OmniScrape
ProductsSolutionsGuidesDocs ↗PricingAbout
ProductsSolutionsGuidesDocs ↗PricingAbout
← All guides
Anti-Bot Bypass

How to Bypass DataDome When Web Scraping

The response is HTTP 403, Set-Cookie contains datadome, and the product grid that renders fine in your home browser on a residential ISP is completely absent from your AWS scraper. DataDome did not block your HTML parser — it refused to serve trusted content to the request in the first place.

DataDome operates as a client-side behavioral scoring system. It measures mouse movement timing, touch event patterns, canvas and WebGL fingerprints, TLS JA3 signatures, and IP reputation against a continuously updated model of human traffic. Any request that diverges too far from that model receives a 403 or a slider CAPTCHA before the origin ever renders product HTML. This guide walks through every layer of that detection stack, why plain HTTP clients fail immediately, and how to reliably fetch catalog and listing pages from fashion retailers, marketplaces, and ticketing platforms that deploy DataDome.

On this page

1. The client-side JavaScript tag you must execute2. How DataDome blocks appear in logs and responses3. Geo-matched residential IPs are the baseline requirement4. Behavioral signals that trigger slider challenges5. Why replayed datadome cookies stop working6. OmniScrape execution path for DataDome targets7. Concurrency and rate control on DataDome sites8. Production mistakes that cause persistent DataDome blocks9. DataDome and Cloudflare running on the same stack10. Health metrics for DataDome-protected crawls11. FAQ

1.The client-side JavaScript tag you must execute

DataDome works by injecting a JavaScript tag into every page response. That tag collects behavioral telemetry — cursor velocity, scroll rhythm, keyboard cadence, canvas fingerprint — and communicates it back to DataDome's decision endpoint. The result is a signed datadome cookie that the browser sends on every subsequent request. The origin server validates that cookie before rendering any protected content. No valid cookie chain means no product HTML, regardless of how convincing your User-Agent header looks.

Server-only HTTP clients — Python requests, Go net/http, Node fetch — never execute JavaScript. They receive the page shell, never run the tag, and never earn a valid cookie. On datacenter ASNs the block is immediate: DataDome's IP reputation layer fires before behavioral scoring even starts. On residential IPs without JavaScript execution, you may get a few successful requests before the behavioral model accumulates enough signal to issue a challenge. The fix is not header tuning — it is executing the tag in a real browser engine.

Practically, this means any scraping path that skips JavaScript execution is fragile on DataDome-protected targets. You may see it work on lightly protected paths or during off-peak hours when the model's confidence threshold is looser, but it will not hold at production scale.

2.How DataDome blocks appear in logs and responses

The clearest signal is an HTTP 403 response where the Set-Cookie header contains datadome= and the response body references DataDome's block page or a slider CAPTCHA iframe. Unlike reCAPTCHA or hCaptcha, DataDome's challenge is typically a custom puzzle slider — a draggable element you must move to a target position. If you are logging raw response bodies, search for 'datadome' or 'dd_referrer' to confirm the protection layer.

On e-commerce sites, the block often manifests as an empty product grid rather than an explicit 403. The page shell loads — navigation, header, footer — but the product listing container is empty or contains a spinner that never resolves. This happens when DataDome intercepts the XHR or fetch call that populates the grid rather than the initial document request. Log both the document response and any subsequent API calls to isolate where the block occurs.

Geo-specific blocking is common: EU fashion sites frequently block US cloud IP ranges outright, returning 403 before any behavioral scoring runs. Mobile WebView traffic is scored differently from desktop Chrome automation — using a desktop User-Agent on a site that primarily serves mobile shoppers will fail faster than using a matching mobile profile. Check the site in a real browser with DevTools open to identify what device class and locale the site expects.

3.Geo-matched residential IPs are the baseline requirement

Sending requests from AWS us-east-1 to a EU fashion retailer is the single most common self-inflicted DataDome block. DataDome's IP reputation layer cross-references ASN, datacenter classification, and geographic distance from the storefront's primary audience. A UK fashion site with 90% British shoppers will have a very low tolerance for Virginia datacenter traffic regardless of what headers you send.

Match proxy country to storefront locale. For a .co.uk site, start with residential:gb. For a .de or .fr site, use the corresponding country code. If a site serves cross-border EU inventory from a single domain, test the country that matches the currency and language shown in a manual browser session — that is the locale the model was trained on.

Sticky sessions are essential across paginated flows. DataDome validates cookie integrity against the IP that earned it. If your session hops between proxy exit nodes mid-crawl, the cookie becomes invalid and you trigger a fresh challenge. Use session_id to pin a proxy exit node for the duration of a category walk or checkout flow.

