How Formisoft Blocks Form Spam Without CAPTCHAs
February 1, 2026
Public forms attract bots. It's not a question of if, but when. A contact form, an intake form, an event registration, anything publicly accessible will eventually get hit with automated submissions. The traditional solution is CAPTCHAs, but CAPTCHAs annoy real users and have accessibility problems. Formisoft takes a different approach.
Two Layers of Protection
Rate Limiting
Every form automatically limits submissions to 10 per minute from a single IP address or session. Normal users never hit this. Even a fast typist submitting a short form takes at least a minute. Bots hammering your form with hundreds of submissions per second get stopped cold.
When rate limiting kicks in, the user sees a clear message and can try again after the 60-second window resets. Legitimate users who somehow trigger it (accidental double-clicks, network retries) wait briefly and resubmit. Bots give up or get blocked.
Honeypot Fields
Honeypot fields are form fields hidden via CSS, so human visitors never see them. Legitimate users leave them blank because they don't know they exist. Bots, which auto-fill every field they find, fill them in, and their submission is silently rejected.
No CAPTCHA to solve. No "select all the traffic lights" puzzles. No impact on the real user experience at all.
Why This Matters
Spam submissions aren't just annoying. They cause real problems:
- Notification overload: If your form sends email notifications, 500 spam submissions mean 500 junk emails burying real patient submissions.
- Dirty data: Spam pollutes your submission data, making it harder to find and analyze real responses.
- Resource waste: Every spam submission consumes storage, processing, and bandwidth.
- Webhook noise: If your form triggers webhooks, spam submissions fire false triggers to your EHR or practice management system.
No Configuration Required
Both rate limiting and honeypot fields are enabled by default on every form. You don't need to toggle anything, set any thresholds, or configure any rules. Protection works from the moment you publish a form.
Technical Details
Rate limit: 10 submissions per minute per IP address/session.
Reset window: 60 seconds. After the window passes, the counter resets.
Rate limit response: HTTP 429 status code with a clear error message and reset time information.
Honeypot detection: Silent rejection. The bot receives a normal-looking response, so it doesn't know its submission was blocked. This prevents bots from adapting.
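To make the two layers concrete, here is an added illustration of both checks as a single server-side decision function. It is example code written for this post, not Formisoft's implementation; the honeypot field name `website`, the per-IP key and the response bodies are assumptions, while the 10-per-minute limit, 60-second reset window, HTTP 429 and silent honeypot rejection follow the details above.

```python
import time
from dataclasses import dataclass

RATE_LIMIT = 10          # submissions per window (from the post)
WINDOW_SECONDS = 60      # fixed window; counter resets once it passes
HONEYPOT_FIELD = "website"  # assumed name; rendered hidden via CSS, e.g.
# <input name="website" tabindex="-1" autocomplete="off" style="display:none">


@dataclass
class Decision:
    status: int      # HTTP status returned to the client
    accepted: bool   # True only if the submission is stored and webhooks fire
    body: dict       # JSON-style response body


class SpamFilter:
    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS, honeypot=HONEYPOT_FIELD):
        self.limit, self.window, self.honeypot = limit, window, honeypot
        self.windows = {}  # key (IP or session id) -> (window_start, count)

    def _over_limit(self, key, now):
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.window:      # window expired: reset the counter
            start, count = now, 0
        count += 1
        self.windows[key] = (start, count)
        reset_in = int(self.window - (now - start))
        return count > self.limit, reset_in

    def handle(self, key, fields, now=None):
        """Decide what to do with one form submission from `key` carrying `fields`."""
        now = time.time() if now is None else now
        limited, reset_in = self._over_limit(key, now)
        if limited:
            # Layer 1: rate limit. Clear message plus reset-time information.
            return Decision(429, False, {
                "error": f"Too many submissions. Try again in {reset_in} seconds.",
                "retry_after": reset_in,
            })
        ok_body = {"message": "Thanks, your submission was received."}
        if fields.get(self.honeypot, "").strip():
            # Layer 2: honeypot filled in. Silent rejection: the bot gets the
            # same normal-looking 200 response, but nothing is stored or forwarded.
            return Decision(200, False, ok_body)
        return Decision(200, True, ok_body)  # legitimate submission
```

Webhooks and notifications should be wired to `accepted`, not to the HTTP status, so that blocked submissions never reach downstream systems.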
Edge Cases
High-volume events: If you're running an event registration that might legitimately get many rapid submissions from the same network (e.g., an office where everyone shares an IP), be aware that rate limiting is per-IP. In practice, 10 per minute per IP is generous enough that this rarely causes issues, but it's worth knowing.
Password-protected forms: If a form is password-protected, spam is already less likely since bots can't get past the password prompt. Rate limiting still applies as a second layer.
Webhooks: Rate limiting happens before webhook triggers, so spam submissions that get blocked never fire your webhooks. Your integrations only receive legitimate data.
Spam protection should be invisible to real users and effective against bots. Rate limiting and honeypot fields achieve both without adding friction to the patient experience.