Web scraping, the process of automatically extracting data from websites, has endless applications – from price monitoring to lead generation to building datasets for machine learning. But for anyone who‘s tried their hand at scraping, one thing becomes apparent very quickly: most websites don‘t want to be scraped.
Getting your scrapers blocked or your IP addresses banned is an incredibly common problem. Websites employ numerous techniques to detect and deter automated access. As a result, extracting data at any meaningful scale requires some finesse.
In this guide, we‘ll dive deep into all the tips, tricks, and tools you need to scrape websites successfully without getting blocked. Whether you‘re a seasoned pro or a complete beginner, read on to learn how to keep your web scrapers stealthy and resilient in 2023.
Think Like a Human, Scrape Like a Human
The core principle for avoiding blocking is simple: make your scraper indistinguishable from organic human users. Websites want to serve content to real people, not bots – so the more you can make your scraper behave like a human, the better.
The first step is to use tools that actual humans use – namely, web browsers. While bare-bones HTTP clients like cURL are simple to use, modern websites can easily recognize them as artificial. Instead, you‘ll want to equip your scraper with a fully fledged browser environment.
Headless Browsers – The Scraper‘s Secret Weapon
Headless browsers are exactly what they sound like – web browsers without any graphical user interface. They can load pages, execute JavaScript, and render dynamic content just like normal browsers. For scraping, they provide an ideal middle ground – you get the sophistication of a real browser combined with the programmability of a script.
The most popular headless browser for scraping is Headless Chrome – a headless version of Google Chrome. It can be controlled programmatically using libraries like Puppeteer (Node.js) and Selenium (Python). Other browsers like Firefox offer headless modes as well.
Using a headless browser is usually as simple as launching a browser instance, instructing it to navigate to a URL, and then extracting data from the page. For dynamic sites that load content via JavaScript, you can wait for specific elements to appear before scraping.
Code snippet illustrating basic usage of Headless Chrome with Puppeteer:
const puppeteer = require(‘puppeteer‘);
(async () => {
const browser = await puppeteer.launch();
const page = await browser.newPage();
await page.goto(‘https://www.example.com‘);
// Wait for an element to appear
await page.waitForSelector(‘#data‘);
// Extract text from the element
const data = await page.evaluate(() => {
return document.querySelector(‘#data‘).textContent;
});
console.log(data);
await browser.close();
})();While headless browsers go a long way in emulating human users, they aren‘t a complete solution by themselves. Websites have grown wise to the use of headless browsers for scraping and employ additional techniques to ferret them out. Let‘s look at some of these methods and how to combat them.
Avoiding Detection through Browser Fingerprinting
Browser fingerprinting is a technique whereby websites examine various attributes of a user‘s browser environment to construct a unique "fingerprint". Everything from the user agent string to the installed fonts to the screen resolution contributes to this fingerprint.
Websites can check if a visitor‘s fingerprint matches known values associated with particular headless browsers, and subsequently block them. For example, headless Chrome has certain quirks and limitations that cause its fingerprint to diverge from regular Chrome.
To avoid detection, you need to make your headless browser‘s fingerprint mirror that of an organic user as closely as possible. Some key steps:
- Configure a realistic user agent string and resolution
- Install common fonts and plugins
- Inject realistic mouse movements and clicks
- Emulate mobile devices when appropriate
There are tools and libraries that can help automate the configuration of human-like fingerprints, such as puppeteer-extra and user-agents. However, fingerprinting techniques are constantly evolving, so some manual tweaking is often necessary.
Code snippet demonstrating setting a random user agent in Puppeteer:
const puppeteer = require(‘puppeteer‘);
const userAgent = require(‘user-agents‘);
(async () => {
const browser = await puppeteer.launch();
const page = await browser.newPage();
const agent = userAgent.random().toString();
await page.setUserAgent(agent);
await page.goto(‘https://www.example.com‘);
// ...
await browser.close();
})();Proxies and IP Rotation – Covering Your Tracks
Even if your scraper perfectly mimics human behavior, making a large number of requests from the same IP address is a huge red flag. Websites track and rate limit individual IP addresses to curtail excessive access.
