Drop-in protection that scores every form submission, quarantines the ambiguous, and forwards the clean ones — without breaking your form.
Nine heuristics — honeypot, fill timing, mouse movement, IP and domain reputation, payload patterns, repeat-rate — produce a 0–100 score.
Clean (0–29) forwards to your handler. Ambiguous (30–69) is quarantined for one-click review. Spam (70+) gets a benign response.
If the proxy is unreachable, the snippet submits your form directly to its original endpoint. Protection degrades; the form keeps working.
Emails, payloads, and IPs are stored only as SHA-256 hashes. No plaintext PII is persisted or logged.
This form is protected by SpamFlip (site demo, store-only). Submit it, then open the dashboard to see how it scored. Try filling it in under two seconds to trip the timing signal.
Add the snippet, mark your form. The original action stays as your fallback.
<script src="https://spamflip.app/sf.js" data-site-key="demo" defer></script> <form data-spamflip action="https://formspree.io/f/abc123" method="POST"> <input name="email" type="email" /> <textarea name="message"></textarea> <button type="submit">Send</button> </form>
Configure per-site allow-listed forward endpoints and origins via the SPAMFLIP_SITES environment variable. The forward target is always server-side — never taken from the client — so the proxy can’t be used as an open relay.