npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@mrhansamala/cf-bypass

v1.0.1

Published

Complete Cloudflare bypass engine with JS deobfuscation, hidden element detection, password extraction, and link decoding. Quantum TLS/HTTP2/DoH fingerprint spoofing.

Readme

🛡️ CLAUDFLARE BYPASS

⚠️ IMPORTANT LEGAL NOTICE - READ CAREFULLY

This tool is designed SOLELY FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES.

YOU MUST:

  • Obtain explicit written permission from the target owner before testing
  • Use this tool only within the defined scope of authorized testing
  • Comply with all applicable laws in your jurisdiction
  • Never use this tool for illegal activities

YOU MUST NOT:

  • Access unauthorized systems or data
  • Use for data theft, fraud, or deception
  • Use for competitive intelligence gathering
  • Bypass security controls without permission
  • Use for any malicious purpose whatsoever

LEGAL CONSEQUENCES:

  • Unauthorized use may result in criminal prosecution under CFAA and similar laws
  • Users are solely responsible for all legal consequences
  • The authors assume ABSOLUTELY NO LEGAL LIABILITY for any misuse

BY DOWNLOADING OR USING THIS SOFTWARE, YOU AGREE TO:

  • Accept full legal responsibility for your actions
  • Use this software only in compliance with all laws
  • Not hold the authors liable for any damages
  • Report all findings to the target owner

THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.

npm version License: MIT Node.js Version Socket Badge


📋 Table of Contents


🎯 Overview

cf-bypass is an advanced educational Cloudflare security testing engine designed for authorized penetration testing. It implements 38+ sophisticated evasion techniques to help security professionals understand and test Cloudflare's security infrastructure.

Key Capabilities

| Feature | Description | |---------|-------------| | 🔐 TLS Fingerprinting | Emulates real browser TLS signatures for testing | | 🌐 HTTP/2 & HTTP/3 | Full QUIC protocol support with realistic profiles | | 🧩 PoW Solver | Solves Proof-of-Work challenges with human-like timing | | 🖥️ Hardware Spoofing | GPU, Audio, Font fingerprint emulation | | 🎭 Browser Masking | 12-layer environment protection script | | 🔄 Auto-Rotation | Automatic fingerprint and proxy rotation | | 🎯 Smart Challenge Resolution | JS, Turnstile, CAPTCHA, PoW challenges |


✅ What This Tool Can Do

| Category | Capabilities | |----------|--------------| | Cloudflare Testing | Bypass Cloudflare challenges in authorized environments | | TLS Analysis | Emulate browser TLS fingerprints (JA3/JA4) | | Protocol Testing | Test HTTP/2, HTTP/3, QUIC protocols | | Security Research | Study anti-bot mechanisms and evasion techniques | | Web Scraping | Legitimate data collection with permission | | Penetration Testing | Authorized security assessments | | Deobfuscation | Decode obfuscated JavaScript for analysis | | Hidden Element Discovery | Find hidden form fields and encoded links | | Cookie Management | Handle session cookies and clearance tokens | | Browser Simulation | Emulate human-like behavior patterns | | Network Analysis | Test network fingerprinting defenses | | CAPTCHA Testing | Analyze CAPTCHA implementations |


❌ What This Tool Cannot Do

| Category | Limitations | |----------|-------------| | Illegal Activities | Cannot be used for unauthorized access or data theft | | Magic Bypass | No tool can guarantee 100% bypass success | | New Cloudflare Versions | May not work with future Cloudflare updates | | Complex CAPTCHAs | Some audio/image CAPTCHAs may fail | | All Environments | Browser automation requires proper setup | | Rate Limits | Cannot bypass server-side rate limiting | | JavaScript Execution | Requires proper browser environment | | IP Reputation | Cannot bypass IP-based blocks | | All Websites | Some sites have additional custom protections | | Zero-day Exploits | Does not exploit security vulnerabilities |


✨ Features

🚀 Core Features

  • TLS Fingerprinting - JA3/JA4/JA3S emulation
  • HTTP/2 & HTTP/3 Support - Full QUIC protocol
  • DNS-over-HTTPS (DoH) - Secure DNS resolution
  • Cookie & Session Management - cf_clearance persistence
  • Browser Cache Simulation - ETag, 304 responses
  • JavaScript Deobfuscation - Base64, Hex, Unicode, Eval
  • Hidden Element Detection - Find hidden buttons/links
  • WAF Payload Encoding - Bypass WAF filters
  • Human Behavior Simulation - Mouse, scroll, typing