The solution is to distribute your scraping requests across a wide pool of IP addresses using proxy servers. By routing requests through proxies, you can control what IP address the target website sees. With each request coming from a different IP, your scraping is much harder to detect and block.
There are many different types of proxies, but in general you‘ll want to choose a rotating proxy service that automatically assigns a new IP address to each request. Proxies can be sourced from data centers or from residential internet connections for greater authenticity.
Using proxies is simple – just prepend your requests with the proxy server‘s hostname and port, or configure your headless browser to tunnel traffic through a proxy.
Code snippet illustrating the use of proxies with Python‘s requests library:
import requests
proxies = {
‘http‘: ‘http://user:[email protected]:3128‘,
‘https‘: ‘http://user:[email protected]:1080‘,
}
response = requests.get(‘https://www.example.com‘, proxies=proxies)
print(response.text)While proxies are an essential tool, they aren‘t infallible. The IP addresses of known proxy services are often blocklisted, so it‘s important to use reputable providers and potentially fall back to residential proxies if needed.
Realistic Request Patterns – Slow and Steady
Rapid-fire requests are a dead giveaway of automated scraping. No human browses a website at a constant rate of several pages per second. To avoid drawing suspicion, you need to intentionally slow down your scrapers and introduce variability into your request patterns.
At the most basic level, you can insert pauses between requests using a timer. A randomized delay of a few seconds to a minute between requests is a good baseline. For more advanced rate limiting, you can implement adaptive throttling that adjusts based on signs of rate limiting from the target site.
It‘s also important to randomize the order and frequency of your requests. Rather than churning through URLs sequentially, select them randomly. Throw in occasional repeat requests to the same page. Vary parameters and query strings.
The goal is to create a request pattern that would plausibly be generated by a human casually browsing the site. The more organic your request stream looks, the less likely it is to be flagged as scraping.
Here‘s an example of how to insert random delays between requests in Python:
import requests
import random
import time
urls = [
‘https://www.example.com/page1‘,
‘https://www.example.com/page2‘,
‘https://www.example.com/page3‘,
]
for url in urls:
response = requests.get(url)
print(response.text)
time.sleep(random.uniform(1, 5)) # Random delay between 1-5 secondsCAPTCHAs – The Bane of Scrapers
CAPTCHAs, those ubiquitous challenge-response tests involving garbled text or image grids, are designed to be simple for humans but exceedingly difficult for bots. Many sites employ CAPTCHAs to gate access to content behind a test of "humanity."
Solving CAPTCHAs is one of the more complex aspects of scraping. While some types of CAPTCHAs can be solved through machine vision techniques like optical character recognition (OCR), the most secure variants are extremely resistant to automated solving.
There are a few approaches to tackling CAPTCHAs in scrapers:
Use a CAPTCHA-solving service like 2Captcha or DeathByCaptcha. These services maintain API endpoints that you can submit CAPTCHAs to; human workers then solve the CAPTCHAs and return the solution.
Train your own machine learning models for CAPTCHA solving. With enough training data, convolutional neural networks can achieve decent accuracy on certain types of CAPTCHAs. However, this approach requires significant investment.
Outsource CAPTCHA solving to your own human workers through a system like Amazon Mechanical Turk.
In some cases, you may be able to reuse CAPTCHA solutions across sessions or bypass CAPTCHAs entirely by reverse-engineering the application‘s API endpoints (more on this in the next section).
Regardless of approach, you‘ll want to architect your scraper to gracefully handle CAPTCHAs. Detect when a CAPTCHA is encountered, pause the crawl, solve the CAPTCHA, and then resume.
