Playwright Stealth: Complete Guide (2026)

Table of Contents

What Is Playwright Stealth?

Playwright Stealth is a plugin for Microsoft’s Playwright browser automation framework that modifies the automated browser’s behavior and properties to evade bot detection systems. When you use Playwright for web scraping, testing, or automation, websites can detect that a bot — not a human — is controlling the browser through dozens of telltale signals. Playwright Stealth patches these signals to make automated browsers appear identical to regular, human-operated browsers.

The plugin is inspired by and closely mirrors the functionality of puppeteer-extra-plugin-stealth (the equivalent for Puppeteer), adapted specifically for Playwright’s architecture. It works by modifying JavaScript execution environments, browser APIs, and navigator properties before page content loads — effectively removing the “I’m a bot” fingerprint that Playwright leaves behind.

In 2026, playwright stealth has become an essential tool for developers, researchers, and marketers who need to interact with websites programmatically without being blocked. As anti-bot services like Cloudflare, DataDome, PerimeterX (now HUMAN), and reCAPTCHA have become increasingly sophisticated, stealth plugins are the first line of defense against detection.

Why Playwright Gets Detected

Before diving into stealth solutions, it’s important to understand why automated browsers get detected in the first place. Websites use multiple layers of bot detection:

JavaScript Property Leaks

Playwright injects automation-related properties into the browser’s JavaScript environment that don’t exist in regular browsers:

navigator.webdriver — Set to true in automated browsers, undefined in regular ones
window.__playwright — Playwright-specific global variable
window.cdc_adoQpoasnfa76pfcZLmcfl_* — ChromeDriver-related properties
Missing window.chrome runtime object in Chromium automation mode
Inconsistent navigator.plugins and navigator.mimeTypes arrays

Browser Fingerprint Anomalies

Automated browsers produce unusual fingerprints that differ from real user browsers:

Canvas fingerprint — Headless browsers render canvas differently than headed browsers
WebGL renderer — Reports “SwiftShader” (software renderer) instead of actual GPU names
Audio context — Produces deterministic audio fingerprints that don’t match real hardware
Screen dimensions — Default viewport sizes (800×600) that no real user would use

Behavioral Analysis

Advanced bot detection systems analyze user behavior patterns:

Mouse movements that are too linear or too fast
Click patterns without hover events
Keyboard input without keydown/keyup event sequences
Navigation patterns that skip typical human browsing flows
Timing patterns that are too consistent (no human-like variability)

Setting Up Playwright Stealth

The most popular implementation for playwright stealth is the playwright-stealth npm package. Here’s how to set it up:

Installation

npm install playwright playwright-stealth

Basic Usage (JavaScript/TypeScript)

const { chromium } = require('playwright');
const { newInjectedContext } = require('playwright-stealth');

(async () => {
  const browser = await chromium.launch({ headless: false });
  const context = await newInjectedContext(browser, {
    fingerprintOptions: {
      devices: ['desktop'],
      operatingSystems: ['windows'],
    },
  });
  const page = await context.newPage();
  await page.goto('https://bot.sannysoft.com');
  // All stealth patches are automatically applied
  await page.screenshot({ path: 'stealth-test.png' });
  await browser.close();
})();

Python Usage

from playwright.sync_api import sync_playwright
from playwright_stealth import stealth_sync

with sync_playwright() as p:
    browser = p.chromium.launch(headless=False)
    page = browser.new_page()
    stealth_sync(page)
    page.goto('https://bot.sannysoft.com')
    page.screenshot(path='stealth-test.png')
    browser.close()

What Playwright Stealth Patches

The playwright stealth plugin applies several critical patches to the browser environment:

Patch	What It Does	Why It Matters
navigator.webdriver	Removes or sets to undefined	Most basic bot detection check
chrome.runtime	Adds mock chrome.runtime object	Expected in real Chrome browsers
navigator.plugins	Adds realistic plugin arrays	Empty plugins = headless browser
navigator.languages	Ensures consistent language arrays	Mismatched languages are suspicious
WebGL renderer	Spoofs GPU renderer string	SwiftShader = headless indicator
iframe.contentWindow	Fixes iframe detection bypass	Iframes reveal automation context
Permissions API	Returns realistic permission states	Automated browsers deny all permissions
Media codecs	Adds expected codec support	Missing codecs indicate headless mode

Advanced Stealth Techniques Beyond the Plugin

While playwright stealth handles the most common detection vectors, advanced bot detection systems require additional evasion techniques:

Residential Proxy Rotation

IP reputation is a major detection signal. Datacenter IPs are immediately flagged by most anti-bot services. Use residential proxies that rotate IPs to appear as different users from different locations. Configure Playwright to use proxies per browser context for proper isolation.

Realistic Viewport and User Agent

Set viewport dimensions and user agents that match real device configurations. Don’t use random values — use combinations that actually exist in the wild. Match the user agent to the browser version, OS, and viewport dimensions coherently.

Human-Like Behavior Simulation

Add realistic delays, mouse movements, and scrolling patterns to your automation scripts. Instead of clicking elements instantly, move the mouse to the element with curved, variable-speed trajectories and add small random delays before clicking.

TLS Fingerprint Matching

Advanced detection systems analyze the TLS handshake to identify automated browsers. Playwright’s Chromium-based TLS fingerprint differs from standard Chrome. Tools like curl-impersonate or custom browser builds can help match the TLS fingerprint of a regular Chrome browser.

