DataDome Bot Protection: What Developers Need to Know

DataDome is a real-time bot protection platform that specializes in detecting and blocking automated traffic on e-commerce, media, and classified listing sites. Unlike CAPTCHA-first systems that rely primarily on puzzle challenges, DataDome uses a multi-layered detection engine that combines device fingerprinting, behavioral analysis, and machine learning to classify every request in real time. CAPTCHAs appear only as a secondary enforcement mechanism when the detection engine is uncertain about a visitor’s classification.

This guide covers how DataDome’s detection works, what developers encounter when interacting with DataDome-protected sites, and how to solve its challenge pages programmatically. For the broader picture of how DataDome fits alongside other anti-bot platforms, see our pillar guide on understanding anti-bot systems.

How DataDome Detection Works

DataDome processes every HTTP request through its detection engine and returns a classification decision in under 2 milliseconds. The engine evaluates multiple signal categories simultaneously.

JavaScript Sensor and Device Fingerprinting

DataDome deploys a JavaScript sensor (commonly loaded from js.datadome.co) that collects extensive client-side data:

• Browser fingerprint — Canvas hash, WebGL renderer, installed fonts, screen properties, timezone, language, and navigator properties.
• API behavior — How the browser responds to specific JavaScript API calls. DataDome tests for inconsistencies between claimed browser identity and actual API behavior.
• Automation markers — Presence of navigator.webdriver, Selenium-specific properties, Puppeteer hooks, and other automation framework artifacts.
• Plugin and extension data — Information about installed browser plugins and their behavior.

This fingerprint data is sent to DataDome’s servers as an encoded payload, where it is compared against known patterns of real browsers, headless browsers, and bot frameworks.

Behavioral Analysis

Beyond the static fingerprint, DataDome monitors dynamic behavior:

• Request patterns — Rate of requests, timing regularity, and URL access patterns. Bots that crawl pages in predictable sequences or at machine-regular intervals are flagged.
• Session behavior — Navigation patterns, referrer consistency, and whether the visitor interacts with the page like a human (scrolling, mousing, clicking) or simply fetches resources.
• Header analysis — The order and presence of HTTP headers, Accept-Language values, and encoding preferences. Different HTTP clients produce characteristic header patterns.

Machine Learning Classification

DataDome feeds all collected signals into machine learning models that classify each request as human, bot, or uncertain. The models are trained on traffic patterns from across DataDome’s customer base, giving them broad exposure to bot techniques and tool signatures.

The DataDome Cookie

A critical component of DataDome’s system is the datadome cookie. This cookie is set on the first visit and updated with each subsequent request. It serves as a session identifier and carries encoded information about the visitor’s classification status.

If the datadome cookie is missing, invalid, or expired, the request is treated as a new session and evaluated from scratch. Maintaining this cookie across requests is essential for any interaction with DataDome-protected sites.

DataDome Challenge Pages

When DataDome’s detection engine classifies a request as suspicious but not definitively a bot, it responds with an interstitial challenge page instead of the requested content. There are several types:

Slider CAPTCHA

The most common DataDome challenge is a slider CAPTCHA. The visitor sees a page with DataDome branding and must complete a slider interaction to prove they are human. This slider is distinct from GeeTest’s slider — it is DataDome’s own implementation integrated with its fingerprinting system.

Block Pages

If DataDome is confident the visitor is a bot, it serves a hard block page with no CAPTCHA. This page typically displays a message like “Access denied” or “Automated requests are not permitted.” There is no solving mechanism for block pages — the session must be restarted with different parameters.

Geo-Block Pages

Some DataDome configurations restrict access by geography. Requests from certain regions may receive block pages regardless of other signals.

Identifying DataDome on a Site

Several indicators reveal that a site uses DataDome:

• JavaScript source — Look for scripts loaded from js.datadome.co or api.datadome.co.
• Cookie — Check for a datadome cookie in your browser or request headers.
• Challenge page — DataDome’s interstitial pages carry distinctive branding and reference datadome in their HTML source and URL parameters.
• Response headers — DataDome-protected sites may include x-datadome or similar headers in responses.

Solving DataDome Challenges via API

When DataDome serves a slider CAPTCHA challenge, you can solve it using the DataDomeSliderTask task type. The solver interacts with the challenge page and returns a valid datadome cookie that you can use to continue your session.

Required Parameters

Parameter	Type	Required	Description
type	string	Yes	DataDomeSliderTask
websiteURL	string	Yes	The original URL you were trying to access
captchaUrl	string	Yes	The full URL of the DataDome challenge page
userAgent	string	Yes	The User-Agent string your client is using
proxyType	string	Yes	http, https, or socks5
proxyAddress	string	Yes	Proxy hostname or IP
proxyPort	integer	Yes	Proxy port number
proxyLogin	string	No	Proxy username
proxyPassword	string	No	Proxy password

DataDome challenges require a proxy because the solution (the datadome cookie) is tied to the IP address. The solver must use the same proxy that your scraper uses so that the resulting cookie is valid for your subsequent requests.

