With Email Address Obfuscation Cloudflare, visitors will notice no visible changes to the website, along with protecting email addresses on the site. Read out the article to find more.

As part of our Server Management service, Bobcares responds to all inquiries, big or small.

Let’s take a closer look at the Email Address Obfuscation with Cloudflare.

Email Address Obfuscation In Cloudflare

Email harvesters and other bots search online for email addresses to add to spam-targeting lists. As a result of this trend, there is an increase in the number of unwanted emails.

Web administrators suggest many ways to protect against this, such as writing out email addresses or embedding images of the email address. However, we will lose the convenience of automatically sending an email by clicking on the email address by doing so.

With Cloudflare Email Address Obfuscation, we can hide email addresses from bots while remaining visible to humans. A page must have a MIME type (Content-Type) of “text/html” or “application/xhtml+xml” for email address obfuscation to work in Cloudflare.

Strategy For Obfuscation

Cloudflare email address obfuscation adds its own scripts and dynamically modifies markup to help hide email addresses for the user to see:

<a href="mailto:j************@gmail.com">contact</a>

Turns to:

<a href="/cdn-cgi/l/email-protection#6e040b1d1d0b040b1d1d0b5f5c5d2e09030f0702400d0103">contact</a>
<script data-cfasync="false" src="/cdn-cgi/scripts/f2bf09f8/cloudflare-static/email-decode.min.js"></script>

The portion of the injected URL that follows the # encodes the email address. Depending on the length of the email address, it is a variable-length series of bytes that have been hex encoded.

The first byte, 6e is randomly selected. It encrypts and decrypts the remaining bytes by bitwise XORing the key with each subsequent byte. For instance, 0x6e ^ 0x04 is decimal 106 which is the ASCII code for j, the first character of the email address.

Despite the decryption operating on a per-byte basis, what it does next is actually quite interesting. It enables the function to correctly support Unicode codepoints, which can be 1-4 bytes in size.

For e.g., consider the following character: 丂

Its made of three bytes, E4 B8 82, which are ä, ¸, and U+0082, respectively. However, simply concatenating the String.fromCharCode() representations of each byte results in a mess:

After that, Cloudflare’s function uses escape() on the resulting string, which percent-encodes the string’s bytes.

%E4%B8%82

After that, it decodes the string again using decodeURIComponent(), which handles Unicode and shows 丂.

Confirm Email Address Obfuscation.

When the user signs up, Cloudflare automatically enables email address obfuscation. To Confirm email address obfuscation in Cloudflare:

1. Firstly, Log in to the Cloudflare dashboard.
2. Then make sure to select the website we want to verify.
3. Now Tap on the Scrape Shield app.
4. Finally, Check that the toggle for Email Address Obfuscation is set to On.

Alternatively, our Expert team also suggests obtaining the page source from an HTTP client like CURL, an HTTP library. We can also obtain it through the browser’s view-source option. Then, check the source HTML to ensure that the address has been removed.

Troubleshooting Email Obfuscation

If we use the Cache-Control: no-transform header, Email Obfuscation will not work. To avoid unexpected website behavior, no obfuscation is done for email addresses when they appear in:

• Pages that does not have a MIME type of “text/html” or “application/xhtml+xml”
• HTML tag attributes except for the href attribute of the a tag.
• HTML tags including noscript tags, textarea tags, xmp tags, head tags, script tags

Stop Cloudflare From Obfuscating Email.

We can stop Cloudflare from obfuscating email by following any of these methods:

• Disable the ‘Email Obfuscation’ feature by applying a Page Rule to a specific endpoint in your zone.
• Insert the following code into the page’s HTML code: your email addresses go here
• For AJAX calls, return email addresses in JSON format, ensuring that the web server returns a content type of “application/json.”

[Looking for solutions to another topic? We’re only a click away.]

Conclusion

By enabling email address obfuscation in Cloudflare, we can protect email addresses from spam. To conclude, our Support team provides the obfuscation strategy in detail with an example.