👾 Tetstack👾
I will just mess around until it's enough or use a template.
Sorry for zoning out (again). I had to rewrite the API structure fully, as there is a change in what the full app will be.
With the features that were gonna be implemented being there, it will have automated penetration testing, which might take time, and also a full audit of your website and how it performs.
Forgot to add .gitignore and added the whole venv
At last
Anyone know how to bypass WAF-based protection? I'ma stay on this for a while.
Well fuck me ... The project needs way more work than I thought. Standard tools like Puppeteer get clapped instantly because sites check under the hood for automation flags. I'ma be deep in the actual browser source code changing things from the root.

Here is the plan for the five layers I need to fix:

JS and DOM stuff: Standard scripts try to hide flags using basic JS injection, but sites catch that by checking prototype chains. I have to change the actual C++ files so navigator.webdriver looks clean from the start. Also need to fill up the plugins and mimeTypes arrays with real data so they aren't empty, and sync the languages array with the system clock so it doesn't look sus.

Headless mode flags: Running without a UI changes how the browser starts up. Things like window.chrome don't even load right in headless. I'm rewriting how frames are made to force them to load normally, and keeping the User-Agent and client hints completely matching.

Graphics and hardware: Virtual servers are an instant ban. If a site checks WebGL and sees a software renderer like SwiftShader or Mesa instead of a real GPU, you're done. I'm changing those queries to report real graphics cards and fixing how canvas renders text and pixels so it matches a normal 1080p desktop baseline.

Input and prototype checks: If you change a native function, calling .toString() on it leaks the wrapper. I'm patching the engine to keep the native formatting clean so checks don't flag it, and making sure permission states respond like a normal browser.

Network stack: This is the hardest part. TLS fingerprinting (JA3/JA4) and HTTP/2 settings frames give you away instantly. I have to tweak the crypto settings, cipher suites, and stream window sizes to match standard browser releases perfectly.

I am not sure how I will handle all the custom compilation runs yet. Well, I'ma fuck around. "The more you fuck around, the more you find out."
Yeap, fuck me for real
Sooo no more sleep for me
Well unfuck me cuz ... Change of plans on the browser source code rewrite grind.
Straight up, trying to manually rebuild five layers of a browser engine to spoof WebGL, clean up prototype chains, and trick JA4 fingerprints is a massive, endless rabbit hole. It’s a total brain melt, and honestly, even if I spent months custom-compiling a franken-browser, a single edge update from Cloudflare would probably still clap it instantly.
So, I’m shifting gears. We are working smarter, not harder.
Instead of fighting the WAF like a random intruder and wasting weeks on custom compilation runs that might look sus anyway, I’m implementing a clean, institutional-grade architecture. We’re going the fully authorized route, exactly how platforms like HackerOne or Burp Suite handle it.
Here is the new move:
The backend will support direct Cloudflare API Token Integration. Users will provide a token to prove they fully own the domain, our app validates it natively with Cloudflare's infrastructure, and then we can programmatically whitelist our scanner's IP to pull the data directly without getting blocked. No spoofing required, completely ironclad, and zero WAF drama.
This lets us stop fighting engine internals 24/7 and actually focus on building out the core scanning logic and vulnerability features for the engine.
Guess I fucked around and found out that building an enterprise-style auth flow is way more alpha than fighting a losing war against edge firewalls. Updates soon.
POV: How I feel trying to debug logic on the BackEnd API core engine, while having the EUEE (MATRIK) in 20 days or less. (I haven't started studying till now.)