Short answer: FlareSolverr still clears light JavaScript challenges, but Cloudflare Turnstile and 2026 Managed Challenges are where it breaks. Byparr is the Camoufox-backed drop-in replacement — same API, same port, better success rate. Scrapling is the Python framework that gives you three fetchers in one library: plain HTTP with TLS impersonation, Camoufox with an auto-Turnstile solver, or full Playwright.
On the six-site test I ran this week, a Byparr-plus-Scrapling stack cleared every target where FlareSolverr timed out — at 2–5× the latency and zero proxy spend. Past a few tens of thousands of requests per day, a managed actor or residential rotation still wins on cost. I ship two Apify Store actors that hit this exact wall in production, so this isn’t theoretical for me — it’s the same problem I solve every time I update the Yelp Scraper and watch DataDome’s defenses move.
FlareSolverr has been the “just use this” answer for three years — one Docker command, port 8191, done. It slots into Prowlarr, Jackett, and every scraping tutorial on YouTube, including my beginner’s guide from last year. If you’ve spent any time on r/webscraping this year you know the story: Turnstile challenges routinely 200-OK but return a blocked page, issues like #1664 have a long tail of “same here,” and Scrapfly’s 2026 guide flags the behavioral-analysis problem front and center.
Two tools from adjacent corners of the open-source world have quietly become the better answer: Byparr, a Camoufox-backed FastAPI server that speaks the FlareSolverr API, and Scrapling (v0.4.8 as of May 2026), a Python framework whose three fetcher classes cover the full range from TLS-impersonated HTTP to full-browser Playwright with a Cloudflare auto-solver. This post walks through both, benchmarks them on six real targets, and tells you honestly when open-source still wins and when you should buy managed.
Why FlareSolverr is losing in 2026
FlareSolverr’s architecture hasn’t changed since 2022: a Flask service runs Selenium with undetected-chromedriver, waits for the JS challenge to resolve, grabs the cookies, returns them. The client hits the real endpoint with a normal HTTP library. Lightweight, stateless, easy to scale.
Cloudflare’s 2025–26 detection model doesn’t care whether your cookies look valid. The broader pay-per-crawl economics Cloudflare rolled out tell you where their incentives point — harder challenges are a feature. Three things shifted:
Turnstile replaced the old JS challenge. It’s a proof-of-work-style check that runs a hardware-fingerprint probe in the client. Undetected-chromedriver still clears some Turnstile instances, but the success rate fell sharply on the “Managed Challenge” variant, and FlareSolverr has no solver of its own.
Behavioral analysis fires in under 10 milliseconds. From AlterLab’s 2026 teardown: Cloudflare’s AI Labyrinth flags the stock Playwright + Stealth stack almost instantly, because the TLS JA3 fingerprint of a Playwright-bundled Chromium doesn’t match any real Chrome release. FlareSolverr sits on the same problem.
Maintainer cadence can’t keep up. Releases still ship periodically and discussion #1416 mentions an experimental nodriver image — but main lags Cloudflare’s rollouts by weeks. For a *arr user that’s fine. For a scraper on a Turnstile-heavy SaaS site, weeks of downtime is the whole product.
None of this makes FlareSolverr useless — it’s still the fastest path to clearing a light JS challenge. What it isn’t anymore is the default.
Byparr: the drop-in, Camoufox-backed replacement
Byparr is the work of a single developer (ThePhaseless). Pitch: same API as FlareSolverr, modern stealth underneath. The v2.0.0 release swapped the browser from Selenium-plus-undetected-chromedriver to Camoufox, a Firefox-based anti-detect browser that patches fingerprints in C++ rather than via JavaScript overrides. That C++-level patching is the part that matters — detection services can read the JS heap and notice the lies; they can’t read the compiled binary. The current line is v2.1.0 (February 2026), which added Python 3.14 support and per-request proxy overrides via X-Proxy-* headers.
A few things to know about Camoufox. Firefox not Chrome, by design — more public research exists on Firefox fingerprint resistance (Tor Project, Arkenfox) and Cloudflare’s detection ML is trained heavier on Chromium signals. Camoufox’s docs report 0% detection across CreepJS, BrowserScan, and Fingerprint.com. Memory footprint ~200MB versus 400MB+ for stock Firefox. The project had a maintenance gap in 2025 and the 2026 release train is flagged experimental on the docs site, so read the release notes before pinning a version for production.
Install and run Byparr
docker run -d --name byparr -p 8191:8191 ghcr.io/thephaseless/byparr:latest
That’s it. The image is roughly 1.1GB (smaller than FlareSolverr’s), the API docs are auto-generated at http://localhost:8191/docs, and the endpoint contract is compatible with FlareSolverr’s v1 API — meaning anything that points at http://localhost:8191/v1 with a FlareSolverr-shaped JSON body will work unchanged.
