How JustForms blocks spam
Spam is the #1 reason form backends become useless. JustForms blocks it at 5 different layers so almost nothing reaches your inbox.
1. Honeypot fields (auto-injected)
The embed script adds a hidden _gotcha input field. Real humans can't see it (CSS hidden, ARIA hidden, off-screen). Bots that auto-fill every field will trip it.
Any submission with _gotcha, _hp, botcheck, or website_url filled in is silently dropped (the request still returns 200 OK so as not to tip off the bot).
Blocks: ~70% of spam. Zero false positives.
2. Per-IP rate limiting
Default: 10 submissions per minute per IP per form (configurable). Above that, requests get 429 Too Many Requests.
Blocks: scripted attacks hammering one form from one IP.
3. Content-based spam scoring
Every submission gets a score from 0.0 to 1.0. A score above 0.7 is flagged: no email is sent, and the submission is kept in the dashboard for review.
Score factors:
- 3+ URLs in message → +0.3
- Common spam keywords (configured per-form) → +0.4 each
- Hard-coded high-signal terms (viagra, SEO services, crypto, casino, guest post) → +0.5
- Pure non-Latin content (often spam from Cyrillic content farms) → +0.2
Tune per-form spam keywords in dashboard → form → Edit → Spam keywords.
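The scoring rules above, carried through as an added example (this is illustrative code, not JustForms' own implementation). It assumes that the hard-coded high-signal terms add +0.5 once per submission rather than per term, that the total is capped at 1.0, and that "pure non-Latin" means the message contains letters and none of them are Latin script:

```python
import re
import unicodedata

# High-signal terms listed on the page; matched case-insensitively.
HIGH_SIGNAL_TERMS = ("viagra", "seo services", "crypto", "casino", "guest post")
# Assumption: a URL is anything starting with http(s):// or www.
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
FLAG_THRESHOLD = 0.7


def is_pure_non_latin(text: str) -> bool:
    """True when the message has letters and none of them are Latin script."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return False
    return not any("LATIN" in unicodedata.name(c, "") for c in letters)


def spam_score(message: str, form_keywords=()) -> float:
    """Score a submission 0.0-1.0 using the factor list above."""
    text = message.lower()
    score = 0.0
    if len(URL_RE.findall(text)) >= 3:          # 3+ URLs -> +0.3
        score += 0.3
    for keyword in form_keywords:               # per-form keywords -> +0.4 each
        if keyword.lower() in text:
            score += 0.4
    if any(term in text for term in HIGH_SIGNAL_TERMS):
        score += 0.5                            # assumption: +0.5 once, not per term
    if is_pure_non_latin(message):
        score += 0.2                            # pure non-Latin content -> +0.2
    return min(score, 1.0)                      # assumption: capped at 1.0


def is_flagged(message: str, form_keywords=()) -> bool:
    """Flagged submissions are held in the dashboard instead of emailed."""
    return spam_score(message, form_keywords) > FLAG_THRESHOLD


if __name__ == "__main__":
    # Constructed sample submissions, not real data.
    samples = [
        "Hi, I loved your article. Can we talk next week?",
        "Buy viagra now http://a.example http://b.example http://c.example",
        "Привет, купите наш товар",
    ]
    for msg in samples:
        print(f"{spam_score(msg):.1f} flagged={is_flagged(msg)}  {msg[:40]!r}")
```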
4. Cloudflare Turnstile (optional)
Free, privacy-friendly CAPTCHA alternative to reCAPTCHA. No "click all the buses" puzzles — most users pass silently.
- Get a free site key at dash.cloudflare.com/turnstile
- Add to your form embed:
<form data-justforms="..." data-turnstile-key="0x4AAAAA...">
- Or enable "Require Turnstile" toggle on the form in dashboard
Blocks: 99% of remaining bot traffic.
5. Origin allowlist (CORS lock)
Per-form setting. The default is * (any origin). Lock it to specific domains to block cross-site abuse:
Allowed origins: https://yoursite.com, https://www.yoursite.com
Requests from other origins return 403 Forbidden.
Total spam blocked by default
With all defaults on (no Turnstile, no origin lock): ~95% of spam blocked.
With Turnstile added: ~99.5%.
What about the spam that gets through?
Open the dashboard. Submissions marked spam appear in the list with a grey row. Delete them in bulk, or recover false positives by clicking "Mark as legit".