Spam Protection - Documentation

Back to Documentation

Spam Protection

Keep your forms bot-free with multiple layers of spam protection.

Honeypot

Hidden field that catches bots automatically

Timestamp

Blocks submissions that are too fast

CAPTCHA

Optional challenge for suspicious traffic

Honeypot Field (Recommended)

A honeypot is a hidden field that real users won't see or fill, but bots typically will. This is the easiest and most effective spam prevention method.

How to Implement

<input type="text"
       name="_formigo_hp"
       value=""
       style="display:none"
       tabindex="-1"
       autocomplete="off">

Use display:none

Don't use visibility:hidden or positioning tricks

Add tabindex="-1"

Prevents keyboard users from accidentally focusing the field

Add autocomplete="off"

Prevents browsers from auto-filling the field

Important

The field must remain empty. If it's filled, the submission will be flagged as spam (100 points).

Timestamp Validation (Recommended)

Timestamp validation prevents bots that submit forms instantly. Real users take at least a couple seconds to fill out a form.

How to Implement

<!-- Hidden input for timestamp -->
<input type="hidden" name="_formigo_t" value="">

<script>
  // Set timestamp when form loads
  document.querySelector('input[name="_formigo_t"]').value =
    Math.floor(Date.now() / 1000);
</script>

How It Works

JavaScript sets a Unix timestamp when the page loads
When the form is submitted, Formigo compares it with the current time
If less than 2 seconds have passed, it's likely a bot (50 spam points)
If the timestamp is invalid or missing, adds 25 spam points

Pro Tip

This works even if JavaScript is disabled - the field will just be empty and add minimal spam points. Real users won't be blocked.

CAPTCHA (Optional)

For high-value or high-spam forms, you can add CAPTCHA protection. Formigo supports both hCaptcha and Cloudflare Turnstile.

Cloudflare Turnstile

Free, privacy-friendly, and less intrusive than reCAPTCHA.

Free forever
Privacy-focused
Better UX

hCaptcha

Privacy-focused alternative to reCAPTCHA with better accessibility.

Free tier available
GDPR compliant
Accessible

Cloudflare Turnstile Setup

<!-- Add Turnstile widget -->
<div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>

<!-- Load Turnstile script -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"
        async defer></script>

<!-- Hidden field (auto-populated by Turnstile) -->
<input type="hidden"
       name="_formigo_captcha"
       class="cf-turnstile-response">

hCaptcha Setup

<!-- Add hCaptcha widget -->
<div class="h-captcha" data-sitekey="YOUR_SITE_KEY"></div>

<!-- Load hCaptcha script -->
<script src="https://js.hcaptcha.com/1/api.js"
        async defer></script>

<!-- Hidden field (auto-populated by hCaptcha) -->
<input type="hidden"
       name="_formigo_captcha"
       class="h-captcha-response">

Configuration Required

You'll need to enable CAPTCHA in your form settings and provide your secret key for validation.

Complete Form Example

Here's a complete form with all spam protection layers (without CAPTCHA):

<form action="https://formigo.com/f/your-form" method="POST">
  <!-- Your actual form fields -->
  <div>
    <label for="name">Name:</label>
    <input type="text" id="name" name="name" required>
  </div>

  <div>
    <label for="email">Email:</label>
    <input type="email" id="email" name="email" required>
  </div>

  <div>
    <label for="message">Message:</label>
    <textarea id="message" name="message" required></textarea>
  </div>

  <!-- Spam protection fields -->

  <!-- Honeypot (hidden field) -->
  <input type="text"
         name="_formigo_hp"
         value=""
         style="display:none"
         tabindex="-1"
         autocomplete="off">

  <!-- Timestamp -->
  <input type="hidden" name="_formigo_t" value="">

  <button type="submit">Send Message</button>
</form>

<script>
  // Set timestamp when form loads
  document.querySelector('input[name="_formigo_t"]').value =
    Math.floor(Date.now() / 1000);
</script>

Rate Limiting

Formigo automatically rate limits submissions to prevent abuse:

Per Form

5 submissions

Per IP, per form, every 10 minutes

Global

20 submissions

Per IP, all forms, per hour

When rate limits are exceeded, the API returns a 429 Too Many Requests status with a retry_after value in seconds.

Spam Score System

Each submission is assigned a spam score based on triggered checks:

Honeypot triggered

+100

CAPTCHA failed

+100

Submitted too fast (< 2 seconds)

+50

Invalid timestamp

+25

Spam Threshold

Submissions with a score of 100 or higher are marked as spam.

Spam submissions are stored but notifications are not sent.

Best Practices

Always include honeypot and timestamp

These two fields catch 95% of spam with zero user friction.

Only use CAPTCHA if needed

CAPTCHA adds friction. Start without it and add only if you see spam.

Review spam submissions periodically

Check your spam folder in the dashboard for false positives.

Style honeypot properly

Use display:none, not visibility tricks that might confuse screen readers.

Monitor your forms

Keep an eye on submission patterns and adjust protection as needed.

Getting Started

New to Formigo? Start here.

API Reference

Complete API documentation.

Code Examples

See integration examples.