---
title: "💭 Email Address Obfuscation · Cloudflare Web Application Firewal..."
description: "!https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/"
date: 2024-07-04
published: true
tags:
  - blogging
  - thought
template: link
---


<div class="embed-card embed-card-external">
  <a href="https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/" class="embed-card-link" target="_blank" rel="noopener noreferrer">
    <div class="embed-card-image">
      <img src="https://developers.cloudflare.com/core-services-preview.png" alt="Email Address Obfuscation — By enabling Cloudflare Email Address Obfuscation, email addresses on your web page will be hidden from bots, while keeping them visible to humans. In fact, there are no visible changes to your website for visitors." loading="lazy">
    </div>
    <div class="embed-card-content">
      <div class="embed-card-title">Email Address Obfuscation</div>
      <div class="embed-card-description">By enabling Cloudflare Email Address Obfuscation, email addresses on your web page will be hidden from bots, while keeping them visible to humans. In fact, there are no visible changes to your webs...</div>
      <div class="embed-card-meta">Cloudflare Docs &middot; developers.cloudflare.com</div>
    </div>
  </a>
</div>


I recently started seeing email-decode.min.js show up on my blog posts, and I wondered what the heck ?  I didn't put it there.  Turns out that cloudflare put it there from pages to safely serve email addresses for me.

inspecting the page without js running we can see that the mailto email is swapped out for _email protected_.  Neat feature.

``` bash
❯ curl --silent https://waylonwalker.com/diskcache-as-debounce/ | grep email
<a class="decoration-pink-500 hover:decoration-pink-300 hover:text-pink-100" href="/cdn-cgi/l/email-protection#a4ccc1c8c8cbe4d3c5ddc8cbcad3c5c8cfc1d68ac7cbc9" rel="me"><span class="__cf_email__" data-cfemail="630b060f0f0c2314021a0f0c0d14020f0806114d000c0e">[email&#160;protected]</span></a>
<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
```

Looking deeper into this article it looks like this feature comes from Scrape Shield and enabling Email Address Obfuscation.

!!! note

    This post is a <a href="/thoughts/" class="wikilink" data-title="Thoughts" data-description="These are generally my thoughts on a web page or some sort of url, except a rare few don&#39;t have a link. These are dual published off of my..." data-date="2024-04-01">thought</a>. It's a short note that I make
    about someone else's content online <a href="/tags/thoughts/" class="hashtag-tag" data-tag="thoughts" data-count=2 data-reading-time=3 data-reading-time-text="3 minutes">#thoughts</a>