🎯 38 Evasion Layers

| Category | Features | |----------|----------| | Network Transport | TLS/TCP/IP/QUIC Spoofing | | Protocol Fidelity | HTTP/2, HTTP/3, H2C | | Cryptographic | JA3/JA4/GREASE/PoW | | Behavioral | Mouse/Keys/Nav Simulation | | Hardware Telemetry | GPU/Audio/Screen Spoofing | | Environmental | 12-layer browser masking | | Challenge Resolution | JS/Turnstile/CAPTCHA | | Cookie Management | Session persistence | | Cache Simulation | Browser cache emulation | | Geo-Routing | Multi-country proxy routing |


📦 Installation

# Install from NPM
npm install @mrhansamala/cf-bypass

# Or using yarn
yarn add @mrhansamala/cf-bypass

Requirements

# Node.js >= 16.0.0 required
node -v

🚀 Quick Start

const CFBypass = require('@mrhansamala/cf-bypass');

// Make a request with automatic Cloudflare bypass
async function main() {
  try {
    const result = await CFBypass.bypass('https://example.com');
    console.log('✅ Success! Status:', result.status);
    console.log('📄 Page content length:', result.html.length);
    console.log('🍪 Clearance:', result.clearance);
  } catch (error) {
    console.error('❌ Failed:', error.message);
  }
}

main();

📚 Usage Examples

Example 1: Basic GET Request

const CFBypass = require('@mrhansamala/cf-bypass');

const result = await CFBypass.bypass('https://example.com');
console.log(result.html);

Example 2: Deobfuscate JavaScript

const CFBypass = require('@mrhansamala/cf-bypass');

// Decode base64, hex, unicode, eval, etc.
const decoded = CFBypass.deobfuscate('eval(atob("SGVsbG8gV29ybGQh"))');
console.log(decoded); // "Hello World"

Example 3: Scan for Hidden Elements

const CFBypass = require('@mrhansamala/cf-bypass');

const html = `
  <input type="hidden" name="token" value="abc123">
  <button disabled>Submit</button>
  <a href="javascript:void(0)">Link</a>
`;

const results = CFBypass.scan(html);
console.log('Hidden inputs:', results.hiddenInputs);
console.log('Disabled buttons:', results.disabledButtons);
console.log('Encoded links:', results.encodedLinks);

Example 4: Scan URL for Hidden Elements

const CFBypass = require('@mrhansamala/cf-bypass');

const results = await CFBypass.scanURL('https://example.com');
console.log('Hidden inputs:', results.hiddenInputs);
console.log('Passwords:', results.passwords);
console.log('Suspicious scripts:', results.suspiciousScripts);

Example 5: Encode Payload for WAF Testing

const CFBypass = require('@mrhansamala/cf-bypass');

// Base64, Unicode, Hex, CharCode encoding
const encoded = CFBypass.encodePayload('alert(1)', ['base64', 'unicode']);
console.log('Encoded:', encoded.encoded);
console.log('Methods:', encoded.methods);

// Generate XSS variants
const variants = CFBypass.generateXSSVariants('<script>alert(1)</script>');
console.log('XSS variants:', variants.length);

Example 6: Decode Encoded Payload

const CFBypass = require('@mrhansamala/cf-bypass');

const decoded = CFBypass.decodePayload('eval(atob("YWxlcnQoMSk="))');
console.log('Decoded:', decoded);

Example 7: Cookie Management

const CFBypass = require('@mrhansamala/cf-bypass');

const jar = CFBypass.createCookieJar();
jar.setCookie('cf_clearance=abc123; Domain=example.com', 'example.com');
console.log('Has clearance:', jar.hasValidClearance());
console.log('Cookies:', jar.getAll());

Example 8: Browser Cache Simulation

const CFBypass = require('@mrhansamala/cf-bypass');

const cache = CFBypass.createBrowserCache();
cache.updateCache('https://example.com', { 'etag': 'abc123' });
const headers = cache.getCachedHeaders('https://example.com');
console.log('Cache headers:', headers);

Example 9: Spoofers (Fingerprint Generation)

const CFBypass = require('@mrhansamala/cf-bypass');

const spoofers = CFBypass.createSpoofers();

// Timezone spoofing
console.log('Timezone:', spoofers.timezone.getTimezone('US'));
console.log('Language:', spoofers.timezone.getLanguage('US'));

