Browser extensions beat server-side bridges for anti-abuse platforms
Building a personal data sync from a platform with aggressive anti-abuse detection (LinkedIn, Instagram, Twitter, Facebook, TikTok) into your own self-hosted app, when server-side approaches get the user's account banned.
For platforms with serious consumer fraud detection (LinkedIn is the clearest example), a server-side bridge running on a cloud VM is a losing battle no matter how careful the rate-limiting. The detection signal is the IP-egress-class mismatch between where cookies were minted (your laptop's residential IP) and where the API calls now originate (datacenter ASN), plus TLS/JA3 fingerprint differences between a real browser and a Go/Python HTTP client. None of this is configurable per-bridge. The architectural answer is a browser extension. The extension lives in your actual browser, runs against your active platform session, uses your real residential IP, has the real browser's TLS fingerprint, and emits real-user behavioral signals (mouse moves, focus events, scroll). To the platform's anti-abuse layer, the extension's traffic is indistinguishable from your normal usage — because it IS your normal usage with a side-channel. Implementation: a Manifest V3 content script wraps window.fetch and XMLHttpRequest in the page main world, sniffs responses from the platform's own internal API (LinkedIn Voyager, Instagram /graphql, Twitter /1.1/dm/, etc.), normalizes the events, and POSTs them to your self-hosted ingest endpoint. This is the architecture every successful personal-CRM-with-LinkedIn-ingest product converged on (Clay, Apollo, etc.) — because all the server-side approaches blew up the same way.
When scoping a sync agent for a platform known for aggressive anti-abuse, lead with the architecture choice before the protocol choice. If the platform fights server-side clients (LinkedIn, Instagram, TikTok, modern Twitter), don't even try a Go/Python bridge from a cloud VM — go straight to a browser extension that piggybacks on the user's active session. If the platform is open to server-side clients (Matrix, IMAP servers, Discord, Telegram), server-side bridges are fine. The dividing line is whether the platform actively invests in detecting non-browser clients.