Form Security Best Practices: Protecting Your Web Forms from Abuse

Why form security matters

Web forms are an open invitation for abuse. Any form on the public internet will receive:

  • Spam submissions — automated and semi-automated junk
  • Injection attacks — SQL injection, XSS payloads, command injection
  • Brute force attacks — high-volume submissions to overwhelm your system
  • Phishing attempts — using your form to send malicious emails
  • Data harvesting — bots probing your form to find vulnerabilities

Here's how to defend against each.

1. Honeypot fields

A honeypot is a form field that humans never see but bots do, because bots read the raw HTML while the field is hidden from real users with CSS. Real users therefore never fill it in. If the field arrives with a value, the submission came from a bot.

<div style="position: absolute; left: -9999px;" aria-hidden="true">
  <input type="text" name="_gotcha" tabindex="-1" autocomplete="off" />
</div>

This catches approximately 70% of spam bots with zero impact on user experience. No CAPTCHAs, no friction.

InputHaven supports honeypot fields natively — name any field _gotcha and submissions with a value in that field are automatically rejected.

2. Rate limiting

Every form endpoint should have rate limits:

  • Per-IP limits — prevent a single source from flooding your form
  • Per-form limits — prevent total submission volume from exceeding capacity
  • Sliding windows — use time-based windows rather than hard resets

InputHaven enforces rate limits at the API level. Excessive submissions from a single IP are throttled with a 429 response.
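
The three bullets above (per-IP, per-form, sliding window) as working code. This is an added example, not InputHaven's implementation; the limits (5 per IP, 100 per form, per 60 seconds) and the 202/429 status codes are illustrative assumptions.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Sliding-window limiter keyed by an arbitrary string (IP, form id, ...).

    One timestamp is kept per accepted event; timestamps older than the
    window are evicted before counting, so the limit applies over a moving
    interval instead of resetting on a fixed schedule.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so behaviour can be tested deterministically
        self._events = defaultdict(deque)

    def allow(self, key):
        """Record an event for key and return True, or False if over the limit."""
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Two independent limits, as recommended above. The numbers are illustrative
# assumptions, not InputHaven's real settings.
PER_IP = SlidingWindowLimiter(limit=5, window_seconds=60)
PER_FORM = SlidingWindowLimiter(limit=100, window_seconds=60)


def handle_submission(form_id, client_ip):
    """Return the HTTP status to send: 429 when either limit is hit, else 202."""
    if not PER_IP.allow(client_ip):
        return 429
    if not PER_FORM.allow(form_id):
        return 429
    return 202
```

In production the per-key deques should live in a shared store with expiry (for example Redis) so that limits hold across processes and idle keys are reclaimed.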

3. Input validation

Never trust client-side validation alone. Always validate on the server:

  • Type checking — ensure email fields contain valid emails
  • Length limits — prevent oversized payloads (InputHaven caps submissions at 100KB)
  • Required fields — reject submissions missing required data
  • Content sanitization — strip HTML tags and script content from text fields
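
A server-side validator that combines the honeypot check from section 1 with the four checks listed above. This is an added example, not InputHaven's code; the required field names, the simple email regex and the tag-stripping regex are assumptions (a real deployment would use a proper HTML sanitizer library).

```python
import html
import re

MAX_BYTES = 100 * 1024          # the 100KB submission cap mentioned above
HONEYPOT = "_gotcha"            # honeypot field name from section 1
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple check
TAG_RE = re.compile(r"<[^>]*>")                      # assumed, not a full parser


def validate_submission(fields, raw_body, required=("name", "email", "message")):
    """Validate one submission server-side.

    Returns (ok, errors, cleaned). Cheap checks run first: size cap, then
    honeypot, then required fields and types, then sanitization of text.
    """
    errors = []
    if len(raw_body) > MAX_BYTES:
        return False, ["payload exceeds 100KB"], {}
    # Honeypot: a real browser never populates the hidden field.
    if str(fields.get(HONEYPOT, "")).strip():
        return False, ["honeypot triggered"], {}
    for name in required:
        if not str(fields.get(name, "")).strip():
            errors.append(f"missing required field: {name}")
    email = str(fields.get("email", ""))
    if email and not EMAIL_RE.match(email):
        errors.append("invalid email")
    if errors:
        return False, errors, {}
    cleaned = {}
    for name, value in fields.items():
        if name == HONEYPOT:
            continue
        text = TAG_RE.sub("", str(value))            # strip tags and script content
        cleaned[name] = html.escape(text, quote=True)  # escape whatever remains
    return True, [], cleaned
```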

4. Domain allowlists (CORS)

Configure which domains can submit to your form. If a submission originates from an unauthorized domain, reject it.

Allowed domains: yoursite.com, www.yoursite.com

This prevents form hijacking — where someone embeds your form endpoint in their site to send spam through your account.

InputHaven lets you configure domain allowlists per form in the dashboard.

5. CSRF protection

Cross-Site Request Forgery (CSRF) attacks trick users into submitting forms they didn't intend to. Standard HTML forms are vulnerable because the browser attaches the user's cookies to a form submission regardless of which site the form lives on.

For API-based submissions (using fetch), CSRF is less of a concern because you're not relying on cookies for authentication. The form ID itself is a public identifier — it's not a secret.

For additional protection, InputHaven verifies the Origin and Referer headers against your domain allowlist.
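
How a receiver can check Origin and Referer against the domain allowlist from section 4. This is an added example, not InputHaven's code; it assumes a case-insensitive header mapping and uses the allowlist values shown above. Hostnames are compared exactly, which avoids the common mistake of a suffix match that would also accept a lookalike host ending in the allowed domain.

```python
from urllib.parse import urlsplit

# Allowlist from the section 4 example
ALLOWED_DOMAINS = {"yoursite.com", "www.yoursite.com"}


def _allowed_host(url, allowed):
    """True if url is https and its hostname is exactly one of the allowed hosts."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # Require https (checklist item "HTTPS enforced"); hostname drops any port.
    return parts.scheme == "https" and (parts.hostname or "").lower() in allowed


def is_allowed_origin(headers, allowed=ALLOWED_DOMAINS):
    """Decide whether a submission's browser-supplied origin is acceptable.

    Origin is authoritative when present; Referer is only a fallback for
    browsers that omit Origin. A request with neither header is rejected
    rather than assumed safe.
    """
    origin = headers.get("Origin")
    if origin:
        if origin.lower() == "null":  # opaque origin (sandboxed iframe, file://)
            return False
        return _allowed_host(origin, allowed)
    referer = headers.get("Referer")
    if referer:
        return _allowed_host(referer, allowed)
    return False
```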

6. Content Security Policy

If your form sends email notifications, submitted data is rendered inside those emails. Unescaped HTML in that data becomes an XSS and HTML-injection vector for whoever opens the notification if you're not careful.

InputHaven sanitizes all submission data before including it in email notifications. HTML tags are escaped, and URLs are rendered as plain text rather than clickable links.

7. File upload security

If your form accepts file uploads:

  • Restrict file types — only allow expected extensions (.pdf, .jpg, .png)
  • Check MIME types — verify the actual file type matches the extension
  • Limit file sizes — InputHaven caps uploads at 10MB per file
  • Store securely — use signed URLs with expiration for downloads
  • Scan for malware — at scale, consider virus scanning uploaded files

InputHaven stores uploads on Cloudflare R2 and generates time-limited signed download URLs. Files are never served directly from a public URL.
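
The first three bullets above as one check: an extension allowlist, the 10MB cap, and verification that the file's leading bytes (magic numbers) match the type the extension claims, rather than trusting the client-supplied Content-Type. This is an added example, not InputHaven's code; the allowed types follow the list above.

```python
import os

ALLOWED_EXTENSIONS = {".pdf", ".jpg", ".png"}   # expected types from the list above
MAX_UPLOAD_BYTES = 10 * 1024 * 1024            # the 10MB per-file cap mentioned above

# Leading bytes that a file of each allowed type must start with.
MAGIC_BYTES = {
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def check_upload(filename, data):
    """Return (ok, reason) for an uploaded file's name and raw bytes.

    The client's Content-Type header is deliberately ignored: it is attacker
    controlled. The magic-byte check catches a renamed executable but not a
    polyglot file, so uploads should still be stored under server-chosen names
    and served only via signed URLs, never executed or served inline.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext or '(none)'}"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds 10MB"
    if not any(data.startswith(magic) for magic in MAGIC_BYTES[ext]):
        return False, f"content does not match {ext}"
    return True, "ok"
```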

8. Webhook security

If you forward submissions to external services via webhooks, sign the payloads:

  • HMAC-SHA256 — cryptographically sign the webhook body with a shared secret
  • Timestamp validation — include a timestamp and reject old payloads to prevent replay attacks
  • HTTPS only — never send webhooks to HTTP endpoints

InputHaven signs all webhook payloads with HMAC-SHA256. Your webhook receiver can verify the signature to ensure the payload hasn't been tampered with.
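
Both sides of the scheme described above: the sender signs the timestamp and raw body with HMAC-SHA256, and the receiver checks freshness first and then the MAC in constant time. This is an added example, not InputHaven's code; the header names, the 300-second replay window and the shared secret are assumptions, and InputHaven's actual signing format is not shown on this page.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-shared-secret-placeholder"  # placeholder, not a real secret
MAX_SKEW_SECONDS = 300                               # reject payloads older than 5 minutes
TS_HEADER = "X-Webhook-Timestamp"                    # assumed header names
SIG_HEADER = "X-Webhook-Signature"


def _mac(secret, ts, body):
    # Sign "<timestamp>.<raw body>" so the timestamp is covered by the MAC
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign_webhook(body, secret=SECRET, now=None):
    """Sender side: return the headers to attach to the raw body."""
    ts = int(time.time()) if now is None else int(now)
    return {TS_HEADER: str(ts), SIG_HEADER: "sha256=" + _mac(secret, ts, body)}


def verify_webhook(body, headers, secret=SECRET, now=None):
    """Receiver side: return (ok, reason).

    body must be the raw bytes exactly as received; re-serializing parsed
    JSON would change whitespace or key order and break the MAC.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp (possible replay)"
    sig = headers.get(SIG_HEADER, "")
    if not sig.startswith("sha256="):
        return False, "missing signature"
    expected = _mac(secret, ts, body)
    # compare_digest avoids leaking the position of the first mismatching byte
    if not hmac.compare_digest(expected, sig[len("sha256="):]):
        return False, "signature mismatch"
    return True, "ok"
```

Within the skew window a replayed payload would still verify, so a receiver that needs exactly-once handling should also remember recently seen signatures or a per-event id for the length of the window.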

9. AI-powered detection

Rule-based security catches known patterns. AI catches novel attacks:

  • Sophisticated spam — grammatically correct but still unsolicited
  • Social engineering — messages designed to trick humans into taking action
  • Obfuscated content — Unicode tricks, invisible characters, encoded payloads

InputHaven's AI spam filtering analyzes submission content for these patterns using Claude. It's available on Starter plans and above.

Checklist

Before launching any form into production:

  • [ ] Honeypot field added
  • [ ] Rate limiting configured
  • [ ] Server-side input validation in place
  • [ ] Domain allowlist configured
  • [ ] File uploads restricted by type and size (if applicable)
  • [ ] Webhook signatures verified (if applicable)
  • [ ] Email content sanitized
  • [ ] HTTPS enforced
  • [ ] Monitoring and alerting set up

If you use InputHaven, all of these are handled automatically — except monitoring, which you can set up via webhooks to your own alerting system.
