Automatic spam protection
ContactFire filters spam before it reaches your inbox. Three independent layers catch bots without ever showing a CAPTCHA to real visitors.
How it works
The Cloudflare edge rejects more than 10 requests per IP per minute before they reach the server.
A hidden field that no real user fills in. Bots that auto-complete all fields get silently discarded.
Suspicious patterns — rapid submissions, known spam content, header anomalies — flag the submission for review.
Honeypot field
The JS embed snippet automatically injects a honeypot field and hides it with CSS. If you build a plain HTML form, add the field yourself:
<!-- Honeypot — must stay empty -->
<input
type="text"
name="_honeypot"
value=""
style="display:none !important;"
tabindex="-1"
autocomplete="off"
/>tabindex="-1" and style="display:none" keep it invisible to assistive technology and real users alike.Edge-layer filtering
ContactFire runs on Cloudflare Workers at the edge. Rate limiting runs in Cloudflare KV before any request reaches the server, so flood attacks are stopped immediately.
| Rate limit | 10 requests per IP per minute |
| Enforcement layer | Cloudflare edge (before reaching the server) |
| Response to blocked IPs | HTTP 429 with Retry-After header |
Heuristic checks
Submissions that pass rate limiting and the honeypot check go through server-side analysis. These signals trigger a spam flag:
- Fields contain known spam keywords or link patterns
- Submission timing is suspiciously fast (below human typing threshold)
- Missing or malformed HTTP headers expected from real browsers
- Multiple identical submissions from the same IP within a short window
Flagged submissions
When a submission is flagged as spam:
- The API returns
{"status":"success"}— the submitter does not know they were flagged - The submission is stored with
spam: true - No email notification is sent
- The submission appears in the Spam inbox tab in your dashboard
To review spam: open Inbox → Spam. You can mark any submission as "not spam" to move it to your main inbox.
Avoiding false positives
Legitimate submissions are rarely flagged, but here is what can cause a false positive and how to prevent it:
Manual review
You can always access spam submissions from your dashboard:
- Go to Inbox
- Click the Spam tab
- Open any submission to view its full content
- Click Not spam to move it to your main inbox