Scraping Central is reader-supported. When you buy through links on our site, we may earn an affiliate commission.

Guide

Bypassing PerimeterX (HUMAN Security) for Scraping

Learn how to bypass PerimeterX (now HUMAN Security) bot detection for web scraping. Covers cookie validation, sensor data, and bypass techniques.

PerimeterX, now part of HUMAN Security, is a widely deployed bot management platform. You will recognize it by the _px cookies and the interstitial "Press & Hold" challenge pages.

How PerimeterX Detects Bots

PerimeterX (PX) collects data through a JavaScript sensor that evaluates:

  1. Browser Environment, Checks for headless browser indicators, missing APIs, and automation flags
  2. Behavioral Biometrics, Mouse movements, keystroke dynamics, and touch events
  3. Device Fingerprinting, Canvas, WebGL, audio context, and font enumeration
  4. Network Signals, IP reputation, ASN, and geolocation consistency
  5. Cookie Chain, The _px3, _pxvid, and _pxhd cookies form a validation chain

Method 1: ScraperAPI (Recommended)

ScraperAPI provides automatic PerimeterX bypass.

import requests

API_KEY = "YOUR_SCRAPERAPI_KEY"

response = requests.get(
    "http://api.scraperapi.com",
    params={
        "api_key": API_KEY,
        "url": "https://px-protected-site.com/catalog",
        "render": "true"
    }
)
print(response.text[:500])

Method 2: ScrapingAnt

ScrapingAnt handles PerimeterX challenges through its browser rendering.

import requests

response = requests.get(
    "https://api.scrapingant.com/v2/general",
    params={
        "url": "https://px-protected-site.com/catalog",
        "x-api-key": "YOUR_SCRAPINGANT_KEY",
        "browser": "true"
    }
)
print(response.text[:500])

Method 3: Stealth Browser with Residential Proxy

from playwright.sync_api import sync_playwright

PROXY = "http://user:pass@residential-proxy.com:8080"

with sync_playwright() as p:
    browser = p.chromium.launch(
        headless=False,
        proxy={"server": PROXY}
    )
    page = browser.new_page()
    page.goto("https://px-protected-site.com/catalog")

    # Wait for PX sensor to complete
    page.wait_for_load_state("networkidle")

    # Check for the "Press & Hold" challenge
    if page.locator("#px-captcha").is_visible():
        print("PX challenge detected - manual intervention or API needed")
    else:
        print("Page loaded successfully")
        print(page.content()[:500])

    browser.close()

The "Press & Hold" Challenge

PerimeterX's most visible feature is the "Press & Hold" button challenge. This requires:

  • A mouse down event at the correct coordinates
  • Holding for a specific duration (usually 3-8 seconds)
  • Natural mouse movement during the hold
  • Valid sensor data from the preceding page load

Automating this reliably is complex, which is why managed APIs are the practical choice.

Key Considerations

  • PerimeterX cookies expire and cannot be transferred between different browser fingerprints
  • The sensor script URL changes between deployments, so hardcoded intercepts break often
  • Residential proxies are almost mandatory since datacenter IPs are heavily flagged
  • HUMAN Security updates their detection regularly, requiring ongoing maintenance