// Screen spoofing
console.log('Screen:', spoofers.screen.getScreenProperties());

// Navigator spoofing
console.log('UserAgent:', spoofers.navigator.getUserAgent());

Example 10: DNS-over-HTTPS Resolution

const CFBypass = require('@mrhansamala/cf-bypass');

const resolver = CFBypass.createDoHResolver();
const ips = await resolver.resolve('example.com');
console.log('IPs:', ips);

Example 11: Human Behavior Simulation

const CFBypass = require('@mrhansamala/cf-bypass');

// Simulates mouse movements, scrolling (browser only)
CFBypass.simulateHuman();

Example 12: Request Interval Management

const CFBypass = require('@mrhansamala/cf-bypass');

const manager = CFBypass.createRequestIntervalManager();
const delays = manager.getBatchDelays(5);
console.log('Human-like delays:', delays);

Example 13: Throttle Simulation

const CFBypass = require('@mrhansamala/cf-bypass');

const throttle = CFBypass.createThrottleSimulator();
throttle.setSpeed('4g');
const time = throttle.simulateSpeed(1024 * 1024, 'download');
console.log('Download time:', time, 'ms');

Example 14: Page Events Simulation

const CFBypass = require('@mrhansamala/cf-bypass');

const events = CFBypass.createPageEventsSimulator();
console.log('Document state:', events.getDocumentState());
console.log('Event sequence:', events.getEventSequence());

Example 15: Render Simulation

const CFBypass = require('@mrhansamala/cf-bypass');

const render = CFBypass.createRenderSimulator();
console.log('Render metrics:', render.getRenderMetrics());
console.log('Performance score:', render.getPerformanceScore());

Example 16: Service Worker Spoofing

const CFBypass = require('@mrhansamala/cf-bypass');

const sw = CFBypass.createServiceWorkerSpoofer();
console.log('Worker state:', sw.getWorkerState());

Example 17: WebAssembly Spoofing

const CFBypass = require('@mrhansamala/cf-bypass');

const wasm = CFBypass.createWebAssemblySpoofer();
console.log('WASM info:', wasm.getWasmInfo());

Example 18: Font Loading Simulation

const CFBypass = require('@mrhansamala/cf-bypass');

const fonts = CFBypass.createFontLoaderSimulator();
const timing = fonts.getFontLoadTiming('google');
console.log('Font load time:', timing);

Example 19: Client Hints Spoofing

const CFBypass = require('@mrhansamala/cf-bypass');

const hints = CFBypass.createSpoofers().clientHints;
console.log('Client hints:', hints.getClientHints());

Example 20: Content Encoding Handling

const CFBypass = require('@mrhansamala/cf-bypass');

const handler = CFBypass.createContentEncodingHandler();
const encoding = handler.getPreferredEncoding('gzip, deflate, br');
console.log('Preferred encoding:', encoding);

Example 21: HTTP Pipeline Management

const CFBypass = require('@mrhansamala/cf-bypass');

const pipeline = CFBypass.createPipelineManager();
pipeline.addRequest({ url: '/api/data' });
pipeline.addRequest({ url: '/api/users' });
console.log('Pipeline status:', pipeline.getPipelineStatus());

Example 22: QUIC Connection Management

const CFBypass = require('@mrhansamala/cf-bypass');

const quic = CFBypass.createQUICManager();
console.log('QUIC config:', quic.getQUICConfig());
console.log('QUIC transport params:', quic.getQUICTransportParams());

Example 23: TLS Session Spoofing

const CFBypass = require('@mrhansamala/cf-bypass');

const tls = CFBypass.createSpoofers().tls;
console.log('TLS session info:', tls.getSessionInfo());

Example 24: OCSP Stapling Simulation

const CFBypass = require('@mrhansamala/cf-bypass');

const ocsp = CFBypass.createSpoofers().ocsp;
const response = ocsp.getOCSPStapling('example.com');
console.log('OCSP status:', response.status);

Example 25: ALPN Protocol Negotiation

const CFBypass = require('@mrhansamala/cf-bypass');

const alpn = CFBypass.createSpoofers().alpn;
console.log('ALPN protocols:', alpn.getALPNProtocols('chrome'));
console.log('Selected protocol:', alpn.getSelectedProtocol('chrome'));

Example 26: TCP Options Spoofing

const CFBypass = require('@mrhansamala/cf-bypass');

const tcp = CFBypass.createSpoofers().tcp;
console.log('TCP options:', tcp.getTCPOptions('windows'));

