Click here to Skip to main content
13,591,708 members
Click here to Skip to main content
Add your own
alternative version


47 bookmarked
Posted 30 Jan 2007
Licenced CPOL

Simple web based obfuscation

, 30 Jan 2007
Rate this:
Please Sign up or sign in to vote.
Protect sensitive data from nasty web bots using server / client obfuscation methods.


A while ago, I had to make a web page with lots of sensitive customer details in a GridView on an ASP.NET page. I thought this is really bad, what happens if this data gets screen scraped by some nasty web bot that happens to match on email Regular Expressions? So I had a think, and an investigation into MSDN. And have come up with what I think is a nice solution.

The Basic Idea

The System.Text namespace has an ASCII encoding, and there is also a System.BitConvertor, so I thought about it. And thought I could actually encode the sensitive data using this method and store the ASCII / BitConverted data in the server requested HTML. Then, use JavaScript to reverse this process when the page is first loaded. That is what is presented in this article.

Probably the easiest way to get this is to look at the code.


It's all in one web form, .. Nice and easy

<%@ Page Language="C#" AutoEventWireup="true" 

            CodeFile="Default.aspx.cs" Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 


<html xmlns="" >
<head runat="server">
    <title>Simple web encryption</title>
<style type="text/css">
    font-family: Verdana, Arial, Helvetica, sans-serif;
    font-size: 10px;
    text-decoration: none;
    position: relative;
    color: #000000;
    margin : 0px;
    overflow-x : hidden;
    width: 100%;

<script language="javascript">
        This function helps protect the email address from the evil spam-bots
        that scan web pages for useful data such as (email addresses). 
        Instead of using the data directly, the encoded value is stored in the
        html and decoded when required.
        function decode(ServerEncoded)
        // The ServerEncoded parameter is a string that contains the encoded data.
        // Each character in the ServerEncoded parameter has been converted into 
        // a two digit number (hex / base16). This function converts the
        // series of numbers back into the normal form and returns the 
        // decoded string to the client

        // holds the decoded string
        var res = "";

        // go through and decode the full input server encoded string
        for (i=0; i < ServerEncoded.length;)
            // holds each letter (2 digits)
            var letter = "";
            letter = ServerEncoded.charAt(i) + ServerEncoded.charAt(i+1)

            // build the real decoded value
            res += String.fromCharCode(parseInt(letter,16));
            i += 2;
        //return the new decoded string to allow it to be rendered to screen
        return res;

        This function gets a reference to the server encrypted string and
        then decrypts this using the decode() function and sets the
        txtDecrypted value to the value return by the decode() function
        function GetEmailAndDecode() {
            //get the table element
            var txtSvrEncr = document.getElementById('txtServerEncrypted');
            var txtJSDecr = document.getElementById('txtDecrypted');
            txtJSDecr.value = decode(txtSvrEncr.value);
            var txtAllTog = document.getElementById('txtAllTogether');
            txtAllTog.value = decode(txtAllTog.value);
<body onload="GetEmailAndDecode();">
    <form id="form1" runat="server">
        <h1>Simple ASP .NET data protection</h1>
        This simple web page contains a method 
        for keeping sensitive data (such as emails) safe, by
        employing server side encryption and client side decryption. 
        It could be used for any data
        I am using emails, but it could be applied to anything. You choose.
        We all have emails these days, and this is somepeople 
        main contact detail. As such dont
        we all deserve to have this one detail kept secret 
        from web bots that screen scrape web sites
        looking for emails. This is what is done, 
        its easy just match an email regular expression and
        away you go. They would easily be able to pull out 
        something like
        What this piece of codebehind stuff and javascript (in this page) 
        will show, is how to encrypt
        a users email before sending the page to the client. 
        And then use javascript to decrypt it
        back to an email again. The great part is that 
        the actual HTML code doesnt contain the email
        at all, so the nasty web bot cant get the users personal 
        information out of the page. Ha Ha.
        <b><asp:Label ID="Label1" runat="server" 

           Text="Normal email (BAD, web bot could grab this)">
        <asp:TextBox ID="txtRawEmail" runat="server" 

        <b><asp:Label ID="Label2" runat="server" 

           Text="Server side encrypted email / No javascript decryption...yet">
        <asp:TextBox ID="txtServerEncrypted" runat="server" 

        <b><asp:Label ID="Label3" runat="server" 

          Text="Javascript decryption, from Server side encrypted email"></asp:Label></b>
        <asp:TextBox ID="txtDecrypted" runat="server" 

        <b><asp:Label ID="Label4" runat="server" 

          Text="Putting it all together. Server side encrypted email / 
                   Javascript decryption. Ha Ha web bot"></asp:Label></b>
        <asp:TextBox ID="txtAllTogether" runat="server" 

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

/// <summary>
/// This page is a throw away, it is simply used to demonstrate the
/// use of the 2 tools : server side encryption / client side decryption
/// for preserving sensitive data from web bots
/// </summary>
public partial class _Default : System.Web.UI.Page 
    protected void Page_Load(object sender, EventArgs e)
        #region Email Encryption 
        //if javascript is enabled do the encoding
        if (Request.Browser.JavaScript)
            //do the encryption using the raw email
            txtServerEncrypted.Text = System.BitConverter.ToString(
                                    (txtRawEmail.Text))).Replace("-", "");

            //do the encryption using the raw email
            txtAllTogether.Text = System.BitConverter.ToString(
                                    (txtRawEmail.Text))).Replace("-", "");
            //couldnt find javascript so just use normal email
            txtServerEncrypted.Text = txtRawEmail.Text;
            txtAllTogether.Text = txtRawEmail.Text;

So How Does it Work

Well, what actually happens is very simple. Firstly, the server obfuscates the data, then the client-side JavaScript de-obfuscates it. But this means that the sensitive data is never actually within the source document in a format that a web bot can grab.

