Google patches 100% precise Cloudflare Turnstile bot check


Bypassing Cloudflare Turnstile captcha is not easy for DIY scrapers. Recently, Cloudflare has been upping its game by releasing innovative bot detection solutions that might feel undefeatable. Most bots are based on Chrome, and one of the best approaches to detect them is to check whether the browser is being automated through the Chrome DevTools Protocol (CDP). No regular Chrome user would have this protocol enabled, while 99% of bots will be using it to automate Chrome. Cloudflare came up with a new way to detect this by exploiting a bug in the Chrome browser, and Google is fixing it.


How Cloudflare Turnstile captcha works

When visiting a site with Cloudflare Bot Management enabled, a new visitor does not get access to the target page immediately. Instead, they are redirected to a browser validation page that checks whether the browser is running on real hardware and whether it is being automated. The test also verifies that the client isn't lying about its environment. For example, the client could be running in a Docker container on a Linux server while presenting itself as a Windows laptop. If everything checks out, the client's browser receives a cookie that allows it to navigate the site without interruptions.

The detection method

The turnstile captcha tells a bot and a human apart at the moment a mouse click is performed on the checkbox, the action that is supposed to signal human behavior.

The clickable checkbox is placed within a small cross-domain iframe. Cross-domain is key here if you are trying to reproduce this. During the mouse click, a MouseEvent object is received in JavaScript with screenX and screenY properties. When a real mouse click is performed, these coordinates are relative to the main frame (that is, true screen coordinates), so the numbers are in the hundreds. But when the click is performed via CDP, the coordinates are relative to the iframe and thus less than 100.

Here is an example code for the test:

page.html:

<iframe src="https://crossdomain.com/iframe.html"></iframe>
<script>
// The parent page receives the click coordinates posted by the cross-domain iframe.
window.addEventListener('message', function (ev) {
	// Only act on the message the iframe sends for the checkbox click.
	if (!ev.data || ev.data.type !== 'bot-check-click') {
		return;
	}
	if (ev.data.screenY > 100) {
		// success: screen-relative coordinates, as a real mouse click reports
	} else {
		// fail: iframe-relative coordinates, as a CDP-generated click reports
	}
});
</script>

iframe.html:

<input id="click-me-box" type="checkbox"/>
<script>
   // Forward the raw screenX/screenY of the click to the parent frame.
   document.getElementById('click-me-box').addEventListener('click', (e) => {
      parent.postMessage({
         type: 'bot-check-click',
         screenX: e.screenX,
         screenY: e.screenY
      }, '*');
   });
</script>
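The check above uses a fixed threshold of 100. As an added example (not Cloudflare's or Web Scraper's code), the parent-frame logic below generalizes it: it computes where the iframe sits in screen space and accepts a click only if the reported screenX/screenY fall inside that rectangle, while coordinates that fall inside the iframe's own [0, width] x [0, height] box are flagged as iframe-relative. The window and iframe geometry is a constructed sample, and the assumption that the window's screenX/screenY plus the outer/inner size difference gives the viewport's screen origin is mine.

```javascript
// Compute the iframe's rectangle in screen coordinates from the window position
// and the iframe's getBoundingClientRect() result (viewport coordinates).
// Assumption: the browser chrome (tabs, address bar) occupies
// outerHeight - innerHeight pixels above the viewport, and
// outerWidth - innerWidth pixels to its left.
function iframeScreenRect(win, rect) {
  const chromeHeight = win.outerHeight - win.innerHeight;
  const chromeWidth = win.outerWidth - win.innerWidth;
  return {
    left: win.screenX + chromeWidth + rect.left,
    top: win.screenY + chromeHeight + rect.top,
    width: rect.width,
    height: rect.height,
  };
}

function inside(x, y, r) {
  return x >= r.left && x <= r.left + r.width &&
         y >= r.top && y <= r.top + r.height;
}

// Classify one 'bot-check-click' message posted by the iframe.
// 'human'     -> coordinates are true screen coordinates inside the iframe's rect
// 'automated' -> coordinates are relative to the iframe's top-left corner (CDP click)
// 'unknown'   -> neither; leave it to other signals
function classifyClick(msg, screenRect) {
  if (!msg || msg.type !== 'bot-check-click') return 'ignored';
  const { screenX: x, screenY: y } = msg;
  if (inside(x, y, screenRect)) return 'human';
  const local = { left: 0, top: 0, width: screenRect.width, height: screenRect.height };
  if (inside(x, y, local)) return 'automated';
  return 'unknown';
}

// Constructed sample geometry: a window at screen (100, 60) with an 80px tall
// browser chrome and a 320x65 iframe at viewport position (440, 310).
const sampleWin = { screenX: 100, screenY: 60, outerWidth: 1280, innerWidth: 1280,
                    outerHeight: 800, innerHeight: 720 };
const sampleRect = { left: 440, top: 310, width: 320, height: 65 };
const sampleScreenRect = iframeScreenRect(sampleWin, sampleRect); // left 540, top 450

// Constructed messages: a real click lands inside the screen rect, a CDP click
// reports coordinates relative to the iframe and so lands near the origin.
const realClick = { type: 'bot-check-click', screenX: 590, screenY: 480 };
const cdpClick = { type: 'bot-check-click', screenX: 50, screenY: 30 };
console.log(classifyClick(realClick, sampleScreenRect), classifyClick(cdpClick, sampleScreenRect));
```

In a real page the parent would call iframeScreenRect(window, iframe.getBoundingClientRect()) inside the message listener, since the window can be moved between page load and the click.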

We built a playground where you can test your bot: the Web Scraper bot check page.

Why are most Cloudflare websites still accessible?

This is an active check that requires user interaction. Only a handful of websites enforce turnstile captcha completion for every visitor. Most websites would lose more than they gain by slowing down access for users.

Which bots does this method detect?

Since the detection method is based on a Chrome bug, only Chrome browser-based bots are affected. We did some tests with the most popular frameworks - puppeteer, playwright, patchright, selenium, nodriver, and, as expected, all of them got detected. Web Scraper Cloud isn’t affected by this detection method. Here are the results:

puppeteer: detected
playwright: detected
patchright: detected
nodriver: detected
selenium: detected
Web Scraper Cloud: not detected

Here is an example code for detection tests:

// Swap the require line to test a different framework.
// const {chromium} = require('playwright');
const {chromium} = require('patchright');

(async () => {
   // A visible, real Chrome channel so the only automation signal is CDP itself.
   let browser = await chromium.launch({channel: 'chrome', headless: false});
   const page = await browser.newPage();
   await page.goto('https://webscraper.io/bot-check');

   // Give the bot check page a moment to load its cross-domain iframe.
   await new Promise(r => setTimeout(r, 1000));

   // Locate the iframe in the main frame's viewport coordinates.
   const iframePosition = await page.evaluate(() => {
      const r = document.querySelector('#test-wrapper-click-me iframe').getBoundingClientRect();
      return {x: r.x, y: r.y};
   });

   // Click 50px inside the iframe through CDP; the page reports whether the
   // click's screenX/screenY came out iframe-relative.
   await page.mouse.click(iframePosition.x + 50, iframePosition.y + 50);

   // Keep the browser open for a minute so the result can be read.
   await page.waitForTimeout(60e3);
   await browser.close();
})();

How to bypass Cloudflare Turnstile CAPTCHA?

Only a handful of sites enforce Cloudflare Turnstile captcha. Your bot might still be getting detected by something else, because a visitor that looks even slightly suspicious is also shown the turnstile captcha. If you visit the site with cleared cookies from your own browser and get the Cloudflare page without a captcha, your bot is being detected by something else. Otherwise, you can simulate the click with external tools or libraries.

Bypass CDP click detection with these tools:

Linux: xdotool, xautomation
Windows: PowerShell, AutoHotkey
Python: pyautogui
Node.js: robotjs

For example, perform a click like this:

xdotool mousemove 500 500 click 1

Google is fixing this

While the Chrome bug has been around since 2023, Cloudflare rolled out the bot check around February 2025. That is when activity on the bug report page picked up. The bug was fixed by a Google employee in September 2025, but the fix hasn't been merged yet.