Python Example

import requests
import time

API_KEY = "YOUR_UCAPTCHA_API_KEY"
BASE_URL = "https://api.ucaptcha.net"

# When DataDome blocks your request, capture the challenge URL
# The challenge URL is the URL you were redirected to
CHALLENGE_URL = "https://geo.captcha-delivery.com/captcha/?initialCid=..."
TARGET_URL = "https://www.example.com/products"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

# Step 1: Create the DataDome task
task_response = requests.post(f"{BASE_URL}/createTask", json={
    "clientKey": API_KEY,
    "task": {
        "type": "DataDomeSliderTask",
        "websiteURL": TARGET_URL,
        "captchaUrl": CHALLENGE_URL,
        "userAgent": USER_AGENT,
        "proxyType": "http",
        "proxyAddress": "proxy.example.com",
        "proxyPort": 8080,
        "proxyLogin": "user",
        "proxyPassword": "pass"
    }
}).json()

if task_response.get("errorId") != 0:
    raise Exception(f"Task creation failed: {task_response.get('errorDescription')}")

task_id = task_response["taskId"]
print(f"Task created: {task_id}")

# Step 2: Poll for the result
while True:
    time.sleep(5)
    result = requests.post(f"{BASE_URL}/getTaskResult", json={
        "clientKey": API_KEY,
        "taskId": task_id
    }).json()

    if result["status"] == "ready":
        datadome_cookie = result["solution"]["cookie"]
        print(f"Solved! Cookie: {datadome_cookie[:60]}...")
        break
    elif result["status"] == "processing":
        print("Solving...")
    else:
        raise Exception(f"Error: {result.get('errorDescription')}")

# Step 3: Use the cookie in your subsequent requests
session = requests.Session()
session.headers.update({"User-Agent": USER_AGENT})
session.cookies.set("datadome", datadome_cookie, domain=".example.com")

response = session.get(TARGET_URL, proxies={
    "http": "http://user:pass@proxy.example.com:8080",
    "https": "http://user:pass@proxy.example.com:8080"
})
print(f"Status: {response.status_code}")

JavaScript Example

const API_KEY = "YOUR_UCAPTCHA_API_KEY";
const BASE_URL = "https://api.ucaptcha.net";

async function solveDataDome(targetURL, challengeURL, userAgent, proxy) {
  const createRes = await fetch(`${BASE_URL}/createTask`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      clientKey: API_KEY,
      task: {
        type: "DataDomeSliderTask",
        websiteURL: targetURL,
        captchaUrl: challengeURL,
        userAgent,
        proxyType: proxy.type,
        proxyAddress: proxy.address,
        proxyPort: proxy.port,
        proxyLogin: proxy.login,
        proxyPassword: proxy.password,
      },
    }),
  });

  const { taskId, errorId, errorDescription } = await createRes.json();
  if (errorId !== 0) throw new Error(errorDescription);

  while (true) {
    await new Promise((r) => setTimeout(r, 5000));

    const resultRes = await fetch(`${BASE_URL}/getTaskResult`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ clientKey: API_KEY, taskId }),
    });

    const data = await resultRes.json();

    if (data.status === "ready") return data.solution.cookie;
    if (data.status !== "processing") throw new Error(data.errorDescription);
  }
}

Working with the DataDome Cookie

The datadome cookie returned by the solver is a session token that tells DataDome your client has been verified. To use it effectively:

Use the same User-Agent. The cookie is tied to the fingerprint that was presented during the challenge. Changing your User-Agent after solving will invalidate the cookie.

Use the same proxy. The cookie is associated with the IP address used during the solve. Requests from a different IP with the same cookie will be flagged.

Set the cookie on the correct domain. DataDome cookies are typically scoped to the target site’s domain. Set it on the root domain (e.g., .example.com) so it is sent with all requests to that site.

Monitor cookie expiration. DataDome cookies have a limited lifetime. If your requests start getting challenged again, the cookie has likely expired and you need to solve a new challenge.

Maintain the cookie across requests. Use a session or cookie jar that persists the datadome cookie between requests. DataDome updates the cookie value with each response, so always use the latest value.

Tips for DataDome-Protected Sites

Do not ignore the JavaScript sensor. If you are using a headless browser, let the DataDome JavaScript load and execute normally. Blocking it or failing to execute it properly will result in immediate detection.

Avoid regular request patterns. DataDome’s behavioral analysis is particularly sensitive to machine-like regularity. Randomize your request timing, vary the pages you access, and avoid predictable crawl patterns.

Handle redirects carefully. When DataDome challenges a request, it redirects to a captcha-delivery.com URL. Capture this full URL including all query parameters — they contain session information needed for the solve.

Check for soft blocks. DataDome sometimes serves modified content instead of a hard block. If the page content seems truncated, missing data, or different from what a browser shows, you may be receiving a soft-blocked response.

Conclusion

DataDome is a sophisticated bot protection platform that goes well beyond simple CAPTCHA challenges. Its real-time classification engine, JavaScript sensor, and behavioral analysis create a multi-layered defense that requires careful handling at every level — from request headers and IP selection to cookie management and behavioral patterns.

When DataDome does present a slider CAPTCHA challenge, uCaptcha solves it through the DataDomeSliderTask task type at api.ucaptcha.net. The solver handles the challenge interaction through your proxy and returns a valid datadome cookie for your session. Combined with proper session management and realistic request patterns, this provides a reliable path through DataDome’s defenses.