Spam Protection

FormFast includes multiple layers of spam protection that work out of the box with no configuration required.

Honeypot field

Add a hidden field named _gotcha to your form. It's invisible to humans but bots will fill it in. Any submission with this field filled is silently marked as spam.

HTML
<!-- Add this to your form — bots fill it, humans don't -->
<input type="hidden" name="_gotcha" style="display:none" />

Custom honeypot field name

You can change the honeypot field name in your form's spam configuration:

JSON
{
  "spamConfig": {
    "honeypotField": "_my_custom_field"
  }
}

Rate limiting

Three layers of rate limiting prevent flooding:

Scope                  | Limit           | Window
Per IP per endpoint    | 5 submissions   | 1 minute
Per endpoint           | 30 submissions  | 1 hour
Per endpoint (daily)   | 200 submissions | 24 hours

When a limit is exceeded, the submission returns a 429 status code with a descriptive error message. See Rate Limits for more details.
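To see how the three layers interact, here is a small model of the table above. It is an added example, not FormFast's own code: the sliding-window strategy, the choice not to count rejected requests, the retryAfterMs field, and all names are assumptions, since the page only states the limits and the 429 response.

```javascript
// Added example: a model of the three documented limits, not FormFast's implementation.
// Assumptions: sliding windows, rejected requests are not counted, all names are hypothetical.
const MINUTE = 60 * 1000;
const LAYERS = [
  { name: "per-ip-per-endpoint", limit: 5, windowMs: MINUTE, key: (ip, ep) => `${ep}|${ip}` },
  { name: "per-endpoint-hourly", limit: 30, windowMs: 60 * MINUTE, key: (ip, ep) => ep },
  { name: "per-endpoint-daily", limit: 200, windowMs: 24 * 60 * MINUTE, key: (ip, ep) => ep },
];

class LayeredRateLimiter {
  constructor(layers = LAYERS) {
    this.layers = layers;
    this.hits = layers.map(() => new Map()); // per layer: key -> accepted timestamps
  }

  // Returns { status: 200 } or { status: 429, layer, retryAfterMs }.
  check(ip, endpoint, now = Date.now()) {
    // Drop timestamps that have aged out of each layer's window.
    const live = this.layers.map((layer, i) => {
      const k = layer.key(ip, endpoint);
      const stamps = (this.hits[i].get(k) || []).filter((t) => now - t < layer.windowMs);
      this.hits[i].set(k, stamps);
      return stamps;
    });
    // The narrowest layer is checked first; any full layer rejects the submission.
    for (let i = 0; i < this.layers.length; i++) {
      const layer = this.layers[i];
      if (live[i].length >= layer.limit) {
        const retryAfterMs = live[i][0] + layer.windowMs - now; // until the oldest hit expires
        return { status: 429, layer: layer.name, retryAfterMs };
      }
    }
    live.forEach((stamps) => stamps.push(now)); // accepted: count it in every layer
    return { status: 200 };
  }
}

// Constructed sample: six submissions from one documentation-range IP, one second apart.
const demo = new LayeredRateLimiter();
for (let i = 0; i < 6; i++) {
  console.log(i + 1, demo.check("198.51.100.7", "form-a", i * 1000));
}
```

The per-endpoint layers are shared by every visitor, so a 429 can reach a client that has not sent five submissions itself; form front ends should handle that response for any user.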

Content filtering

Submissions containing more than 3 URLs across all text fields are automatically flagged as spam. This catches common link-spam attacks.

Spam handling

Spam-flagged submissions are still stored in your database, but email notifications, auto-replies, and webhooks are not triggered for spam. You can view and manage flagged submissions in the dashboard.

Domain restrictions

For an additional layer of protection, restrict submissions to specific domains using the Allowed Domains setting.