How to Bypass Akamai: The 3 Best Methods

Is your scraper hitting a "Pardon Our Interruption" screen or a 403 Forbidden error? You're likely being flagged by the Akamai Bot Manager. Unlike basic firewalls, Akamai uses an AI-powered detection engine that analyzes your TLS handshake and behavioral telemetry before you even send a data request.

If you're tired of burning through proxies and seeing your pipelines crash, you need a targeted strategy. We've looked deep into Akamai's defenses and in this guide, we'll break down the three proven methods to bypass Akamai:

1. The API edge: Using a managed infrastructure like ZenRows to handle the five layers of detection automatically.
2. The Fortified Headless Browser: Modifying Selenium, Puppeteer, or Playwright to fix bot leaks.
3. The Deep Technical Dive: Reverse-engineering Akamai's sensor data to manually mask your automation fingerprint.

Key Takeaways

• Akamai blocks scrapers across five simultaneous layers: IP reputation, TLS fingerprinting, JavaScript challenges, behavior analysis, and session monitoring.
• Fixing only one detection layer won't get you through.
• The viable Akamai bypass approaches differ significantly in scale, reliability, and maintenance cost.
• Fortified headless browsers like SeleniumBase work for one-off jobs and aren't production-safe at scale.
• JavaScript deobfuscation gives you full visibility into what Akamai's sensor data actually measures. It's useful if you're building custom tooling or need to understand why your scraper is being fingerprinted.
• If you keep getting blocked and need data now, a web scraping infrastructure like ZenRows handles all five detection layers in a single API call with zero self-maintenance.

What Is Akamai Bot Manager?

Akamai Bot Manager is an advanced web security measure that analyzes website traffic to detect, classify, and manage bot and non-bot requests. It maintains a directory of known bot fingerprints, enabling it to differentiate between legitimate and malicious traffic in real time using an AI-powered detection framework that learns bot-like patterns over time.

While analyzing incoming traffic, Akamai returns a trust score based on learned behavioral patterns, HTTP request characteristics, and other historical data. Akamai-protected websites typically use this score to determine how to handle incoming requests. Unfortunately, this configuration often blocks web scrapers, especially if their behavior mimics that of malicious bots.

How to Check if a Site is Behind Akamai

An Akamai 403 forbidden error often accompanies an Akamai block page. Depending on the website, this block page sometimes includes a CAPTCHA challenge, typically from reCAPTCHA. Messages such as "Access Denied" and "You don't have permission" are also common.

Another common but often overlooked sign of Akamai protection is getting an error 429 ("too many requests"), even when you've sent only one request. Akamai sometimes also mimics a site downtime ERR_HTTP2_PROTOCOL_ERROR, making you think the target site is unavailable. These issues often occur when accessing an Akamai-protected site using browser automation tools such as Selenium, Playwright, or Puppeteer.

Here's an example of what an Akamai block page looks like:

So, how does Akamai know you're a bot?

How Does Akamai WAF Detect Bots?

Akamai's web application firewall (WAF) employs various bot-detection techniques, making it more challenging to bypass. Understanding these detection methods will help you handle the anti-bot efficiently during web scraping.

So, before implementing the Akamai bypass methods, let's explain how it detects your web scraper.

1. IP Reputation

One of Akamai's detection methods is detecting suspicious IP addresses. If your IP has been banned in the past due to rate-limiting violations from multiple scraping activities or geo-blocking, Akamai can detect and block you easily.

The bot manager also maintains a negative trust score for certain IP types, particularly shared and datacenter IPs, as regular users don't typically use those. Residential proxies are the recommended proxy types for web scraping, as they belong to actual network users.

When you send a request to an Akamai-protected site, the bot manager scans your IP against a database of disallowed and trusted IP addresses to determine whether your traffic is genuine. If your request appears unnatural, it blocks you immediately, preventing you from accessing the target site.

2. TLS Fingerprinting

TLS (Transport Layer Security) fingerprinting is one of the advanced methods Akamai uses to detect secure client-server connections. When a client (like a browser or a scraper) connects to a web server, the communication starts with a TLS handshake.

During this handshake, the client and server exchange information, such as the cipher suite (the encryption methods), TLS version, and extensions. Each client sends a unique set of information during the handshake, forming a profiling method called a JA3 fingerprint. Akamai compares this fingerprint to a database of known, trusted ones and often blocks requests that don't match.

Even though most web scraping tools can create secure TLS connections, other issues like incorrect HTTP headers, outdated TLS versions, or unnatural browsing behavior can still cause the bot manager to flag a request. One way to avoid detection via TLS fingerprinting is to use headless browsers, such as Playwright or Puppeteer, which can spoof a real browser's TLS signatures.

