Most teams running playwright-extra with the stealth plugin haven't checked the GitHub repo recently. The last meaningful commit landed in March 2023. Three years of Cloudflare updates, Akamai Bot Manager v4, and DataDome's behavioral analysis later — and the plugin most Node.js scrapers rely on is quietly losing the detection war.
If your scraper is getting blocked and you're unsure whether to patch harder or switch tools entirely, this guide gives you a decision framework, benchmarks, and a plain comparison of the four main playwright stealth 2026 approaches: playwright-extra, Camoufox, Patchright, and noDriver.
Choose Before You Read: The Decision Framework
Skip the deep dives if you need an answer fast:
| Your situation | Recommended tool |
|---|---|
| Python stack, simpler sites (no heavy WAF) | playwright-stealth v2.x (Python) |
| Node.js stack, you need maintained stealth | Patchright |
| High-security targets (Cloudflare Enterprise, PerimeterX) | Camoufox |
| Lightweight crawls, no Chromium overhead | noDriver |
| Production scale, 10K+ pages/day, team < 5 engineers | Managed scraper infrastructure |
The rest of this post explains the reasoning behind each row.
The Stealth Patching Landscape in 2026
When Playwright runs in headless mode, it leaks signals. The original playwright-extra stealth plugin addresses this by injecting JavaScript patches before page load: removing navigator.webdriver, spoofing navigator.plugins, faking WebGL renderer strings, and a dozen similar tweaks.
The problem: these are JS-layer patches. Anti-bot systems have moved up the stack. Cloudflare's current detection fires on TLS fingerprint mismatches and HTTP/2 SETTINGS frames — signals that exist before JavaScript runs. No amount of navigator.webdriver = undefined fixes a Chrome/115+ TLS fingerprint coming from a headless binary.
This is why the tool landscape split in two clear directions:
- JS-patch tools (playwright-extra, playwright-stealth): effective against simpler detection, cheap to run
- Browser-patch tools (Patchright, Camoufox): modify the browser binary or its build to remove headless signals at the C++ level — far harder to detect, far more resource-intensive
Understanding this split is the entire framework for choosing a stealth tool. Everything else is implementation detail. If you're still choosing between Playwright and Puppeteer as base frameworks, our Playwright vs Puppeteer comparison for e-commerce scraping covers those tradeoffs first.
playwright-extra (Node.js): Effectively Unmaintained
playwright-extra is a plugin-based wrapper around Playwright for Node.js. The puppeteer-extra-plugin-stealth port provides around 20 JavaScript evasion patches.
Status in 2026: The core package has not had a meaningful update since March 2023. The stealth plugin's patches were written for Chrome 109–112 era detection patterns. Sites running Cloudflare Bot Fight Mode or DataDome's 2024+ behavioral analysis consistently detect it.
What it still handles: Basic bot detection on sites using dated scripts — user-agent checks, navigator.webdriver flags, rudimentary plugin and renderer checks. It works for scraping sites with no active WAF or sites that haven't updated their detection stack.
What it fails against: Cloudflare Turnstile, Cloudflare Bot Fight Mode (2024+), DataDome behavioral analysis, Akamai Bot Manager v4, PerimeterX/HUMAN.
Maintenance status: Community-only. No active lead maintainer has stepped in since the original author archived activity. Open issues accumulate without resolution.
When to use it: Legacy Node.js codebases scraping low-security targets where blocking isn't happening. Don't build new infrastructure around it.
- Detection rate on Cloudflare Enterprise: High (blocked)
- Memory per instance: ~180MB
- Maintenance status: Unmaintained
playwright-stealth (Python): Still Active
The Python equivalent — playwright-stealth — is a separate codebase maintained by a different team. Version 2.0.2 shipped in April 2026, meaning it's actively maintained and tracks current detection patterns more closely than its Node.js counterpart.
If your stack is Python, playwright-stealth v2.x is a valid starting point. It applies equivalent JS patches — navigator.webdriver removal, screen resolution spoofing, language and plugin array normalization — with the maintainer actively updating patch coverage as new detection vectors emerge.
