Spam is the tax every form owner pays. Form Forge’s anti-spam system is built in layers so you can stop 99% of automated spam without adding a visible CAPTCHA that hurts user experience. For the remaining 1%, optional Google reCAPTCHA v3 runs invisibly in the background.
A honeypot is a hidden form field that humans never see (because it’s hidden with CSS) but bots fill in automatically because they see it in the HTML. Form Forge adds a honeypot to every form by default and rejects any submission where the honeypot is filled.
This alone blocks roughly 80% of automated spam without impacting legitimate users.
Pros: Invisible, zero friction, no third-party service.
Cons: Sophisticated bots can learn to skip honeypot fields.
Real humans take at least a few seconds to fill in a form. Bots submit in milliseconds. Form Forge records a timestamp when the form is rendered and rejects any submission that arrives faster than a configurable minimum (default: 3 seconds).
This catches bots that bypass the honeypot and speeds through the form.
Pros: Invisible to users, catches fast bots.
Cons: Can occasionally produce false positives if a user pastes pre-filled data. The threshold is configurable.
Every form Form Forge renders includes a signed token that’s tied to the form ID, the user’s session, and a timestamp. The token is validated server-side on submission. Forged tokens, reused tokens, and tokens from other forms are all rejected.
This stops attackers who scrape your form once and try to replay submissions from a script.
Pros: Blocks replay attacks, nearly invisible, no third-party service.
Cons: None for normal use.
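A sketch of how the signed token and the minimum-fill-time check described above can work together, as an added example that is not Form Forge's own code. The function names, token layout, one-hour expiry and in-memory nonce store are assumptions made for illustration; form IDs are assumed not to contain `|`.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-site secret kept server-side
MIN_FILL_SECONDS = 3                  # the default minimum fill time quoted above
MAX_AGE_SECONDS = 3600                # assumption: tokens expire after one hour
_used_nonces = set()                  # assumption: in-memory; a shared store in production


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(form_id, session_id, now=None):
    """Called when the form is rendered; the token goes into a hidden field."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    # The session ID is signed but never embedded, so a token copied
    # out of one session fails verification in any other session.
    mac = _sign(f"{form_id}|{session_id}|{issued_at}|{nonce}")
    return f"{form_id}|{issued_at}|{nonce}|{mac}"


def verify_token(token, form_id, session_id, now=None):
    """Return 'ok', or the reason the submission is rejected."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return "malformed"
    tok_form, issued_raw, nonce, mac = parts
    expected = _sign(f"{tok_form}|{session_id}|{issued_raw}|{nonce}")
    # Constant-time comparison; covers forged and tampered tokens.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    if tok_form != form_id:
        return "wrong-form"
    elapsed = now - int(issued_raw)  # safe to parse: the value was signed
    if elapsed < MIN_FILL_SECONDS:
        return "too-fast"
    if elapsed > MAX_AGE_SECONDS:
        return "expired"
    if nonce in _used_nonces:
        return "replayed"
    _used_nonces.add(nonce)  # consumed only on success, so a too-fast user can retry
    return "ok"
```

Because the render timestamp is covered by the signature, a client cannot backdate it to get past the time check.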
reCAPTCHA v3 is Google’s invisible anti-spam service. Unlike the old “click the fire hydrants” CAPTCHA, v3 runs in the background and returns a confidence score (0.0 to 1.0) indicating how likely the user is to be human. Form Forge can reject submissions below a configurable threshold (default: 0.5).
Pros: Catches the hardest spam, invisible to most users.
Cons: Requires a Google account, sends data to Google, occasionally false-flags real users.
Enable it per form, or globally, with your site key and secret key in settings.
“Click all the images with traffic lights.” Nobody likes them. They hurt conversion rates. They’re especially bad on mobile. Form Forge’s anti-spam stack is good enough that you shouldn’t need one.
“Type the letters you see below.” Same problem. Friction for humans, easily solved by modern bots.
“What is 3 + 7?” Blocks basic bots, but real ones solve it. And users find it annoying.
All of these can be replaced by Form Forge’s invisible anti-spam.
Each form’s anti-spam settings are independent. For a high-traffic contact form on the homepage, you might enable all four layers. For a low-risk internal form, you might enable only honeypot + token. Configure per form in the form settings panel.
When a submission is blocked by anti-spam, Form Forge logs it as “spam” in a separate view (not mixed with real submissions). You can:
| | Honeypot | Text CAPTCHA | reCAPTCHA v2 | reCAPTCHA v3 |
|---|---|---|---|---|
| Visible to users? | No | Yes | Yes | No |
| User friction | None | High | Medium | None |
| Mobile friendly? | Yes | No | Medium | Yes |
| Blocks most bots? | Yes (~80%) | Medium | Yes (~95%) | Yes (~99%) |
| Blocks sophisticated bots? | No | No | Yes | Yes |
| Third-party dependency | No | No | Yes | Yes |
| Privacy friendly | Yes | Yes | No | No |
Form Forge’s default configuration (honeypot + time check + token) catches roughly 95% of real-world spam without any third-party service. For the remaining 5%, enabling reCAPTCHA v3 as a fifth layer gets you to essentially zero.
All four anti-spam layers are included in every version of Form Forge, including the free one.