Spam Protection
Honeypot fields, captcha, and domain restrictions to keep bots out of your forms.
Honeypot Fields
A honeypot is a hidden form field that real users never see or fill in. Bots, however, tend to fill every field they find. When FormBlade receives a submission with data in the honeypot field, it flags that submission as spam automatically.
How it works
- You add a hidden input to your form. It is invisible to humans because of display:none styling.
- A legitimate visitor submits the form and leaves the hidden field empty.
- A bot crawls the page, fills in every field (including the hidden one), and submits.
- FormBlade detects data in the honeypot field and marks the submission as spam.
Adding the honeypot to your HTML
Add this input anywhere inside your <form> tag. The default honeypot field name is _gotcha:
<input type="text" name="_gotcha" style="display:none" tabindex="-1" autocomplete="off">
The tabindex="-1" attribute prevents keyboard users from accidentally focusing the field. The autocomplete="off" attribute stops browsers from auto-filling it.
Custom field name
Some sophisticated bots know to skip fields named _gotcha. You can change the honeypot field name in your form settings:
- Open your form in the dashboard.
- Go to the Settings tab.
- Under Spam Protection, change the honeypot field name to anything you like (e.g., _hp, website_url, company_fax).
- Update the name attribute in your HTML to match.
Using a field name that sounds like a real field (like company_fax) can be more effective because bots are more likely to fill it in.
Captcha
For stronger protection, add a captcha challenge. FormBlade supports five providers:
- hCaptcha — privacy-focused alternative with image challenges. Available on all plans.
- Google reCAPTCHA v2 (Pro+) — the classic "I'm not a robot" checkbox.
- Google reCAPTCHA v3 (Pro+) — invisible, score-based detection that runs in the background.
- Cloudflare Turnstile (Pro+) — lightweight, invisible challenge with no user interaction.
- GeeTest v4 (Pro+) — adaptive challenge with slide, click, and icon-based puzzles.
Captcha verification happens server-side. When a submission arrives, FormBlade sends the captcha response token to the provider's API to verify it. If verification fails, the submission is accepted and flagged as spam. It is stored in your dashboard, but no notifications, auto-responders, or integrations are triggered.
For full setup instructions, including how to get API keys and add the captcha widget to your HTML, see the Captcha Setup guide.
Domain Restrictions
Domain restrictions let you whitelist specific domains that are allowed to submit to your form. Submissions originating from any other domain are rejected. This is available on the Business tier and above.
Setting up domain restrictions
- Open your form in the dashboard.
- Go to the Settings tab.
- Under Allowed Domains, enter one or more domains (e.g., example.com, shop.example.com).
- Save your changes.
FormBlade checks the Origin and Referer headers on incoming requests. If neither header matches an allowed domain, the submission is rejected with a 403 Forbidden response.
How Spam Submissions Are Handled
When a submission is flagged as spam (by the honeypot field or by a failed captcha check), it is handled as follows:
- Stored but marked: The submission is saved to your account with a spam flag. It appears in your dashboard under the Spam tab for that form.
- No notifications: Email, Telegram, Slack, Discord, Viber, and Teams notifications are not sent for spam submissions. This keeps your inbox and channels clean.
- No auto-responder: Auto-responder emails are not triggered for spam submissions.
- No integrations: Webhooks and other integrations are not dispatched for spam.
- Visible in dashboard: You can review spam submissions at any time. If a legitimate submission was incorrectly flagged, you can mark it as "not spam" from the dashboard, which moves it to the regular submissions list.
- Counts toward limit: Spam submissions still count toward your monthly submission limit because they were accepted before being flagged.
Recommended Setup
For most forms, we recommend combining the honeypot with a captcha:
- The honeypot catches simple bots with zero impact on user experience.
- A captcha like Turnstile or reCAPTCHA v3 catches more advanced bots without adding friction.
- Domain restrictions add a third layer if you know exactly which sites will use your form.
All three methods can be active on the same form. They run in order: domain check first, then captcha verification, then honeypot detection.
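The sketch below walks a submission through the documented order (domain check, then captcha, then honeypot) and returns the documented outcome for each case. It is an added example, not FormBlade's own code: the function names, the return shape, the exact-hostname comparison, and the pass-through when no domains are configured are all assumptions.

```javascript
// Added illustration of the documented check order; not FormBlade's code.
// All function and variable names are hypothetical.
const ALLOWED_DOMAINS = ["example.com", "shop.example.com"]; // constructed sample
const HONEYPOT_FIELD = "_gotcha"; // default field name from this page

// Hostname of an Origin or Referer header value, or null if absent or unparseable.
function headerHost(value) {
  if (!value) return null;
  try {
    return new URL(value).hostname.toLowerCase();
  } catch {
    return null; // e.g. the literal Origin value "null"
  }
}

// Assumption: exact hostname comparison. A substring or suffix test would
// also accept lookalike hosts such as example.com.other.test.
function domainAllowed(headers, allowed) {
  if (allowed.length === 0) return true; // assumption: no restriction configured
  return [headers.origin, headers.referer]
    .map(headerHost)
    .some((host) => host !== null && allowed.includes(host));
}

// captchaOk: boolean result of the server-side provider verification,
// or null when no captcha is configured for the form.
function classify(req, captchaOk, allowed = ALLOWED_DOMAINS) {
  // 1. Domain check: the only step that rejects outright (403 Forbidden).
  if (!domainAllowed(req.headers, allowed)) {
    return { outcome: "rejected", status: 403, stored: false, notify: false };
  }
  // 2. Captcha, then 3. honeypot: failures are stored and flagged, not rejected.
  let reason = null;
  if (captchaOk === false) reason = "captcha";
  else if (String(req.fields[HONEYPOT_FIELD] ?? "") !== "") reason = "honeypot";
  if (reason) {
    // Stored under the Spam tab, counts toward the limit, triggers nothing downstream.
    return { outcome: "spam", reason, stored: true, notify: false };
  }
  return { outcome: "ok", stored: true, notify: true };
}
```

Origin and Referer are set by the client, which is why the page recommends the domain check as a third layer alongside the honeypot and captcha.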