Jan 27, 2024

Endpoint Security

Protect endpoint submissions with restricted domains, honeypot fields, and CAPTCHA validation.

Time to lock it down. We've added three new layers of endpoint defense to protect against spam, bots, and automated attacks.

  1. Restricted domains (CORS origins)
  2. User-defined honeypot fields

✨ Restricted domains & honeypot fields are available on ALL plans.

Security layer 1: Restricted domains (CORS origins)

For whatever reason, all of our competitors put restricted domains behind a paywall. Good news: we are not our competitors, and beleive that a base layer of security should be available from the get go.

With restricted CORS origins you can define what hosts can make a submission to an endpoint. Preventing submissions that do not originate from your defined URL patterns:

protocol://hostname[:port] (use * for wildcard)

You can define multiple origins on your endpoints!

Security layer 2: Honeypot fields

Honeypot fields are also normally paywalled, but they're free on Submit JSON 💚

“Honeypot” fields are hidden form fields that lure bot users into completing a field that human users can’t detect. A form submitted with a completed honeypot field can be safely rejected because only a bot would detect and complete the field.

You can alert Submit JSON to a hidden honeypot field in a few easy steps:

  1. Define a honeypot field on your endpoint settings with the name of your hidden field.
  2. Then make sure that field is present in the form, but hidden via CSS or JavaScript.
  3. If the field exists in your data upon submission, we block it and throw an error

Security layer 3: CAPTCHA

Last but not least, we built seamless integrations with three popular captcha providers: Google reCAPTCHA, Cloudflare Turnstile, and hCaptcha.

✨ CAPTCHA integrations are available on paid plans.

Here's how we make it easy to defend against bots and spam:

  1. Set and forget your CAPTCHA secret key in an endpoint's security settings
  2. Integrate the CAPTCHA widget on your front end
  3. Submit your form with the default token response, or set it programatically in the submit request options.
  4. We automatically validate the CAPTCHA token, and if it's invalid SUBMIT JSON blocks the submission and throws an error

Read more in the guides for each CAPTCHA integration:

Get notified in 5 minutes

Submit JSON delivers your submissions via email, integrations, and webhooks. Set up takes less than 5 minutes.