EU residential + solver for a UK fashion PDP
json
123456789101112{
  "url": "https://eu-fashion.example.com/en-gb/dresses/4421",
  "mode": "auto",
  "proxy": "residential:gb",
  "enable_solver": true,
  "output_format": "css_extractor",
  "css_selectors": {
    "title": "h1",
    "price": "[data-test='price']",
    "sizes": ".size-selector button"
  }
}

4.Behavioral signals that trigger slider challenges

DataDome's behavioral model is trained on real human traffic patterns. The signals that deviate most sharply from human behavior — and therefore trigger challenges most reliably — are: zero-millisecond gaps between sequential API calls, identical request intervals across workers (a sign of programmatic timing), absence of scroll or touch events before interacting with interactive elements, and flash crowds of requests from the same IP pool hitting a single domain simultaneously.

Warming a session before hitting high-value endpoints significantly reduces challenge rate. A realistic warm path is: homepage load → category browse with a short pause → product detail page. This mirrors the navigation pattern DataDome's model associates with genuine shoppers. Jumping directly to a PDP URL from a cold session on a residential IP is borderline; doing it from a datacenter IP is an immediate block.

Concurrency matters at the session level, not just the IP level. Ten workers each making requests at 200ms intervals from different residential IPs can still pattern-match as automation if the request fingerprints are identical — same TLS cipher suite, same Accept-Language, same viewport dimensions. Vary device profiles across workers to avoid fleet-level fingerprint clustering.

5.Why replayed datadome cookies stop working

A common shortcut is to extract a valid datadome cookie from a manual browser session and inject it into a scraping worker. This fails reliably in production for a structural reason: DataDome cookies are cryptographically bound to the session context that earned them — IP address, TLS fingerprint, and behavioral history. When you replay a cookie from a residential Chrome session into a datacenter HTTP client, the IP, JA3 signature, and behavioral profile all diverge from what the cookie was issued for. DataDome's validation rejects it within one or two requests.

The correct approach is to earn the cookie in the same environment that will continue the session. With OmniScrape, that means using js_rendering with enable_solver so the browser execution environment that runs the DataDome tag is the same environment that makes subsequent requests. The cookie is earned and consumed within a single session context, and the proxy exit node is pinned via session_id across requests in the same crawl.

For multi-step journeys — login, cart, checkout — browser-as-a-service patterns are more appropriate than single-request scraping. The session state, including DataDome cookies, must persist across every step of the flow.

6.OmniScrape execution path for DataDome targets

mode auto is the correct starting point for most DataDome targets. It attempts a fast HTTP request first and escalates to browser execution when it detects that JavaScript tag execution is required — which DataDome-protected pages trigger reliably. This keeps costs lower on any unprotected paths while ensuring browser execution on the paths that need it. If you know a target always requires JavaScript, use js_rendering directly to skip the fast-lane attempt.

enable_solver activates OmniScrape's CAPTCHA solving pipeline, which handles DataDome's slider challenges when behavioral scoring drops below threshold. Set js_wait_selector to a CSS selector that appears only after the protected content has rendered — for example, the product title or price element. This prevents the response from being returned before the page has fully hydrated past the DataDome check.

After each request, inspect metadata.challenge_solved and metadata.method_used. If challenge_solved is false and the response is a 403 or an empty grid, the session needs rotation or the proxy country needs adjustment. Validate that data.content contains actual product markup — a 200 response with DataDome's block page HTML still in data.content is a failed scrape.

js_rendering with challenge validation and content assertion
python
12345678910111213141516171819202122import requests, os

r = requests.post(
    "https://api.omniscrape.io/v1/scrape",
    headers={"X-API-Key": os.environ["OMNISCRAPE_KEY"]},
    json={
        "url": "https://marketplace.example.com/listing/99102",
        "mode": "js_rendering",
        "proxy": "residential:de",
        "enable_solver": True,
        "js_wait_selector": ".listing-details",
        "output_format": "html",
    },
    timeout=180,
)
data = r.json()
meta = data["metadata"]
content = data["data"]["content"]

# Confirm challenge was handled and content is real
assert meta.get("challenge_solved") or meta.get("method_used") == "js_rendering"
assert "listing-details" in content, "Block page returned instead of listing"

7.Concurrency and rate control on DataDome sites

DataDome's model is sensitive to traffic shape at the domain level, not just the IP level. Ten workers each making requests at maximum concurrency against the same domain looks like a coordinated scraping fleet even if each worker uses a different residential IP. The model flags the pattern based on aggregate request velocity, timing regularity, and fingerprint similarity across the fleet.