A minimal request:
curl -L -X POST 'http://localhost:8191/v1' \
-H 'Content-Type: application/json' \
--data-raw '{
"cmd": "request.get",
"url": "https://protected-site.example",
"maxTimeout": 60000
}'
For a real deployment, Docker Compose is cleaner:
services:
byparr:
image: ghcr.io/thephaseless/byparr:latest
container_name: byparr
environment:
- LOG_LEVEL=INFO
- USE_HEADLESS=true
ports:
- "8191:8191"
restart: unless-stopped
If you’re migrating from FlareSolverr, the change in any existing Prowlarr / Jackett / custom scraper config is one line — swap the base URL. No code changes, no payload differences.
What Byparr fixes, and what it doesn’t
Turnstile clearance rate. Independent benchmarks through 2026 (Roundproxies, ZenRows, Scrapfly, Web Scraping Club’s LAB #95) consistently rank Byparr at the top of the open-source pile — with the caveat that “top” still trails managed platforms on the same sites.
Behavioral fingerprint quality. Camoufox modifies navigator, screen, webgl, canvas, and audio fingerprints at the C++ level, so the JS-heap inspection that catches Playwright + Stealth in 10ms finds nothing to flag. Passes CreepJS clean.
Active maintenance. Byparr’s release cadence is weekly-ish; patches land fast when Cloudflare ships a new detection signal. Hardest part to quantify in a one-day benchmark, matters most over a quarter.
What it doesn’t fix: latency. A Camoufox instance takes 3–6 seconds to boot and 2–4 seconds to render a Turnstile page. For light-challenge sites FlareSolverr was faster because undetected-chromedriver boots quicker. Pool sizing helps but the per-request cost is real. And Byparr has no solver for hard CAPTCHAs — if the site escalates past Managed Challenge, you’ll bolt on CapSolver/2Captcha or rotate residential proxies until escalation stops.
Scrapling: the Python-native stack
Byparr is a service. Scrapling is a framework you import — the problem it solves is slightly different. For a Python scraper that needs one library to gracefully handle the range from “public JSON endpoint” to “TLS-impersonated HTTP” to “full browser with stealth patches and a Turnstile auto-solver,” Scrapling — v0.4.8 as of May 2026 — is the cleanest answer shipping right now.
Three fetcher classes, each a level deeper in sophistication:
Fetcher — fast async HTTP with TLS browser-impersonation, HTTP/3 support, and persistent session management. Use this for sites that don’t challenge, or sites that challenge only on the first request but happily serve to any session with a real Chrome-ish TLS signature.
from scrapling.fetchers import Fetcher
page = Fetcher.get("https://example.com", impersonate="chrome")
for product in page.css(".product"):
print(product.css_first(".title").text, product.css_first(".price").text)
Passing impersonate="chrome" tracks whatever the latest Chrome TLS fingerprint is, so you don’t have to bump a hardcoded version every time curl_cffi adds one — pin a specific target ("chrome136") only if you need reproducible behavior.
StealthyFetcher — Camoufox-backed (same browser as Byparr), with optional automatic Cloudflare solving via solve_cloudflare=True. The one to reach for when the Fetcher starts getting blocked.
from scrapling.fetchers import StealthyFetcher
page = StealthyFetcher.fetch(
"https://protected-site.example",
headless=True,
network_idle=True,
solve_cloudflare=True,
)
for review in page.css(".review"):
author = review.css_first(".author").text
body = review.css_first(".body").text
print(author, "—", body[:60])
DynamicFetcher — full Playwright-managed Chrome or Chromium for sites that genuinely need JavaScript execution against the real DOM (infinite scroll, SPA routing, authenticated flows). Use this when StealthyFetcher can’t render the page you need.
Three session-flavored variants too — FetcherSession, StealthySession, DynamicSession — keep cookies and browser state across requests. The AsyncDynamicSession / AsyncStealthySession pair handles concurrency with a max_pages knob that rotates browser tabs so you don’t boot a Camoufox instance per request.
The adaptive part
The feature that got Scrapling its 2026 attention isn’t the fetchers — it’s adaptive=True on the parser. Mark a selector as adaptive and Scrapling tracks the element’s structural fingerprint (tag, attributes, siblings, text signature) at scrape time. When the site renames .price-tag to .price-tag-new three weeks later, Scrapling relocates by similarity and your scraper keeps working. Enough drift still breaks it — but it buys months of uptime between fixes on volatile sites.
price = page.css_first(".price-tag", auto_save=True)
# Three weeks later, on the same page structure but renamed classes,
# the same line finds the element — Scrapling matches on the saved fingerprint.
This is the part I wish I’d had when Google migrated <a href> → <button data-href> on review-author links in April and silently broke reviewerUrl for every customer of my Google Reviews Scraper until I caught it weeks later. No managed scraping API I know offers the same thing — they hand you a DOM and hope your selectors still match.
