Domain Restrictions
Control which websites are allowed to submit data to your form endpoint.
What it does
Domain restrictions limit which websites can POST to your form endpoint by checking the Origin and Referer HTTP headers on each request. If the request comes from a domain not on your list, it is rejected with a 403 Forbidden response.
This prevents other websites from embedding your form endpoint URL in their own pages and consuming your submission quota.
Important: This checks the HTTP origin of the request — the website the visitor is on when they submit the form. It does not check the submitter's email domain. For blocking specific email addresses, see Email Blocklist.
How matching works
FormBlade extracts the hostname from the Origin header. If no Origin header is present, it falls back to the Referer header. The hostname must exactly match one entry in your allowed list.
| Allowed list | Request origin | Result |
|---|---|---|
| example.com | https://example.com | Allowed |
| example.com | https://shop.example.com | Blocked |
| example.com, shop.example.com | https://shop.example.com | Allowed |
| example.com | http://example.com | Allowed (protocol ignored) |
| (empty list) | Any origin | Allowed (no restrictions) |
Subdomains do not automatically match their parent domain. If your form is used on both example.com and www.example.com, add both to the list.
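The following is an added reference implementation of the matching rules above, written for this page; it is not FormBlade's own code. It models the documented behaviour (Origin first, Referer as the fallback, exact hostname match, scheme ignored, empty list means no restrictions) and also exercises the cases named under Limitations: a request with neither header is rejected once a list is configured, and a forged Origin passes because the check cannot tell a browser from a script. Three details the page does not state are assumptions here: the port is ignored along with the scheme, a literal `Origin: null` is treated as if the header were absent, and hostnames compare case-insensitively.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Added example, not FormBlade's code. Models the Origin/Referer check
# documented on this page. Assumptions beyond the page: port ignored,
# "Origin: null" treated as absent, hostnames compared case-insensitively.

BLOCKED_STATUS = 403
BLOCKED_BODY = {"ok": False, "error": "Submissions from this domain are not allowed"}


def parse_allowed_domains(text: str) -> set[str]:
    """Parse the dashboard textarea: one hostname per line, blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def request_hostname(headers: dict[str, str]) -> str | None:
    """Hostname of the page the submission came from, or None if unknown.

    Origin is consulted first; Referer only if Origin is missing. Header
    names are matched case-insensitively (HTTP header names are).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name, "").strip()
        # Assumption: a literal "null" Origin is treated like a missing header.
        if not value or value.lower() == "null":
            continue
        # .hostname drops scheme, port, path and query and lowercases the host,
        # so "https://Shop.example.com:8443/checkout" -> "shop.example.com".
        host = urlsplit(value).hostname
        if host:
            return host
    return None


def check_domain(headers: dict[str, str], allowed: set[str]) -> tuple[int, dict | None]:
    """Return (status, json_body).

    (200, None) means the request may proceed to normal form processing;
    (403, BLOCKED_BODY) means it is rejected with the documented JSON error.
    """
    if not allowed:  # empty list: no restrictions at all
        return 200, None
    host = request_hostname(headers)
    if host is None or host not in allowed:  # exact match only; no subdomain logic
        return BLOCKED_STATUS, BLOCKED_BODY
    return 200, None


if __name__ == "__main__":
    # Constructed requests covering the table above and the Limitations section.
    allowed = parse_allowed_domains("example.com\nshop.example.com\n")
    scenarios = {
        "browser on example.com": {"Origin": "https://example.com"},
        "browser on www.example.com (not listed)": {"Origin": "https://www.example.com"},
        "plain http, protocol ignored": {"Origin": "http://example.com"},
        "Referer fallback with path": {"Referer": "https://shop.example.com/checkout?step=2"},
        "server-side cURL, no headers": {"User-Agent": "curl/8.0"},
        "bot forging Origin": {"User-Agent": "python-requests", "Origin": "https://example.com"},
    }
    for label, headers in scenarios.items():
        status, body = check_domain(headers, allowed)
        print(f"{label:45s} -> {status} {body or ''}")
```

The last scenario is the point of the first limitation: a script that sets `Origin: https://example.com` is indistinguishable from a real visitor, so this check protects your quota from casual embedding, not from a deliberate bot.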
What happens when blocked
Requests from unlisted domains receive:
HTTP 403 Forbidden
Content-Type: application/json
{
"ok": false,
"error": "Submissions from this domain are not allowed"
}
Browser form submissions see a plain error page with the same message.
Setup
- Open your form in the dashboard.
- Go to the Security tab.
- Find the Allowed domains textarea.
- Enter one domain per line — hostnames only, no protocol or path.
- Click Save.
Example configuration
example.com
www.example.com
shop.example.com
landing.example.com
Limitations
- Bots can bypass this. Automated scripts can set any Origin header they want. If you are dealing with targeted spam bots, combine domain restrictions with captcha and FormShield.
- Some browsers strip Referer. Privacy-focused browsers or extensions may remove the Referer header. If Origin is also absent, the request will be rejected when you have an allowed list configured.
- Server-side submissions have no origin. Requests from backend servers (cURL, API clients) typically do not send Origin or Referer headers. If you need to accept both browser and server submissions, use API keys for server-side access instead.
When to use domain restrictions
- You have a public form endpoint and want to ensure only your own sites can use it.
- You share a form endpoint across multiple sites and want to restrict it to just those domains.
- You want to prevent a competitor or scraper from embedding your endpoint in their pages.
For maximum protection, pair domain restrictions with a captcha provider that binds to your domain (such as reCAPTCHA or Turnstile with domain verification).