Spam Protection
FormShield automated protection, captcha, and domain restrictions to keep bots out of your forms.
FormShield
FormShield is FormBlade's built-in automated bot protection. It uses a combination of honeypot fields (hidden inputs that trap bots) and JavaScript verification to catch spam without any user interaction. When FormBlade detects bot behavior through FormShield, it flags that submission as spam automatically.
How it works
FormShield has two layers that work together:
- Honeypot field — a hidden input is added to your form. It is invisible to humans because of display:none styling. Bots fill every field they find, including the hidden one, revealing themselves.
- JavaScript verification — a hidden field that JavaScript populates after a short delay. If the field is empty on submission, no JS ran, which means it is almost certainly a bot.
Adding FormShield to your HTML
Add this hidden input anywhere inside your <form> tag. The default honeypot field name is _gotcha:
<input type="text" name="_gotcha" style="display:none" tabindex="-1" autocomplete="off">
The tabindex="-1" attribute prevents keyboard users from accidentally focusing the field. The autocomplete="off" attribute stops browsers from auto-filling it.
Custom field name
Some sophisticated bots know to skip fields named _gotcha. You can change the FormShield honeypot field name in your form settings:
- Open your form in the dashboard.
- Go to the Security tab.
- Under Spam Protection, change the FormShield field name to anything you like (e.g., _hp, website_url, company_fax).
- Update the name attribute in your HTML to match.
Using a field name that sounds like a real field (like company_fax) can be more effective because bots are more likely to fill it in.
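A pre-deploy check for the markup described above, added here as an example (not FormBlade code): it confirms that the honeypot input sits inside the form, uses the field name configured in the dashboard, and carries the three attributes the page calls for. The function names, the sample page and its action URL are constructed for illustration.

```python
from html.parser import HTMLParser


class FormInputs(HTMLParser):
    """Collect the attributes of every <input> that appears inside a <form>."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            self.inputs.append(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def lint_honeypot(html, field_name="_gotcha"):
    """Return a list of problems with the honeypot input; an empty list means OK."""
    parser = FormInputs()
    parser.feed(html)
    matches = [a for a in parser.inputs if a.get("name") == field_name]
    if not matches:
        # Typical cause: the name was changed in the dashboard but not in the HTML.
        return [f"no <input name={field_name!r}> inside a <form>"]
    attrs, problems = matches[0], []
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" not in style:
        problems.append("honeypot is visible: style lacks display:none")
    if attrs.get("tabindex") != "-1":
        problems.append('missing tabindex="-1": keyboard users can focus it')
    if (attrs.get("autocomplete") or "").lower() != "off":
        problems.append('missing autocomplete="off": browsers may auto-fill it')
    return problems


# Constructed sample page; the action URL is a placeholder.
GOOD = ('<form action="/submit-placeholder" method="post">'
        '<input type="email" name="email">'
        '<input type="text" name="company_fax" style="display:none"'
        ' tabindex="-1" autocomplete="off"></form>')

if __name__ == "__main__":
    print(lint_honeypot(GOOD, "company_fax"))  # configured name matches the HTML
    print(lint_honeypot(GOOD, "_gotcha"))      # dashboard and HTML disagree
```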
Captcha
For stronger protection, add a captcha challenge. FormBlade supports five providers:
- hCaptcha — privacy-focused alternative with image challenges. Available on all plans.
- Google reCAPTCHA v2 (Pro+) — the classic "I'm not a robot" checkbox.
- Google reCAPTCHA v3 (Pro+) — invisible, score-based detection that runs in the background.
- Cloudflare Turnstile (Pro+) — lightweight, invisible challenge with no user interaction.
- GeeTest v4 (Pro+) — adaptive challenge with slide, click, and icon-based puzzles.
Captcha verification happens server-side. When a submission arrives, FormBlade sends the captcha response token to the provider's API to verify it. If verification fails, the submission is accepted and flagged as spam. It is stored in your dashboard, but no notifications, auto-responders, or integrations are triggered.
For full setup instructions, including how to get API keys and add the captcha widget to your HTML, see the Captcha Setup guide.
Email Blocklist (Pro+)
Block specific email addresses or wildcard patterns from submitting your form. Any submission containing a blocked email address in any field is rejected before it is stored or counted.
Setting up the blocklist
- Open your form in the dashboard.
- Go to the Security tab.
- Under Email blocklist, enter one pattern per line.
- Save your changes.
Pattern syntax
Patterns use wildcard matching with *:
| Pattern | Blocks |
|---|---|
| spam@test.com | That exact address |
| *@spam.com | Any address at spam.com |
| *@*.disposable.com | Any sub-domain of disposable.com |
| bot*@* | Any address starting with "bot" |
Matching is case-insensitive. The blocklist is checked against every field value that contains an @ symbol, not just the email field.
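To try patterns before saving them, the rules above can be modelled locally. This is an added example, not FormBlade's matcher: it assumes that * is the only special character and that a pattern must match the whole field value, and the function names and sample submissions are constructed.

```python
import re


def compile_pattern(pattern):
    """Translate a blocklist pattern into a case-insensitive regex.
    Only '*' is special; every other character is matched literally."""
    parts = [re.escape(p) for p in pattern.strip().split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def load_blocklist(text):
    """Parse one pattern per line, ignoring blank lines."""
    return [(line.strip(), compile_pattern(line))
            for line in text.splitlines() if line.strip()]


def first_blocked(fields, blocklist):
    """Return (field name, pattern) for the first blocked value, or None.
    Every field value containing '@' is checked, not just the email field."""
    for name, value in fields.items():
        value = value.strip()
        if "@" not in value:
            continue
        for raw, rx in blocklist:
            if rx.fullmatch(value):  # assumption: whole-value match
                return (name, raw)
    return None


# The four patterns from the table above.
BLOCKLIST = load_blocklist("""
spam@test.com
*@spam.com
*@*.disposable.com
bot*@*
""")

if __name__ == "__main__":
    # Constructed submissions.
    print(first_blocked({"email": "Bot42@Example.org"}, BLOCKLIST))
    print(first_blocked({"name": "Ann", "backup": "x@mail.disposable.com"}, BLOCKLIST))
    # The apex domain is not a sub-domain, so it needs its own pattern.
    print(first_blocked({"email": "x@disposable.com"}, BLOCKLIST))
```

Under this reading, *@*.disposable.com leaves addresses at disposable.com itself unblocked; add *@disposable.com as a separate line if both should be rejected.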
Domain Restrictions
Domain restrictions let you whitelist specific domains that are allowed to submit to your form. Submissions originating from any other domain are rejected. This is available on the Business tier and above.
Setting up domain restrictions
- Open your form in the dashboard.
- Go to the Security tab.
- Under Allowed Domains, enter one or more domains (e.g., example.com, shop.example.com).
- Save your changes.
FormBlade checks the Origin and Referer headers on incoming requests. If neither header matches an allowed domain, the submission is rejected with a 403 Forbidden response.
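The header check described above can be sketched as follows. This is an added example, not FormBlade's implementation: it assumes an allowed domain must equal the header's hostname exactly (which is why shop.example.com is listed separately), and the function names and sample headers are constructed.

```python
from urllib.parse import urlsplit


def header_host(value):
    """Extract the lowercase hostname from an Origin or Referer header value."""
    if not value or value == "null":
        return None
    try:
        host = urlsplit(value).hostname
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    return host.lower().rstrip(".") if host else None


def check_domain(headers, allowed):
    """Return 200 if Origin or Referer names an allowed domain, else 403."""
    allowed_set = {d.strip().lower() for d in allowed}
    for name in ("Origin", "Referer"):
        # Compare the parsed hostname, never a substring of the raw header:
        # "example.com" also appears inside other hostnames and query strings.
        if header_host(headers.get(name)) in allowed_set:
            return 200
    return 403


ALLOWED = ["example.com", "shop.example.com"]

if __name__ == "__main__":
    # Constructed requests.
    print(check_domain({"Origin": "https://shop.example.com"}, ALLOWED))
    print(check_domain({"Referer": "https://example.com/contact?x=1"}, ALLOWED))
    print(check_domain({"Origin": "https://example.com.evil.test"}, ALLOWED))
    print(check_domain({"Referer": "https://evil.test/?ref=example.com"}, ALLOWED))
    print(check_domain({}, ALLOWED))
```

Both headers are supplied by the client, so this check limits which sites a browser can post from and works alongside the captcha and FormShield layers rather than replacing them.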
How Spam Submissions Are Handled
When a submission is flagged as spam (by FormShield or by a failed captcha check), it is handled as follows:
- Stored but marked: The submission is saved to your account with a spam flag. It appears in your dashboard under the Spam tab for that form.
- No notifications: Email, Telegram, Slack, Discord, Viber, and Teams notifications are not sent for spam submissions. This keeps your inbox and channels clean.
- No auto-responder: Auto-responder emails are not triggered for spam submissions.
- No integrations: Webhooks and other integrations are not dispatched for spam.
- Visible in dashboard: You can review spam submissions at any time. If a legitimate submission was incorrectly flagged, you can mark it as "not spam" from the dashboard, which moves it to the regular submissions list.
- Counts toward limit: Spam submissions still count toward your monthly submission limit because they were accepted before being flagged.
Recommended Setup
For most forms, we recommend combining FormShield with a captcha:
- FormShield catches simple bots with zero impact on user experience.
- A captcha like Turnstile or reCAPTCHA v3 catches more advanced bots that bypass FormShield, and does so without adding friction.
- An email blocklist (Pro+) blocks known disposable or spam email addresses before they are stored.
- Domain restrictions (Business) add another layer if you know exactly which sites will use your form.
All methods can be active on the same form. They run in order: domain check first, then captcha verification, then FormShield detection, then email blocklist.