Example 27: IP Fragmentation

const CFBypass = require('@mrhansamala/cf-bypass');

const ip = CFBypass.createSpoofers().ipFragment;
console.log('Fragment info:', ip.getFragmentInfo('windows'));

Example 28: Mouse Events Simulation

const CFBypass = require('@mrhansamala/cf-bypass');

const mouse = CFBypass.createMouseSimulator();
const events = mouse.getMouseEventSequence();
console.log('Mouse events:', events.length);

Example 29: Configure Settings

const CFBypass = require('@mrhansamala/cf-bypass');

CFBypass.configure({
  debug: true,
  timeout: 60000,
  humanSim: true,
  antiDetection: {
    webdriver: true,
    chrome: true,
    webgl: true
  }
});

Example 30: Get Stats

const CFBypass = require('@mrhansamala/cf-bypass');

const stats = CFBypass.getStats();
console.log('Requests:', stats.requests);
console.log('Success:', stats.success);
console.log('Failed:', stats.failed);

CFBypass.resetStats();

Example 31: CLI Usage

# Bypass Cloudflare (Authorized testing only)
node cf-bypass-ultimate.js --url https://example.com

# Deobfuscate code
node cf-bypass-ultimate.js --deobfuscate "eval(atob('SGVsbG8='))"

# Scan for hidden elements
node cf-bypass-ultimate.js --scan https://example.com

# Encode payload
node cf-bypass-ultimate.js --encode "alert(1)"

# Run self-test
node cf-bypass-ultimate.js --test

Example 32: Complete Bypass Pipeline

const CFBypass = require('@mrhansamala/cf-bypass');

async function completeWorkflow() {
  // 1. Configure
  CFBypass.configure({
    debug: true,
    humanSim: true
  });
  
  // 2. Bypass Cloudflare
  const result = await CFBypass.bypass('https://example.com');
  
  // 3. Scan for hidden elements
  const hidden = CFBypass.scan(result.html);
  
  // 4. Deobfuscate any suspicious scripts
  if (hidden.suspiciousScripts.length > 0) {
    const decoded = CFBypass.deobfuscate(
      hidden.suspiciousScripts[0].preview
    );
    console.log('Decoded script:', decoded);
  }
  
  // 5. Check for encoded links
  console.log('Encoded links:', hidden.encodedLinks);
  
  // 6. Check for hidden inputs
  console.log('Hidden inputs:', hidden.hiddenInputs);
  
  return result;
}

completeWorkflow();

🔧 API Reference

Core Functions

| Function | Description | |----------|-------------| | bypass(url) | Bypass Cloudflare on target URL (authorized only) | | exec(url) | Alias for bypass() | | deobfuscate(code, options) | Deobfuscate JavaScript code | | scan(root) | Scan for hidden elements in HTML | | scanURL(url) | Scan URL for hidden elements | | encodePayload(payload, methods) | WAF-encode a payload (testing only) | | decodePayload(encoded) | Decode WAF-encoded payload | | generateXSSVariants(base) | Generate XSS payload variants (testing only) | | simulateHuman() | Simulate human behavior | | applyAntiDetection() | Apply anti-detection measures | | configure(config) | Update configuration | | getStats() | Get statistics | | resetStats() | Reset statistics | | getVersion() | Get version string |

Factory Functions

| Function | Description | |----------|-------------| | createCookieJar() | Create cookie manager | | createBrowserCache() | Create browser cache simulator | | createDoHResolver() | Create DNS-over-HTTPS resolver | | createQUICManager() | Create QUIC connection manager | | createHSTSCache() | Create HSTS cache | | createContentEncodingHandler() | Create content encoding handler | | createPipelineManager() | Create HTTP pipeline manager | | createMouseSimulator() | Create mouse events simulator | | createRequestIntervalManager() | Create request interval manager | | createThrottleSimulator() | Create throttle simulator | | createPageEventsSimulator() | Create page events simulator | | createRenderSimulator() | Create render simulator | | createServiceWorkerSpoofer() | Create service worker spoofer | | createWebAssemblySpoofer() | Create WebAssembly spoofer | | createFontLoaderSimulator() | Create font loader simulator | | createSpoofers() | Create all spoofer instances |


