"Our survey is getting junk submissions" and "our contact form is flooded with spam links" — anyone running a public form hits this. Bot and spam protection is unavoidable.
This article covers the main options and the UX / accuracy / cost trade-offs.
What you're defending against
Common attack patterns
- Spam bots — bulk commercial spam, link injection
- Credential stuffing — login attempts with leaked credentials
- Data harvesting — automated form-fill to extract structure
- DDoS — mass form submissions overloading the server
Actual cost
- 100 spam submissions per day is normal
- 1,000+ per month is real headcount cost in manual filtering
- Junk responses in survey data distort decisions
Bot protection history
Gen 1: Simple CAPTCHA (2000s)
Distorted-text input. Early on it worked; AI now breaks it trivially. Severe accessibility problems too.
Gen 2: reCAPTCHA v2 / "I'm not a robot" (2014)
Checkbox click. Improved against bots, but image-recognition tasks killed UX.
Gen 3: reCAPTCHA v3 (2018)
Background scoring without user interaction. UX recovered, but privacy concerns grew about shipping user data to Google.
Gen 4: Cloudflare Turnstile / hCaptcha (2022)
Privacy-focused alternatives. Cloudflare offers Turnstile free; UX is dramatically better; adoption is climbing fast.
Main options compared
| Item | reCAPTCHA v3 | Cloudflare Turnstile | hCaptcha |
|---|---|---|---|
| UX | Good (background) | Best (mostly no interaction) | Good (occasional image task) |
| False-positive rate | Slightly high | Low | Medium |
| Privacy | △ Google data | ◎ Cloudflare-internal | ◎ Privacy-focused |
| Free tier | 1M calls/mo | Fully free | 1M/mo |
| Implementation ease | Easy | Easy | Easy |
| Mobile | Good | Best | Good |
How to choose
- UX-first + privacy-conscious → Cloudflare Turnstile
- Already in Google ecosystem → reCAPTCHA v3
- Heavy EU GDPR audience → hCaptcha
Repoan's defaults
Repoan ships Cloudflare Turnstile on every form by default. No config — protection applies to:
- Public forms
- Embedded forms
- iframe-served forms
Users see a small "✓ Protected" indicator. In most cases, no clicks required — UX stays clean.
Supplementary defenses
CAPTCHA isn't the only layer; stacking the defenses below compounds the protection.
1. Honeypot
A hidden input field. Bots fill all fields; humans don't see it:
<input type="text" name="website" style="display:none;" tabindex="-1" autocomplete="off">
Any value in that field = bot, reject.
2. Submission time validation
Humans need several seconds to fill in a form. A submission under one second = bot.
3. Rate limiting
Multiple submissions from the same IP within a short window → trigger additional checks.
4. Email format validation
Block disposable email domains (10minutemail and friends).
Human-source junk responses
CAPTCHA stops bots. Humans submitting low-quality answers are a separate problem.
Duplicate prevention
- Limit submissions per IP
- Detect duplicate email submissions
- Browser fingerprinting to identify devices
Low-quality detection
- Abnormally fast completion (10 questions in 10 seconds)
- Single-character open text (".", "a")
- All same selection ("very satisfied" for everything)
Repoan's AI analysis auto-flags these low-quality patterns too.
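The four supplementary checks (honeypot, submission time, rate limit, disposable email) and the low-quality heuristics above, combined into one server-side evaluator. This is an added illustration, not Repoan's code; the thresholds, field names and the disposable-domain list are constructed assumptions, and Turnstile token verification (Cloudflare's siteverify call) is deliberately left outside the block.

```python
from collections import defaultdict, deque

# Constructed settings; tune to your own form.
HONEYPOT_FIELD = "website"          # same name as the hidden input above
MIN_FILL_SECONDS = 1.0              # sub-1-second submissions are treated as bots
MIN_SECONDS_PER_QUESTION = 1.0      # 10 questions in 10 seconds is suspicious
RATE_WINDOW_SECONDS = 600           # sliding window for per-IP counting
RATE_MAX_PER_IP = 5                 # submissions allowed per IP per window
DISPOSABLE_DOMAINS = {"10minutemail.com", "disposable.example"}  # illustrative list

_ip_history = defaultdict(deque)    # ip -> timestamps of recent submissions


def rate_limited(ip: str, now: float) -> bool:
    """Sliding-window count; True once an IP exceeds RATE_MAX_PER_IP in the window."""
    q = _ip_history[ip]
    while q and now - q[0] > RATE_WINDOW_SECONDS:
        q.popleft()
    q.append(now)
    return len(q) > RATE_MAX_PER_IP


def bot_signals(fields: dict, rendered_at: float, submitted_at: float, ip: str) -> list:
    """Supplementary bot checks. rendered_at must come from a server-issued
    (signed) hidden field, otherwise a bot can forge the fill time."""
    reasons = []
    if fields.get(HONEYPOT_FIELD):            # any value in the hidden field = bot
        reasons.append("honeypot_filled")
    if submitted_at - rendered_at < MIN_FILL_SECONDS:
        reasons.append("too_fast")
    if rate_limited(ip, submitted_at):
        reasons.append("rate_limited")
    domain = fields.get("email", "").rpartition("@")[2].lower()
    if domain in DISPOSABLE_DOMAINS:
        reasons.append("disposable_email")
    return reasons


def low_quality_signals(answers: dict, open_text: dict, fill_seconds: float) -> list:
    """Heuristics for human-sourced junk: implausible speed, one-character
    open text, and straight-lining (the same choice for every scale question)."""
    reasons = []
    n = len(answers) + len(open_text)
    if n and fill_seconds / n < MIN_SECONDS_PER_QUESTION:
        reasons.append("implausibly_fast")
    if any(len(t.strip()) <= 1 for t in open_text.values()):
        reasons.append("single_char_text")
    if len(answers) >= 3 and len(set(answers.values())) == 1:
        reasons.append("straight_lining")
    return reasons
```

Treat `bot_signals` hits as a hard reject and `low_quality_signals` hits as flags for review, so that a slow but honest respondent is never blocked outright.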
Recommended by use case
B2B (asset request / inquiry)
- Cloudflare Turnstile (standard)
- Honeypot stacked
- Business-domain-only restriction (optional)
B2C (CSAT / campaigns)
- Cloudflare Turnstile (standard)
- Duplicate prevention (email auth)
- Heightened identity verification for incentive payouts
Internal surveys
- Heavy CAPTCHA not needed (corp network)
- SSO for identity
Public prize campaigns
- Strong CAPTCHA + dedupe + identity verification
What not to do
❌ Nothing
A public form without CAPTCHA hits spam saturation in days.
❌ Old text-recognition CAPTCHA
Bad UX, easily bypassed by modern AI.
❌ Honeypot only
Sophisticated attackers evade honeypots. Use CAPTCHA and honeypot together.
❌ Over-aggressive validation
High false-positive rate hurts UX and conversion.
Summary
Modern best practice:
- Cloudflare Turnstile as the default (best UX × privacy balance)
- Honeypot + submission-time validation as supplements
- Duplicate prevention via email auth or fingerprinting
- Low-quality detection automated via AI analysis
Repoan ships Cloudflare Turnstile as default. No config — all forms protected. No reCAPTCHA-style UX hit, no data shipped to Google.