3. JavaScript Challenge and Execution

When a client visits a website protected by Akamai, the system may prompt it to run a client-side JavaScript in the background within a specified time frame. This script is usually a crypto challenge, which puts what Akamai calls a "burden of proof" on bots, leaving humans out.

The result of the script helps determine whether the client is legitimate. Akamai may block the request or trigger a CAPTCHA if the script is executed incorrectly or returns a suspicious result.

Regular HTTP clients, such as Python's Requests and JavaScript's Axios, typically fail this challenge because they can't execute JavaScript. Even browser automation tools like Puppeteer and Playwright often get detected because their fingerprints are incomplete and unrealistic enough to meet the demands of solving the challenge correctly.

4. Behavior Analysis

To differentiate between bots and humans, Akamai also analyzes user behavioral patterns, such as navigation, clicking, hovering, scrolling, typing, mouse movement, and more.

The anti-bot can detect if a request is from an automated script if it spots a consistent interaction pattern, such as scrolling the same height repeatedly and rapidly within a short time or clicking the same element multiple times in a row.

Unlike bots, human interactions are typically dynamic and unpredictable, making it easy for Akamai to distinguish bots from real users. For example, users can visit products directly from time to time. But if they never go to a category or search page, it might trigger an alert.

You can limit the effect of this detection technique by varying your scraper's interaction with the target website or by limiting the number of requests with retry mechanisms.

That said, Akamai uses other detection mechanisms, such as session monitoring (to track session cookies), honeypots, browser fingerprinting, direct HTTP request header analysis, and more. However, the ones discussed above are the most important.

In the next sections, you'll understand the three techniques to bypass Akamai Bot Manager.

Which Akamai Bypass Method Is Right for Your Use Case?

If you're short on time and want to decide quickly, use the following table to pick your method and jump straight to the implementation. Each method is covered in full detail below if you need to dig deeper.

Next, let's see how each method works in detail and how to implement it.

Method 1 (Best): Use a Web Scraping API for Akamai Bypass

The easiest way to avoid Akamai's security measures while web scraping is to use a web scraping API, such as the ZenRows Universal Scraper API. ZenRows is a top-scraping solution that provides all the essential toolkits to bypass sophisticated anti-bots, such as Akamai, at scale with zero infrastructure overhead.

ZenRows handles all the complexities of evading Akamai blocks with minimal effort and zero self-maintenance. With ZenRows' Adaptive Stealth Mode, your scraper gets the optimal configuration required for the highest success at the lowest possible cost. This way, you can focus on data fine-tuning and analysis rather than wasting time and resources guessing configurations and fixing bugs and broken pipelines.

ZenRows also integrates seamlessly with AI-powered workflow tools like Clay, Lindy, Make, n8n, and more. This enables you to streamline complex scraping operations and quickly build scalable automation pipelines with minimal or zero coding experience. With its headless browsing features, ZenRows enables you to execute human interactions and scrape dynamic websites easily.

ZenRows' implementation is straightforward. It only requires sending a single API call with your chosen programming language. Let's see how it works by scraping the full-page HTML of Similarweb, an Akamai-protected website.

Sign up for free and open the ZenRows Playground. Paste the target URL in the link box, and activate Adaptive Stealth Mode.

Select your programming language (Python, in this case) and choose the API connection mode. Then, copy and paste the generated code into your scraper file.

Here's what the generated Python code looks like:

# pip install requests
import requests

url = "https://www.similarweb.com/"
apikey = "<YOUR_ZENROWS_API_KEY>"
params = {
    "url": url,
    "apikey": apikey,
    "mode": "auto",
}
response = requests.get("https://api.zenrows.com/v1/", params=params)
print(response.text)

The code above outputs the protected site's full-page HTML, as shown:

<html lang="en">
    <head>
        <!-- ... -->
         <title>
            Similarweb Digital Intelligence: Unlock Your Digital Growth
        </title>
        <!-- ... -->
    </head>

    <body>
        <!-- ... -->
    </body>
</html>

That was super-easy 🎉! Using a few code lines, you just scraped an Akamai-protected website with the ZenRows scraper API.

While this technique remains the best ready-made solution, there are other methods if you want to do it yourself.

Method 2: Use a Fortified Headless Browser

Browser automation libraries like Puppeteer, Playwright, and Selenium let you perform user interactions, execute JavaScript, and run the browser in headless and GUI modes.

Unfortunately, these standard browser automation tools can't bypass Akamai bot detection because they expose bot-like signals, such as the HeadlessChrome flag in headless mode. They also present browser fingerprinting issues like the presence of an automated WebDriver, missing plugins, and more.

