Undetected-Playwright vs Playwright-Stealth: The Definitive Comparison for Bot Detection Evasion
If you’ve spent any time automating browsers and trying to dodge bot detection, you’ve almost certainly run into the same frustrating question: undetected-playwright vs playwright-stealth — which library actually keeps your scripts under the radar? Both projects promise to make Playwright invisible to anti-bot systems, but they take fundamentally different approaches to the problem. One patches Chromium at the protocol level while the other injects JavaScript to spoof runtime fingerprints. The difference matters more than most developers realize.
In this comprehensive comparison, we’ll dissect exactly how each library works under the hood, analyze their Cloudflare and DataDome bypass success rates, examine CDP leak patching strategies, evaluate maintenance health and community support, and explain why neither open-source stealth library can match the zero-detection architecture of a purpose-built cloud browser like Send.win.
What Is Undetected-Playwright?
Undetected-playwright (primarily maintained by Blinkit/Kaliiiiiiiiii on GitHub) is a Python library that modifies the Chromium browser binary and its Chrome DevTools Protocol (CDP) connection to prevent detection by anti-bot systems. Unlike surface-level stealth patches, undetected-playwright aims to eliminate the telltale artifacts that automation frameworks leave behind at the browser engine level.
How Undetected-Playwright Works
The library employs several key techniques to evade detection:
- CDP connection masking: Standard Playwright opens a WebSocket connection to Chromium via CDP, which leaves detectable artifacts. Undetected-playwright patches the connection handshake to remove or disguise these signatures.
- Binary patching: The library modifies the Chromium executable itself, stripping out strings and flags that identify it as an automated instance — such as the
--enable-automationflag and thecdc_driver variable. - Navigator property fixes: It corrects inconsistencies in
navigator.webdriver,navigator.plugins, andnavigator.languagesthat anti-bot scripts check. - Runtime environment cleanup: The library removes or modifies window properties like
window.chrome.runtimethat indicate an automated context.
The key advantage of undetected-playwright is its depth of patching. By modifying the browser binary and CDP layer, it eliminates detection vectors that JavaScript-only solutions simply cannot reach.
What Is Playwright-Stealth?
Playwright-stealth is an npm package (available for Node.js) that applies a set of JavaScript evasion scripts to Playwright browser contexts. It’s heavily inspired by the popular puppeteer-extra-plugin-stealth and ports those same evasion techniques to the Playwright ecosystem.
How Playwright-Stealth Works
Playwright-stealth takes a fundamentally different approach from undetected-playwright. Rather than modifying the browser binary, it injects JavaScript into every page context to override detectable properties:
- Script injection via
addInitScript: The library uses Playwright’s built-in API to run evasion scripts before any page JavaScript executes. This lets it modifynavigator.webdriver, spoof plugin arrays, and fake WebGL renderer strings. - User-agent consistency: It synchronizes the User-Agent header with the values reported by
navigator.userAgentandnavigator.platform. - Chrome runtime spoofing: It creates fake
window.chromeobjects with the expected properties of a genuine Chrome browser. - Permission API patching: It overrides the Permissions API to report “prompt” status for notification permissions, matching real browser behavior.
- WebGL and Canvas fingerprint noise: It adds subtle randomization to canvas and WebGL outputs to prevent fingerprint tracking.
The main advantage of playwright-stealth is its simplicity. You install it via npm, call stealth.use(context), and your Playwright scripts gain a layer of anti-detection protection without needing to modify any browser binaries.
CDP Leak Patching: The Critical Difference
The single most important technical distinction between undetected-playwright vs playwright-stealth is how they handle Chrome DevTools Protocol leaks. CDP leaks are the number-one way modern anti-bot systems detect Playwright automation.
What Are CDP Leaks?
When Playwright controls Chromium, it communicates through the Chrome DevTools Protocol — the same protocol that Chrome DevTools uses for debugging. This connection creates several detectable artifacts:
- WebSocket debugging URL: The browser listens on a debugging port, and the URL pattern is recognizable.
- Runtime.enable artifacts: When Playwright calls
Runtime.enableto inject JavaScript, it leaves traces in the execution context. - Target.setAutoAttach patterns: The way Playwright attaches to new targets creates unique behavioral signatures.
