
How we rate-limit forms without storing raw IPs

The Formward Team, Formward AB, Stockholm

Rate limiting is the unglamorous backbone of spam defence. To know that one source is hammering your form, you need a stable key to count submissions against, and the obvious key is the visitor's IP address.

The trouble is that an IP address is personal data under the GDPR. Keeping a plain log of every submitter's IP is exactly the kind of incidental data hoarding that turns into a liability the moment you are asked to account for it.

Formward never stores a raw IP. We hash it with a keyed function before it touches storage, so the value we keep is useless for identifying anyone, yet stable enough to count against. Floods from a single source still get caught; the underlying address is gone.

It is a small engineering decision with an outsized privacy payoff: the system gets the signal it needs without retaining the thing that would have been sensitive. Privacy-by-design is mostly a stack of choices like this one.
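The scheme described above, sketched as an added example; this is not Formward's code. It assumes HMAC-SHA256 as the keyed function, an in-memory sliding window, and per-/64 counting for IPv6; the names `rate_key` and `SlidingWindowLimiter` are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict, deque

# Constructed for this example: in practice the key comes from a secret store
# and is never written next to the hashed values.
SECRET_KEY = secrets.token_bytes(32)


def rate_key(raw_ip: str, key: bytes = SECRET_KEY) -> str:
    """Map an IP to a stable pseudonymous key; the raw address is never stored."""
    ip = ipaddress.ip_address(raw_ip.strip())
    if ip.version == 6:
        if ip.ipv4_mapped is not None:
            # ::ffff:a.b.c.d and a.b.c.d are the same client
            ip = ip.ipv4_mapped
        else:
            # Assumption: count per /64, since one host can use any address in it
            ip = ipaddress.ip_network(f"{ip}/64", strict=False).network_address
    # The key matters: an unkeyed hash of an IPv4 address can be reversed by
    # enumerating all 2**32 candidates.
    return hmac.new(key, ip.packed, hashlib.sha256).hexdigest()


class SlidingWindowLimiter:
    """Allow at most `limit` submissions per hashed source in `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(deque)  # hashed key -> submission timestamps

    def allow(self, raw_ip: str, now: float) -> bool:
        q = self.hits[rate_key(raw_ip)]
        # Drop timestamps that have aged out of the window
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

Once the key is destroyed or rotated, stored values can no longer be matched to an address by recomputation; the cost is that counters start over.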

About the author

The Formward Team builds privacy-first form infrastructure in Stockholm. Read about our security and privacy practices. Our approach follows the principles set out by the European Data Protection Board at edpb.europa.eu.
