Honeypot / decoy injection: invisible trap links, fake form fields, and
bogus data blocks that waste scraper effort and poison harvested data.
Decoys are hidden from layout and assistive tech, so real users, keyboard
nav, and screen readers are unaffected.
Optional inlining of local <link rel=stylesheet> and <script src> as a
preprocessing step, so the inlined CSS/JS is then obfuscated normally. Only
files resolving under base_dir are inlined; URLs, protocol-relative refs,
data: URIs, and paths escaping base_dir are left untouched. Never hits
the network.
Structural obfuscation with client-side restoration (WebCloak-style):
visible text in safe flow elements is moved out of the static markup into an
encoded data-* attribute, then restored at runtime by an injected script.
Static scrapers see only opaque text; a browser renders identically.
Opt-in: breaks no-JS, SEO, and (until restore runs) accessibility.
Invisible per-build watermark: a 64-bit id encoded as zero-width characters,
embedded once in the document text so a scraped/leaked copy can be traced.
Renders invisibly and survives copy-paste.
Word splitting: insert an empty HTML comment inside long words so a naive
regex/substring scraper sees fragmented text, while browsers, readers, and
content extractors merge across the comment and read the word intact. Flow
content only (in <title> and other RCDATA a comment is literal text).