- Console message interception: Playwright’s console message handlers create detectable side channels.
Undetected-Playwright’s CDP Approach
Undetected-playwright patches CDP leaks at the protocol level. It modifies the WebSocket connection, strips identifying headers, and prevents the browser from exposing debugging artifacts to page-level JavaScript. This is effective because the patching happens below the JavaScript execution layer — page scripts cannot detect something that has been removed from the protocol layer entirely.
Playwright-Stealth’s CDP Limitations
Playwright-stealth, being a JavaScript-only solution, cannot patch CDP leaks at the protocol level. It can override navigator.webdriver and spoof various browser properties, but the underlying CDP connection remains detectable. Advanced anti-bot systems like those offered by Cloudflare and DataDome now specifically probe for CDP artifacts that exist below the JavaScript layer — making playwright-stealth’s approach increasingly insufficient. For a deeper understanding of how these detection vectors overlap with other automation tools, see our comparison of playwright vs selenium stealth approaches.
Runtime Fingerprint Spoofing Compared
Beyond CDP leaks, both libraries attempt to spoof the browser’s runtime fingerprint — the collection of properties that anti-bot scripts examine to determine if a browser is genuine.
| Fingerprint Vector | Undetected-Playwright | Playwright-Stealth |
|---|---|---|
| navigator.webdriver | ✅ Patched at binary level | ✅ Overridden via JS injection |
| navigator.plugins | ✅ Realistic plugin array | ✅ Spoofed plugin list |
| Chrome runtime object | ✅ Genuine-looking chrome object | ✅ Faked chrome object |
| CDP WebSocket artifacts | ✅ Patched at protocol level | ❌ Cannot reach protocol layer |
| WebGL renderer string | ⚠️ Basic support | ✅ Configurable spoofing |
| Canvas fingerprint | ⚠️ Limited noise injection | ✅ Randomized canvas output |
| Permission API | ✅ Corrected responses | ✅ Patched to return “prompt” |
| Iframe contentWindow | ✅ Fixed cross-origin behavior | ✅ Patched iframe detection |
| User-Agent consistency | ✅ Binary + header alignment | ✅ Header + navigator sync |
| Screen resolution coherence | ⚠️ Manual configuration | ⚠️ Manual configuration |
As the table shows, both libraries cover the major fingerprinting vectors, but their approaches have trade-offs. Undetected-playwright wins on deeper system-level patching (especially CDP), while playwright-stealth offers more granular control over canvas and WebGL fingerprints. Understanding the full scope of Selenium browser fingerprint detection techniques helps contextualize why both libraries are locked in an arms race with anti-bot vendors.
Cloudflare and DataDome Bypass Rates
Theoretical capabilities are interesting, but what actually matters is whether these libraries bypass real-world anti-bot systems. Let’s look at the two biggest players: Cloudflare and DataDome.
Cloudflare Bypass Performance
Cloudflare’s bot management has evolved dramatically. Their system uses a combination of JavaScript challenges, TLS fingerprinting, HTTP/2 header ordering, and behavioral analysis. Here’s how each library performs:
| Metric | Undetected-Playwright | Playwright-Stealth |
|---|---|---|
| Cloudflare Managed Challenge | ~65-75% bypass rate | ~30-45% bypass rate |
| Cloudflare Turnstile | ~40-55% bypass rate | ~15-25% bypass rate |
| Cloudflare Bot Score (threshold 30) | Often scores 25-40 | Often scores 45-70 |
| TLS fingerprint match | Chromium-native (good) | Chromium-native (good) |
| Behavioral analysis evasion | ⚠️ Requires manual delays | ⚠️ Requires manual delays |
Undetected-playwright significantly outperforms playwright-stealth against Cloudflare because of its CDP leak patching. Cloudflare’s challenge scripts specifically probe for CDP artifacts, and playwright-stealth’s JavaScript-only patches leave these exposed.
