Food delivery scraping: the proxy stack we actually use

Nikodem Gabler1 min read
Table of Contents

Extracting menu and pricing data from platforms like Uber Eats or DoorDash requires bypassing aggressive anti-bot systems and handling hyper-local endpoints. This post outlines the exact proxy architecture, rotation rules, and session management tactics we use to maintain a 99.9% success rate when extracting food delivery data at scale.

Why food delivery apps aggressively block scrapers

If you attempt to hit search endpoints with a standard HTTP client and a datacenter IP, you will see a HTTP 403 Forbidden or a CAPTCHA challenge within your first ten requests. Food delivery platforms employ advanced bot protection vendors like DataDome, PerimeterX, and Cloudflare.

These platforms rely on dynamic, location-based pricing. A coffee in Manhattan costs more than the same coffee in Brooklyn, and the delivery fee changes based on real-time driver availability. To protect this proprietary food delivery data, these companies monitor IP reputation, User-Agent consistency, TLS fingerprints, and request cadence. Standard scraping techniques simply do not work here.

The anti-bot systems also track session continuity. If an IP address requests a menu from a restaurant in Chicago but the request headers lack the appropriate localized cookies, the security system flags the anomaly. You must match the geographic location of your IP with the data you are requesting.

Bypassing ASN bans with residential IPs

The most common mistake data engineering teams make is using shared datacenter proxies for consumer-facing apps. Food delivery platforms blacklist known datacenter Autonomous System Numbers (ASNs). They expect traffic to originate from standard residential broadband providers.

For the vast majority of search and category page requests, we rely on real residential IPs sourced from actual home devices. When you route requests through residential nodes, the target server sees a legitimate user browsing from a local neighborhood.

We typically configure our rotation to switch IPs on every request for search endpoints to avoid triggering strict rate limits. A single residential IP might only handle five or six requests per hour before its risk score increases. By rotating through a pool of millions of devices, you keep the request volume per IP well below human thresholds.

Transitioning from headless browsers to raw requests

Many engineering teams start their projects using Playwright or Puppeteer. Headless browsers are excellent for passing JavaScript challenges. However, running thousands of headless browser instances consumes massive amounts of RAM and CPU.

To scale efficiently, you must transition to raw HTTP requests. Sending a GET or POST request using a library like HTTPX in Python or Got in Node.js is exponentially cheaper. The tradeoff is that you must perfectly mimic the TLS fingerprint and HTTP/2 headers of a real browser.

If your TLS fingerprint belongs to a default Python library but your User-Agent claims to be Chrome on Windows, the target will block you instantly regardless of your proxy quality. You must forge the JA3 or JA4 hashes to match the specific browser version you are emulating.

Targeting mobile APIs and GraphQL endpoints

Parsing HTML from web frontends is notoriously brittle. Web layouts change without warning, breaking your DOM parsers mid-run. The superior method is targeting internal APIs.

Platforms in this space rely heavily on GraphQL. When you intercept network traffic, you will find requests sent to a /graphql endpoint containing an operationName and a complex JSON payload. These endpoints return clean, structured data covering menu items, modifiers, and store hours.

However, API endpoints enforce strict validation. If you want to scrape Uber Eats mobile app endpoints specifically, you will face aggressive monitoring. API requests that typically originate from an iOS or Android device will be dropped if they arrive from a standard ISP. For these critical API paths, we utilize mobile carrier IPs. Combining a 4G or 5G proxy with a mobile-mimicking TLS profile matches the exact network signature the server expects.

The requirement for city-level precision

Food delivery is intrinsically tied to precise geographic coordinates. A restaurant menu is only visible if the requesting IP matches the delivery radius.

If your scraper sends a request for a local diner in Los Angeles but your IP resolves to a server in Texas, the anti-bot system flags the discrepancy. This is where industry-optimized proxy pools become necessary. By utilizing IP blocks specifically vetted for platforms like Wolt, DoorDash, and Uber Eats, you can target specific cities. This ensures the geolocation of the IP matches the simulated GPS coordinates sent in the request headers.

City-level targeting drastically reduces HTTP 403 errors. It also ensures you receive accurate pricing data, as many items carry localized markups.

Session management and header consistency

A successful doordash scraping proxy setup requires more than just clean IPs. You must maintain state when navigating through a specific user flow. If you are extracting cart totals to calculate dynamic delivery fees, you cannot rotate your IP between adding an item to the cart and hitting the checkout endpoint.

  • Sticky sessions: Lock the proxy to a single IP for 3 to 5 minutes to complete the cart flow. If the IP drops mid-session, you must restart the flow from the beginning.
  • Header passing: Ensure your scraper accurately passes Cookie parameters, specifically bot-tracking tokens like x-datadome-clientid. You must also track x-csrf-token and custom authorization headers exactly as they were received from the initial handshake.
  • Concurrency limits: Keep concurrent requests per IP under human-possible thresholds. Firing 50 requests per second from a single residential node will result in an immediate block.

Structuring the retry logic

Even with the highest quality infrastructure, blocks happen. Network latency, dead residential nodes, or sudden spikes in target security will cause failed requests.

Your scraper must be built to anticipate HTTP 429 Too Many Requests and HTTP 403 responses. Importantly, you must also parse the response body. Many anti-bot systems return a HTTP 200 OK status code while serving an HTML CAPTCHA page. Relying solely on status codes will corrupt your dataset.

We implement an exponential backoff retry strategy. If a request fails, the system drops the current session, rotates to a fresh IP in the same geographic area, regenerates the TLS fingerprint, and attempts the request again after a randomized delay.

Where to go from here

Building a reliable pipeline for food delivery intelligence is an ongoing battle between your scraping architecture and the target's anti-bot system. Relying on cheap infrastructure will result in blocked IPs, corrupted data, and endless engineering hours spent updating scrapers. Success at production scale requires high-trust IPs, precise geographic targeting, and meticulous session management.

Need help sizing the right proxy stack for your use case? Talk to our team.

CUSTOM PROXY SOLUTIONS

Need proxies tailored to your use case?

Our team designs custom proxy infrastructure for B2B data teams scraping at scale. Residential, datacenter, ISP, and mobile pools with SLA, GDPR-ready sourcing, and dedicated account management.
CUSTOM PROXY SOLUTIONS

Need proxies tailored to your use case?

Our team designs custom proxy infrastructure for B2B data teams scraping at scale. Residential, datacenter, ISP, and mobile pools with SLA, GDPR-ready sourcing, and dedicated account management.
Talk to our team
;