Let's have a look at the source file.

The value of the field txtAllTogether is just ASCII text. However, if we then look at the rendered output for this page, we can see that the data has been de-obfuscated using client-side JavaScript. This will work with any data at all. I just chose email, as it's the most obvious form of data that should be kept private.

The attached project contains a single page, which has four text fields on it:

  • The raw data
  • The server side ASCII / BitConverted data
  • The server side ASCII / BitConverted data through JavaScript
  • Putting it all together in one textbox

What Do You Think?

That's it. I would just like to ask, if you liked the article, please vote for it.


I have quite enjoyed constructing this article. I hope it helps someone the way it has helped me.


  • v1.1: 30/01/07: Changed wording from encryption to obfuscation, thanks to Jan Seda. He is actually correct. Well done, Jan.
  • v1.0: 30/01/07: Initial issue.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Sacha Barber
Software Developer (Senior)
United Kingdom United Kingdom
I currently hold the following qualifications (amongst others, I also studied Music Technology and Electronics, for my sins)

- MSc (Passed with distinctions), in Information Technology for E-Commerce
- BSc Hons (1st class) in Computer Science & Artificial Intelligence

Both of these at Sussex University UK.


I am lucky enough to have won a few awards for Zany Crazy code articles over the years

  • Microsoft C# MVP 2016
  • Codeproject MVP 2016
  • Microsoft C# MVP 2015
  • Codeproject MVP 2015
  • Microsoft C# MVP 2014
  • Codeproject MVP 2014
  • Microsoft C# MVP 2013
  • Codeproject MVP 2013
  • Microsoft C# MVP 2012
  • Codeproject MVP 2012
  • Microsoft C# MVP 2011
  • Codeproject MVP 2011
  • Microsoft C# MVP 2010
  • Codeproject MVP 2010
  • Microsoft C# MVP 2009
  • Codeproject MVP 2009
  • Microsoft C# MVP 2008
  • Codeproject MVP 2008
  • And numerous codeproject awards which you can see over at my blog

You may also be interested in...

Comments and Discussions

GeneralMy vote of 1 Pin
GUI Developer21-Dec-08 6:47
memberGUI Developer21-Dec-08 6:47 
QuestionObfuscation of email addresses in normal HTML pages Pin
pcug5-Nov-08 22:54
memberpcug5-Nov-08 22:54 
AnswerRe: Obfuscation of email addresses in normal HTML pages Pin
Sacha Barber6-Nov-08 1:25
mvpSacha Barber6-Nov-08 1:25 
GeneralThank you Pin
JaECH11-Jun-08 5:08
memberJaECH11-Jun-08 5:08 
GeneralRe: Thank you Pin
Sacha Barber11-Jun-08 6:15
mvpSacha Barber11-Jun-08 6:15 
Questionwhy response raw email when client doesn't support Javascript? Pin
Member #24312387-Feb-07 16:00
memberMember #24312387-Feb-07 16:00 
AnswerRe: why response raw email when client doesn't support Javascript? Pin
Sacha Barber7-Feb-07 21:47
memberSacha Barber7-Feb-07 21:47 
Questionhow to open this web based system? Pin
zixlea5-Feb-07 7:06
memberzixlea5-Feb-07 7:06 
AnswerRe: how to open this web based system? Pin
Sacha Barber5-Feb-07 22:57
memberSacha Barber5-Feb-07 22:57 
GeneralNice Pin
The .NET Junkie30-Jan-07 11:01
memberThe .NET Junkie30-Jan-07 11:01 
GeneralRe: Nice Pin
Sacha Barber30-Jan-07 22:05
memberSacha Barber30-Jan-07 22:05 
GeneralObfuscation Pin
Jan Seda30-Jan-07 3:52
memberJan Seda30-Jan-07 3:52 
GeneralRe: Obfuscation Pin
Sacha Barber30-Jan-07 6:47
memberSacha Barber30-Jan-07 6:47 
GeneralRe: Obfuscation Pin
Jan Seda30-Jan-07 6:49
memberJan Seda30-Jan-07 6:49 
GeneralRe: Obfuscation Pin
Sacha Barber30-Jan-07 7:56
memberSacha Barber30-Jan-07 7:56 
GeneralRe: Obfuscation Pin
Sacha Barber1-Feb-07 7:48
memberSacha Barber1-Feb-07 7:48 
GeneralRe: Obfuscation Pin
Jan Seda2-Feb-07 1:36
memberJan Seda2-Feb-07 1:36 
GeneralRe: Obfuscation Pin
Sacha Barber2-Feb-07 22:22
memberSacha Barber2-Feb-07 22:22 
GeneralRe: Obfuscation Pin
Sacha Barber12-Feb-07 21:57
memberSacha Barber12-Feb-07 21:57 
GeneralRe: Obfuscation Pin
Jan Seda15-Feb-07 5:53
memberJan Seda15-Feb-07 5:53 
GeneralRe: Obfuscation Pin
Sacha Barber15-Feb-07 7:02
memberSacha Barber15-Feb-07 7:02 
GeneralRe: Obfuscation Pin
Sacha Barber28-Feb-07 23:21
memberSacha Barber28-Feb-07 23:21 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Cookies | Terms of Use | Mobile
Web01-2016 | 2.8.180618.1 | Last Updated 30 Jan 2007
Article Copyright 2007 by Sacha Barber
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid