Back to Knowledge Base

    Cloudflare or WAF Blocking Screenshots: Practical Workarounds

    Learn how to work around Cloudflare and WAF blocking when capturing screenshots. Discover practical workarounds using headers, cookies, delays, and authentication.

    Troubleshooting
    5 min read
    13 Jan 2026
    advanced
    cloudflare
    security
    troubleshooting
    waf
    workarounds

    Cloudflare and Web Application Firewalls (WAF) can block automated screenshot requests. This guide explains how these protections work and provides practical workarounds you can try.

    Understanding Cloudflare/WAF Protection

    Cloudflare and WAFs protect websites by:

    • Bot detection: Identifying automated tools and browsers

    • Rate limiting: Limiting requests from the same source

    • Challenge pages: Presenting JavaScript challenges or CAPTCHAs

    • IP reputation: Blocking known data center or cloud IPs

    • Behavioral analysis: Detecting non-human browsing patterns

    Workarounds That Sometimes Work

    1. Custom Headers

    Make requests appear more browser-like:

    • User-Agent: Use a real browser user-agent string

    • Referer: Add a referer pointing to a related page

    • Accept: Set appropriate accept headers

    • Accept-Language: Add language preferences

    2. Cookies from Browser Session

    If you can access the site in a browser:

    1. Complete any challenges in your browser

    2. Extract cookies from browser developer tools

    3. Add cookies to custom headers in PeekShot

    This makes requests appear as authenticated sessions.

    3. Increased Delays

    Add delays (5-10 seconds) to:

    • Allow JavaScript challenges to complete

    • Make requests appear less automated

    • Give time for protection systems to evaluate the request

    4. Proxy URLs

    If supported, routing through a proxy can help bypass IP-based blocking by using a different IP address.

    What Usually Doesn't Work

    • Simple header changes alone: Advanced protection analyzes multiple signals

    • Just adding delays: Behavioral analysis detects patterns beyond timing

    • Disabling JavaScript: Many protections require JS to complete challenges

    • Basic user-agent spoofing: Modern protection checks many browser signals

    Best Practices for Protected Sites

    • Test combinations: Try different combinations of headers, delays, and cookies

    • Start with authentication: If you have access, use cookies from authenticated sessions

    • Monitor for changes: Protection systems may update, requiring new workarounds

    • Use appropriate delays: Balance between appearing human and processing time

    • Respect rate limits: Don't make too many requests in a short time

    When to Use Authentication vs Workarounds

    Use authentication (cookies/headers) when:

    • You have legitimate access to the site

    • The site requires login for the content you need

    • You can maintain authenticated sessions

    Use workarounds when:

    • The site is public but protected

    • You don't have login credentials

    • You're trying to access publicly available content

    See: How to Capture Screenshots of Logged-In Pages for authentication setup.

    Related Issues

    If you're experiencing related problems:

    Need Help?

    Can't find what you're looking for?

    Submit FeedbackBrowse All Articles

    Comments (0)

    Sign in to comment

    You need to be logged in to post a comment on this article.

    No comments yet. Be the first to share your thoughts!