Anti-detection features for the Chrome extension relay — fingerprint masking and behavioral humanization

Browser Relay Stealth

The Chrome extension relay includes a stealth module that makes automated browser actions appear human. This helps avoid bot detection when automating tasks on websites.

Configuration

Set the stealth level in your zirkabot.json:

{
  "browser": {
    "relayStealth": "full"
  }
}

Or via environment variable:

export ZIRKABOT_RELAY_STEALTH=full

Stealth Levels

| Level | Fingerprints | Timing Delays | Use Case |
|-------|--------------|---------------|----------|
| off | No | No | Debugging, trusted internal sites |
| light | Yes | No | QA/testing where speed matters |
| full | Yes | Yes | Outreach, account creation, external sites |

Default: full

Fingerprint Protections

The stealth module includes 21 fingerprint protections that run before any page JavaScript:

Navigator & Runtime

  1. navigator.webdriver — Hidden (set to undefined)
  2. Chrome automation flags — cdc_ / $cdc_ properties removed
  3. Plugins array — Populated with standard Chrome plugins (PDF Viewer, etc.)
  4. Languages — Ensured non-empty (['en-US', 'en'] fallback)
  5. Permissions API — Notifications return default instead of denied
  6. window.chrome object — Stubbed with app, csi, loadTimes

Graphics & Media

  1. WebGL vendor/renderer — Only spoofs if headless GPU detected (SwiftShader/llvmpipe); passes through real GPU otherwise
  2. Canvas fingerprint noise — Imperceptible pixel noise on toDataURL/toBlob
  3. AudioContext fingerprint noise — Tiny noise in short audio buffers
  4. WebRTC IP leak prevention — Forces relay-only ICE transport

Hardware

  1. navigator.hardwareConcurrency — Normalized to 8 if unusual
  2. navigator.deviceMemory — Normalized to 8GB if low
  3. navigator.maxTouchPoints — Set to 0 for desktop
  4. Battery API — Returns consistent charging state
  5. Screen dimensions — Normalized if 0x0

Behavioral

  1. Scroll behavior — Forces smooth scrolling (no instant jumps)
  2. Visibility state — Always reports visible
  3. Error stack traces — Filters automation-related frames
  4. Iframe consistency — Propagates webdriver hiding to iframes
  5. performance.now() precision — Reduced to ~100μs
  6. Function.toString() — Patched functions return [native code]

Behavioral Humanization

When stealth level is full, timing delays are added to make interactions look natural:

Mouse Movement

  • Bézier curves — 4-30 intermediate positions along a curved path before clicks
  • Distance scaling — More points for longer movements
  • Ease-in-out — Speed increases in the middle, slows at endpoints
  • Idle jitter — 1-3px micro-drift when mouse is still (300ms+ gaps)

Click Timing

  • Hover dwell — ~140ms (±50ms) pause before clicking
  • Press/release delay — ~82ms (±22ms) between mousedown and mouseup
  • Double-click — ~120ms (±25ms) inter-click interval
  • Right-click — Faster press, longer hold pattern

Typing Cadence

  • Regular keys — ~68ms (±22ms) delay
  • Fast digraphs — ~48ms (±15ms) for common letter pairs (th, he, in, er…)
  • Word boundaries — ~95ms (±30ms) at spaces
  • Punctuation — ~110ms (±35ms)
  • Enter — ~280ms (±90ms)
  • Thinking pauses — Every 15-40 keystrokes, 15% chance of extra 200ms pause

Scroll Humanization

  • Large scrolls broken into 3-8 incremental wheel events
  • Each step has slight delta variation
  • ~25ms (±10ms) between wheel ticks

Test Results

Tested against major bot detection sites:

| Test Site | Score |
|-----------|-------|
| SannySoft bot detection | 28/29 passed (only webdriver=true from CDP) |
| Antoine Vastel headless test | ✅ "You are not Chrome headless" |
| CreepJS | 20% stealth detection, 33% headless confidence |
| Fingerprint Scanner | 20/20 all tests OK |

Note: navigator.webdriver=true is inherent to Chrome's debugger protocol (CDP). It cannot be fully hidden from JavaScript when a debugger is attached. Most real anti-bot systems (Cloudflare, DataDome) weight behavioral signals more heavily than this single flag.
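
From the detection side, several of the signals listed under Fingerprint Protections, together with the CDP note above, can be checked for consistency. The following is an added example, not part of the relay or of the original page; `auditAutomationSignals`, its finding labels and the sample objects are hypothetical and constructed for illustration.

```javascript
// Added example (defender side): audit a window-like object for automation
// signals named on this page. Function name and finding labels are hypothetical.
function auditAutomationSignals(win, webglRenderer = '') {
  const findings = [];
  const nav = win.navigator || {};
  const doc = win.document || {};
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

  // Stays true while a CDP debugger is attached, per the note above.
  if (nav.webdriver === true) findings.push('webdriver-true');

  // Chrome exposes `webdriver` as an accessor on Navigator.prototype, so an
  // own property on the navigator instance means it was redefined.
  if (has(nav, 'webdriver')) findings.push('webdriver-redefined');

  // cdc_ / $cdc_ automation properties. Checking both window and document
  // is an assumption about where they appear.
  const keys = [...Object.keys(win), ...Object.keys(doc)];
  if (keys.some((k) => /^\$?cdc_/.test(k))) findings.push('cdc-property');

  // Software rasterizers the page names as headless GPU indicators.
  if (/swiftshader|llvmpipe/i.test(webglRenderer)) findings.push('software-gpu');

  // The page treats an empty languages list as abnormal.
  if (!Array.isArray(nav.languages) || nav.languages.length === 0) {
    findings.push('no-languages');
  }
  return findings;
}

// Constructed samples: navigator objects built on a prototype that mimics
// where Chrome defines `webdriver`.
function makeNavigator(protoWebdriver) {
  const proto = { get webdriver() { return protoWebdriver; } };
  return Object.assign(Object.create(proto), { languages: ['en-US', 'en'] });
}

const CLEAN = { navigator: makeNavigator(false), document: {} };
const CDP_ATTACHED = { navigator: makeNavigator(true), document: {} };
const PATCHED = {
  // Own-property override of `webdriver`, plus a constructed $cdc_ key.
  navigator: Object.defineProperty(makeNavigator(true), 'webdriver', { value: undefined }),
  document: { $cdc_constructedSample: {} },
};

console.log(auditAutomationSignals(CLEAN));
console.log(auditAutomationSignals(CDP_ATTACHED));
console.log(auditAutomationSignals(PATCHED, 'Google SwiftShader'));
```

In a browser, pass `window` and the renderer string read from the WebGL debug renderer info extension.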