Domain Restriction
Domain restriction lets you specify which websites are allowed to submit to your form endpoint. Any request from an origin not on your allowlist is rejected before it reaches your form.
This is useful when your form is embedded on a known domain and you want to prevent anyone from using your form ID on a different site.
How it works
Formtorch checks the Origin or Referer header on every incoming submission. If you have an allowlist configured:
- Requests from allowed domains are processed normally
- Requests from domains not on the list are rejected with 403 Forbidden
- Requests with no Origin or Referer header (e.g. direct API calls from server-side code) bypass the check
Domain restriction is available on the Starter and Pro plans. See the pricing page for a full plan comparison.
Setting up an allowlist
Open your form settings
In the dashboard, open your form → Settings → Spam Protection.
Add allowed domains
Enter each allowed domain and click Add. You can add multiple domains — for example, your production domain and a staging domain.
Save
Changes take effect immediately for new submissions.
Domain format
Enter domains without a protocol or path:
| Input | Matches |
|---|---|
| example.com | https://example.com, http://example.com |
| staging.example.com | Only that exact subdomain |
| *.example.com | Any subdomain of example.com (wildcard) |
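The check described under "How it works" and the matching rules in the table above, written out as an added example (this is not Formtorch's own code). The function names, the header object shape and the sample domains are constructed for illustration, and the assumptions it makes where the page is silent are listed in the opening comment.

```javascript
// Added illustration, not Formtorch's implementation; names and sample values are constructed.
// Assumptions: Origin is preferred over Referer, "*.x" covers subdomains only (not x itself),
// a header that is present but unparseable counts as not on the allowlist,
// and the _test=true bypass is not modelled.

function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Hostname from an Origin/Referer value, or null if it is not an http(s) URL
// (for example the literal Origin value "null").
function hostFromHeader(value) {
  try {
    const url = new URL(value);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    return normalizeHost(url.hostname);
  } catch {
    return null;
  }
}

function matchesEntry(host, entry) {
  const e = normalizeHost(entry);
  if (e.startsWith("*.")) {
    const suffix = e.slice(1); // ".example.org"
    // Compare on a label boundary so "notexample.org" does not match.
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === e; // exact host only; the scheme is ignored
}

// headers: plain object with lowercase keys, as Node.js exposes them.
function checkSubmission(headers, allowlist) {
  if (allowlist.length === 0) return { allowed: true, reason: "restriction disabled" };
  const raw = headers.origin || headers.referer;
  if (!raw) return { allowed: true, reason: "no Origin or Referer header" };
  const host = hostFromHeader(raw);
  const ok = host !== null && allowlist.some((entry) => matchesEntry(host, entry));
  return ok
    ? { allowed: true, reason: "allowed domain" }
    : { allowed: false, status: 403, reason: "domain not on allowlist" };
}

// Constructed sample allowlist and requests.
const allowlist = ["example.com", "*.example.org"];
for (const origin of ["https://example.com", "https://example.com.other.test", "https://app.example.org"]) {
  console.log(origin, checkSubmission({ origin }, allowlist).allowed);
}
```

Because requests without either header skip the check, the allowlist limits which sites can host the form in a browser; it does not filter non-browser clients.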
Development and testing
During local development, localhost requests won’t match your production domain. Either:
- Add localhost to your allowlist temporarily
- Use _test=true submissions, which bypass domain restriction checks
- Leave domain restriction off during development and enable it before going live
Removing all domains from the allowlist disables the restriction entirely and allows submissions from any origin.