Cap parallel requests per domain to a level that keeps aggregate request rate within the range a realistic user population would generate. Separate monitoring workloads — which need higher rotation and can tolerate more aggressive pacing — from catalog walks, which benefit from sticky sessions and slower, more human-paced timing. A per-domain semaphore with jittered sleep between requests is the standard implementation pattern.

Read web scraping without getting blocked for per-domain semaphore implementations and backoff strategies. The same principles apply to DataDome targets, with the additional constraint that session stickiness matters more here than on sites using simpler IP-based rate limiting.

8.Production mistakes that cause persistent DataDome blocks

Skipping JavaScript execution entirely and relying on header manipulation is the most common mistake. No combination of User-Agent, Accept-Language, Referer, or sec-ch-ua headers compensates for the absence of the DataDome tag running in a real browser engine. Header tuning is a secondary concern — tag execution is the primary one.

Using a desktop User-Agent and viewport on a site that primarily serves mobile traffic. DataDome's model is trained on the actual device distribution of a site's real users. If 70% of a fashion site's traffic is mobile Chrome on iOS, a desktop Chrome fingerprint is an outlier. Check the site's actual traffic in a manual browser session before choosing a device profile.

Assuming that mobile app API endpoints skip DataDome validation. Many mobile apps send DataDome cookies or tokens with every API request, earned during app initialization. Scraping the app's REST API directly without replicating that token flow will fail the same way web scraping without JavaScript execution fails. Match the full request context the app sends, or use browser execution against the web version.

Running CAPTCHA farms on every page request when the underlying issue is IP geo mismatch or missing JavaScript execution. Solving sliders repeatedly without fixing the root cause means you are paying to solve challenges that a correct setup would never encounter. Fix the session setup first, then measure residual challenge rate.

9.DataDome and Cloudflare running on the same stack

A significant number of sites run both Cloudflare at the edge and DataDome on the origin. The request hits Cloudflare's WAF and Bot Management first; if it passes, it reaches the origin where DataDome's tag runs. In logs, you will see both cf-ray and datadome cookies in the response headers. The symptoms can look like a single unified block, but the two systems are independent and require separate handling.

OmniScrape's auto mode with enable_solver addresses both layers in sequence: the Web Unlocker pipeline handles Cloudflare's edge challenge first, and browser execution with the solver handles DataDome's tag and any slider challenge on the origin. If you see a Cloudflare interstitial in the response before any DataDome content, the edge layer is blocking before DataDome even runs — see Cloudflare bypass for edge-specific configuration.

When debugging dual-layer blocks, isolate which system is blocking by checking the response headers. A Cloudflare block will have cf-ray and typically a Cloudflare-branded challenge page. A DataDome block will have the datadome cookie and DataDome's slider iframe. Treat them as sequential problems: solve the edge layer first, then address the origin layer.

10.Health metrics for DataDome-protected crawls

Track slider CAPTCHA rate per domain as a primary health signal. A spike in challenge rate almost always indicates IP pool burnout, proxy geo mismatch, or a change in the site's DataDome configuration — not selector rot or a site redesign. Correlate challenge rate with proxy country and session age to isolate the variable that changed.

Log metadata.challenge_solved, metadata.method_used, and the proxy country alongside the success boolean for every request. When an incident occurs, this lets you immediately answer whether the failure is geo-related (all failures from one country), pool-related (failures distributed across countries but correlated with specific proxy exit nodes), or timing-related (failures concentrated at specific hours).

Set up content-level validation in addition to HTTP status monitoring. A response with status 200 and data.content containing DataDome's block page HTML is a failed scrape that your HTTP status monitor will not catch. Assert that a known CSS selector from the target content is present in data.content, and alert on assertion failure rate rather than HTTP error rate alone.

Frequently asked questions

Can I bypass DataDome by replaying a datadome cookie from a manual browser session?

No, not reliably. DataDome cookies are cryptographically bound to the session context that earned them — IP address, TLS fingerprint, and behavioral history. Replaying a cookie from a residential Chrome session into a datacenter HTTP client fails within one or two requests because the IP, JA3 signature, and behavioral profile all diverge from what the cookie was issued for. The correct approach is to earn and consume the cookie within the same browser execution environment using OmniScrape's js_rendering mode with a pinned session.

Which proxy country should I use for a .co.uk site?

