Playwright Stealth Mode in 2026: The 7 Patches That Actually Matter
Published: (April 3, 2026 at 12:52 AM EDT)
5 min read
Source: Dev.to
Source: Dev.to
The original playwright‑stealth npm package hasn’t been updated in over a year.
If you use it unchanged, many of the most important detections remain unpatched.
Below are the 7 browser‑fingerprint patches that matter in 2026, together with working code that you can inject via page.addInitScript().
1. navigator.webdriver → undefined
await page.addInitScript(() => {
Object.defineProperty(navigator, 'webdriver', {
get: () => undefined, // note: undefined, not false
configurable: true
});
});2. navigator.plugins & navigator.mimeTypes
await page.addInitScript(() => {
const plugins = [
{
name: 'PDF Viewer',
description: 'Portable Document Format',
filename: 'internal-pdf-viewer'
},
{
name: 'Chrome PDF Viewer',
description: '',
filename: 'internal-pdf-viewer'
},
{
name: 'Chromium PDF Viewer',
description: '',
filename: 'internal-pdf-viewer'
},
{
name: 'Microsoft Edge PDF Viewer',
description: '',
filename: 'internal-pdf-viewer'
},
{
name: 'WebKit built-in PDF',
description: '',
filename: 'internal-pdf-viewer'
}
];
Object.defineProperty(navigator, 'plugins', {
get: () =>
Object.assign(plugins, {
item: i => plugins[i],
namedItem: n => plugins.find(p => p.name === n),
refresh: () => {}
}),
configurable: true
});
Object.defineProperty(navigator, 'mimeTypes', {
get: () => ({
length: 2,
item: i => null,
namedItem: n => null
}),
configurable: true
});
});3. window.chrome (including loadTimes & csi)
await page.addInitScript(() => {
if (!window.chrome) window.chrome = {};
window.chrome.app = {
isInstalled: false,
InstallState: {
DISABLED: 'disabled',
INSTALLED: 'installed',
NOT_INSTALLED: 'not_installed'
},
RunningState: {
CANNOT_RUN: 'cannot_run',
READY_TO_RUN: 'ready_to_run',
RUNNING: 'running'
}
};
window.chrome.runtime = {
OnInstalledReason: {
CHROME_UPDATE: 'chrome_update',
INSTALL: 'install',
SHARED_MODULE_UPDATE: 'shared_module_update',
UPDATE: 'update'
},
OnRestartRequiredReason: {
APP_UPDATE: 'app_update',
OS_UPDATE: 'os_update',
PERIODIC: 'periodic'
},
PlatformArch: {
ARM: 'arm',
ARM64: 'arm64',
MIPS: 'mips',
MIPS64: 'mips64',
X86_32: 'x86-32',
X86_64: 'x86-64'
},
PlatformOs: {
ANDROID: 'android',
CROS: 'cros',
LINUX: 'linux',
MAC: 'mac',
OPENBSD: 'openbsd',
WIN: 'win'
},
RequestUpdateCheckStatus: {
NO_UPDATE: 'no_update',
THROTTLED: 'throttled',
UPDATE_AVAILABLE: 'update_available'
},
id: undefined,
connect: () => {},
sendMessage: () => {}
};
// Required: loadTimes and csi (missing from most stealth libraries)
window.chrome.loadTimes = function () {
return {
requestTime: Date.now() / 1000,
startLoadTime: Date.now() / 1000,
commitLoadTime: Date.now() / 1000,
finishDocumentLoadTime: 0,
finishLoadTime: 0,
firstPaintTime: 0,
firstPaintAfterLoadTime: 0,
navigationType: 'Other',
wasFetchedViaSpdy: false,
wasNpnNegotiated: false,
npnNegotiatedProtocol: 'unknown',
wasAlternateProtocolAvailable: false,
connectionInfo: 'http/1.1'
};
};
window.chrome.csi = function () {
return {
startE: Date.now(),
onloadT: Date.now(),
pageT: 3000 + Math.random() * 1000,
tran: 15
};
};
});4. navigator.permissions (notifications)
await page.addInitScript(() => {
const originalQuery = navigator.permissions.query.bind(navigator.permissions);
navigator.permissions.query = parameters =>
parameters.name === 'notifications'
? Promise.resolve({ state: Notification.permission })
: originalQuery(parameters);
});5. WebGL fingerprint (vendor & renderer)
await page.addInitScript(() => {
const getParameter = WebGLRenderingContext.prototype.getParameter;
WebGLRenderingContext.prototype.getParameter = function (parameter) {
// 37445 → UNMASKED_VENDOR_WEBGL
// 37446 → UNMASKED_RENDERER_WEBGL
if (parameter === 37445) return 'Intel Inc.'; // replace with your target GPU vendor
if (parameter === 37446) return 'Intel Iris OpenGL Engine'; // replace with your target GPU renderer
return getParameter.call(this, parameter);
};
});Tip: Replace the GPU strings with values that match your target audience (e.g., NVIDIA for power users, Intel for typical laptops).
