DataDome is a real-time bot detection and protection service that blocks automated requests before they reach the target website. Unlike traditional CAPTCHA providers (reCAPTCHA, hCaptcha, Cloudflare Turnstile), DataDome acts as a full bot management layer — it analyzes every request using machine learning, device fingerprinting, and behavioral analysis, and only presents CAPTCHA challenges when it suspects automation. If your scraper or bot receives a 403 response with a redirect to geo.captcha-delivery.com or sees a JavaScript challenge page branded "DataDome," you are dealing with DataDome protection.
This explainer covers how DataDome works, how to identify it, and what developers need to understand about its approach to bot detection.
How DataDome works
DataDome operates at the network edge, processing requests before they reach the origin server:
- Request interception — DataDome installs as a server-side module (Nginx, Apache, CDN edge) or a JavaScript tag. Every incoming request passes through DataDome's detection engine.
- Signal analysis — DataDome evaluates 200+ signals per request: IP reputation, TLS fingerprint, HTTP header consistency, request timing, session patterns, and JavaScript execution capability.
- Real-time scoring — Each request receives a bot probability score in under 2 milliseconds. The score determines whether the request is allowed, challenged, or blocked.
- Challenge presentation — Suspicious requests receive either a JavaScript challenge (transparent), a CAPTCHA challenge (interactive), or a hard block (403 Forbidden).
- Continuous learning — DataDome's models update in real time across all protected sites, so detection patterns from one site apply across the network.
DataDome challenge types
| Challenge type | Description | User experience |
|---|---|---|
| JavaScript challenge | A transparent JS test that verifies browser execution capability | Invisible — the page loads normally after a brief delay |
| Interstitial page | A challenge page that requires interaction before proceeding | Visible — user sees a waiting screen or simple interaction |
| CAPTCHA challenge | An image-based CAPTCHA similar to reCAPTCHA or hCaptcha | Visible — user must solve an image classification challenge |
| Hard block | 403 Forbidden with no challenge option | Blocked — request is denied entirely |
How to identify DataDome on a target site
Method 1: Check response headers
DataDome adds specific headers to HTTP responses:
import requests
response = requests.get("https://example.com/products", allow_redirects=False)
# Check for DataDome headers
datadome_headers = {k: v for k, v in response.headers.items()
if 'datadome' in k.lower()}
if datadome_headers:
print("DataDome detected via headers:")
for k, v in datadome_headers.items():
print(f" {k}: {v}")
# Check for DataDome cookie
if 'datadome' in response.headers.get('Set-Cookie', '').lower():
print("DataDome cookie detected")
Method 2: Check for challenge redirects
response = requests.get("https://example.com/products")
if 'captcha-delivery.com' in response.url:
print("Redirected to DataDome challenge page")
elif 'captcha-delivery.com' in response.text:
print("DataDome challenge script found in page")
Method 3: Inspect page scripts
// In Puppeteer
const scripts = await page.evaluate(() => {
return Array.from(document.querySelectorAll('script'))
.map(s => s.src)
.filter(src => src.includes('datadome') || src.includes('captcha-delivery'));
});
if (scripts.length > 0) {
console.log('DataDome scripts detected:', scripts);
}
Key identifiers
| Signal | Detection pattern |
|---|---|
| Cookie name | datadome |
| Challenge domain | geo.captcha-delivery.com |
| Script source | *.datadome.co/tags.js |
| Response header | X-DataDome or x-datadome-cid |
| Challenge page | HTML containing captcha-delivery.com iframe |
DataDome vs other protection systems
| Factor | DataDome | Cloudflare Bot Management | reCAPTCHA | hCaptcha |
|---|---|---|---|---|
| Type | Bot management platform | Bot management + CDN | CAPTCHA widget | CAPTCHA widget |
| Scope | Every request analyzed | Every request through Cloudflare | Only widget-protected pages | Only widget-protected pages |
| Detection layer | Server-side + client-side | Edge network + client-side | Client-side only | Client-side only |
| CAPTCHA provider | Own CAPTCHA or third-party | Cloudflare Turnstile | reCAPTCHA | hCaptcha |
| ML model | Real-time cross-customer learning | Cloudflare network intelligence | Google's risk scoring | Intuition Machines models |
| Integration | Server module, CDN, JS tag | Cloudflare DNS proxy | JavaScript widget embed | JavaScript widget embed |
| Major clients | e-commerce, media, airlines | Broad web | Broad web | Cloudflare customers |
How DataDome affects scraping workflows
Why DataDome is different from CAPTCHA widgets
Traditional CAPTCHA solving works by extracting a sitekey, sending it to a solver API, and injecting the returned token. DataDome is harder because:
- Full request analysis — DataDome checks every HTTP request, not just form submissions. Even API calls and page loads can be blocked.
