Brent Haskins / Applied AI
Public form spam is a product problem, not only a CAPTCHA checkbox
Unlimited form responses attract bots the week a campaign goes live. Brent Haskins treats spam control as part of Formably's core: server-side validation, throttling, and alerts that distinguish junk from real leads.
The same week you launch unlimited responses, bots discover your embed.
Spam is not a surprise feature request—it is a capacity and trust problem. Owners blame the form vendor when their inbox fills with SEO pitches.
Layer defenses
Edge rate limits — per IP, per form ID, sliding window.
Honeypots — CSS-hidden fields bots fill; humans never see them.
Schema validation — reject unknown fields; cap string lengths; validate emails and phones with server rules, not browser hints alone.
File uploads — if you allow them, type and size caps, scan if your threat model requires it.
OWASP’s web top ten still applies to public POST endpoints.
Alert hygiene
Email on every submission trains users to ignore alerts. Flag confidence: likely human vs likely bot. Let users purge spam in bulk.
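The three checks in the list above plus the confidence flag from this section, combined into one server-side gate. This is an added example, not Formably's code; the form schema, the honeypot field name, and the limit of five hits per minute are assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Constructed schema for one form: allowed field names and max lengths (assumption).
SCHEMA = {"name": 100, "email": 254, "message": 2000}
HONEYPOT = "website"  # CSS-hidden field; real users never see or fill it (assumed name)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse server-side check

class SlidingWindowLimiter:
    """Per (ip, form_id) sliding window: at most `limit` hits per `window` seconds."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, form_id, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[(ip, form_id)]
        while q and now - q[0] > self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:  # rejected hits do not count toward the window
            return False
        q.append(now)
        return True

def validate(form_id, ip, fields, limiter, now=None):
    """Classify one POST. Returns (verdict, reasons); verdict is 'reject' (never stored),
    'likely_bot' (quarantined in the dashboard, no email) or 'likely_human' (notify)."""
    if not limiter.allow(ip, form_id, now):
        return "reject", ["rate_limited"]
    reasons = []
    unknown = set(fields) - set(SCHEMA) - {HONEYPOT}
    if unknown:  # reject unknown fields rather than silently storing them
        reasons.append("unknown_fields:" + ",".join(sorted(unknown)))
    for name, cap in SCHEMA.items():
        value = fields.get(name, "")
        if not isinstance(value, str) or len(value) > cap:
            reasons.append("bad_length:" + name)
    email = fields.get("email", "")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        reasons.append("bad_email")
    if reasons:
        return "reject", reasons
    if fields.get(HONEYPOT):  # well-formed but the hidden field was filled: quarantine
        return "likely_bot", ["honeypot_filled"]
    return "likely_human", []
```

Only `likely_human` verdicts should trigger an owner notification; `likely_bot` rows go to the quarantine view for bulk purge.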
AI-generated forms do not get a pass
Generated fields increase attack surface if the generator adds hidden inputs or script-friendly markup. Sanitize output; keep allowed component types closed.
Brent Haskins
Built /projects/formably with generation and scale in mind. If you operate public forms, budget spam work in v1—not the week before a Super Bowl ad.
FAQ
Questions people ask about this topic.
What stops form spam besides CAPTCHA?
Combine per-IP and per-form rate limits, honeypot fields hidden from real users, strict server-side type validation, maximum field counts, and blocklists for disposable email domains where appropriate. Log submission metadata for review. CAPTCHA is a last resort for heavy abuse—it hurts conversion on high-intent pages.
How should SaaS form products alert owners about spam?
Separate notification rules for likely spam versus verified leads. Show spam quarantine in the dashboard with one-click delete and export for appeals. Do not email the customer on every bot hit. When a real lead arrives, notifications must be immediate—that is the whole product promise.