Cloudflare cf-mitigated: challenge - Anyone else seeing increased blocking?

[rsforbes]

I'm working on data collection from public sports websites and running into consistent blocking with cf-mitigated: challenge responses, even with curl_cffi's browser impersonation (www.prosportstransactions.com).

The Problem

Getting HTTP 403 responses with this header pattern: cf-mitigated: challenge

This happens regardless of:

• Different browser impersonation settings (Chrome, Firefox, Safari)
• Header variations and user-agent matching
• Request timing modifications
• Various TLS configuration attempts

What I've Tried

• Multiple impersonate browser profiles
• Custom header configurations to match real browsers
• Different request patterns and timing
• Various timeout and retry strategies

The same URL works fine in a regular browser, but get blocked via curl_cffi.

Context
This seems to be a growing issue - I've seen similar reports on Reddit and other forums where people mention that what used to work with curl_cffi is now getting blocked more frequently. The ads.txt crawling community has similar issues where legitimate business tools get blocked.

Questions

1. Is anyone else seeing increased blocking recently? Wondering if Cloudflare updated their detection methods.
2. Any configuration changes that have helped? New impersonation settings, specific headers, or other approaches?
3. Alternative strategies? Should I be looking at different approaches entirely, or are there curl_cffi configurations I might be missing?

Any insights or shared experiences would be really helpful!

[lexiforest]

Do you have any reproducible code?

[rsforbes]

@lexiforest - Code might be helpful. 😉

#!/usr/bin/env python3
"""
Minimal example demonstrating curl_cffi failing to bypass prosportstransactions.com
JA3/JA4 fingerprinting. This shows why advanced fingerprinting detection is needed.
"""

import json
import sys
from curl_cffi import requests


def test_curl_cffi():
    """Test curl_cffi with various browser impersonations"""
    print("Testing curl_cffi with prosportstransactions.com...")
    print("-" * 60)

    # Target URL
    url = (
        "https://www.prosportstransactions.com/basketball/Search/"
        "SearchResults.php?Player=&Team=&BeginDate=&EndDate="
        "&PlayerMovementChkBx=yes&submit=Search"
    )

    # Try different browser impersonations
    browsers = ["chrome110", "chrome120", "firefox120", "safari17_0"]
    results = []

    for browser in browsers:
        print(f"\n{'='*60}")
        print(f"Testing with {browser} impersonation")
        print(f"{'='*60}")
        try:
            # Create session with browser impersonation
            session = requests.Session(impersonate=browser)

            # Make request
            response = session.get(url, timeout=30, allow_redirects=True)

            # Print detailed response info
            print(f"\nStatus Code: {response.status_code}")
            print(f"URL (after redirects): {response.url}")
            print(f"Content Length: {len(response.content)} bytes")

            # Print response headers
            print("\nResponse Headers:")
            for key, value in response.headers.items():
                print(f"  {key}: {value}")

            # Print cookies if any
            if response.cookies:
                print("\nCookies:")
                for cookie in response.cookies:
                    print(f"  {cookie.name}: {cookie.value} (domain: {cookie.domain})")

            # Check if blocked
            if "Checking your browser" in response.text or response.status_code == 403:
                print(f"\n[BLOCKED] Cloudflare challenge detected!")
                results.append((browser, False))
                # Show challenge page content
                print("\nChallenge page preview (first 500 chars):")
                print(response.text[:500])
            else:
                print(f"\n[SUCCESS] Request completed!")
                results.append((browser, True))
                # Show first 300 chars of successful response
                print(f"\nContent preview: {response.text[:300]}...")

        except Exception as e:
            print(f"\n[ERROR] Failed with {browser}: {type(e).__name__}: {e}")
            results.append((browser, False))

    return results


def test_diagnostics():
    """Test with verbose diagnostics to capture request details"""
    print("\n\n" + "=" * 60)
    print("Diagnostic Test - Capturing Request Details")
    print("=" * 60)

    try:
        # Use chrome120 as example
        session = requests.Session(impersonate="chrome120")

        # Test a simpler endpoint first
        print("\nTesting homepage first...")
        response = session.get("https://www.prosportstransactions.com/", timeout=30)

        print(f"Homepage Status: {response.status_code}")
        print(f"Homepage Headers:")
        for k, v in response.headers.items():
            print(f"  {k}: {v}")

        # Check for cf-ray header (Cloudflare indicator)
        if "cf-ray" in response.headers:
            print(f"\nCloudflare Ray ID: {response.headers['cf-ray']}")