Its ceiling is the same as the Node.js version: JS-layer patches don't stop TLS fingerprinting. But for Python teams hitting mid-tier targets, it remains the simplest path.
- Detection rate on Cloudflare Enterprise: High (blocked)
- Memory per instance: ~180MB
- Maintenance status: Active (v2.0.2, April 2026)
Patchright: Chromium-Level Patching for Node.js
Patchright is a drop-in replacement for Playwright's Node.js API that patches the Chromium binary at build time. Instead of injecting JavaScript before page load, it removes headless detection signals from the browser itself: the HeadlessChrome user-agent string in the binary, the WebDriver capability exposure, and the Runtime.enable CDP leak that Cloudflare's current detection specifically watches for.
Key technical difference from playwright-extra: Patchright's patches happen before the browser process starts, not in the page context. This means:
- No JavaScript injection overhead at page load
- Patches survive
Object.definePropertyguards that can detect JS-injection tricks - TLS fingerprint is closer to a real Chrome session
Detection rate: Patchright consistently passes the standard nowsecure headless detection test used by most Cloudflare implementations. Against Akamai Bot Manager and PerimeterX, results vary by target — behavioral analysis (mouse movement patterns, event timing) still catches it on the highest-security configurations.
Resource profile: ~200MB per instance, similar to standard Chromium. No additional overhead vs normal Playwright.
When to use Patchright: Node.js codebases targeting Cloudflare-protected sites where playwright-extra fails. It's the most practical upgrade path for teams already on Playwright + Node.js who don't want to adopt Firefox or change language ecosystems.
- Detection rate on Cloudflare BotFight/Enterprise: Low (passes most targets)
- Detection rate on Akamai/PerimeterX: Variable
- Memory per instance: ~200MB
- Maintenance status: Active
Camoufox: Maximum Stealth, Maximum Cost
Camoufox takes the most aggressive approach: it forks Firefox's source code and applies stealth patches at the C++ level. Every detection signal that anti-bot systems look for — canvas fingerprinting, WebGL renderer, AudioContext behavior, font metrics, network timing — is controlled at the binary level, not the JavaScript layer.
The benchmark: Camoufox achieves 0% headless detection rate on standard bot detection tests. No other open-source playwright stealth tool matches this result.
The cost: That 0% detection rate comes with real resource overhead:
- Average bypass time: 42.49 seconds (Cloudflare Turnstile + challenge solving)
- Memory per instance: 200MB+ per browser context
- Firefox-only: Target sites that behave differently in Firefox vs Chrome (JS engine quirks, rendering differences) may require additional handling
- Maintenance risk: Camoufox is a Firefox fork maintained by a small team. Keeping pace with Firefox security releases creates a potential lag on newly-discovered detection vectors
When to use Camoufox: High-security targets where detection is genuinely costly — price intelligence on Cloudflare Enterprise-protected retailers, brand monitoring on PerimeterX-guarded marketplace platforms, or any target where a single block means losing a critical data source. European retailers like Zalando, About You, and ASOS UK run enterprise-grade bot protection across their catalog endpoints; Camoufox is the appropriate tool for these targets.
When not to use Camoufox: High-volume crawls. At 42 seconds per solved Cloudflare challenge and 200MB RAM per instance, collecting product data at scale across tens of thousands of SKUs daily requires significant infrastructure investment. The economics rarely support using Camoufox for commodity data collection.
- Detection rate on Cloudflare Enterprise: Very Low (passes)
- Detection rate on PerimeterX/HUMAN: Low (passes)
- Memory per instance: 200MB+
- Average bypass time: 42.49 seconds
- Maintenance status: Active (small team)
noDriver: Lightweight, Limited
noDriver takes the opposite approach from Camoufox: instead of adding more patches, it removes Playwright entirely and drives Chrome directly via the Chrome DevTools Protocol without the automation flags that expose headless status.
