Protect your forms from spam without CAPTCHAs

Form spam is inevitable. But solving CAPTCHAs frustrates real users. LazyForms offers three layers of spam protection that work invisibly: honeypot fields, Cloudflare Turnstile, and domain restriction. Most forms only need honeypot — it stops 95% of bots.

Layer 1: Honeypot fields

A honeypot is a hidden form field that's invisible to humans but visible to bots. Bots fill in every field they find — when `_honey` has a value, LazyForms rejects the submission.

<input type="text" name="_honey" style="display:none" tabindex="-1" autocomplete="off" />

**How to enable:** 1. Add the hidden input to your form HTML 2. Enable "Honeypot protection" in your form settings 3. Done — spam submissions are silently rejected

**Effectiveness:** Blocks ~95% of automated bots. Zero friction for users.

Layer 2: Cloudflare Turnstile

Turnstile is Cloudflare's privacy-friendly alternative to reCAPTCHA. It runs invisibly — no puzzles, no checkboxes. Users don't even notice it.

**How to enable:** 1. Enable Turnstile in your LazyForms form settings 2. Add the Turnstile script and widget to your page:

<form action="https://api.lazyforms.com/f/YOUR_KEY" method="POST"> <!-- your fields --> <div class="cf-turnstile" data-sitekey="YOUR_TURNSTILE_SITE_KEY"></div> <button type="submit">Send</button> </form> ```

  1. LazyForms validates the Turnstile token server-side before accepting the submission.

**Effectiveness:** Blocks sophisticated bots, headless browsers, and automated scripts. Still zero friction for legitimate users.

Layer 3: Domain restriction

Lock your form to only accept submissions from your domains. If someone copies your form endpoint into their own site, submissions are rejected.

**How to enable:** 1. Go to your form settings 2. Add your allowed domains (e.g., `yoursite.com`, `www.yoursite.com`) 3. LazyForms checks the `Origin` and `Referer` headers on every submission

**Effectiveness:** Prevents endpoint abuse and unauthorized form submissions from other sites.

Recommended combinations

**Low-traffic blog or portfolio:** - Honeypot only — simple, effective, zero setup

**Business website or landing page:** - Honeypot + Domain restriction

**High-traffic site or under active attack:** - Honeypot + Turnstile + Domain restriction

All three layers are free on LazyForms. Enable them in your form settings.

Why not reCAPTCHA?

Google reCAPTCHA has problems:

  • Privacy — sends user data to Google
  • UX friction — "select all traffic lights" frustrates users
  • Accessibility — difficult for users with disabilities
  • Mobile — harder to complete on phones

Cloudflare Turnstile is: - Invisible to users (no interaction required) - Privacy-preserving (no Google tracking) - Fast (runs in milliseconds) - Free for any traffic volume

Ready to get started?

Get your form endpoint in seconds. Free forever.

Enter your email to receive your form action URL · No password needed

More guides

How to add forms to a static siteHandle form submissions in React without a backendAuto-sync form submissions to Google SheetsAutomate workflows with form submission webhooks