Why you do not get banned on day one. The technical version.
X uses multi-layer bot protection. A simple "User-Agent + proxy" setup is detected in minutes. We implement 14 layers of masking.
<aside> 🌐 Network Layer
X uses TLS fingerprinting and header analysis. These 6 layers mask our traffic as Chrome.
| Layer | What it does |
|---|---|
| TLS Fingerprint: JA3/JA4 | Chrome 145 impersonation through curl_cffi — the TLS handshake looks like Chrome |
| Header order | Headers are sent in Chrome order through OrderedDict, not randomly |
| Client Hints | sec-ch-ua, sec-ch-ua-platform, sec-ch-ua-mobile — as in Chrome |
| Accept-Language | Adjusted to the proxy geolocation |
| Timezone | Matches the proxy country |
| TLS extension order | Random order of extensions in the TLS handshake |
</aside>
<aside> 🧩 Application Layer
X checks cookies, tokens, and request signatures. These 4 layers imitate web-client behavior.
| Layer | What it does |
|---|---|
| x-client-transaction ID | Generated like in a real X web client |
| Session warming | On startup, the worker "opens" the home page and receives session cookies |
| ct0 refresh | Refreshed every 30 minutes, like a real browser does |
| Cookie jar | Full set of cookies, not only the required ones |
</aside>
<aside> 🎭 Behavioral Layer
X analyzes behavior patterns: speed, rhythm, and schedule. These 4 layers imitate a real person.
| Layer | What it does |
|---|---|
| Typing speed | 50-90 WPM with jitter — a reply is "typed", not instantly appeared |
| Delays | Log-normal distribution, not Gaussian; real people are not normally distributed |
| Diversity check | 60-minute cooldown for phrases with similarity >70% |
| Sleep mode | 7 hours of silence per day, like a real person |
</aside>