formbuild.io

Spam Protection

Protect your forms from spam with honeypot fields, automatic scoring, and rate limiting on formbuild.io.

formbuild.io includes multiple layers of spam defense so your Inbox stays clean — without CAPTCHAs that annoy real visitors.

Honeypot fields Pro

A honeypot is a hidden field that real visitors never see or fill in. Bots that auto-fill every field will trigger it.

  • In your form settings, go to Spam and set a honeypot field name (e.g. _honey).

  • Add a hidden input to your HTML form:

<!-- Hidden honeypot — do not show to users -->
<div style="display:none" aria-hidden="true">
<input name="_honey" tabindex="-1" autocomplete="off" />
</div>

If a response includes a non-empty value for this field, we silently discard it — returning a success status so the bot doesn't know it was caught.

Automatic spam scoring

We run a set of heuristics on every response to detect common spam patterns (link stuffing, suspicious content, etc.). Responses flagged as likely spam are still stored but moved to the Spam tab in your Inbox, keeping your main view clean.

You can always review the Spam tab and mark responses as Not spam if they were caught incorrectly, or manually mark legitimate-looking responses as Spam.

Google reCAPTCHA Pro

For high-traffic forms or when honeypots aren't enough, you can enable ** Google reCAPTCHA** for advanced bot protection.

  • In your form settings, go to Spam and enable ** reCAPTCHA**.

  • Enter your Site Key and Secret Key from the Google reCAPTCHA Admin Console.

  • Add the reCAPTCHA script to your page's &lt;head&gt;:


          - 
              Place the reCAPTCHA widget inside your `&lt;form&gt;`:

          formbuild.io will automatically detect the `g-recaptcha-response` 
          field and verify it with Google before accepting the submission.

      ## Rate limiting

          Every form endpoint on formbuild.io is automatically protected by strict, global rate-limiting
          heuristics to prevent abuse and bot flooding. 

          **Custom Rate Limits <span className="text-[10px] ml-1 bg-foreground text-background px-1.5 py-0.5 rounded-sm uppercase tracking-widest font-bold align-middle">Pro</span>**<br />
          If you are on the Pro plan, you can additionally configure a strict **Max submissions per hour** limit in your form's Spam settings to explicitly cap the volume of traffic a single form will accept.

      ## Bulk actions

          In the Inbox, you can select multiple responses and use bulk actions to:

          - Mark as spam

          - Mark as not spam

          - Delete permanently

      ## Tips

          - 
              Always use a honeypot — it catches the majority of naive bots with
              zero friction for real visitors.

          - 
              Use `tabindex="-1"` and{" "}
              `autocomplete="off"` on the honeypot input so
              screen readers and browsers skip it.

          - 
              Combine honeypot with{" "}
              [server-side validations](/docs/validations) (e.g.
              require an email field) for stronger protection.

          [← Success page](/docs/success-page)
          {" · "}
          [Next: Integrations →](/docs/integrations)

On this page