HeadlinesBriefing favicon HeadlinesBriefing.com

Fortress Stealth Chromium Engine Blocks Bot Detection

Hacker News •
×

Fortress is a Chromium fork that defeats bot detection by correcting browser fingerprints inside the engine's C++ layer rather than through JavaScript patches. The project maintains 34 single-purpose C++ patches across Blink, V8, and BoringSSL that make automated browsers present as ordinary Chrome installs — passing Creep JS, Sannysoft, Browser Scan, and live Cloudflare Turnstile checks with zero headless signals. Every spoofed getter resolves to a real C++ implementation, so `toString()` returns `[native code]` and remains realm-invariant across main frames, iframes, and Web Workers.

The engine exposes a standard CDP endpoint on port 9222, allowing existing Playwright, Puppeteer, or any CDP client to connect with a single line of code change. Fortress ships prebuilt binaries for Linux x64 and Windows x64 via `pip install tilion-fortress` or `npm install tilion-fortress`, plus a Docker image (`tilion/fortress:latest`) and Debian package. Two release channels track Chromium 149 (stable, matches mass-user Chrome) and Chromium 151 (latest engine), both with reproducible, gauntlet-gated builds.

Per-launch coherent personas are configurable through `--uxr-*` switches that synchronize GPU, screen, timezone, keyboard layout, media devices, and Client Hints as a single Windows identity. The SDK integrates with browser-use, Crawl4AI, Stagehand, and LangChain for AI-agent workflows, and the source includes a `tools/gauntlet.py` verification suite that reproduces all detector results.

Engine-level patching eliminates the detection surface that JavaScript stealth layers leave behind — pages inspecting `navigator.vendor` or re-grabbing primitives from workers see stock Chromium. Real-world tests show Fortress clearing Akamai Bot Manager on aa.com, Lowes, Macy's, and Kohl's from the same residential IP where stock headless Chrome receives Access Denied. The variable is the fingerprint, not the proxy.