Now we’re are using Netlify forms in production I’ve been thinking about protecting from misuse.
It’s great to have honeypot and reCATCH support but I was wondering if it would be useful to ignore submissions not from a specific Domain? Is that something Netlify would add? Does it already do so? I’ve not tried but observe submissions from localhost do not work when using Netlify Dev (shame).
We could do the check in a function I guess but spam might still be sitting in the Netlify forms list (which I think we will largely ignore).
There are no options to limit form submissions to a specific domain. Feel free to open a Feature Request in #features.
Submitting form data via Netlify Functions would bypass Netlify Forms. Such a function (example) could/would send the form data to a specified email address, and/or could add it to a database, etc. I have a (not yet public) function that checks a Supabase table prior to processing the data (bad person === no send.)
The functions for forms are only triggered after a successful submission. Checking spam at that point doesn’t really do any good in my opinion, unless that use case is going to fit your needs.
Plus, it’s not very difficult to bypass referrer checks and submit a form via Postman or curl.
I was think of posting to a function instead of netlify forms.
I now find we cant manage the akismet filtering at all and it’s killing my end-to end tests. So yes ,I’ll use a function as you suggest and do my own content transform. If spam becomes a problem them I can add filtering of some sort.