Start with residential:gb. DataDome's IP reputation layer is trained on the actual geographic distribution of a site's real users, so a UK fashion site with predominantly British shoppers will have a low tolerance for non-UK traffic. If the site serves cross-border EU inventory and you see blocks from residential:gb, test residential:de or residential:fr — but always match the locale shown in a manual browser session first.

Does fast mode ever work on DataDome-protected sites?

Occasionally, on lightly protected paths or static assets that DataDome does not intercept. mode auto tries fast first and escalates to browser execution when needed, so you get the cost benefit of fast on any paths where it works without having to predict which paths those are. Check metadata.method_used per URL to understand where escalation is occurring and whether fast is succeeding on any paths.

Why does the slider CAPTCHA only appear after 50 requests, not on the first one?

DataDome's behavioral model accumulates signal over time. Early requests from a residential IP may look acceptable individually, but the cumulative pattern — identical timing, no scroll events, no mouse movement variation — crosses a confidence threshold that triggers a challenge. If you see challenges appearing progressively earlier in a session over multiple runs, the IP pool is burning out. Rotate to fresh residential IPs, slow down request pacing, and vary device profiles across workers.

Does DataDome protect mobile app APIs as well as web pages?

Yes, frequently. Many mobile apps send DataDome tokens or cookies with every API request, earned during app initialization through a mobile SDK. Scraping the app's REST API directly without replicating that token flow fails the same way web scraping without JavaScript execution fails. If you need mobile app API data, either replicate the full app initialization flow or scrape the equivalent web page using browser execution with a mobile device profile.

What is the difference between DataDome and Cloudflare Bot Management?

Both are bot detection systems, but they operate at different layers and use different primary signals. Cloudflare Bot Management runs at the edge CDN layer and relies heavily on IP reputation, TLS fingerprinting, and JavaScript challenges served before the origin is reached. DataDome runs on the origin and focuses more on behavioral scoring — mouse movement, touch events, timing patterns — collected by its client-side JavaScript tag. Some sites run both in sequence. OmniScrape's auto mode with enable_solver handles both layers, but if you see a Cloudflare interstitial before any DataDome content, address the edge layer first.

How do I validate that I received real product content and not a DataDome block page?

Do not rely on HTTP status codes alone. A DataDome block page can be served with a 200 status. After each request, assert that a CSS selector specific to the target content — product title, price element, inventory count — is present in data.content. If the assertion fails, you received a block page. Track assertion failure rate as your primary scrape health metric, and alert on it independently of HTTP error rate.

Related guides

  • Web Scraping Proxy Guide: Types, Sessions, Geo, and OmniScrape Integration
  • Solve CAPTCHAs While Web Scraping
  • How to Bypass PerimeterX (HUMAN Security) When Web Scraping
  • Web Scraping Without Getting Blocked

Ready to scrape without blocks?

Get your API key in minutes. Test protected URLs from the dashboard — no credit card required to start.

Ready to get started?

Start scraping protected sites today — no credit card required.

OmniScrape

Web scraping infrastructure for developers. One API call to bypass any protection.

All systems operational

Product

  • Web Unlocker
  • Browser-as-a-Service
  • Residential Proxies
  • Pricing

Developers

  • API Reference ↗
  • Quickstart ↗
  • All Guides
  • Use Cases
  • Status

Company

  • About
  • Contact

Legal

  • Privacy Policy
  • Terms of Service
  • Refund Policy
  • Cookie Policy
  • Acceptable Use

Solutions

  • E-commerce Web Scraping: Catalog Intelligence at Production Scale
  • Real Estate Web Scraping: Listings, Comps, and Market Data
  • SERP Web Scraping: Agency Rank Tracking Workflow
  • Job Board Web Scraping: HR Tech Pipeline for Labor Market Intelligence
  • Price Monitoring with Web Scraping: A Practical Developer Guide
  • Lead Generation Web Scraping: Compliant Inbound Enrichment for Sales Teams
  • Market Research Web Scraping: Multi-Geo Data Collection for Research Firms
  • Sentiment Analysis Web Scraping: Build a Production Review Pipeline
  • Logistics Web Scraping: Carrier Rates, Port ETAs, and Sailing Schedules
  • Social Media Web Scraping: Brand Mention Monitoring from Public Pages
  • LLM Training Data Scraping: Building Clean Web Corpora
  • Travel Web Scraping: Hotel Rates, Flight Fares & Parity Monitoring