🌐 Available Fingerprints

Browser Fingerprints

| Fingerprint | Browser | OS | |-------------|---------|-----| | chrome_125_win | Chrome 125 | Windows 11 | | chrome_125_mac | Chrome 125 | macOS 14 | | firefox_124_win | Firefox 124 | Windows 11 | | safari_173_mac | Safari 17.3 | macOS 14 | | edge_125_win | Edge 125 | Windows 11 |

OS Types

| OS Type | Description | |---------|-------------| | windows | Windows 10/11 | | darwin | macOS | | linux | Linux | | ios | iOS | | android | Android |


✅ Authorized Use Cases

Legitimate Uses

| Use Case | Description | |----------|-------------| | Security Testing | Authorized penetration testing with written permission | | Research | Academic research on anti-bot mechanisms | | Education | Learning about web security and evasion techniques | | Bug Bounty | Testing within authorized bug bounty programs | | Defense Testing | Testing your own WAF/Cloudflare configurations | | Forensic Analysis | Analyzing malicious traffic patterns |

Prohibited Uses

| Prohibited Use | Why It's Prohibited | |----------------|---------------------| | Unauthorized Access | Violates computer fraud laws | | Data Theft | Criminal offense | | Denial of Service | Criminal offense | | Fraud | Criminal offense | | Competitive Intelligence | Unethical and potentially illegal | | Bypassing Security Without Permission | Illegal in most jurisdictions |


📜 Legal Disclaimer

⚠️ LEGAL DISCLAIMER - READ CAREFULLY

THIS SOFTWARE IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.

IMPORTANT: This tool is designed to help security professionals understand
and test Cloudflare's security infrastructure. It should ONLY be used on
systems you own or have explicit written permission to test.

The authors, contributors, and distributors of this software assume 
ABSOLUTELY NO LEGAL LIABILITY for any misuse, damages, or legal consequences 
arising from the use of this software.

USERS ARE SOLELY RESPONSIBLE FOR:
1. Obtaining explicit written permission from target owners
2. Ensuring they are authorized to perform security testing
3. Complying with all applicable laws and regulations
4. Using this software only within defined scope of testing
5. Reporting all findings to the target owner

PROHIBITED USES (NON-EXHAUSTIVE):
- Unauthorized access to any system
- Data theft or exfiltration
- Denial of service attacks
- Fraud or deception
- Any malicious purpose
- Competitive intelligence gathering
- Bypassing security without permission

BY USING THIS SOFTWARE, YOU AGREE TO:
- Accept full legal responsibility for your actions
- Indemnify and hold harmless the authors
- Use this software only in compliance with all laws
- Not hold the authors liable for any damages

VIOLATIONS MAY RESULT IN:
- Civil liability
- Criminal prosecution under CFAA (Computer Fraud and Abuse Act)
- Account suspension
- Legal action by affected parties

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.

📝 License

MIT License

Copyright (c) 2024 cf-bypass Contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

📦 Package Information

{
  "name": "@mrhansamala/cf-bypass",
  "version": "1.0.0",
  "description": "Advanced Cloudflare security bypass engine for authorized penetration testing with 38+ evasion features",
  "main": "cf-bypass-ultimate.js",
  "keywords": [
    "cloudflare",
    "bypass",
    "security",
    "tls",
    "ja3",
    "fingerprint",
    "challenge",
    "turnstile",
    "captcha",
    "pow",
    "automation",
    "testing",
    "penetration-testing",
    "web-security",
    "scraping",
    "anti-detection",
    "deobfuscate",
    "waf"
  ],
  "author": "mrhansamala",
  "license": "MIT",
  "engines": {
    "node": ">=16.0.0"
  }
}

📖 Educational Resources

Recommended Reading

  1. Web Security Fundamentals - Understand the basics of web security
  2. Cloudflare Architecture - Learn how Cloudflare protects websites
  3. Ethical Hacking Guidelines - Understand legal and ethical boundaries
  4. Penetration Testing Standards - Follow industry best practices
  5. Computer Fraud Laws - Understand legal implications

Ethical Guidelines

  1. Always Get Permission - Never test without explicit written permission
  2. Document Everything - Keep detailed records of all testing activities
  3. Report Findings - Promptly report vulnerabilities to the target owner
  4. Limit Scope - Only test within the defined scope
  5. Protect Data - Never exfiltrate or misuse discovered data

🔒 Built with ❤️ for the security community 📚 For educational and authorized testing purposes only ⚖️ Please respect the law and use responsibly


Last Updated: June 30, 2026