Here‘s an example of how you might integrate CAPTCHA solving into a Puppeteer-based scraper:
const puppeteer = require(‘puppeteer‘);
(async () => {
const browser = await puppeteer.launch();
const page = await browser.newPage();
await page.goto(‘https://www.example.com‘);
// Check if there‘s a CAPTCHA on the page
const captchaElement = await page.$(‘.g-recaptcha‘);
if (captchaElement) {
console.log(‘CAPTCHA detected!‘);
// Extract the CAPTCHA challenge data
const sitekey = await page.$eval(‘.g-recaptcha‘, el => el.getAttribute(‘data-sitekey‘));
// Here you would submit the CAPTCHA to a solving service
// and retrieve the solution token
const token = await solveCaptcha(sitekey, page.url());
// Inject the solution token back into the page
await page.evaluate((token) => {
document.getElementById(‘g-recaptcha-response‘).innerHTML = token;
}, token);
// Submit the CAPTCHA form
await page.click(‘.submit-captcha‘);
}
// ...
await browser.close();
})();The API Backdoor – Skipping the Frontend
Many modern web applications are powered by APIs – webhooks that transmit raw data in formats like JSON or XML. Web pages make AJAX requests to these APIs to fetch content, which is then rendered in the browser.
For scrapers, APIs represent a tantalizing backdoor – a way to access data directly, without needing to navigate and parse web pages. By reverse-engineering an application‘s API, you can often extract the same data as traditional scraping, but with greater efficiency and fewer roadblocks.
To uncover an API, use your browser‘s developer tools to monitor network requests while interacting with a page. Look for XHR (XMLHttpRequest) or Fetch requests that return structured data. Examine the request URLs, methods, headers, and bodies to understand how the API works.
Once you‘ve mapped out the API endpoints and parameters, you can replicate those requests from your scraper. This usually involves crafting HTTP requests that mimic the headers and payloads sent by the browser.
Here‘s an example of making an API request using Python‘s requests library, based on a reverse-engineered endpoint:
import requests
headers = {
‘User-Agent‘: ‘MyApp/1.0‘,
‘Authorization‘: ‘Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9‘,
‘Content-Type‘: ‘application/json‘,
}
payload = {
‘query‘: ‘scraping‘,
‘page‘: 1,
}
response = requests.post(‘https://api.example.com/search‘, headers=headers, json=payload)
print(response.json())APIs often have rate limits and access controls of their own, so you‘ll still need to be judicious in your request volume. However, APIs tend to be much more scraper-friendly than web frontends, since they‘re intended for programmatic access.
Other Techniques and Best Practices
Beyond the major techniques covered above, there are numerous other tactics and best practices that can help keep your scrapers under the radar:
Respect robots.txt: While not a strict requirement, obeying a site‘s robots.txt directives can avoid unnecessary friction.
Use appropriate user agents: When making requests directly (outside of a headless browser), use a user agent string that matches your target audience. For example, if you‘re scraping mobile-optimized pages, use a popular mobile browser user agent.
Avoid honeypot traps: Some websites include hidden links that aren‘t visible to regular users but are detectable to scrapers. Avoid following links indiscriminately to prevent falling into these traps.
Monitor for signs of blocking: Keep an eye out for increases in CAPTCHA occurrences, 403 Forbidden responses, or drops in content volume. These can indicate your scraper is being throttled or blocked.
Distribute across multiple machines: Running scrapers on a single server can create a conspicuous traffic pattern. Spreading your scrapers across multiple hosts, potentially in different data centers or cloud regions, can help disperse the load.
Stay up to date: Web scraping is an ongoing arms race. Stay apprised of the latest techniques and countermeasures employed by websites to keep your scrapers ahead of the curve.
Conclusion
Web scraping at scale requires a delicate balance of technical acumen and artfulness. By carefully emulating human behavior, judiciously distributing your bot traffic, and skillfully sidestepping roadblocks, you can build scrapers that are both effective and resilient.
The techniques covered in this guide – headless browsers, IP rotation, realistic request patterns, CAPTCHA solving, and API exploitation – form the core of any serious scraping operation. But scraping is a dynamic and adversarial pursuit. As websites evolve their defenses, scrapers must continually adapt and innovate.
At the end of the day, there‘s no silver bullet for web scraping without getting blocked. It requires a combination of best practices, clever workarounds, and continuous refinement. But equipped with the right tools and mindset, you can keep your scrapers running smoothly and extracting valuable data.
Happy scraping!