Scrapling also ships a built-in MCP server (the v0.4.7 release added a screenshot tool to it), which turns it into an extraction layer Claude Desktop or Cursor can call directly — useful for anyone building pay-per-use MCP servers without writing a REST wrapper.
Byparr vs Scrapling: which one?
Overlapping problems from different angles. Rough decision tree:
| If you’re… | Use this |
|---|---|
Running *arr stack, Jackett, Prowlarr, or any FlareSolverr-API client |
Byparr — one-line swap |
| Writing a Python scraper from scratch | Scrapling — unified API, adaptive selectors |
| Running non-Python workloads (Node, Go, Ruby) | Byparr — hit its HTTP endpoint from anywhere |
| Doing a mix — light HTTP, stealth browser, full Playwright | Scrapling — three fetchers in one library |
| Need Turnstile auto-solving | Either — service level or solve_cloudflare=True |
| Sharing a bypass layer across scrapers / languages / teammates | Byparr — one service, many clients |
If you have the budget for both, run Byparr as a fleet-wide protection layer and use Scrapling inside your Python scrapers, with StealthyFetcher pointed at Byparr for heavy targets and Fetcher handling the rest.
The six-site success matrix
Every bypass article with a table cheats somewhere — either the targets are too easy, the methodology is hand-wavy, or the numbers come from a vendor whose success rate is structurally higher than what you’ll see. Here’s what I actually ran this week against each target, one request per tool, headless, no residential proxies, from a single home IP:
| Target (anonymized) | FlareSolverr (latest) | Byparr (v2.1) | Scrapling Fetcher |
Scrapling StealthyFetcher |
|---|---|---|---|---|
| Cloudflare-protected SaaS dashboard | Timeout after 2× retries | Success, 7.2s | Blocked instantly (JA3) | Success, 6.9s |
| Google Maps place page (Limited View era) | Partial HTML (reviews missing) | Success, 5.8s | Blocked after 3 requests | Success, 6.1s |
| Amazon product page (anti-bot gauntlet) | Blocked | Blocked | Blocked (403) | Intermittent (solve_cloudflare off) |
| National news site (Managed Challenge) | Timeout | Success, 8.4s | Blocked | Success, 7.9s |
| Ticketing site (heavy Turnstile) | Blocked | Success, 11.2s | Blocked | Success, 10.8s |
| Retail site (soft JS challenge only) | Success, 3.1s | Success, 6.0s | Success, 1.2s (fastest) | Success, 5.7s |
A few honest caveats:
- Single IP, single run. Scaling up needs proxies and the results shift accordingly. A pattern that works once from your laptop can fail at scale once Cloudflare’s behavioral signals notice repetition.
- Amazon is a special case. Nothing here cleared it without residential proxies or a managed platform. Don’t build a product that depends on open-source-only against Amazon.
- Latency is real. Byparr is 2–4× slower than FlareSolverr on sites where FlareSolverr succeeds. Invisible to a
*arruser; meaningful for a scraper doing tens of thousands of requests. - Scrapling’s plain
Fetcheris very fast on soft-challenge sites — faster than spinning up a browser at all. The trick is knowing when to escalate.
Third-party benchmarks point the same direction: Byparr leads the open-source pile on Turnstile, managed platforms (Scrapfly 98–100%, ZenRows 99.7%) lead overall, FlareSolverr has slipped out of the top tier.
Pairing with residential proxies
Open-source bypass and residential proxies are complementary, not alternatives. Bypass tools clear the fingerprint and challenge layer. Proxies clear the IP-reputation layer. Cloudflare looks at both — and so does DataDome, which is what taught me this the hard way when I first ran the Yelp Scraper on Apify and watched yelp.com and yelp.ca return 403 instantly from the Apify residential pool, even with apifyProxyCountry: "US". Same actor, same code, yelp.de and yelp.co.uk scrape fine. The fingerprint stack was identical. The IP reputation wasn’t.
Rough pricing reality, April 2026:
- Budget-tier residential (IPRoyal, Webshare): $1.75–3 / GB
- Mid-tier (Decodo, formerly Smartproxy): $3–4 / GB
- Premium (Bright Data, Oxylabs): $8.40 / GB at 10GB, drops to $3.30 / GB at 10TB
In practice: at low volume, a $10/month IPRoyal or Decodo pay-as-you-go plan plus Byparr will outperform FlareSolverr-plus-datacenter-IPs by a lot, for almost no money. At high volume, the proxy bill dominates the decision and the choice of bypass tool barely moves it.