Web Scraping by Language

  • Web Scraping with Python
  • Web Scraping with Node.js: fetch, Cheerio, and the OmniScrape API
  • Web Scraping with Java: HttpClient, Jsoup, and OmniScrape API
  • Web Scraping with PHP
  • Web Scraping with Go (Golang)
  • Web Scraping with Ruby: Faraday, Nokogiri, Sidekiq & OmniScrape
  • Web Scraping with C#: HttpClient, AngleSharp, and OmniScrape API
  • Web Scraping with Rust
  • Web Scraping with R: httr2, rvest, and the OmniScrape API
  • Web Scraping with C++
  • Web Scraping with Elixir
  • Web Scraping with Perl: Mojo::UserAgent, Mojo::DOM, and OmniScrape

Anti-Bot Bypass

  • How to Bypass Cloudflare When Web Scraping
  • How to Bypass DataDome When Web Scraping
  • How to Bypass Akamai Bot Manager When Web Scraping
  • How to Bypass PerimeterX (HUMAN Security) When Web Scraping
  • Bypassing AWS WAF When Web Scraping: Rate Rules, Bot Control, and Residential Proxies
  • How to Bypass Imperva (Incapsula) When Web Scraping
  • How to Bypass Kasada Bot Protection When Web Scraping
  • How to Bypass F5 BIG-IP Bot Defense When Web Scraping
  • How to Bypass Distil Networks When Web Scraping
  • How to Bypass reCAPTCHA When Web Scraping

Scraping Tools

  • Playwright Web Scraping: Practical Patterns for Protected Sites
  • Puppeteer Web Scraping: Patterns, Anti-Bot Limits, and BaaS Integration
  • Selenium Web Scraping: Practical Patterns for Real-World Projects
  • Scrapy Web Scraping with OmniScrape: Download Middleware, Pipelines, and Scale
  • Beautiful Soup Web Scraping: A Practical Guide
  • cURL Web Scraping: Shell-Native Patterns with OmniScrape
  • HTTPX Web Scraping: Async Python with OmniScrape
  • Cheerio Web Scraping: A Practical Guide

Site-Specific Scrapers

  • Amazon Scraper: Product Data, Buy Box, Reviews, and Multi-Marketplace
  • Google Search Scraper: Extract SERP Rankings and Features
  • Google Maps Scraper: Extract Business Listings and Place Data
  • LinkedIn Scraper: Companies, Jobs, and Public Profiles
  • Walmart Scraper: Prices, Stock, Rollback Deals, and Fulfillment Data
  • eBay Scraper: Extract Listings, Auctions, and Sold Prices
  • Shopify Scraper: Products, Variants, and JSON Endpoints
  • Indeed Scraper: Extract Job Listings, Salaries, and Company Data
  • Zillow Scraper: Extract Listings, Zestimates, and Price History
  • Reddit Scraper: Posts, Comments, and Subreddit Data
  • X (Twitter) Scraper: Tweets, Profiles, and Hashtags
  • Instagram Scraper: Posts, Reels, and Profile Metrics
  • TikTok Scraper: Extract Videos, Hashtags, and Trend Data
  • YouTube Scraper: Extract Video Metadata, Comments, and Channel Stats
  • Booking.com Scraper: Hotel Rates, Room Types, and Availability
  • Airbnb Scraper: Listings, Calendars, and Nightly Rates
  • Crunchbase Scraper: Extract Funding Rounds, Companies, and Investors
  • Yelp Scraper: Extract Business Listings, Ratings, and Reviews
  • Glassdoor Scraper: Employer Ratings, Salaries, and Review Data
  • Trustpilot Scraper: TrustScore, Star Distribution, and Review Monitoring

How We Compare

  • OmniScrape vs ScrapingBee
  • OmniScrape vs ZenRows
  • OmniScrape vs ScraperAPI: A Practical Developer Comparison
  • OmniScrape vs Bright Data: Which Web Scraping Platform Fits Your Team?
  • OmniScrape vs Oxylabs
  • OmniScrape vs Smartproxy
  • OmniScrape vs Crawlbase: API Design, Observability, and Migration Guide
  • OmniScrape vs Apify

Web Scraping Guides

  • Web Scraping Without Getting Blocked
  • Web Scraping Proxy Guide: Types, Sessions, Geo, and OmniScrape Integration
  • Solve CAPTCHAs While Web Scraping
  • Web Scraping vs Web Crawling: Architecture, Patterns, and When to Use Each
  • Headless Browser Scraping: When to Use It and How to Do It Right
  • Web Scraping API: Endpoint, Modes, Output Formats & Integration Patterns
  • Rotating Proxies for Web Scraping: Policies, Session Binding, and Geo Pools
  • Scrape JavaScript-Rendered Pages: SPAs, Hydration, and Hidden APIs

© 2026 OmniScrape. All rights reserved.

PrivacyTermsRefundsAcceptable Use