        # Check for challenge
        if "Checking your browser" in response.text:
            print("\n[BLOCKED] Homepage also showing challenge")
            # Extract any JavaScript challenge info
            if "window._cf_chl_opt" in response.text:
                print("Cloudflare JavaScript challenge detected")
        else:
            print("\n[SUCCESS] Homepage accessible")

    except Exception as e:
        print(f"\n[ERROR] Diagnostic test failed: {type(e).__name__}: {e}")


if __name__ == "__main__":
    # Run tests
    results = test_curl_cffi()
    test_diagnostics()

    # Summary
    print("\n" + "=" * 60)
    print("SUMMARY:")
    print("Browser impersonation results:")
    for browser, success in results:
        print(f"  {browser}: {'PASSED' if success else 'FAILED'}")

    # Overall result
    any_success = any(success for _, success in results)
    print(
        f"\nOverall: {'At least one method succeeded' if any_success else 'All methods FAILED'}"
    )

    sys.exit(0 if any_success else 1)

Results:

Testing curl_cffi with prosportstransactions.com...
------------------------------------------------------------

============================================================
Testing with chrome110 impersonation
============================================================

Status Code: 403
URL (after redirects): https://www.prosportstransactions.com/basketball/Search/SearchResults.php?Player=&Team=&BeginDate=&EndDate=&PlayerMovementChkBx=yes&submit=Search
Content Length: 7714 bytes

Response Headers:
  date: Sun, 06 Jul 2025 13:39:38 GMT
  content-type: text/html; charset=UTF-8
  accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  cf-mitigated: challenge
  critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  cross-origin-embedder-policy: require-corp
  cross-origin-opener-policy: same-origin
  cross-origin-resource-policy: same-origin
  origin-agent-cluster: ?1
  permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
  referrer-policy: same-origin
  server-timing: chlray;desc="95af8262bb0d5d07", cfL4;desc="?proto=TCP&rtt=8578&min_rtt=8346&rtt_var=2481&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1247&delivery_rate=349868&cwnd=252&unsent_bytes=0&cid=709afa403bac4070&ts=35&x=0"
  x-content-type-options: nosniff
  x-frame-options: SAMEORIGIN
  cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  expires: Thu, 01 Jan 1970 00:00:01 GMT
  report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TdLhPALPdGy2dJH8idtYA1gZWNWNzUd%2B0q0LowGR%2F2mg5tdo8HhImeUuX%2ByezzjlegzF9K0fGcINgaQIkc%2Bpkcyq7ydmHZmUk33Kq6FP2jojYZAlpfcUqfVaOndy5oo4crrcMW3lo8RBrG8qFDL7Tw%3D%3D"}],"group":"cf-nel","max_age":604800}
  nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  vary: Accept-Encoding
  server: cloudflare
  cf-ray: 95af8262bb0d5d07-ORD
  content-encoding: br
  alt-svc: h3=":443"; ma=86400

[BLOCKED] Cloudflare challenge detected!

Challenge page preview (first 500 chars):
<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetic

============================================================
Testing with chrome120 impersonation
============================================================

Status Code: 403
URL (after redirects): https://www.prosportstransactions.com/basketball/Search/SearchResults.php?Player=&Team=&BeginDate=&EndDate=&PlayerMovementChkBx=yes&submit=Search
Content Length: 8119 bytes

Response Headers:
  date: Sun, 06 Jul 2025 13:39:38 GMT
  content-type: text/html; charset=UTF-8
  accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  cf-mitigated: challenge
  critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  cross-origin-embedder-policy: require-corp
  cross-origin-opener-policy: same-origin
  cross-origin-resource-policy: same-origin
  origin-agent-cluster: ?1
  permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
  referrer-policy: same-origin
  server-timing: chlray;desc="95af82631cebda16", cfL4;desc="?proto=TCP&rtt=8774&min_rtt=8647&rtt_var=2566&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2913&recv_bytes=1307&delivery_rate=320210&cwnd=252&unsent_bytes=0&cid=2e13d00d19a6bdd6&ts=34&x=0"
  x-content-type-options: nosniff
  x-frame-options: SAMEORIGIN
  cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  expires: Thu, 01 Jan 1970 00:00:01 GMT
  report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bfo7gXPVgMHHcPKRyutSCpSjJKaXbKtIYju6IyoC6LykQZUYb6VZP%2BurguvY%2B04sO1dREzh%2FLJwK%2F0E9UadHHHIBdO8EXRyETOrHFkUXndEhWf9yAWVt2YKJoKlrgkf%2FisCe5qMirK44YC8JgW8O9Q%3D%3D"}],"group":"cf-nel","max_age":604800}
  nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  vary: Accept-Encoding
  server: cloudflare
  cf-ray: 95af82631cebda16-ORD
  content-encoding: br
  alt-svc: h3=":443"; ma=86400

[BLOCKED] Cloudflare challenge detected!

