A headless browser is a web browser that runs without a graphical user interface, driven entirely by code through a programmatic API. Headless browsers are widely used for test automation, web scraping, and rendering pipelines, but they are also common in credential stuffing, bot-driven fraud, and other automated abuse because they can execute JavaScript like a real browser.
Unlike a traditional browser opened by a human, a headless browser has no visible window, no GPU-rendered display, and typically runs on server infrastructure without access to real audio or GPU hardware. These constraints cause it to produce fingerprint signals that differ from those of a genuine user device: missing or software-emulated GPU data, absent media devices, and a narrower range of platform characteristics.
Detection works by looking for the combination of signals that is unlikely in a real user session but common in headless environments. A session with no GPU rendering capability, missing real audio hardware, a narrow range of platform characteristics, and patterns in how APIs respond to queries is more likely to be headless than a session that reports a full hardware profile.
In doorman-benny
doorman-benny's automation score evaluates a range of behavioural and hardware-consistency signals to estimate the probability that a session is being driven programmatically rather than by a human in a real browser.
Detect bots and anti-detect browsersFrequently asked questions
Are all headless browsers bots?
No. Headless browsers have many legitimate uses, including continuous integration test suites, screenshot services, and server-side rendering pipelines. The presence of a headless browser is a risk signal, not definitive proof of fraud, and should be evaluated alongside other signals.
Can a headless browser be configured to look like a real browser?
Modern automation frameworks include modes designed to reduce detectable differences. However, a headless environment still typically lacks real GPU hardware, real audio devices, and the full range of user-interaction signals that genuine browsers generate, leaving detectable gaps.
How does headless detection relate to bot detection?
Headless detection is one input into a broader bot detection system. A session identified as headless is a candidate for bot classification, but a complete bot detection system also considers behavioural signals, interaction patterns, and cross-signal consistency alongside the headless indicator.
