Skip to main content

Documentation

Spam Protection

Formcore has built-in spam protection you can enable per form. Some checks require small changes to your HTML — others run entirely server-side. Configure everything from the Spam Protection tab in your form settings.

Preset modes

  • Off — all checks disabled
  • Basic — honeypot + timing protection
  • Full — honeypot + timing + keyword filter + IP rate limiting
  • Custom — toggle individual checks on or off

Honeypot

A hidden field that real users never see. Bots that auto-fill every field will fill it and get flagged. Add a hidden _gotcha field to your form: 

<!-- Hide with CSS clipping, not display:none (bots detect that) -->
<div aria-hidden="true"
  style="position:absolute;overflow:hidden;clip:rect(0 0 0 0);
   height:1px;width:1px;margin:-1px;padding:0;border:0">
 <input type="text" name="_gotcha" tabindex="-1" autocomplete="off" />
</div>

If submitting via JSON, include "_gotcha": "" in your payload. The field is always stripped from stored data.

Timing protection

Rejects submissions that arrive faster than a human could fill the form. Set a timestamp when the page loads and send it with the form: 

<input type="hidden" name="_timestamp" id="_timestamp" />

<script>
 // Set on page load, NOT on submit
 document.getElementById("_timestamp").value = new Date().toISOString();
</script>

Default minimum is 3 seconds (configurable per form). The _timestamp field is stripped from stored data. If omitted, the check is skipped.

Turnstile (Cloudflare captcha)

Cloudflare's free, privacy-friendly captcha. It runs invisibly or shows a brief challenge. You'll need a Site Key and Secret Key from the Cloudflare Turnstile dashboard .

  1. Create a Turnstile widget in Cloudflare and copy your Site Key and Secret Key
  2. In Formcore, open Spam Protection settings and enable Turnstile
  3. Paste both keys and save
  4. Add the widget to your form:
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"
  async defer></script>

<form action="/f/YOUR_FORM_ID" method="POST">
 <input name="name" required />
 <input name="email" type="email" required />

 <!-- Turnstile widget, renders automatically -->
 <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>

 <button type="submit">Send</button>
</form>

The token field (cf-turnstile-response) is injected by the widget and stripped from stored data. For JSON submissions, you can also use the field name _turnstile_token.

Server-side checks

These require no changes to your form. Enable them in Spam Protection settings.

  • Keyword filter — scans submissions for known spam patterns. Built-in categories plus up to 64 custom words.
  • IP rate limiting — limits submissions per IP address. Default: 10 per hour (configurable).

Reserved fields

These field names are automatically extracted from submissions and never stored in your data:

_gotcha _timestamp cf-turnstile-response _turnstile_token _session _next _error _meta

Spam flagged submissions are silently accepted with a fake success response to deceive bots. They're still stored and visible in your dashboard so you can review false positives.