By skipping Playwright's WebSocket bridge, noDriver avoids the Runtime.enable CDP call that modern detection systems specifically flag. The result is a significantly lighter process — no Playwright binary overhead, lower memory use — with a baseline level of stealth that passes simple detection.
What it handles well: Basic anti-bot measures, sites that detect the automation flag but don't run behavioral analysis. It's actively maintained and used widely in the Python scraping community.
What it doesn't handle: Behavioral scoring. noDriver does not fake mouse movements, scroll events, or keystroke timing patterns. Against DataDome, Akamai Bot Manager v4, or PerimeterX/HUMAN — all of which score behavioral signals heavily — it gets blocked quickly.
- Detection rate on basic bot detection: Low (passes)
- Detection rate on Akamai/PerimeterX behavioral: High (blocked)
- Memory per instance: ~80–120MB (significantly lighter)
- Maintenance status: Active
Anti-Bot Compatibility Matrix
| Anti-bot system | playwright-extra | playwright-stealth (Py) | Patchright | Camoufox | noDriver |
|---|---|---|---|---|---|
| Cloudflare BotFight (free tier) | ✓ Often passes | ✓ Often passes | ✓ Passes | ✓ Passes | ✓ Passes |
| Cloudflare Enterprise / Turnstile | ✗ Blocked | ✗ Blocked | ✓/✗ Variable | ✓ Passes | ✗ Blocked |
| Akamai Bot Manager v4 | ✗ Blocked | ✗ Blocked | ✓/✗ Variable | ✓ Passes | ✗ Blocked |
| PerimeterX / HUMAN | ✗ Blocked | ✗ Blocked | ✓/✗ Variable | ✓ Passes | ✗ Blocked |
| DataDome | ✗ Blocked | ✓/✗ Variable | ✓/✗ Variable | ✓ Passes | ✗ Blocked |
| Basic bot detection (no WAF) | ✓ Passes | ✓ Passes | ✓ Passes | ✓ Passes | ✓ Passes |
✓/✗ Variable = passes technical fingerprint checks but behavioral analysis may still block depending on the target site's implementation depth.
Where Stealth Infrastructure Breaks Down at Scale
Even Camoufox's 0% detection rate becomes a bottleneck at volume. At 42 seconds per solved Cloudflare challenge and 200MB RAM per instance, running a competitor price tracking pipeline across 50,000 SKUs daily requires either significant infrastructure spend or accepting data gaps from rate-limited and blocked sessions.
This is the point at which maintaining stealth infrastructure stops being a scraping problem and becomes an engineering resource problem. Most teams hit this ceiling within 3–6 months of reaching meaningful production volume. The recurring cost isn't the initial setup — it's the weekly maintenance cycle as anti-bot systems update their detection signatures and each tool requires patches to keep up.
The alternative is treating stealth, proxy rotation, and challenge solving as infrastructure rather than application code. This is what the anti-bot arms race ultimately forces on teams that want reliable data without a dedicated scraping engineering function.
ScrapeWise handles this infrastructure layer as a managed service — fingerprint rotation, residential proxy pools, challenge solving — so engineering cycles go toward building on top of the data rather than maintaining the collection layer underneath it.
The Playwright Stealth Decision in 2026
The playwright stealth landscape is not "install this plugin and you're done." It's a spectrum from lightweight JS patches (playwright-extra, noDriver) to binary-level browser forks (Camoufox), with meaningfully different cost and detection tradeoffs at each level.
The honest summary:
- playwright-extra (Node.js): Use only if you're locked into legacy infrastructure and your targets haven't upgraded their WAF. Don't build new systems on it.
- playwright-stealth (Python): Solid maintained option for Python teams on mid-tier targets without enterprise-grade anti-bot.
- Patchright: The practical upgrade for Node.js teams hitting Cloudflare, without adopting Firefox or changing language stacks.
- Camoufox: Best-in-class detection avoidance for the hardest targets, expensive at volume — right tool for high-value, low-frequency scraping.
- noDriver: Lightest memory footprint, appropriate only for targets with basic or no active WAF.
For teams who need reliable data at scale without the maintenance overhead, start free on ScrapeWise.