Challenge page preview (first 500 chars):
<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetic

============================================================
Testing with firefox120 impersonation
============================================================

[ERROR] Failed with firefox120: ImpersonateError: Impersonating firefox120 is not supported

============================================================
Testing with safari17_0 impersonation
============================================================

Status Code: 403
URL (after redirects): https://www.prosportstransactions.com/basketball/Search/SearchResults.php?Player=&Team=&BeginDate=&EndDate=&PlayerMovementChkBx=yes&submit=Search
Content Length: 7522 bytes

Response Headers:
  date: Sun, 06 Jul 2025 13:39:38 GMT
  content-type: text/html; charset=UTF-8
  accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  cf-mitigated: challenge
  critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  cross-origin-embedder-policy: require-corp
  cross-origin-opener-policy: same-origin
  cross-origin-resource-policy: same-origin
  origin-agent-cluster: ?1
  permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
  referrer-policy: same-origin
  server-timing: chlray;desc="95af82637e78125d", cfL4;desc="?proto=TCP&rtt=9366&min_rtt=8782&rtt_var=3497&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3668&recv_bytes=1042&delivery_rate=396451&cwnd=253&unsent_bytes=0&cid=06401f61d4272bdb&ts=41&x=0"
  x-content-type-options: nosniff
  x-frame-options: SAMEORIGIN
  cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  expires: Thu, 01 Jan 1970 00:00:01 GMT
  report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H48ZyDpJWe9%2B%2BjMPFMn5XfO%2BsUKlHMQ%2F%2BUXbfkbc0LPWGIgClNxp5xWFbpCPYslGnA7cXxDNoBmtxvk%2BSEpRW7ovjxmiQ%2F8KxHVWg0SkBjrft9aYFRVLjPquCx3GR7DvBCU7i6ypGqquWhBgjTvfTg%3D%3D"}],"group":"cf-nel","max_age":604800}
  nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  vary: Accept-Encoding
  server: cloudflare
  cf-ray: 95af82637e78125d-ORD
  content-encoding: br
  alt-svc: h3=":443"; ma=86400

[BLOCKED] Cloudflare challenge detected!

Challenge page preview (first 500 chars):
<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetic


============================================================
Diagnostic Test - Capturing Request Details
============================================================

Testing homepage first...
Homepage Status: 403
Homepage Headers:
  date: Sun, 06 Jul 2025 13:39:38 GMT
  content-type: text/html; charset=UTF-8
  accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  cf-mitigated: challenge
  critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  cross-origin-embedder-policy: require-corp
  cross-origin-opener-policy: same-origin
  cross-origin-resource-policy: same-origin
  origin-agent-cluster: ?1
  permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
  referrer-policy: same-origin
  server-timing: chlray;desc="95af8263eb6ef92b", cfL4;desc="?proto=TCP&rtt=8658&min_rtt=8254&rtt_var=2568&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2912&recv_bytes=1161&delivery_rate=353767&cwnd=252&unsent_bytes=0&cid=a758924e0fba516a&ts=30&x=0"
  x-content-type-options: nosniff
  x-frame-options: SAMEORIGIN
  cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  expires: Thu, 01 Jan 1970 00:00:01 GMT
  report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=32TQU3P%2FHFBuvVjh9cVmOBCheoY%2BtoBSF8MAJiSEx2d1yKAZiz389DrEl6U3kEM%2FbNqk6cxl%2FNIVfQHtqEvqft9sUIV6%2FxaxexOSehu9hNbxMvgb4DVqqGY4n90fQrYcGut7QvPJThY0csMFx04wYw%3D%3D"}],"group":"cf-nel","max_age":604800}
  nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  vary: Accept-Encoding
  server: cloudflare
  cf-ray: 95af8263eb6ef92b-ORD
  content-encoding: br
  alt-svc: h3=":443"; ma=86400

Cloudflare Ray ID: 95af8263eb6ef92b-ORD

[SUCCESS] Homepage accessible

============================================================
SUMMARY:
Browser impersonation results:
  chrome110: FAILED
  chrome120: FAILED
  firefox120: FAILED
  safari17_0: FAILED

Overall: All methods FAILED