Playwright Stealth vs. Alternatives

Tool	Framework	Language	Stealth Level	Best For
playwright-stealth	Playwright	JS/Python	Good	General automation
puppeteer-extra-stealth	Puppeteer	JS	Good	Chrome-specific automation
undetected-chromedriver	Selenium	Python	Moderate	Selenium-based workflows
Camoufox	Firefox-based	Python	High	Advanced evasion
Patchright	Playwright fork	JS/Python	High	Hardcore anti-detection
Cloud Browser (Send.win)	None needed	Any	Highest	No-code, team access

When Playwright Stealth Isn’t Enough

Despite its effectiveness, playwright stealth has limitations. Tier-1 anti-bot services like Cloudflare Turnstile, DataDome, and HUMAN (PerimeterX) use advanced techniques that stealth plugins alone cannot bypass:

TLS fingerprinting — Analyzing the TCP/TLS handshake at the network level
HTTP/2 fingerprinting — Detecting automation through HTTP/2 settings frames
Machine learning behavioral analysis — AI models trained on millions of sessions to distinguish humans from bots
CAPTCHA challenges — Requiring human verification that automation cannot solve

How Send.win Helps You Master Playwright Stealth

Send.win makes Playwright Stealth simple and secure with powerful browser isolation technology:

Browser Isolation – Every tab runs in a sandboxed environment
Cloud Sync – Access your sessions from any device
Multi-Account Management – Manage unlimited accounts safely
No Installation Required – Works instantly in your browser
Affordable Pricing – Enterprise features without enterprise costs

Try Send.win Free – No Credit Card Required

Experience the power of browser isolation with our free demo:

Instant Access – Start testing in seconds
Full Features – Try all capabilities
Secure – Bank-level encryption
Cross-Platform – Works on desktop, mobile, tablet
14-Day Money-Back Guarantee

Try Send.win Free Demo Now

Ready to upgrade? View pricing plans starting at just $9/month.

For these scenarios, a cloud-based approach often works better. Antidetect virtual browsers like Send.win provide real browser environments with authentic fingerprints that aren’t flagged as automation tools. Since the browser is a real, human-operated session in the cloud, there are no automation signals to detect.

Best Practices for Playwright Stealth

Always use headed mode — Headless browsers have more detectable differences from regular browsers. Use headless: false with Xvfb on Linux for invisible headed operation.
Keep Playwright updated — New browser versions patch stealth bypasses. Keep your Playwright and stealth plugin versions in sync.
Use residential proxies — Datacenter IPs are blacklisted by most anti-bot services.
Add realistic delays — Use random delays between actions (300-2000ms) to simulate human timing.
Rotate fingerprints — Don’t use the same fingerprint across thousands of requests. Generate new fingerprints per session.
Test against detection services — Regularly test your setup on bot detection test pages like bot detection bypass guides recommend.
Handle CAPTCHAs gracefully — Integrate CAPTCHA solving services or fall back to manual intervention.
Monitor and adapt — Anti-bot systems evolve constantly. Monitor your success rates and adapt quickly when detection rates increase.

Legal and Ethical Considerations

Using playwright stealth raises important legal and ethical questions. Web scraping and automation exist in a legal gray area that varies by jurisdiction:

Terms of Service — Most websites prohibit automated access in their ToS. Violating ToS can result in bans but typically doesn’t have legal consequences.
CFAA (USA) — The Computer Fraud and Abuse Act may apply if you bypass access controls or access systems without authorization.
GDPR (EU) — Scraping personal data may violate data protection regulations.
Copyright — Scraping and republishing copyrighted content may violate copyright law.
hiQ vs. LinkedIn — The US Supreme Court ruled that scraping publicly available data is not a CFAA violation, but the legal landscape continues to evolve.

Always check the applicable laws in your jurisdiction and the terms of service of the websites you’re interacting with. Use automation responsibly and respect rate limits.

Frequently Asked Questions

Does Playwright Stealth work with headless mode?

Stealth patches apply to both headed and headless modes, but headed mode is still more effective at evading detection because headless browsers have additional detectable differences that stealth plugins can’t fully address.

Is Playwright Stealth better than Puppeteer Stealth?

They’re roughly equivalent in stealth capability. The main difference is the underlying framework. Playwright offers multi-browser support (Chromium, Firefox, WebKit), while Puppeteer is Chrome-only. Choose based on your framework preference.

Can Playwright Stealth bypass Cloudflare?

It can bypass basic Cloudflare challenges. For Cloudflare Turnstile and advanced protection, additional techniques (residential proxies, TLS fingerprint matching, human-like behavior) are needed. Cloud-based cloud browsers with real browser fingerprints often perform better against Cloudflare.

How do I test if my stealth setup is working?

Visit these detection test pages: bot.sannysoft.com, browserleaks.com, pixelscan.net, and creepjs.com. They check various automation indicators and show you what a website can detect about your browser.

Is using Playwright Stealth legal?

The tool itself is legal. How you use it determines legality. Using it for legitimate testing, research, and data collection from publicly available sources is generally legal. Using it to bypass access controls, scrape personal data, or violate ToS may have legal consequences.

What programming languages does Playwright Stealth support?

The main implementations are available for JavaScript/TypeScript (npm) and Python (pip). Community ports exist for other languages, but they may lag behind in features and updates.