Spam Protection
WebStadia Forms includes built-in spam protection to keep bots from flooding your inbox.
Honeypot fields
The primary spam protection method is the honeypot technique. Add a hidden field to your form that's invisible to humans but visible to bots. Bots typically fill out every field they find — if the honeypot field has a value, the submission is silently rejected.
HTML form example
<form action="https://api.webstadia.com/v1/fm/YOUR_FORM_ID" method="POST">
<!-- Honeypot — hide from humans -->
<input type="text" name="_gotcha" style="display:none" tabindex="-1" autocomplete="off">
<input type="text" name="name" required>
<input type="email" name="email" required>
<button type="submit">Send</button>
</form>
How it works
- The
_gotchafield is hidden withdisplay:none - Human users never see or fill it
- Bots automatically fill every field, including
_gotcha - If
_gotchahas any value, WebStadia silently accepts the request (returns 200) but does not store the submission - The bot thinks it succeeded, but no spam is recorded
Tips for better honeypot protection
- Use
style="display:none"instead oftype="hidden"— some bots skip hidden inputs but fill visible ones - Add
tabindex="-1"so keyboard users don't accidentally tab into it - Add
autocomplete="off"to prevent browsers from auto-filling it
Alternative honeypot field: _honey
You can also use _honey as the honeypot field name:
<input type="text" name="_honey" style="display:none">
Both _gotcha and _honey work identically.
CSRF tokens (JavaScript API)
For JavaScript submissions, you can use CSRF tokens for stronger protection. See JavaScript API → CSRF Protection.
Best practices
- Always add a honeypot field — it's simple and effective
- Use CSRF tokens for JavaScript forms on sensitive pages
- Set up email notifications so you can monitor submissions
- Review submissions in the dashboard regularly