Cloudflare and Web Application Firewalls (WAF) can block automated screenshot requests. This guide explains how these protections work and provides practical workarounds you can try.


Understanding Cloudflare/WAF Protection

Cloudflare and WAFs protect websites by:

  • Bot detection: Identifying automated tools and browsers

  • Rate limiting: Limiting requests from the same source

  • Challenge pages: Presenting JavaScript challenges or CAPTCHAs

  • IP reputation: Blocking known data center or cloud IPs

  • Behavioral analysis: Detecting non-human browsing patterns


Workarounds That Sometimes Work

1. Custom Headers

Make requests appear more browser-like:

  • User-Agent: Use a real browser user-agent string

  • Referer: Add a referer pointing to a related page

  • Accept: Set appropriate accept headers

  • Accept-Language: Add language preferences

2. Cookies from Browser Session

If you can access the site in a browser:

  1. Complete any challenges in your browser

  2. Extract cookies from browser developer tools

  3. Add cookies to custom headers in PeekShot

This makes requests appear as authenticated sessions.

3. Increased Delays

Add delays (5-10 seconds) to:

  • Allow JavaScript challenges to complete

  • Make requests appear less automated

  • Give time for protection systems to evaluate the request

4. Proxy URLs

If supported, routing through a proxy can help bypass IP-based blocking by using a different IP address.


What Usually Doesn’t Work

  • Simple header changes alone: Advanced protection analyzes multiple signals

  • Just adding delays: Behavioral analysis detects patterns beyond timing

  • Disabling JavaScript: Many protections require JS to complete challenges

  • Basic user-agent spoofing: Modern protection checks many browser signals
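
Why changing one signal rarely changes the outcome, shown from the protection side. This is an added example, not PeekShot or Cloudflare code: it is a simplified multi-signal scorer, and the signal names, weights, thresholds, IP ranges and sample requests are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical weights and thresholds, chosen only for illustration.
WEIGHTS = {"ua": 20, "headers": 15, "datacenter_ip": 30, "no_js": 25, "rate": 40}
CHALLENGE_AT = 40            # score at which a challenge page is served
RATE_LIMIT, WINDOW = 3, 10   # max earlier requests per source within WINDOW seconds
DATACENTER_PREFIXES = ("203.0.113.",)  # constructed stand-in for a cloud IP range

def signals(req, recent):
    """Return the signals one request trips; `recent` holds earlier timestamps from its IP."""
    hit, h = set(), req["headers"]
    if "Mozilla" not in h.get("User-Agent", ""):
        hit.add("ua")
    if not {"Accept", "Accept-Language"} <= h.keys():
        hit.add("headers")
    if req["ip"].startswith(DATACENTER_PREFIXES):
        hit.add("datacenter_ip")
    if not req["js_ok"]:
        hit.add("no_js")
    if sum(1 for t in recent if req["ts"] - t < WINDOW) >= RATE_LIMIT:
        hit.add("rate")
    return hit

def evaluate(requests):
    """Score requests in order and return (score, verdict, signals) per request."""
    history, results = defaultdict(list), []
    for req in requests:
        hit = signals(req, history[req["ip"]])
        history[req["ip"]].append(req["ts"])
        score = sum(WEIGHTS[s] for s in hit)
        verdict = "challenge" if score >= CHALLENGE_AT else "allow"
        results.append((score, verdict, sorted(hit)))
    return results

# Constructed sample traffic (documentation IP ranges, placeholder header values).
BROWSER = {"User-Agent": "Mozilla/5.0 (constructed)", "Accept": "text/html",
           "Accept-Language": "en-US"}
SAMPLE = [
    {"ts": 0, "ip": "203.0.113.7", "headers": {"User-Agent": "script/1.0"}, "js_ok": False},
    {"ts": 1, "ip": "203.0.113.7", "headers": BROWSER, "js_ok": False},  # headers changed only
    {"ts": 2, "ip": "198.51.100.4", "headers": BROWSER, "js_ok": True},
    {"ts": 3, "ip": "198.51.100.4", "headers": BROWSER, "js_ok": True},
    {"ts": 4, "ip": "198.51.100.4", "headers": BROWSER, "js_ok": True},
    {"ts": 5, "ip": "198.51.100.4", "headers": BROWSER, "js_ok": True},  # fourth hit in window
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

The second request differs from the first only in its headers and is still challenged, and the last request is challenged on rate alone even though every other signal looks like a browser.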


Best Practices for Protected Sites

  • Test combinations: Try different combinations of headers, delays, and cookies

  • Start with authentication: If you have access, use cookies from authenticated sessions

  • Monitor for changes: Protection systems may update, requiring new workarounds

  • Use appropriate delays: Balance between appearing human and processing time

  • Respect rate limits: Don’t make too many requests in a short time


When to Use Authentication vs Workarounds

Use authentication (cookies/headers) when:

  • You have legitimate access to the site

  • The site requires login for the content you need

  • You can maintain authenticated sessions

Use workarounds when:

  • The site is public but protected

  • You don’t have login credentials

  • You’re trying to access publicly available content