Skip to content

Spam Protection

Forms published on the open web are constantly targeted by automated bots sending spam, advertisements, or phishing links. Lucid Forms provides a multi-layered spam defense system to keep your submissions and inbox completely clean.


Spam bots scan HTML markup and attempt to fill out every field on a form to ensure their payload is delivered. Real users, however, only see what is rendered visually. We use this behavior to catch bots silently.

Add a field to your form, name it _honeypot, and hide it using CSS:

<!-- Hidden from actual users, but visible to bots -->
<div style="display: none;">
<input type="text" name="_honeypot" tabindex="-1" autocomplete="off" />
</div>
  • How it works: When a submission arrives, Lucid Forms checks the value of the _honeypot field. If it has any value, we mark it as spam immediately. If it’s blank, we process it normally.
  • Why use it: It has zero friction. Real users don’t have to solve puzzles or select traffic lights.

Our advanced machine learning model screens form submissions in real-time. It analyzes the content, language patterns, links, and submission metadata to calculate a spam score.

  • No Configuration Needed: The AI Spam Filter is active on all plans (including Free) out of the box.
  • Handling: Submissions classified as spam are routed to the Spam folder on your dashboard instead of your Inbox, and email alerts are silenced.

To prevent malicious users from copying your form’s action URL and posting data from unauthorized sites, you can restrict submissions to specific domains.

  1. Navigate to Form Settings in your dashboard.
  2. Locate the Allowed Domains field (available on the Pro Plan).
  3. Add your authorized domains, one per line (e.g., yourwebsite.com, staging.yourwebsite.com).
  4. Save settings.

Submissions coming from any other origin URL will be blocked immediately.


If you are receiving repetitive spam containing specific keywords, products, or links, you can set up keyword blocks.

  1. Navigate to Form Settings in your dashboard.
  2. Under Keyword Blocking, enter specific words, phrases, or domains you want to reject (e.g., crypto, SEO services, buy now).
  3. Any submission containing these keywords will be rejected automatically.

For forms under heavy attack, you can enforce explicit CAPTCHA validation. We support:

  • Cloudflare Turnstile (Recommended: secure, fast, and user-friendly)
  • hCaptcha
  • Google reCAPTCHA v2
  1. Enable CAPTCHA in the Dashboard -> Form Settings -> CAPTCHA section and select your provider.
  2. Add your CAPTCHA provider’s site key and secret key.
  3. Add the CAPTCHA widget script and container inside your HTML form markup:
<!-- Example for Cloudflare Turnstile -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<form action="https://api.lucidforms.co/f/{form_id}" method="POST">
<!-- Your inputs... -->
<!-- Turnstile Widget -->
<div class="cf-turnstile" data-sitekey="your-site-key"></div>
<button type="submit">Submit</button>
</form>