DataDome Bypass Performance
DataDome uses an even more aggressive detection approach, combining device fingerprinting, behavioral biometrics, and machine learning-based anomaly detection:
- Undetected-playwright: Achieves approximately 50-60% bypass rate against DataDome’s standard protection. Drops to 20-30% against DataDome’s advanced tier, which uses behavioral analysis that neither library can fully defeat.
- Playwright-stealth: Manages approximately 20-30% bypass rate against standard DataDome and less than 10% against advanced DataDome. The JavaScript-level spoofing is increasingly caught by DataDome’s server-side correlation checks.
The reality is that both libraries are fighting a losing battle against top-tier anti-bot systems. Each detection vendor update narrows the window of effectiveness, and open-source libraries are always playing catch-up. For a comprehensive understanding of these evolving detection systems, our guide on how to bypass anti-bot systems covers the latest evasion landscape in detail.
Maintenance Activity and Community Support
The effectiveness of any stealth library is directly tied to how actively it’s maintained. Anti-bot vendors push detection updates weekly, so a stealth library that hasn’t been updated recently is essentially broken.
Undetected-Playwright Maintenance
- Primary maintainer: Blinkit/Kaliiiiiiiiii (GitHub)
- Update frequency: Sporadic — major updates typically come when a detection method breaks the library, followed by periods of inactivity.
- Community size: Smaller but technically focused community. The GitHub repository typically has 1,000–2,500 stars.
- Issue response time: Variable. Critical detection bypasses may take days to weeks to get addressed.
- Python ecosystem: Primary target is Python developers, which limits contribution pool compared to the broader Node.js community.
Playwright-Stealth Maintenance
- Primary ecosystem: npm/Node.js
- Update frequency: Moderate — benefits from the larger puppeteer-extra-plugin-stealth community’s research, as many evasion techniques are portable.
- Community size: Larger user base, typically 2,000–4,000 GitHub stars across related repositories.
- Issue response time: Faster community responses, though official maintainer engagement varies.
- Cross-pollination: Benefits from puppeteer-stealth research and shared evasion technique development.
The Maintenance Problem Both Share
Neither library can guarantee long-term reliability. Both are reactive — they fix detection methods after anti-bot vendors deploy them. This creates a perpetual “cat and mouse” cycle where your automation scripts may break without warning and require manual intervention to update stealth patches. This fundamental limitation is why many teams eventually look beyond open-source stealth libraries entirely.
Head-to-Head Feature Comparison
| Feature | Undetected-Playwright | Playwright-Stealth |
|---|---|---|
| Language | Python | Node.js (npm) |
| Detection Approach | Binary + protocol patching | JavaScript injection |
| CDP Leak Patching | ✅ Protocol-level | ❌ Not addressable |
| Setup Complexity | Moderate (binary download) | Low (npm install) |
| Cloudflare Bypass | Good (65-75%) | Fair (30-45%) |
| DataDome Bypass | Moderate (50-60%) | Poor (20-30%) |
| Fingerprint Customization | Limited | Moderate |
| Multi-browser Support | Chromium only | Chromium primary, Firefox partial |
| Session Persistence | Manual implementation | Manual implementation |
| Proxy Integration | Supported | Supported |
| Active Maintenance | Sporadic | Moderate |
| Community Size | Smaller (1-2.5K stars) | Larger (2-4K stars) |
Common Pitfalls When Using Either Library
Even with the best stealth library, many automation projects fail because of avoidable mistakes. Here are the most common issues developers encounter:
1. Ignoring TLS Fingerprinting
Neither undetected-playwright nor playwright-stealth addresses TLS (JA3/JA4) fingerprinting. The TLS handshake that Chromium performs has a unique signature, and anti-bot systems increasingly use this to flag automated browsers. Even with perfect JavaScript-level spoofing, a mismatched TLS fingerprint will expose your automation.
2. Running Headless Without Adjustment
Both libraries improve headless detection evasion, but running in fully headless mode still leaves detectable traces. Screen dimensions, rendering behavior, and GPU acceleration differences between headless and headed modes can be caught by sophisticated anti-bot systems.
3. Neglecting Behavioral Patterns
No stealth library can fix robotic behavior. Instant page navigations, linear mouse movements, perfectly timed clicks, and missing scroll events are all behavioral signals that machine learning-based detection systems catch. You must implement realistic human-like interaction patterns regardless of which library you choose.
