Cloudflare Injected JavaScript

I was surprised while looking at a site using the Cloudflare CDN to see a piece of JavaScript I hadn’t come across before: /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js

Cloudflare has a feature called “Scrape Shield” that looks for pages with email addresses in them, then automatically injects this JavaScript to obfuscate the addresses. The idea is to reduce the risk that bots will harvest the email address for spam. This feature is turned out by default.

Turning it off ( if you want to do that ) is easy enough:

There are more details at on how this works.

3 replies on “Cloudflare Injected JavaScript”

Thanks Joseph, this came very helpful!

While Script Shield is a well-intended feature, its a bit intrusive and unneeded for uses cases like bloggers and freelancers who actually want to publish their email address.

Leave a Reply

Your email address will not be published. Required fields are marked *