cloudscraper
Node.js library to bypass Cloudflare's anti-DDoS page.
If the page you want to access is protected by Cloudflare, it returns a special page that expects the client to support JavaScript in order to solve a challenge.
This small library encapsulates the logic that extracts the challenge, solves it, submits the answer and returns the body of the requested page.
You can use cloudscraper even if you are not sure whether Cloudflare protection is turned on.
In general, Cloudflare has 4 types of common anti-bot pages:
If you notice that for some reason cloudscraper stops working, do not hesitate to get in touch with me (by creating an issue here, for example), so I can update it.
npm install cloudscraper
Saving the request module as a dependency is compulsory.
# Pin the request version
npm install --save request
Support for Brotli encoded responses is enabled by default when using Node.js v10 or later. If you wish to enable support for older Node.js versions, you may install brotli. It is recommended but not required.
Cloudscraper uses request-promise by default since v3. You can find the migration guide here.
var cloudscraper = require('cloudscraper');
cloudscraper.get('https://website.com/').then(console.log, console.error);
or for POST action:
var options = {
  uri: 'https://website.com/',
  formData: { field1: 'value', field2: 2 }
};
cloudscraper.post(options).then(console.log).catch(console.error);
Examples live in the docs directory of the GitHub repo and can be found here.
A generic request can be made with cloudscraper(options). The options object should follow request's options. Not everything is supported, however; for example, HTTP methods other than GET and POST are not. If you wanted to request an image as binary data, you could use the encoding option:
var options = {
  method: 'GET',
  url: 'http://website.com/',
  // request's encoding option: null returns the body as a Buffer (binary data)
  encoding: null
};
cloudscraper(options).then(console.log);
Cloudscraper allows you to specify your own requester, one of either request or request-promise.
Cloudscraper wraps the requester and accepts the same options, so using cloudscraper is pretty much like using those two libraries.
cloudscraper.get(options, callback)
cloudscraper.post(options, callback)
cloudscraper(uri)
cloudscraper(options)
.then(function (htmlString) {
})
.catch(function (err) {
});
Please refer to the requester's documentation for further instructions.
Cloudscraper can also identify and automatically bypass Sucuri WAF. No actions are required.
Cloudscraper may help you with the reCAPTCHA page. Take a look at this example and an example using promises.
Cloudflare may send a reCAPTCHA depending on the negotiated TLS cipher suite and extensions. Reducing the default cipher suite to only ciphers supported by Cloudflare may mitigate the problem: https://developers.cloudflare.com/ssl/ssl-tls/cipher-suites/
Only specifying the Cloudflare preferred TLSv1.2 cipher is also an option:
var cloudscraper = require('cloudscraper').defaults({
agentOptions: {
ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256'
}
})
More information on TLS issues can be found here.
cloudscraper.defaults is a very convenient way of extending the cloudscraper requests with any of your settings.
var cloudscraper = require('cloudscraper').defaults({ 'proxy': 'http://localproxy.com' });
// Overriding headers to remove them or using uncommon headers will cause reCAPTCHA responses
var headers = { /* ... */ };
var cloudscraper = require('cloudscraper').defaults({ headers: headers });
cloudscraper(options).then(console.log);
Cloudscraper exposes the following options that are required by default but might be changed. Please note that the default values eliminate the chance of getting sent a CAPTCHA.
var cloudscraper = require('cloudscraper');
var requestModule = require('request'); // provides jar() for the cookie jar below
var options = {
  uri: 'https://website',
  jar: requestModule.jar(), // Custom cookie jar
  headers: {
    // User agent, Cache Control and Accept headers are required
    // User agent is populated by a random UA.
    'User-Agent': 'Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36',
    'Cache-Control': 'private',
    'Accept': 'application/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5'
  },
  // Cloudscraper automatically parses out timeout required by Cloudflare.
  // Override cloudflareTimeout to adjust it.
  cloudflareTimeout: 5000,
  // Reduce Cloudflare's timeout to cloudflareMaxTimeout if it is excessive
  cloudflareMaxTimeout: 30000,
  // followAllRedirects - follow non-GET HTTP 3xx responses as redirects
  followAllRedirects: true,
  // Support at most this many challenges in a row. If CF returns more, throw an error
  challengesToSolve: 3,
  // Remove Cloudflare's email protection, replace encoded emails with decoded versions
  decodeEmails: false,
  // Support gzip encoded responses (Should be enabled unless using custom headers)
  gzip: true,
  // Removes a few problematic TLSv1.0 ciphers to avoid CAPTCHA
  // (`ciphers` stands for the cipher list string; its value is not shown on this page)
  agentOptions: { ciphers }
};
cloudscraper(options).then(console.log);
You can access the default configuration with cloudscraper.defaultParams
The Cloudscraper error object inherits from Error and has the following fields:
name - RequestError/CaptchaError/CloudflareError/ParserError
options - The request options
cause - An alias for error
response - The request response
errorType - Custom error code
Where errorType can be one of the following:
0 - the request to the page failed for some native reason such as a bad URL, an HTTP connection problem or similar. error in this case will be the error event.
1 - Cloudflare returned a CAPTCHA. Nothing to do here. Bad luck.
2 - Cloudflare returned a page with some inner error. error will be a Number within this range: 1012, 1011, 1002, 1000, 1004, 1010, 1006, 1007, 1008. See more here.
3 - this error is returned when the library failed to parse and solve the JS challenge. error will be a String with some details. Warning: most likely it means that Cloudflare has changed its JS challenge.
4 - CF went into a loop and started to return challenge after challenge. If the number of solved challenges is greater than 3 and another challenge is returned, an error is thrown.
Errors are descriptive. You can find a list of all known errors here.
Do not always rely on error.cause to be an error; it can be a string.
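The error fields described above can be handled without assuming the type of cause. The following is an added example, not code from the cloudscraper project: describeError and makeError are hypothetical helpers, the sample errors are constructed, and the retry policy is this example's own assumption.

```javascript
// Labels for the errorType codes listed in the README text above.
const ERROR_TYPES = {
  0: 'request failed (bad URL, connection problem, ...)',
  1: 'Cloudflare returned a CAPTCHA',
  2: 'Cloudflare returned a page with an inner error',
  3: 'library failed to parse/solve the JS challenge',
  4: 'challenge loop: too many challenges in a row'
};

// Hypothetical helper (not part of cloudscraper's API): turns an error with
// the documented fields into a flat record that is safe to log.
function describeError(err) {
  if (!(err instanceof Error) || typeof err.errorType !== 'number') {
    return { kind: 'unknown', name: null, retryable: false, detail: String(err) };
  }
  // cause may be an Error (type 0), a Number (type 2) or a String (type 3).
  const cause = err.cause;
  let detail;
  if (cause instanceof Error) detail = cause.message;
  else if (typeof cause === 'number') detail = 'Cloudflare error code ' + cause;
  else detail = String(cause);
  return {
    kind: ERROR_TYPES[err.errorType] || 'unrecognised errorType ' + err.errorType,
    name: err.name,
    // Assumption of this example: only transport failures merit a plain retry.
    retryable: err.errorType === 0,
    detail: detail
  };
}

// Constructed sample errors carrying the documented fields.
function makeError(name, errorType, cause) {
  const e = new Error(String(cause));
  e.name = name;
  e.errorType = errorType;
  e.cause = cause;
  return e;
}

const samples = [
  makeError('RequestError', 0, new Error('ECONNRESET')),
  makeError('CloudflareError', 2, 1006),
  makeError('ParserError', 3, 'challenge form not found')
];

samples.forEach(function (e) { console.log(describeError(e)); });
```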
Clone this repo, do npm install and then just npm test
Let me know by opening an issue in this repo, and I will update the library ASAP. Please provide the URL and body of the page where cloudscraper failed.
The current Cloudflare implementation requires the browser to respect a timeout of 5 seconds, and cloudscraper mimics this behaviour. So every time you call cloudscraper.get/post you should expect it to return a result after a minimum of 6 seconds. If you want to change this behaviour, you need to make a generic request as described above and pass the cloudflareTimeout option with your value. But be aware that Cloudflare might track this timeout and use it against you ;)
followAllRedirects param
In the beginning cloudscraper was a port of the Python module cloudflare-scrape. Thank you Anorov for the inspiration.
4.6.0 (12/02/2020)
FAQs
Bypasses cloudflare's anti-ddos page
The npm package cloudscraper receives a total of 38,122 weekly downloads. As such, cloudscraper popularity was classified as popular.
We found that cloudscraper demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.