Security Layers
Headless Forms uses a 4-layer security model. Each layer works independently — you can use any combination depending on your needs. All layers are configured per-form in the dashboard.
Layer 1: Origin Validation (CORS)
Every form can have a whitelist of allowed origins. When a request arrives, the Origin header is checked against this list.
- Strict mode: Rejects requests that don't include an
Originheader. Useful for browser-only forms. - Access token bypass: Requests with a valid
X-Form-Access-Tokenheader skip origin checks. This allows server-to-server submissions. - If no origins are configured, all origins are allowed.
Preflight OPTIONS requests are handled automatically with the correct CORS headers.
Layer 2: Invisible Honeypot
A hidden field that real users never see or fill in. Bots that auto-fill all fields will populate it and get rejected.
- The honeypot field name is configurable per form in the dashboard.
- The honeypot field is removed from the submission data — it never appears in your saved submissions.
Adding the Honeypot to Your Form
Add a hidden input that humans won't see. Use the field name you configured in the dashboard:
<div style="display: none;" aria-hidden="true">
<input type="text" name="your_honeypot_field" tabindex="-1" autocomplete="off" />
</div>
Layer 3: Bot Protection (Turnstile / reCAPTCHA)
Challenge-based verification. Three providers are supported:
| Provider | Token Field |
|---|---|
| Cloudflare Turnstile | cf-turnstile-response |
| reCAPTCHA v2 | g-recaptcha-response |
| reCAPTCHA v3 | g-recaptcha-response |
- Token fields are automatically removed from the submission data.
- Configure the provider and credentials per form in the dashboard.
- See Bot Protection for detailed setup instructions.
Layer 4: Rate Limiting
IP-based throttling prevents rapid-fire submissions.
- Per-form cooldown: Configurable cooldown period per form. One submission per cooldown period per IP.
- When rate limited, the API returns a
429status with aRetry-Afterheader.