6. navigator.language & navigator.languages
await page.addInitScript(() => {
Object.defineProperty(navigator, 'language', {
get: () => 'en-US' // adjust to your proxy location
});
Object.defineProperty(navigator, 'languages', {
get: () => ['en-US', 'en'] // adjust as needed
});
});7. Iframe‑based detection (patched webdriver inside nested frames)
await page.addInitScript(() => {
const origCreateElement = document.createElement.bind(document);
document.createElement = function (...args) {
const element = origCreateElement(...args);
if (args[0].toLowerCase() === 'iframe') {
const origContentWindow = Object.getOwnPropertyDescriptor(
HTMLIFrameElement.prototype,
'contentWindow'
).get;
Object.defineProperty(element, 'contentWindow', {
get: function () {
const win = origContentWindow.call(this);
if (win) {
Object.defineProperty(win.navigator, 'webdriver', {
get: () => undefined,
configurable: true
});
}
return win;
},
configurable: true
});
}
return element;
};
});Helper: Apply All Patches in One Call
async function applyStealthPatches(page) {
// Patch 1 – webdriver
await page.addInitScript(() => {
Object.defineProperty(navigator, 'webdriver', {
get: () => undefined,
configurable: true
});
});
// Patch 2 – plugins & mimeTypes
await page.addInitScript(/* code from section 2 */);
// Patch 3 – window.chrome (including loadTimes & csi)
await page.addInitScript(/* code from section 3 */);
// Patch 4 – permissions (notifications)
await page.addInitScript(/* code from section 4 */);
// Patch 5 – WebGL vendor/renderer
await page.addInitScript(/* code from section 5 */);
// Patch 6 – language & languages
await page.addInitScript(/* code from section 6 */);
// Patch 7 – iframe detection
await page.addInitScript(/* code from section 7 */);
}You can inline the snippets directly or keep them in separate helper files for readability.
Example Usage
import { chromium } from 'playwright';
const browser = await chromium.launch({ headless: true });
const context = await browser.newContext({
userAgent:
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36',
viewport: { width: 1920, height: 1080 }
});
const page = await context.newPage();
await applyStealthPatches(page);
// Now navigate to the target site
await page.goto('https://example.com');These patches cover the most common failure modes observed in 2026 (WebGL, permissions, window.chrome, HTTP/2 JA3 leaks, iframe detection, etc.). Adjust the values (GPU strings, language, user‑agent, etc.) to match the profile of the proxy or device you are emulating.
TL;DR
Even with perfect browser patching, the TLS fingerprint at the network level still exposes Node.js/Playwright (e.g., against Kasada).
Options
- Playwright + residential proxies + CAPTCHA services – Approx. $3‑$8 per 1 K requests
- Pre‑built cloud actors that handle the whole stack for you
Ready‑made Solutions
Apify Scrapers Bundle – $29
Includes actors pre‑configured with stealth settings for the most common scraping targets (LinkedIn, Amazon, Google Maps, Twitter), saving you the debugging cycle.n8n AI Automation Pack – $39
Provides 5 production‑ready workflows.
Need help?
Which anti‑bot system are you trying to work around? Drop a comment with the domain — I’ll tell you whether patches are enough or if you need a different approach.
Related Tools
facebook-public-scraperthreads-profile-scraper