Security
Block bots and unauthorized submissions before they reach your inbox.
Security holds two cards: Domain restriction (a list of approved origins for submissions) and CAPTCHA (a verification challenge from a provider of your choice). Together they stop most automated abuse; Spam filter handles what slips through.
Reject vs. filter
Security rejects bad submissions — they never reach your inbox. Spam filter accepts and routes — submissions land in the Spam tab where you can review them.
Domain restriction
Restrict which websites can submit to this form. Add the domains your form is hosted on (one per line, without protocol). Submissions from any other origin are rejected with a 403.
- Domains list — one per line, no protocol (e.g.
www.example.com). - Allow localhost — checkbox to permit
localhostorigins during development.
Full domain restriction docs →
CAPTCHA
Verify each submission with a captcha provider. Static Forms supports four providers (Pro plan):
reCAPTCHA
Google v2 and v3
Cloudflare Turnstile
Invisible, privacy-friendly
hCaptcha
Privacy-focused alternative
ALTCHA
Self-hosted, no third party
Honeypot
Invisible bot trap, always on
Domain restriction
Origin allowlist
Choosing a provider
- Turnstile — best default. Invisible to most users, no Google dependency.
- reCAPTCHA — pick v3 for invisible scoring, v2 if you want the explicit "I'm not a robot" checkbox.
- hCaptcha — drop-in alternative to reCAPTCHA, more privacy-conscious.
- ALTCHA — when you want to avoid third-party services entirely.
Tier gating
- Domain restriction — Pro plan.
- CAPTCHA (any provider) — Pro plan.
- Honeypot — every plan; works automatically.