Stop spam submissions on your website forms using honeypot fields, CAPTCHAs, rate limiting, and AI-powered spam detection. Protect your inbox without hurting real users.
A honeypot is a hidden form field that real users never see or fill in, but bots fill out automatically. If the honeypot field has a value when the form is submitted, you know it is spam. This technique is invisible to users and blocks a large percentage of simple bots.
<form action="https://formslist.com/f/YOUR_FORM_HASH" method="POST">
<!-- Honeypot field — hidden from users, filled by bots -->
<div style="position:absolute;left:-9999px;" aria-hidden="true">
<label for="website">Website</label>
<input type="text" id="website" name="website" tabindex="-1" autocomplete="off" />
</div>
<label for="name">Name</label>
<input type="text" id="name" name="name" required />
<label for="email">Email</label>
<input type="email" id="email" name="email" required />
<label for="message">Message</label>
<textarea id="message" name="message" required></textarea>
<button type="submit">Send</button>
</form>For stronger protection, add Google reCAPTCHA or a similar CAPTCHA service. reCAPTCHA v3 runs invisibly and scores each visitor, while v2 shows a checkbox challenge. CAPTCHAs are effective against sophisticated bots but add a small amount of friction for real users.
<!-- reCAPTCHA v3 (invisible) -->
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>
<script>
document.querySelector("form").addEventListener("submit", function (e) {
e.preventDefault();
grecaptcha.ready(function () {
grecaptcha.execute("YOUR_SITE_KEY", { action: "submit" }).then(function (token) {
const input = document.createElement("input");
input.type = "hidden";
input.name = "g-recaptcha-response";
input.value = token;
e.target.appendChild(input);
e.target.submit();
});
});
});
</script>Bots submit forms instantly, while humans take several seconds to fill them out. Add a timestamp when the page loads and reject submissions that arrive too quickly. You can also restrict form submissions to your own domain so the endpoint cannot be abused from other sites.
<script>
// Add a hidden timestamp when the page loads
window.addEventListener("DOMContentLoaded", () => {
const form = document.querySelector("form");
const timeField = document.createElement("input");
timeField.type = "hidden";
timeField.name = "_loaded_at";
timeField.value = Date.now().toString();
form.appendChild(timeField);
});
// On the server side (or in FormsList settings):
// Reject submissions where (now - _loaded_at) < 3 seconds
</script>
<!-- FormsList also supports domain restriction:
In your dashboard, set "Allowed domains" to your website's domain.
Submissions from other origins will be rejected automatically. -->FormsList includes built-in AI spam detection that scores every submission. It analyzes field content, submission patterns, and sender reputation to separate real messages from spam. Enable it in your FormsList dashboard — no code changes required. Flagged submissions are quarantined so you can review them without cluttering your inbox.
Protect your form from spam and bots by adding Google reCAPTCHA. This guide covers both reCAPTCHA v2 (checkbox) and v3 (invisible) with step-by-step instructions.
Learn moreLearn the best practices for validating form data on both the client and server side. Improve user experience, reduce errors, and keep your data clean.
Learn moreAdd a fully functional contact form to any HTML website in under 5 minutes. No JavaScript frameworks, no server setup — just plain HTML that works everywhere.
Learn moreSet up your form backend in under a minute. No server required, no complex configuration — just a simple endpoint for your forms.