Spam Protection

Keep your submissions clean with built-in detection and captcha integration.

Built-in Detection

Submito automatically analyzes every incoming submission for spam signals. The detection runs without any configuration and flags submissions it considers likely spam.

Signals used for detection include:

  • IP reputation (known spam sources)
  • Submission velocity (many submissions from the same IP in a short window)
  • Common spam content patterns
  • Honeypot field detection

Flagged submissions are still stored so you can review and recover false positives. They are visually distinguished in the list with a spam badge.

Spam detection does not block submissions - it flags them. If a legitimate submission is incorrectly flagged, you can view it normally and move it through your pipeline.

Captcha Integration

For stricter protection, add a captcha challenge to your form. Submito supports three captcha providers. Enable captcha per form in Form Settings > Spam Protection.

Provider             | Type                        | Privacy                       | Cost
Cloudflare Turnstile | Invisible / smart challenge | Privacy-friendly, no tracking | Free
Google reCAPTCHA v3  | Invisible score-based       | Google data collection        | Free up to 1M/month
hCaptcha             | Visual challenge            | Privacy-focused               | Free tier available

Which provider to choose?

Use Cloudflare Turnstile for the best user experience - it's invisible to most users and doesn't require solving puzzles. It's also free and privacy-friendly.

Cloudflare Turnstile Setup

  1. Create a Turnstile site at dash.cloudflare.com > Turnstile. Set the site type to Managed.
  2. Copy your Site Key and Secret Key.
  3. In Submito, go to Form Settings > Spam Protection, select Turnstile, and paste your Secret Key.
  4. Add the Turnstile widget to your HTML form:
<!-- Add to your <head> -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

<!-- Add inside your <form>, before the submit button -->
<div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>

Turnstile automatically adds a hidden cf-turnstile-response field to your form submission, which Submito verifies server-side.

Google reCAPTCHA v3 Setup

  1. Register your site at google.com/recaptcha. Choose reCAPTCHA v3.
  2. Copy your Site Key and Secret Key.
  3. In Submito, go to Form Settings > Spam Protection, select reCAPTCHA v3, and paste your Secret Key.
  4. Add the reCAPTCHA script and token generation to your form:
<!-- Add to your <head> -->
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>

<!-- Add to your form submit handler -->
<script>
  document.querySelector('form').addEventListener('submit', function(e) {
    e.preventDefault();
    grecaptcha.ready(function() {
      grecaptcha.execute('YOUR_SITE_KEY', {action: 'submit'}).then(function(token) {
        document.getElementById('g-recaptcha-response').value = token;
        e.target.submit();
      });
    });
  });
</script>

<!-- Hidden field inside your <form> -->
<input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response">

hCaptcha Setup

  1. Create an account at hcaptcha.com and add a new site.
  2. Copy your Site Key and Secret Key.
  3. In Submito, go to Form Settings > Spam Protection, select hCaptcha, and paste your Secret Key.
  4. Add the hCaptcha widget to your HTML form:
<!-- Add to your <head> -->
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>

<!-- Add inside your <form>, before the submit button -->
<div class="h-captcha" data-sitekey="YOUR_SITE_KEY"></div>

How Verification Works

When a captcha is configured, Submito performs server-side verification on every submission:

  1. Your form collects the captcha token from the user's browser.
  2. The token is submitted alongside the form data.
  3. Submito sends the token to the captcha provider's verification API using your Secret Key.
  4. If verification passes, the submission is accepted. If it fails, a 422 error is returned.
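
The sketch below shows what steps 3 and 4 look like for the three providers. It is an added example, not Submito's own code: the cfg and form shapes, the fakeProvider stub, the reason strings and the 0.5 score threshold are assumptions. The siteverify URLs and token field names are the ones each provider documents.

```javascript
// Added illustration, not Submito's code. URLs and field names are the providers' documented ones.
const PROVIDERS = {
  turnstile: { url: 'https://challenges.cloudflare.com/turnstile/v0/siteverify', field: 'cf-turnstile-response' },
  recaptcha: { url: 'https://www.google.com/recaptcha/api/siteverify', field: 'g-recaptcha-response' },
  hcaptcha: { url: 'https://api.hcaptcha.com/siteverify', field: 'h-captcha-response' },
};

// Constructed stub standing in for the provider API so the logic runs offline.
const fakeProvider = (json) => async () => ({ json: async () => json });

function reject(reason) {
  return { ok: false, status: 422, reason }; // 422 is the failure status named in step 4
}

// cfg = { provider, secret, minScore?, action? }; form = parsed form body (hypothetical shapes).
// fetchImpl is injectable so the decision logic can be exercised without network access.
async function verifyCaptcha(cfg, form, fetchImpl = fetch) {
  const p = PROVIDERS[cfg.provider];
  if (!p) throw new Error('unknown captcha provider: ' + cfg.provider);

  const token = form[p.field];
  // A missing or empty token is a failure, never a pass.
  if (typeof token !== 'string' || token.length === 0) return reject('missing-token');

  let result;
  try {
    const res = await fetchImpl(p.url, {
      method: 'POST',
      body: new URLSearchParams({ secret: cfg.secret, response: token }),
    });
    result = await res.json();
  } catch (err) {
    return reject('verify-unreachable'); // fail closed when the provider cannot be reached
  }

  if (result.success !== true) return reject((result['error-codes'] || ['failed']).join(','));

  if (cfg.provider === 'recaptcha') {
    // reCAPTCHA v3 reports success plus a score; the verifier has to apply a threshold itself.
    const minScore = cfg.minScore ?? 0.5; // assumed default threshold
    if (typeof result.score !== 'number' || result.score < minScore) return reject('low-score');
    if (cfg.action && result.action !== cfg.action) return reject('action-mismatch');
  }
  return { ok: true };
}
```

The secret appears only in the server-to-provider request body, and every failure path (missing token, provider rejection, low score, unreachable provider) ends in the same 422 outcome.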

Secret keys stay on the server

Never include your captcha Secret Key in frontend code. Only the Site Key goes in your HTML. The Secret Key is configured in Submito and used for server-side verification only.

Testing Captcha

Each provider offers test keys that always pass verification during development:

# Always passes (use in dev/testing)
Site Key:   1x00000000000000000000AA
Secret Key: 1x0000000000000000000000000000000AA