A simple rotation pattern in Scrapling: build a ProxyRotator, hand it to a session via proxy_rotator=, and every fetch call inside the session draws the next proxy automatically.
from scrapling.fetchers import StealthySession, ProxyRotator
rotator = ProxyRotator([
"http://user:pass@residential-pool.provider.com:10000",
"http://user:pass@residential-pool.provider.com:10001",
"http://user:pass@residential-pool.provider.com:10002",
])
with StealthySession(proxy_rotator=rotator, solve_cloudflare=True) as session:
for url in target_urls:
page = session.fetch(url)
# page.meta["proxy"] tells you which proxy served this request
Rotation is cyclic by default. For browser sessions Scrapling opens a fresh context per proxy under the hood, since a browser can’t change proxy per tab. Don’t combine proxy_rotator with a static proxy argument on the same session — it’s one or the other.
One thing worth knowing: mobile proxies are 3–5× more expensive than residential but push success rates close to 100% on aggressive targets. On a site where even Byparr-plus-residential fails consistently, a mobile pool is usually the next lever before giving up or going managed.
When to just buy managed
Open-source gets you moving, keeps your cost floor near zero, and teaches you what’s under the hood. It also has a ceiling, and the ceiling is closer than most tutorials admit.
Stop tinkering and buy a managed layer when any of these is true:
- You’re doing more than ~50K requests per day on a protected target. Your time fixing bypass breakage exceeds what Scrapfly, ZenRows, or an Apify actor charges for the same requests. ZenRows and Scrapfly’s published pricing starts around $69–$99/month for meaningful volume, and at that tier you’re paying someone else to babysit Cloudflare’s weekly updates.
- Your target is in the “fortress” tier — Amazon, LinkedIn, Instagram, TikTok, DoorDash. Nothing in this article will hold up against those in production without either a human-in-the-loop or a platform that specializes in them. (Agentic AI browsers like ChatGPT Atlas don’t fix this either — see the ChatGPT Atlas vs scraping-stack breakdown for where that crossover actually ends.)
- You’re selling data downstream. If your revenue depends on uptime, the open-source stack is a risk you’re taking unpaid. A managed platform shifts the SLA burden off you.
- Your team isn’t scrapers. A product engineer who needs 1,000 Google Maps records a day for an internal tool shouldn’t build a Byparr-plus-Scrapling-plus-proxy pipeline — that’s a distraction. Buy an actor, parse the JSON, move on with your week. I ship a Google Maps one, a Google Reviews one, and a Yelp one; there are 24,000+ others on the Apify Store. If you’re planning to ship your own actor and sell it, the Apify pay-per-event migration playbook is the piece to pair with this one.
If none of those apply, open-source wins on cost and learning. The Byparr-plus-Scrapling combo is in better shape today than any FlareSolverr-era stack was a year ago.
The bottom line
FlareSolverr isn’t dead — it’s just no longer the default. If you’re clearing light JS challenges on a tracker or a low-traffic target, it’ll keep working fine. If you’re hitting Turnstile, Managed Challenge, or any site whose behavioral checks have tightened since 2024, run Byparr instead — the swap is one line. If you’re building a new Python scraper, start with Scrapling and pick the right fetcher per target: plain Fetcher for the easy stuff, StealthyFetcher with solve_cloudflare=True for the challenged pages, DynamicFetcher only when you genuinely need a real DOM. Pair either with residential proxies at whatever volume makes the math work.
The honest framing I keep coming back to, having shipped the actors that hit this wall: open-source isn’t free, it’s unpaid labor deferred. The 90 minutes you save not patching Cloudflare’s latest detection update is the entire reason managed platforms and Apify actors exist. Know your inflection point and don’t cross it by accident — that’s the whole post.
References:
- Byparr on GitHub / release notes (current: v2.1.0)
- Scrapling on GitHub / release notes (current: v0.4.8) / docs / proxy rotation guide
- Camoufox project site / Camoufox on GitHub
- THE LAB #95: Bypassing Cloudflare in 2026
- Scrapfly: Bypass Cloudflare 2026
- ZenRows: Bypass Cloudflare / Web Scraping with Byparr
- Roundproxies: Byparr guide / Scrapling guide
- AlterLab: Playwright anti-bot detection in 2026
- FlareSolverr issue #1664 / discussion #1416
- Bright Data / IPRoyal / Oxylabs pricing