AI agents summarize Cloudflare's block pages as fact
The 200 status HTML body of the block page reads as real content, and Fortress, an open source Chromium engine, shows why every AI agent now needs stealth browser primitives.
The 200 status HTML body of the block page reads as real content, and Fortress, an open source Chromium engine, shows why every AI agent now needs stealth browser primitives.
An AI agent hits a Cloudflare-protected site with a standard HTTP request. The response comes back as a 200 with a full HTML block page. The agent confidently summarizes the block page as if it were the real content, then ships that summary to the user. The user never knows the difference.
Cloudflare enabled default bot-blocking for new domains on July 1, 2025, turning away hundreds of billions of bot requests in its early months under the policy, per the maker's framing. The block is not what breaks AI agents. The 200-class response is. Cloudflare returns a full HTML body that looks like the page the agent asked for, and agents built on standard HTTP stacks parse it, read it, and produce a confident, sourced-looking summary that was actually written by Cloudflare's challenge layer.
Arman Luthra, posting as tilion.dev, built Fortress after watching his own agent fall into that hole. The project ships as an open-source stealth Chromium engine, wrapping the browser with a layer of fingerprint work meant to look like a normal human visit. The GAUNTLET_RESULTS.md benchmark, run by the maker, claims high evasion rates against a gauntlet of bot-mitigation vendors. The Show HN thread for the project sat at roughly six points at receipt time, a thin community signal that should not be read as adoption.
The evasion vectors implied by the project shape are standard in modern anti-bot tooling: TLS fingerprint randomization, browser fingerprint spoofing, in-browser JavaScript challenge execution, and human-input timing mimicry. None is new in the cat-and-mouse history of browser fingerprinting. The customer base, however, is about to grow from a few thousand scraping shops to every developer shipping an autonomous agent that touches the public web.
Agents cannot tell the difference between a block page and real content. That is why the only way to keep them honest is to teach them to look like a human browser before they ask, and once stealth-browser primitives become a baseline capability for AI agents, detection vendors will target the new fingerprint cluster those primitives produce. The arms race shifts up a layer, and there is no stable endpoint where agents stay one step ahead of the infrastructure designed to block them.
The maker's benchmark is a self-run gauntlet against current detection rules, not an independent reproduction against production traffic. Fingerprint randomization has a known shelf life as vendors iterate. The more useful question is whether detection vendors treat agent-driven traffic as a separate signal class with its own fingerprint heuristics, or fold it into existing crawler rules that already target headless browsers. Both paths move the same arms race forward. The trigger to watch is whichever detection vendor publishes agent-fingerprint heuristics first.
The repo, the self-benchmark, and the blog post describe the same accident the same way: the agent did not know it had been blocked, and the only fix was to give the agent a Chromium-derived stack with stealth-browser primitives. The next AI agent to ship a clean answer about a protected page will hit the same wall, with or without Fortress in its dependencies.