Headless Browser
What is Headless Browser?
A web browser that runs without a graphical user interface and is driven programmatically, commonly used for testing, scraping, and security automation.
A headless browser is a real browser engine (Chromium, Firefox, WebKit) that executes JavaScript, renders pages, and handles cookies just like a desktop browser, but without showing a visible window. It is controlled through APIs such as Chrome DevTools Protocol, WebDriver BiDi, or libraries like Puppeteer and Playwright. Headless browsers power end-to-end test suites, screenshot services, PDF generation, and security tasks like dynamic application scanning. They are also abused by attackers for credential stuffing, scraping protected content, and bypassing simple bot detection, so anti-automation defenses inspect browser fingerprints, navigator.webdriver flags, and behavioral signals.
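The navigator.webdriver and browser-fingerprint checks mentioned above, as an added example that is not from the original page: a small client-side scoring function that inspects a navigator-like object and reports which automation signals fired. The signal weights, the threshold and the language/plugin heuristics are illustrative assumptions, not a documented detection rule.

```javascript
// Added example (not from the page): score common headless/automation
// signals from a navigator-like object. Written as a pure function so it
// runs in Node for testing; in a browser, call automationSignals(navigator).
// The weights, threshold and heuristics below are illustrative assumptions.

const SIGNALS = [
  {
    name: "webdriver-flag",
    weight: 3,
    // Set to true by browsers driven through WebDriver or launched with
    // Chrome's automation switch; false or undefined for normal browsing.
    test: (nav) => nav.webdriver === true,
  },
  {
    name: "headless-ua-token",
    weight: 3,
    // Legacy headless Chrome advertises itself in the User-Agent string.
    // --headless=new sends a normal Chrome UA, so a missing token proves nothing.
    test: (nav) => /HeadlessChrome/.test(nav.userAgent || ""),
  },
  {
    name: "no-languages",
    weight: 2,
    // An empty preferred-language list is unusual for an interactive user.
    test: (nav) => !Array.isArray(nav.languages) || nav.languages.length === 0,
  },
  {
    name: "no-plugins",
    weight: 1,
    // Desktop Chrome normally exposes a built-in PDF viewer plugin; an empty
    // list behind a Chrome UA is a weak, easily spoofed signal (assumption).
    test: (nav) => /Chrome/.test(nav.userAgent || "") && (!nav.plugins || nav.plugins.length === 0),
  },
];

const SUSPICIOUS_THRESHOLD = 3; // illustrative; tune against real traffic

// Returns { hits: [signal names], score, suspicious } for the given navigator.
function automationSignals(nav) {
  const hits = [];
  let score = 0;
  for (const s of SIGNALS) {
    let fired = false;
    try { fired = s.test(nav); } catch (e) { fired = false; } // a missing property must never throw
    if (fired) { hits.push(s.name); score += s.weight; }
  }
  return { hits, score, suspicious: score >= SUSPICIOUS_THRESHOLD };
}
```

Every one of these properties can be overridden by the automation script itself, which is why the definition above pairs fingerprint checks with behavioral signals rather than relying on either alone.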
● Examples
1. Running Chromium with --headless=new to capture the rendered DOM during a DAST scan.
2. A credential-stuffing bot driving headless Firefox to defeat a login form's JavaScript challenge.
● Frequently asked questions
What is Headless Browser?
A web browser that runs without a graphical user interface and is driven programmatically, commonly used for testing, scraping, and security automation. It belongs to the Application Security category of cybersecurity.
How do you defend against Headless Browser?
Defences against abusive headless-browser traffic combine technical controls, such as the browser-fingerprint, navigator.webdriver and behavioral-signal checks described in the definition above, with operational practices.
What are other names for Headless Browser?
Common alternative names include: Headless Chrome, Headless Chromium.
● Related terms
- Puppeteer Security (appsec № 880): Security considerations for Puppeteer, Google's Node.js library that drives Chrome and Chromium over the DevTools Protocol for automation and testing.
- Playwright Security (appsec № 836): Security considerations for Playwright, Microsoft's cross-browser automation framework that drives Chromium, Firefox, and WebKit with isolated contexts.
- Credential Stuffing (attacks № 232): An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- User-Agent Spoofing (appsec № 1195): Forging the User-Agent header or related client hints so that a request appears to come from a different browser, device, or operating system than it actually does.
● See also
- robots.txt (№ 942)