Camoufox Stealth Browser 🦊

C++ level anti-bot evasion using Camoufox — a custom Firefox fork with stealth patches compiled into the browser itself, not bolted on via JavaScript.

Why Camoufox > Chrome-based Solutions

Camoufox patches Firefox at the source code level — WebGL, Canvas, AudioContext fingerprints are genuinely spoofed, not masked by JavaScript overrides that anti-bot systems can detect.

Key Advantages

1. 1. C++ Level Stealth — Fingerprint spoofing compiled into the browser, not JS hacks
2. Container Isolation — Runs in distrobox, keeping your host system clean
3. Dual-Tool Approach — Camoufox for browsers, curl_cffi for API-only (no browser overhead)
4. Firefox-Based — Less fingerprinted than Chrome (everyone uses Chrome for bots)

When to Use

• - Standard Playwright/Selenium gets blocked
• Site shows Cloudflare challenge or "checking your browser"
• Need to scrape Airbnb, Yelp, or similar protected sites
• INLINECODE0 or undetected-chromedriver stopped working
• You need actual stealth, not JS band-aids

Tool Selection

Quick Start

All scripts run in pybox distrobox for isolation.

⚠️ Use python3.14 explicitly - pybox may have multiple Python versions with different packages installed.

1. Setup (First Time)

CODEBLOCK0

2. Fetch a Protected Page

Browser (Camoufox):
CODEBLOCK1

API only (curl_cffi):
CODEBLOCK2

Architecture

CODEBLOCK3

Tool Details

Camoufox

• - What: Custom Firefox build with C++ level stealth patches
• Pros: Best fingerprint evasion, passes Turnstile automatically
• Cons: ~700MB download, Firefox-based
• Best for: All protected sites - Cloudflare, Datadome, Yelp, Airbnb

curl_cffi

• - What: Python HTTP client with browser TLS fingerprint spoofing
• Pros: No browser overhead, very fast
• Cons: No JS execution, API endpoints only
• Best for: Known API endpoints, mobile app reverse engineering

Critical: Proxy Requirements

Datacenter IPs (AWS, DigitalOcean) = INSTANT BLOCK on Airbnb/Yelp

You MUST use residential or mobile proxies:

CODEBLOCK4

See references/proxy-setup.md for proxy configuration.

Behavioral Tips

Sites like Airbnb/Yelp use behavioral analysis. To avoid detection:

1. 1. Warm up: Don't hit target URL directly. Visit homepage first, scroll, click around.
2. Mouse movements: Inject random mouse movements (Camoufox handles this).
3. Timing: Add random delays (2-5s between actions), not fixed intervals.
4. Session stickiness: Use same proxy IP for 10-30 min sessions, don't rotate every request.

Headless Mode Warning

⚠️ Old --headless flag is DETECTED. Options:

1. 1. New Headless: Use headless="new" (Chrome 109+)
2. Xvfb: Run headed browser in virtual display
3. Headed: Just run headed if you can (most reliable)

CODEBLOCK5

Troubleshooting

Python Version Issues (NixOS/pybox)

The pybox container may have multiple Python versions with separate site-packages:

CODEBLOCK6

If you get segfaults or import errors, always use python3.14 explicitly.

Examples

Scrape Airbnb Listing

CODEBLOCK7

Scrape Yelp Business

CODEBLOCK8

API Scraping with TLS Spoofing

CODEBLOCK9

Session Management

Persistent sessions allow reusing authenticated state across runs without re-logging in.

Quick Start

CODEBLOCK10

Flags

Storage

• - Location: INLINECODE24
• Permissions: Directory 700, files INLINECODE26
• Profile names: Letters, numbers, _, - only (1-63 chars)

Cookie Handling

• - Save: All cookies from all domains stored in browser profile
• Restore: Only cookies matching target URL domain are used
• SSO: If redirected to Google/auth domain, re-authenticate once and profile updates

Login Wall Detection

The script detects session expiry using multiple signals:

1. 1. HTTP status: 401, 403
2. URL patterns: /login, /signin, INLINECODE31
3. Title patterns: "login", "sign in", etc.
4. Content keywords: "captcha", "verify", "authenticate"
5. Form detection: Password input fields

If detected during --headless mode, you'll see:
CODEBLOCK11

Re-run with --login to refresh the session.

Remote Login (SSH)

Since --login requires a visible browser, you need display forwarding:

X11 Forwarding (Preferred):
CODEBLOCK12

VNC Alternative:
CODEBLOCK13

Security Notes

⚠️ Cookies are credentials. Treat profile directories like passwords:

• - Profile dirs have chmod 700 (owner only)
• Cookie exports have INLINECODE36
• Don't share profiles or exported cookies over insecure channels
• Consider encrypting backups

Limitations

References

• - references/proxy-setup.md — Proxy configuration guide
• references/fingerprint-checks.md — What anti-bot systems check