Anti-spam form protection

SpamFlip

Drop-in protection that scores every form submission, quarantines the ambiguous, and forwards the clean ones — without breaking your form.

How it works

Score

Multiple independent signals — behavioral, reputational, and content-based — combine into a single confidence score.

Route

Clear submissions forward to your handler. Borderline ones are quarantined for one-click review. The rest get a benign response.

Never breaks

If the proxy is unreachable, the snippet submits your form directly to its original endpoint. Protection degrades; the form keeps working.

Privacy-first

Emails, payloads, and IPs are stored only as SHA-256 hashes. No plaintext PII is persisted or logged.

This build is honest about scope: there is no connection-holding “tarpit” (it would bill the host, not the attacker) and no automatic abuse-registry reporting (false positives harm innocent senders). Confirmed spam is recorded with a log-only note of what would be reported.

Live demo

This form is protected by SpamFlip (site demo, store-only). Submit it, then open the dashboard to see how it scored.

Install

Add the snippet, mark your form. The original action stays as your fallback.

<script src="https://spamflip.app/sf.js" data-site-key="demo" defer></script>

<form data-spamflip action="https://formspree.io/f/abc123" method="POST">
  <input name="email" type="email" />
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>

Configure per-site allow-listed forward endpoints and origins via the SPAMFLIP_SITES environment variable. The forward target is always server-side — never taken from the client — so the proxy can’t be used as an open relay.