4. Using Default Configurations
The default configurations of both libraries are widely known to anti-bot vendors. Using playwright-stealth with default settings, for example, creates a specific fingerprint signature that Cloudflare has already cataloged. Customizing evasion parameters is essential for any serious automation project.
5. Overlooking IP Reputation
Data center IP addresses are flagged by virtually every anti-bot system. Even perfect browser fingerprinting won’t help if your traffic originates from known cloud provider IP ranges. Residential proxies are practically mandatory, adding significant cost and complexity. Learning how to detect an antidetect browser helps you understand exactly what detection systems look for.
When to Choose Undetected-Playwright
Undetected-playwright is the better choice when:
- You’re working in Python and need the deepest possible detection evasion
- Your target sites use Cloudflare or similar systems that probe for CDP leaks
- You’re comfortable managing binary updates and potential breaking changes
- You need protocol-level stealth that JavaScript injection cannot provide
- Your use case requires bypassing advanced challenge pages, not just simple bot checks
When to Choose Playwright-Stealth
Playwright-stealth is the better choice when:
- You’re working in Node.js and want quick, easy integration
- Your target sites use basic to moderate bot detection (not enterprise-grade Cloudflare or DataDome)
- You need granular control over canvas and WebGL fingerprint spoofing
- You prefer the larger community ecosystem and more frequent (if incremental) updates
- Your automation requires Firefox support in addition to Chromium
When Neither Library Is Enough
Here’s the uncomfortable truth: for production-grade automation against modern anti-bot systems, neither open-source stealth library provides a reliable, long-term solution. The fundamental problem is architectural — both libraries try to disguise an automated browser as a real one, but the disguise has seams that anti-bot vendors are getting better at finding.
The limitations include:
- Reactive maintenance: Both libraries fix detection methods after they’re already deployed, meaning your automation breaks before the fix is available.
- Incomplete fingerprint coverage: Neither library addresses every detection vector simultaneously (TLS, HTTP/2, behavioral, hardware).
- Infrastructure burden: You still need to manage proxies, session persistence, IP rotation, and browser profiles yourself.
- Scaling challenges: Running multiple stealth browser instances with unique fingerprints requires significant custom engineering.
This is exactly why cloud-based browser solutions have gained traction. Instead of trying to patch a local browser to look real, they provide genuinely clean browser sessions that have no automation footprint to detect in the first place.
The Cloud Browser Alternative: Zero Detection by Design
Send.win takes a fundamentally different approach to the stealth browser problem. Rather than patching Playwright or Selenium to hide automation artifacts, Send.win provides cloud browser sessions that are genuinely clean from the ground up. There’s no CDP connection to leak, no binary patching that might be incomplete, and no JavaScript injection that sophisticated anti-bot systems can detect.
Each Send.win session runs in an isolated cloud environment with:
- Native browser fingerprints: Real browser installations, not patched automation frameworks
- Clean IP reputation: Residential-grade exit nodes, not flagged data center IPs
- Hardware-backed fingerprints: Consistent GPU, audio, and canvas fingerprints that match real devices
- Zero automation artifacts: No CDP leaks, no
navigator.webdriverflags, nocdc_variables - Persistent sessions: Maintain cookies, local storage, and browsing history across sessions
How Send.win Helps You Master Undetected Playwright Vs Playwright Stealth
Send.win makes Undetected Playwright Vs Playwright Stealth simple and secure with powerful browser isolation technology:
- Browser Isolation – Every tab runs in a sandboxed environment
- Cloud Sync – Access your sessions from any device
- Multi-Account Management – Manage unlimited accounts safely
- No Installation Required – Works instantly in your browser
- Affordable Pricing – Enterprise features without enterprise costs
Try Send.win Free – No Credit Card Required
Experience the power of browser isolation with our free demo:
- Instant Access – Start testing in seconds
- Full Features – Try all capabilities
- Secure – Bank-level encryption
- Cross-Platform – Works on desktop, mobile, tablet
- 14-Day Money-Back Guarantee
Ready to upgrade? View pricing plans starting at just $9/month.
