Configure a Stealth Browser

Stealth is mostly about not contradicting yourself. BCTRL runs Kameleo underneath, which picks a real, internally coherent fingerprint - your job in the config is to keep the parts you control (proxy geo, locale, WebRTC) telling the same story.

1
import { Bctrl } from "@bctrl/sdk";
2
import { chromium } from "playwright";
3
4
const bctrl = new Bctrl({ apiKey: process.env.BCTRL_API_KEY! });
5
6
const runtime = await bctrl.runtimes.create({
7
type: "browser",
8
name: "stealth-recipe",
9
config: {
10
stealth: "ultra",
11
proxy: {
12
type: "managed-rotating",
13
country: "US",
14
rotation: "sticky", // one exit IP for the whole session
15
stickyKey: "stealth-recipe",
16
preference: "quality",
17
},
18
fingerprint: {
19
device: "desktop",
20
os: "windows",
21
browser: "chrome",
22
locale: ["en-US", "en"], // agree with the proxy country
23
},
24
webRtcProxyOnly: true, // WebRTC can't leak your real IP around the proxy
25
},
26
});
27
const { connectUrl } = await bctrl.runtimes.start(runtime.id);
28
29
// See what websites see.
30
const browser = await chromium.connectOverCDP(connectUrl);
31
const context = browser.contexts()[0] ?? (await browser.newContext());
32
const page = context.pages()[0] ?? (await context.newPage());
33
34
await page.goto("https://pixelscan.net");
35
await page.waitForTimeout(15_000); // let the checks finish
36
await page.screenshot({ path: "pixelscan.png", fullPage: true });
37
38
await browser.close();
39
await bctrl.runtimes.stop(runtime.id);

📸 Content TODO: run this once and embed the resulting pixelscan screenshot (a clean “consistent” result). A CreepJS capture works too. Date-stamp it in the caption - detection checkers evolve and readers will re-test.

Why these knobs

• stealth: "ultra" - the anti-detection hardening level. medium/high/ultra trade resource use for depth; start with high and move up if a target still challenges you.
• Sticky rotating proxy - rotation between sessions, one exit IP within a session. An IP that changes mid-session is itself a signal.
• fingerprint filters, not values - BCTRL defaults to a desktop Windows search and randomly selects Chrome, Edge, or Safari when browser is omitted. You can narrow Kameleo’s search further (desktop + windows + chrome), and it picks a real fingerprint where canvas, WebGL, fonts, and UA already agree. Never hand-build the parts yourself.
• locale matches the proxy country - a US exit IP with a de-DE language stack is a contradiction detectors look for.
• webRtcProxyOnly - WebRTC is the classic side channel that reveals the real IP behind a proxy; force it through the proxy.

Keep the identity across sessions

A fingerprint that’s brand new on every visit is also a signal. For flows that return to the same site, use a profile-backed runtime (config.profile: true): cookies, logins, and the fingerprint identity persist across starts, so you come back as the same browser - not a fresh stranger.

Next

• Runtime configuration - every config option
• Proxies - pools, static IPs, and bring-your-own
• Solve CAPTCHAs - for the challenges that still get through