- TLS fingerprinting — DataDome fingerprints the TLS handshake. Python
requestsand Node.jsfetchhave recognizable TLS fingerprints that differ from real browsers. - Cookie persistence — DataDome requires a valid
datadomecookie across the session. The cookie is generated by JavaScript execution and validated on subsequent requests. - IP reputation — DataDome maintains a real-time IP reputation database. Datacenter IPs and known proxy ranges have higher baseline risk scores.
- Behavioral patterns — Request timing, navigation patterns, and JavaScript execution consistency all factor into the risk score.
Strategies for handling DataDome
| Strategy | When to use |
|---|---|
| Browser automation | When you need full JavaScript execution and realistic browser fingerprints |
| TLS fingerprint matching | When using HTTP clients — libraries like curl_cffi or tls-client can match browser TLS fingerprints |
| Residential proxies | To avoid datacenter IP reputation penalties |
| Session management | Maintain consistent sessions with proper cookie handling |
| Rate limiting | Avoid aggressive request patterns that trigger behavioral detection |
| CAPTCHA solving | When DataDome presents its interactive CAPTCHA challenge, a solving API can handle the image challenge |
For solving the CAPTCHA challenges that DataDome sometimes presents, the approach is similar to solving other image-based CAPTCHAs. For solving the CAPTCHA types CaptchaAI specializes in:
Frequently asked questions
Is DataDome a CAPTCHA provider?
No. DataDome is a bot management platform that sometimes uses CAPTCHA challenges as one of its defense mechanisms. Most DataDome protection is invisible — it blocks requests at the network level without presenting any challenge.
Can I solve DataDome challenges the same way as reCAPTCHA?
When DataDome presents an interactive CAPTCHA (image selection), the solving approach is similar to other image CAPTCHAs. However, DataDome's primary defense is not the CAPTCHA — it is the full request analysis layer. Solving the CAPTCHA alone may not be sufficient if other signals (TLS fingerprint, IP reputation, cookie state) still indicate automation.
Which sites use DataDome?
DataDome protects major e-commerce platforms, airline booking sites, ticketing platforms, and media companies. Specific customers include Foot Locker, AllBirds, TripAdvisor, and Reddit.
Does DataDome block all automated requests?
No. DataDome uses a risk-based model. Low-risk automated requests (legitimate API calls, monitoring bots with proper identification) may pass through. High-risk patterns (rapid scraping, credential stuffing indicators) are blocked or challenged.
How fast does DataDome make decisions?
DataDome processes each request in under 2 milliseconds, making its detection nearly imperceptible to end users and very difficult to avoid through timing manipulation.
Summary
DataDome is a bot management platform, not a standalone CAPTCHA widget. It analyzes every request using ML, device fingerprinting, and behavioral signals. Identifying DataDome involves checking for datadome cookies, captcha-delivery.com challenge redirects, and datadome.co script loads. When DataDome presents interactive CAPTCHA challenges, they can be solved like other image-based CAPTCHAs. For the CAPTCHA types you encounter most, explore the CaptchaAI solver API.
Discussions (0)
Join the conversation
Sign in to share your opinion.
Sign InNo comments yet.