This approach eliminates the entire “cat and mouse” dynamic. Anti-bot systems can’t detect what isn’t there — and Send.win sessions simply don’t contain the artifacts that trigger detection.
🏆 Send.win Verdict
Both undetected-playwright and playwright-stealth are impressive open-source projects, but they’re fighting a battle they can’t win long-term. Anti-bot vendors have larger teams, faster update cycles, and access to the source code of these public libraries. Send.win eliminates the problem entirely by providing cloud browser sessions with zero automation footprint — no CDP leaks to patch, no fingerprints to spoof, and no maintenance burden when detection vendors push updates. For teams that need reliable, undetectable browser sessions without the constant firefighting of stealth library maintenance, Send.win is the clear choice.
Try Send.win free today — stop patching stealth libraries and start using browser sessions that are invisible by design.
Frequently Asked Questions
What is the main difference between undetected-playwright and playwright-stealth?
The main difference is their approach to evasion. Undetected-playwright modifies the Chromium binary and patches CDP (Chrome DevTools Protocol) leaks at the protocol level, while playwright-stealth is an npm package that injects JavaScript to spoof browser properties. Undetected-playwright’s deeper patching makes it more effective against advanced anti-bot systems like Cloudflare, but playwright-stealth is easier to set up and offers more granular fingerprint customization options.
Can playwright-stealth patch CDP leaks?
No. Playwright-stealth operates entirely at the JavaScript injection level using Playwright’s addInitScript API. CDP (Chrome DevTools Protocol) leaks exist at the protocol layer below JavaScript execution, so playwright-stealth cannot reach or modify them. This is a fundamental architectural limitation that makes playwright-stealth more detectable by advanced anti-bot systems that specifically probe for CDP artifacts.
Which library has a higher Cloudflare bypass rate?
Undetected-playwright generally achieves a higher Cloudflare bypass rate — approximately 65-75% for managed challenges compared to playwright-stealth’s 30-45%. This difference is primarily because Cloudflare’s challenge scripts probe for CDP connection artifacts that undetected-playwright patches but playwright-stealth cannot address. However, both libraries’ bypass rates fluctuate as Cloudflare updates its detection methods.
Do I need residential proxies with these stealth libraries?
Yes, residential proxies are practically mandatory for any serious automation project, regardless of which stealth library you use. Data center IP addresses are flagged by virtually every anti-bot system, and even perfect browser fingerprint spoofing won’t overcome a bad IP reputation score. Budget for residential proxy costs when planning your automation infrastructure.
Is undetected-playwright available for Node.js?
No, undetected-playwright is primarily a Python library. If you’re working in Node.js, playwright-stealth is your main open-source option for adding stealth capabilities to Playwright. Alternatively, you could use Python’s undetected-playwright as a separate service and communicate with it from your Node.js application via API, though this adds complexity.
How often do these stealth libraries need updating?
Both libraries require updates whenever major anti-bot vendors push new detection methods, which typically happens every few weeks. Undetected-playwright updates tend to be less frequent but more substantial (binary patches), while playwright-stealth receives more incremental updates. In practice, you should expect your stealth setup to break at least once a month against top-tier anti-bot systems and plan for maintenance time accordingly.
Can I use undetected-playwright and playwright-stealth together?
While technically possible (since they target different layers), combining both libraries is generally not recommended. The overlapping JavaScript-level patches can conflict and create inconsistent fingerprints that are actually more detectable than using either library alone. If you need both protocol-level and JavaScript-level evasion, undetected-playwright already covers most of playwright-stealth’s JavaScript patches internally.
Why do cloud browser solutions like Send.win outperform stealth libraries?
Cloud browser solutions like Send.win outperform stealth libraries because they eliminate the detection surface entirely rather than trying to hide it. Stealth libraries patch an automated browser to look real, but the patches are never perfect and anti-bot vendors can study the open-source code to develop counters. Send.win provides genuinely clean browser sessions running on real browser installations with no CDP connections, no automation flags, and no injected scripts — there is simply nothing for anti-bot systems to detect.