I was surprised while looking at a site using the Cloudflare CDN to see a piece of JavaScript I hadn’t come across before: /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
Cloudflare has a feature called “Scrape Shield” that looks for pages with email addresses in them, then automatically injects this JavaScript to obfuscate the addresses. The idea is to reduce the risk that bots will harvest the email address for spam. This feature is turned out by default.
Turning it off ( if you want to do that ) is easy enough:
There are more details at https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation- on how this works.
3 replies on “Cloudflare Injected JavaScript”
Thank you Joseph. This is what I was looking for.
Thanks Joseph, this came very helpful!
While Script Shield is a well-intended feature, its a bit intrusive and unneeded for uses cases like bloggers and freelancers who actually want to publish their email address.
@Prahlad Yeri – glad it helped