Spam Protection
Spam Protection
Section titled “Spam Protection”FormFlow includes multiple layers of built-in spam protection that run automatically on every form submission. No configuration is needed to get started — all mechanisms are active by default. You can tune the settings per form from the Shield tab in the form builder.
How It Works
Section titled “How It Works”Challenge Widget (Turnstile)
Section titled “Challenge Widget (Turnstile)”Every form includes FormFlow’s Cloudflare Turnstile challenge by default. Turnstile runs invisibly in the background — it challenges suspicious traffic silently without interrupting legitimate visitors with a puzzle or CAPTCHA. The challenge token is verified server-side before any submission is saved.
You can replace the native Turnstile with your own Google reCAPTCHA or Cloudflare Turnstile account from the Integrations tab in Settings.
Additional Filters
Section titled “Additional Filters”FormFlow also applies four server-side filters to every submission:
| Layer | What it does |
|---|---|
| Honeypot trap | An invisible field is included in every form. Bots typically fill in all fields automatically; humans never see or interact with this field. Submissions where the hidden field is filled are silently discarded. |
| Rate limiting | If the same visitor submits the same form more than 5 times within 10 minutes, further attempts are blocked until the window resets. The limit and window can be customised per form. |
| Disposable email filter | If a form includes an email field and the address uses a known disposable or temporary email domain, the submission is rejected and the visitor is shown an error asking them to use a real email address. |
| Keyword filter | If any field value contains phrases commonly associated with spam, the submission is silently discarded. You can add your own keywords per form. |
Silent discards (honeypot and keyword) do not show an error to the visitor — the form appears to submit successfully, but the submission is not saved.
Bring-Your-Own Challenge Provider
Section titled “Bring-Your-Own Challenge Provider”If you have your own Google reCAPTCHA or Cloudflare Turnstile account, you can use it instead of FormFlow’s native Turnstile on any form.
Setting Up a Provider
Section titled “Setting Up a Provider”- Go to Settings and open the Integrations tab
- Find the Spam Protection section and click the provider you want to configure
- Enter your credentials and save
| Provider | Credentials required |
|---|---|
| Google reCAPTCHA | Site Key, Secret Key, and reCAPTCHA type (v2 Checkbox, v2 Invisible, or v3) |
| Cloudflare Turnstile | Site Key and Secret Key |
Enabling a Provider on a Form
Section titled “Enabling a Provider on a Form”- Open the form in the Form Builder and go to the Integrations tab
- Find the Spam Protection section
- Toggle on the provider you want to use for this form
Only one bring-your-own provider can be active per form at a time. When a bring-your-own provider is active, FormFlow’s native Turnstile is automatically suppressed for that form.
If no providers have been configured yet, you will see a prompt to set one up in Settings.
Widget Behaviour by Provider Type
Section titled “Widget Behaviour by Provider Type”| Provider type | What visitors see |
|---|---|
| reCAPTCHA v2 Checkbox | A visible “I’m not a robot” checkbox widget |
| reCAPTCHA v2 Invisible | No visible widget — runs automatically on submit |
| reCAPTCHA v3 | No visible widget — returns a score; submissions below 0.5 are rejected |
| Cloudflare Turnstile (BYO) | A small Turnstile widget before the submit button |
Per-Form Configuration
Section titled “Per-Form Configuration”Each form has its own spam protection settings. To access them:
- Open the form in the Form Builder
- Click the Shield tab in the left panel
Enabling and Disabling Protections
Section titled “Enabling and Disabling Protections”Each protection mechanism can be toggled on or off for the form independently:
- Cloudflare Turnstile challenge — toggle off to disable the challenge widget for this form entirely
- Honeypot trap — toggle off to skip the hidden field check
- Rate limiting — toggle off to remove the submission rate limit for this form
- Disposable email filter — toggle off to allow submissions from any email domain
- Keyword filter — toggle off to skip the built-in spam keyword check
Disabling a protection affects this form only — all other forms remain unaffected.
Rate Limit Thresholds
Section titled “Rate Limit Thresholds”When rate limiting is enabled, you can adjust the thresholds for the form:
| Setting | Description | Default |
|---|---|---|
| Max submissions | Maximum number of submissions allowed from the same visitor within the window | 5 |
| Window (minutes) | The time window in minutes | 10 |
Trusted Email Domains (Allow List)
Section titled “Trusted Email Domains (Allow List)”Enter email domains you trust — one per line (e.g. acmecorp.com). Submissions from these domains bypass the disposable email filter and keyword checks entirely.
If a domain appears in both the allow list and the blocked domains list, the allow list takes precedence and the submission is accepted.
Blocked Email Domains (Block List)
Section titled “Blocked Email Domains (Block List)”Enter email domains to always reject — one per line. Submissions from these domains are always rejected, regardless of whether they appear on the global disposable email list.
Custom Blocked Keywords
Section titled “Custom Blocked Keywords”Enter words or phrases to block — one per line (case-insensitive). These are checked in addition to FormFlow’s built-in keyword list. Submissions containing any custom keyword are silently discarded.
Spam Log
Section titled “Spam Log”Every blocked attempt is recorded so you can monitor spam activity on your forms.
To view the spam log for a form:
- Open the form and go to the Submissions tab
- Scroll down to the Spam Protection section
The summary shows:
| Column | Description |
|---|---|
| Honeypot | Number of bot submissions caught by the hidden field |
| Rate limited | Number of submissions blocked due to too many attempts from the same visitor |
| Disposable email | Number of submissions rejected for using a temporary email address |
| Keyword filter | Number of submissions silently discarded for containing spam phrases |
Spam log entries are not included in your submission count and do not affect your plan limits.