v6.1 — Anti-Detection & Browser Impersonation Fix
Critical Fix: Cloudflare/Bot Detection Bypass
The engine was being blocked by Cloudflare and other anti-bot systems because:
- User-Agent was
"BexEngine/6.0"— immediately flagged as bot - Missing browser headers — no
Sec-CH-UA,Sec-Fetch-*,Accept-Encoding, etc. - No HTTP/2 — real browsers always negotiate H2
- No cookie persistence — CF challenges set cookies that must be sent on subsequent requests
- No compression — browsers always send
Accept-Encoding: gzip, deflate, br
Changes (in crates/bex-core/):
config.rs: Default user_agent changed from "BexEngine/6.0" to a real Chrome 137 UA string. Timeouts increased from 15s to 30s (CF challenges can be slow).
http_service.rs: Complete rewrite of the HTTP layer:
- Real Chrome 137 default headers (Sec-CH-UA, Sec-Fetch-*, Accept-Encoding, etc.)
- HTTP/2 support enabled (Chrome always uses it)
- gzip/brotli/deflate decompression (browsers always send these)
- Cookie store (
cookie_store(true)) for CF session persistence - Auto-generates Referer from URL origin when not provided by plugin
- Plugin headers override defaults (so plugins can customize)
Cargo.toml: Added reqwest features: gzip, brotli, deflate, cookies, http2
Testing Results:
| Site | Search | Episodes | Stream Resolution |
|---|---|---|---|
| AnimeKai (anikai.to) | ✅ Works | ✅ Works | ⚠️ CF JS Challenge |
| enc-dec.app API | ✅ Works | N/A | N/A |
The stream resolution endpoint (/ajax/links/view) is behind a Cloudflare JS challenge that requires actual JavaScript execution. This needs the bex-js QuickJS engine to solve the CF challenge first. The CloudflareKiller approach from cloudstream uses a WebView for this.
Remaining Work: CF Challenge Solver
For sites that use Cloudflare JS challenges on their API endpoints, we need:
- A CF challenge solver using
bex-js(QuickJS) that executes the challenge JS - Cookie persistence across the session so solved challenges don't need re-solving
- The cookie store fix (already implemented) handles step 2 automatically