Setting Up Spam Protection
This guide walks through configuring all of Formtorch’s spam protection layers on a form, from basic to advanced.
Step 1: Enable the honeypot
The honeypot catches basic bots with zero friction for real users. Enable it first on every form.
Open form spam settings
In the dashboard , go to your form → Settings → Spam Protection and toggle Honeypot on.
Add the hidden field to your HTML
<input
type="text"
name="_honeypot"
style="display:none"
tabindex="-1"
autocomplete="off"
/>Place this inside your <form> tag. Real users never see it. Bots that fill every field get caught automatically.
Step 2: Review TorchWarden detections
TorchWarden runs on every submission automatically — no configuration required. Starter and Pro plans get the full detection suite; Free gets basic protection.
Check Submissions in your dashboard. Spam submissions show a red Spam badge.
Step 3: Add domain restriction
If your form is embedded on a known domain, restrict submissions to that origin:
Open spam settings
Go to your form → Settings → Spam Protection → Allowed Domains.
Add your domain
Enter your production domain (e.g. yoursite.com). Add a staging domain if needed.
Save
Only submissions from the listed origins will be accepted. Requests from all other origins receive a 403 Forbidden.
During local development, add localhost to the allowed domains list
temporarily, or use test submissions (_test=true) which bypass domain
restriction.
Step 4: Add CAPTCHA
CAPTCHA is a heavier layer for forms under active bot pressure. Cloudflare Turnstile, hCaptcha, and reCAPTCHA v3 are available on all plans.
For step-by-step setup, see CAPTCHA Integration and choose your provider.
Verify it’s working
After enabling protection:
- Submit your form normally — it should succeed
- Manually fill in the honeypot field and submit — the submission should appear with a Spam badge in the dashboard
- Check the Spam Score column to confirm signals are firing as expected
Learn more
- Spam Protection overview — TorchWarden™ and how protection layers work together
- Honeypot — configuration options and custom field names
- Domain Restriction — allowlist setup and wildcard syntax
- CAPTCHA Integration — Turnstile, hCaptcha, and reCAPTCHA (coming soon)