Stopping form spam without Google reCAPTCHA

The Formward Team·Formward AB, Stockholm·2026-05-29

reCAPTCHA is the default answer to form spam, and it is a bad one. It loads Google scripts onto your page, tracks your visitors across the web, and forces real people to click on traffic lights. It also quietly makes you a data exporter to a US company.

Formward blocks spam in layers, none of which require shipping your users to a third party. The first layer is a honeypot: an invisible field that humans never fill in but naive bots do. The second is rate limiting keyed on a hashed IP address, so we never store a raw IP yet can still detect floods of submissions.

For forms that attract determined attackers, you can switch on Cloudflare Turnstile. Turnstile runs a lightweight challenge without the surveillance and without the maze of image puzzles. Most visitors never see anything at all.

On Pro plans, AI spam scoring adds a final layer: each submission is scored for how spammy its content looks, so even messages that slip past the mechanical filters get flagged before they reach your inbox. The result is a clean inbox without selling out your visitors' privacy.