Under the hood

How we keep spam off this form

Almost all form spam comes from robots that never even open your page. The fix is simple: we only accept a message if it proves it came from a real person actually using the form. No Google, no captcha puzzles, no tracking.

A robot doesn't use your form like you do

This one difference is the whole trick. Once you see it, the rest is obvious.

How you use it

You open the page, read it, type your name and message, and press send. While you do, the page quietly does a small check and hands your browser a kind of ticket that proves a real person was actually here.

How a robot uses it

It never opens your page or sees any of this. It throws junk straight at the hidden address behind the form, the way someone might shove a flyer under the door instead of knocking. It does this to thousands of sites a day, a few goes each, which is why you get the odd junk message and not a flood.

So we check one thing: were you really here?

Not a puzzle to solve, just a quiet check that you came from a real browser.

No ticket, no entry.

Our server simply refuses any message that doesn't carry that ticket. A robot firing junk at the back door never opened the page, so it never got one, and its message is thrown out before it ever reaches us. That single rule stops almost all of it, and you never see it happen. You just fill in the form like any other website.

The ticket can't be copied or guessed either, because your device makes a fresh one each time by doing a tiny scrap of real computing work. That is all the brief "Checking you're a real person" pause is. A rarer, cleverer robot could run the page properly to earn a ticket, but then it has to do that work on every single attempt, which is the slow, fiddly thing it is built to avoid. So it gives up and moves to an easier target.

Four quiet checks, working together

You sail straight past all four without noticing. A junk robot trips over them.

Check 01

A box only a robot ticks

There's a box on the form you can't see. Robots fill in everything they find, so the moment one ticks it, we know it isn't a person.

Check 02

Real people aren't that fast

A person takes a few seconds to read and type. A message that arrives in a split second wasn't typed by a human.

Check 03

The ticket

The main one. A real browser that loads and uses the page earns a ticket. No ticket, no entry, so junk fired at the back door is dropped on sight.

Check 04

Knock too often and the door locks

If something does keep trying over and over from the same place, we quietly stop letting it through.

What actually reaches you

A robot fires the same junk at both forms. Only one of them passes it on.

A normal form
every one lands in the inbox
Our form
0 reach you

A normal form passes whatever it's handed straight to the inbox. Ours checks every message for a ticket proving it came from a real browser that used the page. The robot never opened the page, so it never has a ticket, and the junk is dropped before it ever lands in front of you.

For the techies

No third parties, no cookies, no tracking. Here's exactly what's under the hood, and we'll happily build the same into any form we make for you.

honeypot
A hidden field a real person never sees or fills. Any value in it means an automated client filled the whole form, so the submission is dropped.
time‑trap
The challenge carries a server timestamp. A submission that arrives within a few seconds, or after the window expires, didn't come from a human reading and typing, and is rejected.
proof‑of‑work
On page load the server issues an HMAC-signed challenge: salt + timestamp + difficulty + signature. A Web Worker then brute-forces a SHA-256 nonce whose hash has the required number of leading zero bits, off the main thread so the page never blocks. The solved token rides along with the form post.
verification
The server re-checks three things with no database and no session: the HMAC signature is ours and unaltered, the timestamp is inside its window, and the nonce genuinely satisfies the difficulty. Anything missing or off, and the message is binned. The browser's SHA-256 was verified byte-identical to the server's before launch.
forge‑proof
Because the challenge is signed with a server-only secret, a token can't be hand-crafted, reused, or replayed past its short life. Security rests on the signature, not on hiding how it works.
rate‑limit
Per-IP throttling, backed by SQLite, stops anyone grinding repeated attempts from a single source.
heuristics
A last pass over the message itself catches link-stuffing, gibberish and the obvious junk patterns that slip through everything else.
silent
Every rejection returns the exact same response a success does, so a bot gets no signal to learn or tune against.
self‑hosted
No reCAPTCHA, no Friendly Captcha, no external scripts, no web fonts, no cookies. The whole thing runs on our own server and in your browser, full stop.

Done properly

How something is built matters as much as what it does.

Private

No Google watching your visitors and no outside trackers. The whole thing runs on our own server and in your browser, and nowhere else.

Nothing for you to do

No traffic-light puzzles, no "pick all the buses." Real people just get through without lifting a finger.

This is how we build

If we take this much care over our own contact form, picture the care we put into your project.

We build this kind of thing for a living

Websites, online systems, software products and ServiceM8 add-ons, built properly, right down to the details most people never notice.

Start a project