FormForge

Anti-Spam & Security

FormForge uses multiple layers of spam prevention and security. Each layer works independently, so bots must defeat all of them to submit successfully. All protections are configurable per form.

Honeypot

The honeypot is a hidden form field that is invisible to real users but gets filled in by bots that blindly complete every field. When the server detects a value in the honeypot, the submission is silently rejected as spam.

The honeypot is enabled by default on every new form. It adds zero friction for legitimate users. You can toggle it off per form in the form settings if needed, but there is rarely a reason to disable it.

Time-to-Submit

FormForge measures how quickly a form is completed after it loads. A real person needs at least a few seconds to read and fill in a form, while bots typically submit within milliseconds. Any submission completed in under 2 seconds is automatically rejected as bot traffic.

Important

The 2-second threshold is not currently configurable. If you have forms that are legitimately submitted very quickly (e.g. a single checkbox opt-in), you can disable time-to-submit validation for those specific forms in the form settings.

CAPTCHA

FormForge supports two CAPTCHA providers for human verification: Cloudflare Turnstile and Google reCAPTCHA v3. Both are configured per form and perform server-side verification automatically.

Supported Providers

ProviderTypeUser Experience
Cloudflare TurnstileInteractive widgetNon-intrusive challenge, adapts to your site’s theme
Google reCAPTCHA v3Invisible / score-basedNo user interaction; submissions scoring below 0.5 are rejected

Per-Form Configuration

In the form settings, choose which CAPTCHA provider to use (or leave it empty to disable CAPTCHA for that form). You can also override the site key per form if different forms use different CAPTCHA widgets.

Global Configuration

Add your site key and secret key in appsettings.json under the FormForge section:

{
  "FormForge": {
    "TurnstileSiteKey": "0x4AAAAAAA...",
    "TurnstileSecretKey": "0x4AAAAAAA...",
    "RecaptchaSiteKey": "6Lc...",
    "RecaptchaSecretKey": "6Lc..."
  }
}

You only need to configure the provider(s) you plan to use. The CAPTCHA widget and verification are handled automatically by FormForge once the keys are set.

Rate Limiting

Form submissions are rate-limited to prevent abuse. When a client exceeds the allowed number of submissions within a time window, further attempts are temporarily blocked.

Tip

Rate limiting is especially important for headless API submissions. Combine it with CAPTCHA for the strongest protection.