The good news is that you can fortify them with evasion tweaks to increase the chances of bypassing Akamai's anti-bot detection. That's where fortified headless browsers come in.

Fortified headless browsers patch bot-like properties such as the browser runtime and other automation flags, allowing you to run the browser instance like a regular browser.

Common fortified headless browsers like include:

• Puppeteer Stealth: A stealth plugin with anti-bot evasions for Puppeteer.
• Playwright Stealth: To bypass anti-bots in Playwright.
• SeleniumBase and Undetected ChromeDriver (UC): To bypass Akamai with Selenium.

Featured

What Is a Stealth Browser and Which One Should You Use for Web Scraping?

Learn how a stealth browser works. Compare options based on benchmarked reliability, and discover which stealth browser is best for your web scraping setup.

That said, SeleniumBase is more adequately patched and has a higher success rate than Puppeteer Stealth and Playwright Stealth.

Let's use SeleniumBase with Undetected ChromeDriver in Python to bypass the previous target website (similarweb).

First, install SeleniumBase using pip:

pip3 install seleniumbase

The following code uses SeleniumBase with UC to run the browser in headless mode. It then visits the protected website and takes a screenshot:

# pip3 install seleniumbase
from seleniumbase import Driver

# initialize driver with UC mode enabled
driver = Driver(uc=True, headless=True)

# set target URL
url = "https://www.similarweb.com/website/facebook.com/"

# open URL using UC mode with 4 second reconnect time to bypass initial detection
driver.uc_open_with_reconnect(url, reconnect_time=4)

# screenshot the page
page_html = driver.save_screenshot("similarweb.png")
print(page_html)

# close the browser and end the session
driver.quit()

The above code returns a screenshot of the protected page, indicating that SeleniumBase bypassed Akamai:

Awesome! You bypassed Akamai with SeleniumBase.

Want to learn about bypassing Akamai with the other headless browsers? Check out our tutorial on bypassing Akamai with Playwright.

However, open-source stealth tools like SeleniumBase and Undetected ChromeDriver aren't suitable for large-scale scraping. They rely on browser instances, which results in huge memory overhead.

Since they're open-source, they also struggle to keep up with the evolving complexity of anti-bots like Akamai. Additionally, they introduce memory overhead from heavy browser instances. So, they don't guarantee sustained success and are unreliable at scale.

Method 3: JavaScript Deobfuscation (Advanced)

"Most developers see a 20,000-line obfuscated script and walk away. But deobfuscation isn't just about curiosity; it's about seeing exactly which 'bot signals' Akamai is looking for this week. It turns a guessing game into a precise engineering task."---Jonathan Nebot, Senior Scraping Browser Engineer at ZenRows.

As seen in the image below, the Akamai script triggers a POST request with a considerable payload. Understanding this payload is crucial to bypassing Akamai Bot Detection. However, it won't be easy.

As we can see in the image below, the Akamai script triggers a POST request with a considerable payload. This payload is obfuscated, and understanding it is crucial to bypass Akamai Bot Detection. However, it won't be easy.

You can download the obfuscated script here. To see it live, visit KICKZ and look for the file on DevTools. You won't understand a thing, don't worry; that's the idea of obfuscation!

First, run the above script on a JavaScript Deobfuscator to convert the weird characters into strings. Then, we need to replace the references to the initial array with those strings.

To complicate things, the Akamai script doesn't declare variables or object keys with a straight name. It uses indirection: referencing an array with the corresponding index.

We haven't found an online tool that nails the replacement process. But you can do the following:

1. Cut the _acxj variable from the generated code.
2. Create a file and place that variable inside it.
3. Then, add the rest of the code to another variable.
4. Replace (not perfect) all references to the array; see the code below.
5. Review since some of them will fail.

var _acxj = ['csh', 'RealPlayer Version Plugin', 'then' /* ... */];
const code = `var _cf = _cf || [], ...`;
const result = code
    .replace(/\[_acxj\[(\d+)\]\]/g, (_, i) => `.${_acxj[i]}`)
    .replace(/_acxj\[(\d+)\]/g, (_, i) => JSON.stringify(_acxj[i]));

The code requires some manual adjustments, as the approach above is clumsy. A proper replacement would need more details and exceptions.

We've done that to save you time. Download our final version to see how it looks. The original file changes frequently, and the result might be different now. But it'll help you understand what data and ID Akamai sends and how it sends it to the server.

Akamai's Sensor Data

See the data sent for processing below. Take the items highlighted in red as examples. We can guess where the first two come from: user agent and screen size. The third one looks like a JSON object, but we can't know what it represents just by its keys. But let's find out!

