I was surprised while looking at a site using the Cloudflare CDN to see a piece of JavaScript I hadn’t come across before: /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js

Cloudflare has a feature called “Scrape Shield” that looks for pages with email addresses in them, then automatically injects this JavaScript to obfuscate the addresses. The idea is to reduce the risk that bots will harvest the email address for spam. This feature is turned out by default.

Turning it off ( if you want to do that ) is easy enough:

There are more details at https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation- on how this works.