THE LAB #76: Bypassing Kasada With Open Source Tools In 2025
How to bypass Kasada-protected websites without paying a cent
Bypassing anti-bots is one of the major pain points a professional web scraper faces during their career. Luckily, the market offers several solutions for bypassing them, but delegating the heavy lifting always comes with a price tag attached, which is not for every pocket.
As the saying goes, 'If you want something done right, do it yourself.' So, let’s continue the series of articles about bypassing well-known anti-bot protections with Open-Source tools.
After doing the same with Cloudflare, today is the turn of Kasada, the Australian anti-bot company. If you’re interested in learning more, you can watch a nice talk with Nick Rieniets, Kasada's CTO, on the TWSC YouTube channel about the anti-bot industry and its evolution.
So, let’s see which open-source tools we can use to bypass the Kasada anti-bot in 2025, keeping some dollars in our pockets.
Open Source tools for bypassing Kasada
As always, we need to choose a website on which to test our solutions. Today, it’s Canadagoose.com, the e-commerce site of the famous outerwear brand.
The easiest way to detect whether a website is using Kasada is to ask Wappalyzer, which has a browser extension you can use while visiting a website to detect its tech stack.
As a double check, since the Wappalyzer data can be stale, you can visit the website with the network tab of the Developer Tools open (but first, tick the “preserve log” box).
If you notice that the website first returns a 429 error and then loads correctly, this is the typical behavior of a Kasada-protected website.
This is also confirmed by the presence of the access control header listing x-kpsdk-ct, x-kpsdk-r, and x-kpsdk-c on the following calls, and of the x-kpsdk-ct token.
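The two checks described above, applied to a HAR file exported from the Developer Tools network tab, as an added example that is not code from the original article. The function name, the constructed sample HAR and the rule that both signs must be present are assumptions made for the illustration.

```python
import json

# Constructed HAR fragment (not captured from any real site): a first
# response with status 429, then a successful load of the same URL.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://shop.example/", "headers": []},
     "response": {"status": 429, "headers": [
         {"name": "access-control-allow-headers",
          "value": "x-kpsdk-ct,x-kpsdk-r,x-kpsdk-c"}]}},
    {"request": {"url": "https://shop.example/", "headers": [
        {"name": "x-kpsdk-ct", "value": "CONSTRUCTED-TOKEN"}]},
     "response": {"status": 200, "headers": []}},
]}})

KPSDK_PREFIX = "x-kpsdk-"


def kasada_indicators(har_text):
    """Report the two signs the article describes, as found in a HAR export."""
    entries = json.loads(har_text)["log"]["entries"]
    first_status = {}          # url -> status of the first response seen
    retried_after_429 = set()  # urls that answered 429 first, then 2xx/3xx
    kpsdk_names = set()        # x-kpsdk-* names seen in any header
    for e in entries:
        url, status = e["request"]["url"], e["response"]["status"]
        if url not in first_status:
            first_status[url] = status
        elif first_status[url] == 429 and 200 <= status < 400:
            retried_after_429.add(url)
        for h in e["request"]["headers"] + e["response"]["headers"]:
            # The header name itself, plus names listed in access-control-* values
            candidates = [h["name"]]
            if h["name"].lower().startswith("access-control-"):
                candidates += h["value"].split(",")
            for c in candidates:
                c = c.strip().lower()
                if c.startswith(KPSDK_PREFIX):
                    kpsdk_names.add(c)
    return {
        "urls_429_then_ok": sorted(retried_after_429),
        "kpsdk_headers": sorted(kpsdk_names),
        "likely_kasada": bool(retried_after_429) and bool(kpsdk_names),
    }


if __name__ == "__main__":
    print(kasada_indicators(SAMPLE_HAR))
```

Without the “preserve log” box ticked, the initial 429 entry is dropped from the export and the first check cannot match.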
So calculating the token is enough?
I often hear this from people trying to bypass an anti-bot solution: We need to generate a valid token to get clearance to scrape the website's data.
While it could be interesting to learn to reverse engineer a commercial solution like Kasada, this is not the best approach if you need data soon. It takes time, and you must restart after every change in the anti-bot software. Despite the difficulties, several repositories on GitHub are trying to do it.
My preferred approach, instead, is to create a human-like request that mixes with the actual website traffic and goes unnoticed by the crowd.
Of course, this approach is slower since it requires a browser automation tool, but it’s also more ethical than bombarding the target server with hundreds of requests per second.
In this article, we’ll see three different open-source tools that allow you to bypass Kasada using Playwright and a modified browser.
The script is in the GitHub repository's folder 76.KASADA2025, which is available only to paying readers of The Web Scraping Club.
Standard Playwright ❌
Before trying less detectable tools, let’s start with a simple script using a standard version of Playwright and Brave Browser.
from playwright.sync_api import sync_playwright
import time

# Chromium command-line flags passed to the browser at launch
CHROMIUM_ARGS = [
    '--no-sandbox',
    '--disable-setuid-sandbox',
    '--no-first-run',
    '--disable-blink-features=AutomationControlled',
    '--start-maximized'
]

with sync_playwright() as p:
    # Persistent context: the profile in ./userdata/ is reused across runs.
    # executable_path points at the Brave binary (macOS location).
    browser = p.chromium.launch_persistent_context(
        user_data_dir='./userdata/',
        channel='chrome',
        no_viewport=True,
        executable_path='/Applications/Brave Browser.app/Contents/MacOS/Brave Browser',
        headless=False,
        slow_mo=200,
        args=CHROMIUM_ARGS,
        ignore_default_args=["--enable-automation"]
    )
    all_pages = browser.pages
    page = all_pages[0]
    # Load the home page first, then a category page, waiting 10 seconds on each
    page.goto('https://www.canadagoose.com/', timeout=0)
    time.sleep(10)
    page.goto('https://www.canadagoose.com/it/it/shop/donna/capispalla/giacche-imbottite/shop-womens-puffers', timeout=0)
    time.sleep(10)
    browser.close()
I often use Brave in these examples because it’s a browser that adds some noise to the WebGL fingerprint, even though it’s not as powerful as a real anti-detect browser.
The test fails miserably, as we get a blank screen for both URLs, another distinguishing mark of Kasada.
Patchright ✅
A stealthier version of Playwright is Patchright, which modifies some of its default arguments and fixes well-known flaws that make it more detectable by an anti-bot.