https://github.com/CloakHQ/CloakBrowser
CloakBrowser: The Stealth Chromium That Actually Beats Bot Detection What if you could run browser automation that websites literally cannot tell apart from a real human? That's the promise of CloakBrowser, and judging by the test scores, it delivers. CloakBrowser is a free, open-source project by CloakHQ that takes a fundamentally different approach to browser stealth. While tools like playwright-stealth, undetected-chromedriver, and puppeteer-extra try to hide automation by injecting JavaScript or flipping Chrome flags at runtime, CloakBrowser goes much deeper — it patches the Chromium source code itself, at the C++ level, before compilation. The result is a binary that anti-bot systems score as a normal browser. Because, technically, it is one. What Makes It Special Source-Level Patching (the Real Differentiator) This is the headline feature. CloakBrowser applies 49 patches directly to Chromium's C++ source covering canvas fingerprinting, WebGL renderer strings, audio fingerprinting, font enumeration, GPU vendor/renderer reporting, WebRTC, screen properties, hardware concurrency, WebGPU adapter info, CDP (Chrome DevTools Protocol) input signals, and more. The crucial difference: these modifications are compiled into the binary. They aren't injected at runtime via JavaScript, and they aren't set via command-line flags that detection systems can inspect. When a website like FingerprintJS probes the browser, the returned values look legitimate because they originate from compiled code — identical in structure to what a real Chrome installation would return, just with modified values. This also means the patches survive Chromium version upgrades. JavaScript-injection approaches break constantly because Google changes internal APIs; CloakBrowser's maintainers rebase their patches onto new Chromium releases instead.
The Test Scores Speak
| Detection Test | Stock Playwright | CloakBrowser |
| -------------------------------------- | ----------------------- | ------------------------- |
| reCAPTCHA v3 | 0.1 (bot) | 0.9 (human) |
| Cloudflare Turnstile (non-interactive) | FAIL | PASS |
| Cloudflare Turnstile (managed) | FAIL | PASS |
| ShieldSquare | BLOCKED | PASS |
| FingerprintJS | DETECTED | PASS |
| BrowserScan | DETECTED | NORMAL (4/4) |
| navigator.webdriver | true | false |
| window.chrome | undefined | object |
| CDP detection | Detected | Not detected |
| TLS fingerprint (JA3/JA4/Akamai) | Mismatch | Identical to Chrome |
Behavioral detection sites like deviceandbrowserinfo.com pass 24/24 human signals when this is enabled. It's the layer that covers what fingerprint patches can't: how the browser interacts. Persistent Profiles launch_persistent_context() maintains cookies, localStorage, IndexedDB, service workers, and cached fonts across sessions. This bypasses incognito detection (some sites flag empty, ephemeral profiles) and lets you stay logged in across runs. Browser Profile Manager A companion Docker image (cloakhq/cloakbrowser-manager) provides a web GUI for creating and managing isolated browser profiles — each with unique fingerprints, proxies, and persistent sessions. It's positioned as a free, self-hosted alternative to commercial anti-detect browsers like Multilogin ($29–199/month), GoLogin ($24–199/month), and AdsPower. You access profiles through noVNC in your browser. Auto-Updating Binary On first run, CloakBrowser downloads a pre-built stealth Chromium binary (~200MB, SHA-256 verified). It checks for updates in the background, so you always run the latest patched build without manual intervention. ─── What's Better • Actually works against Cloudflare Turnstile and reCAPTCHA v3. Most free tools fail here. This is the bar that matters for real-world scraping. • Zero cost, zero usage limits. MIT licensed. No subscriptions, no API keys, no usage caps. • No new SDK to learn. If you know Playwright or Puppeteer, you already know CloakBrowser. • Chromium updates don't break it. Patches are rebased, not injected. • Two-layer stealth. C++ patches handle static fingerprinting; the stealth driver eliminates CDP automation leaks. Most tools only address one. • Cross-platform. Linux (x64/ARM64), macOS (Intel/Apple Silicon), Windows (x64). Plus Docker. • Python + JavaScript + Docker. Covers the three main automation ecosystems. • Active development. 1.5K+ GitHub stars, regular releases, responsive maintainers. • Privacy-respecting. Data stays on your machine — unlike commercial alternatives that route your traffic through their cloud. ─── What's Worse / What's Missing • 200MB binary download. Stock Playwright's Chromium is also heavy, but the auto-download adds friction on first setup and consumes disk space. • Chromium only. No Firefox or WebKit support. Camoufox (Firefox-based, also C++-patched) is the alternative if you need Gecko. • No built-in proxy rotation. You bring your own proxies. The project recently added a ProxyRotator PR, but it's not core functionality yet. • Doesn't solve CAPTCHAs — only prevents them. If a CAPTCHA does appear (rare edge cases, aggressive rate limiting), you need a separate solving service. • Relatively young. 44 open issues on GitHub, smaller community than established tools. Edge cases still being discovered. • Headless mode less tested. The most impressive test results are in headed mode. Headless detection is a harder problem and the gap is narrower. • Auto-updating may be a liability. In air-gapped or strictly version-controlled environments, background update checks can be unwanted. This is configurable but worth noting. • Not battle-tested at enterprise scale. Commercial tools like Multilogin have years of production use behind them. CloakBrowser's long-term reliability across thousands of concurrent sessions is unproven. • One remaining detection signal. bot.incolumitas.com still flags 1/14 tests (the WEBDRIVER spec check). It's 13→1 improvement, not perfection. • GeoIP dependency optional but recommended. Without geoip=True, timezone/locale won't match your proxy, which is a detection vector. Requires pip install cloakbrowser[geoip]. ─── The Bottom Line
CloakBrowser is the most technically sound approach to browser automation stealth I've seen in the open-source space. Patching at the source level is the right architecture — everything else is playing whack-a-mole with detection scripts that evolve faster than JavaScript injections can keep up.
For anyone doing web scraping, automated testing behind Cloudflare, or running AI browser agents against protected sites, this is currently the best free tool available. The 0.9 reCAPTCHA score and Turnstile pass rate put it in the same league as $200/month commercial products. The tradeoffs are real — it's Chromium-only, you manage your own proxies, and the project is still maturing. But for the price (free), those are reasonable compromises.