrast, works with any browser that Playwright supports, though its evasion effectiveness varies by browser engine.
What is the biggest detection risk that neither tool addresses?
TLS fingerprinting is arguably the biggest unaddressed risk. When your browser establishes an HTTPS connection, the TLS handshake reveals a “fingerprint” (JA3/JA4 hash) that identifies the exact browser build and configuration. Detection systems compare this fingerprint against the claimed User-Agent string. Both Patchright and playwright-stealth modify the browser’s DOM behavior but cannot alter the underlying TLS stack, creating a cross-signal inconsistency that sophisticated detection systems exploit.
Is it legal to use stealth browser tools for web scraping?
The legality depends on your jurisdiction, the target website’s terms of service, and how the scraped data is used. In many jurisdictions, publicly accessible data can be collected for legitimate purposes, but circumventing technical access controls may raise legal issues under laws like the CFAA (US) or Computer Misuse Act (UK). Always consult with legal counsel for your specific use case, and review each target site’s robots.txt and terms of service.
How does Send.win compare to running Patchright on a VPS?
Running Patchright on a VPS gives you cloud infrastructure but doesn’t solve the core detection problem — your browser sessions still produce detectable automation signals at the TLS and behavioral layers, and your VPS IP is likely flagged as a data center address. Send.win provides genuine browser instances with authentic fingerprints, residential IP rotation, and persistent profiles, addressing all detection layers rather than just the JavaScript fingerprint layer. Additionally, Send.win handles all infrastructure scaling, updates, and maintenance, eliminating the DevOps burden of managing VPS instances.
Conclusion
The patchright vs playwright-stealth matchup has a clear winner on technical merit: Patchright’s source-level patching approach is fundamentally more robust than playwright-stealth’s runtime JavaScript injection. Patchright produces cleaner fingerprints, passes more detection challenges, and provides a simpler API integration without wrapper functions.
But winning the patchright vs playwright-stealth comparison doesn’t mean winning the war against bot detection. Both tools operate within the same paradigm — disguising automated browsers as real ones — and that paradigm has a shrinking ceiling. As detection systems incorporate TLS fingerprinting, behavioral biometrics, and cross-signal consistency analysis, the gap between “patched automation” and “genuine human browsing” becomes increasingly difficult to bridge with code alone.
For teams that need reliable, production-grade browser automation with genuine stealth, the answer isn’t choosing between Patchright and playwright-stealth. It’s stepping outside the paradigm entirely with a cloud browser platform like Send.win that provides real browser instances, authentic fingerprints, and zero maintenance overhead. The best disguise is not needing one in the first place.