The first key, cpen, is present in the obfuscated script. A quick look at the deobfuscated file will tell us so. Here's the line that references it:

var t = [],
    a = window.callPhantom ? 1 : 0;
t.push(',cpen:' + a);

What does it mean? The script checks if callPhantom exists. A quick search on Google tells us that it's a feature that PhantomJS introduced to communicate with browser contexts. So, sending cpen:1 is probably an alert for Akamai because no legitimate browser implements that function.

You'll see that Akamai keeps sending browser data even in the next lines of the payload. window.opera, for example, should never be true if the browser isn't Opera. Similarly, mozInnerScreenY only exists on Firefox browsers. Do you see a pattern? No single data point is a deal breaker (well, maybe the PhantomJS one), but they reveal a lot when analyzed together!

The function called bd generates all these data points. If we look for its usage, we arrive at a line with many concatenated variables, as shown:

n + "," + o + "," + m + "," + r + "," + c + "," + i + "," + b + "," + bmak.bd().

Believe it or not, but o is the screen's available height.

How can we know that? Go to the definition of the variable. Control + click or similar on an IDE will take you there.

The definition itself tells us nothing useful: o = -1. But look at a few lines below:

try {
    o = window.screen ? window.screen.availHeight : -1;
} catch (t) {
    o = -1;
}

There you have it! You followed what browser/sensor data Akamai sends and how it sends it for backend processing.

We won't cover all the items, but you get the idea. Apply the same process for any data point you're interested in.

However, the most crucial question is: why do this? 🤔

To bypass Akamai's defenses, you must understand how it works by checking what data it uses for detection. With that knowledge, you can find ways to access an Akamai-protected page without blocks.

Mask Your Sensor Data

If all your machines send similar data during web scraping, Akamai might fingerprint them, allowing it to detect and group them. Using the same browser vendor, screen size, processing times, and browser data for all machines reveals a pattern.

You can avoid this pattern by improving the evasions of Puppeteer Stealth. Take a look at the Puppeteer Stealth evasions for inspiration!

There are no evasions for availHeight, so we'll switch to hardwareConcurrency for simplicity.

Let's say all your production machines share the same specs, hardware, software, etc. Their concurrency would be the same, for example, hardwareConcurrency: 4.

The hardwareConcurrency is only a fraction of the available evasions. But remember that Akamai Bot Manager processes hundreds of data points. You can make your scraper harder to detect by tweaking some of these evasions.

For example, the code below spoofs different hardware concurrency values for different machines:

// somewhere in your config.
// there should be a helper function called `sample`.
const options = { hardwareConcurrency: sample([4, 6, 8, 16]) };


// the evasion itself.
// proxy navigator.hardwareConcurrency getter and return a custom value.
utils.replaceGetterWithProxy(
    Object.getPrototypeOf(navigator),
    'hardwareConcurrency',
    utils.makeHandler().getterValue(options.hardwareConcurrency)
);

In this case, the proxy is an intermediary for the hardwareConcurrency function on the object navigator. When called, instead of returning the original, it'll replace it with the one we set in the options. It can be, for example, a random number from a list of typical values.

What do we get with this approach? Akamai would see different random values for hardwareConcurrency. It's hard to see a pattern if we do it for several parameters.

Isn't this a complicated process for Akamai to run on each visit? The good part for everyone is that Akamai does it only once and sets cookies to avoid running all the processes again.

Cookies to Avoid Continuous Challenges

Why is setting cookies good for you? Once you obtain the cookies, you can use them for Akamai WAF bypass when making subsequent HTTP requests!

For security reasons, we suggest using the same IP to simulate an actual user session.

The standard cookies used by Akamai are _abck, ak_bmsc, bm_sv, and bm_mi. It's not easy to find what these mean. Thanks to cookie policies, some sites list and explain them.

Note that ak_bmsc is HTTP-only. That means that you can't access its content from JavaScript. You'll need to check the response headers on the sensor data call. You can check the headers or call document.cookie on the browser for the others.

That cookie content is critical! The sensor call will allow your first request and generate that cookie for your session. Once obtained, send it every time to avoid new checks.

Conclusion

Akamai breaks the data pipeline by blocking access to your data source. In this article, you've learned three ways to bypass Akamai and scrape without getting blocked. Although Akamai employs several detection mechanisms, you can avoid them using a scraper API or manual approaches, including fortified headless browsers and JavaScript deobfuscation.

However, the manual methods are complex and often unreliable at scale. The easiest solution for Akamai bypass is to use the ZenRows Scraper API, which provides an all-in-one toolkit for scraping any website without limitations.

Try ZenRows for free now or speak with sales!