Form Spam Protection: Honeypots, Rate Limiting & CAPTCHA
Spam bots submit thousands of forms per day. Here's a practical breakdown of every spam protection technique - from honeypots to CAPTCHA - and when to use each.
formvoxo Team
Security
Security deep-dive
6 spam-fighting techniques - pros, cons, and when to use each.
If you've ever run an unprotected contact form, you've seen it: within hours your inbox fills with messages about SEO services, cryptocurrency, and pharmaceutical products. Spam bots are relentless, automated, and constantly evolving. Here's how to stop them.
1. Honeypot fields
Highly recommendedA honeypot is a hidden form field that real users never fill in - but bots do. When a submission arrives with the honeypot populated, silently discard it.
<input type="text" name="_honey"
style="display:none" tabindex="-1" autocomplete="off">
Pros
Zero friction for real users. Easy to implement. Works against most automated bots.
Cons
Doesn't stop sophisticated bots that parse the DOM. Doesn't stop human spammers.
Verdict: Always use this as a baseline. formvoxo checks _honey automatically.
2. Per-IP rate limiting
EssentialLimit how many submissions the same IP address can make within a time window. Most spam attacks come from a small number of IPs hitting your endpoint hundreds of times per minute.
Pros
Stops flooding attacks. No user friction for normal usage.
Cons
IPs can be spoofed or rotated. Shared IPs (offices, schools) can hit limits legitimately.
Verdict: formvoxo applies configurable rate limiting on every form automatically.
3. Domain whitelisting
Very effectiveRestrict which domains can POST to your form endpoint. If your form lives on example.com, there's no reason a bot on badactor.ru should be able to submit to it.
Pros
Eliminates cross-origin spam attacks entirely.
Cons
Doesn't help if spam comes from a headless browser that spoofs headers.
Verdict: Use it when your form is on a specific domain. Available in formvoxo.
4. Time-based submission check
Simple additionReal humans take at least a few seconds to fill in a form. If a submission arrives less than 3 seconds after page load, it's almost certainly a bot.
<input type="hidden" name="_loaded_at" value="{{ time() }}">
<!-- Server: reject if time() - _loaded_at < 3 -->
Pros
Simple. Zero user friction.
Cons
Sophisticated bots can delay submissions.
Verdict: Good lightweight addition to your baseline protection.
5. reCAPTCHA / hCaptcha
High-value formsCAPTCHA challenges are the most powerful spam protection but come with trade-offs. Google's invisible reCAPTCHA v3 scores submissions rather than challenging users.
Pros
Very high effectiveness. Invisible v3 has zero user friction.
Cons
reCAPTCHA sends data to Google. Both add JavaScript weight. Can cause false positives for VPN users.
Verdict: Use for registration, payments, and high-abuse targets. For contact forms honeypot + rate limiting is usually enough.
6. CSRF tokens
Full-stack appsA random value that must be present in both the form and the user's session. This stops automated submissions from external sources that don't have a valid session.
Pros
Cryptographically strong. Stops CSRF attacks completely.
Cons
Breaks static sites and SPAs that don't have a session.
Verdict: Use in server-rendered apps with sessions.
The right combination for most sites
| Form type | Recommended protection |
|---|---|
| Simple contact form | Honeypot + rate limiting |
| Form on a specific domain | Honeypot + rate limiting + domain whitelist |
| High-traffic public form | All of the above + hCaptcha |
| User registration / sign-up | All of the above + email verification |
formvoxo includes honeypot + rate limiting on every form
With domain whitelisting available on paid plans. Create your free account.
Share this article