
Security & Privacy

We treat your data with the highest level of security. From invisible spam shields to strict internal architecture rules, here is how FormsIntel protects you and your respondents.

Multi-Layer Spam Defense

Sub-Second Velocity Shield

Bots fill forms instantly. FormsIntel records the exact millisecond a form is rendered and the millisecond it is submitted. If the elapsed time is below the threshold a human could plausibly achieve (default: 1.8 seconds), the submission is silently flagged as spam without alerting the bot.

Honeypot Traps

Our React SDK and headless endpoints automatically inject visually hidden fields into your forms. Human users never see or interact with them. Scraper bots automatically fill all <input> elements. If a honeypot field contains data, the submission is flagged.

Infrastructure Security

Server-side defenses implemented at the API layer.

SSRF Protection (Server-Side Request Forgery)

When you configure a Webhook URL, FormsIntel's backend must make an HTTP request to that URL. To prevent attackers from forcing our servers to probe internal networks or cloud metadata endpoints, we implement strict SSRF rules:

  • DNS resolution checks to block localhost (127.0.0.1).
  • Rejection of Private IP ranges (RFC 1918).
  • Restriction to standard HTTP/HTTPS ports.
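As an added example (not FormsIntel's own code; the host names, the FAKE_DNS table and the resolver interface are assumptions), here is a Python validator applying the three rules above: it resolves the hostname, rejects any answer in loopback, private or link-local space (which includes the cloud metadata address), and allows only ports 80 and 443.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}                  # rule 3: standard HTTP/HTTPS ports only
DEFAULT_PORT = {"http": 80, "https": 443}

def is_forbidden(ip):
    """True for any address the backend must never be told to contact."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                # ::ffff:127.0.0.1 is still loopback
    # not is_global rejects loopback, RFC 1918, link-local (e.g. 169.254.169.254 metadata), CGNAT
    return (not ip.is_global) or ip.is_multicast

def resolve_all(hostname):
    """Every A/AAAA record for hostname; IP literals pass straight through."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def validate_webhook_url(url, resolver=resolve_all):
    """Return (ok, reason); reject if ANY resolved address is forbidden."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORT[parts.scheme]
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (OSError, ValueError):
        return False, "hostname does not resolve"
    for ip in addrs:
        if is_forbidden(ip):
            return False, f"resolves to blocked address {ip}"
    return True, "ok"

# Constructed DNS table (hypothetical hosts) so the checks run offline.
FAKE_DNS = {"hooks.example.com": ["93.184.216.34"],
            "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
            "meta.example.com": ["169.254.169.254"],
            "mapped.example.com": ["::ffff:10.0.0.5"]}

def fake_resolver(hostname):
    # Unknown names fall back to IP-literal parsing; non-literals raise ValueError.
    return FAKE_DNS.get(hostname) or [str(ipaddress.ip_address(hostname))]
```

The request itself should then be sent to the address that was checked rather than re-resolving the name, otherwise a second DNS answer can differ from the one that passed.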

Payload Validation & Sanitization

Before a submission is saved to the database or broadcast via webhook, the raw JSON payload undergoes deep sanitization. HTML tags, script injections, and excessive string lengths are automatically truncated or neutralized to prevent Stored XSS attacks in your Dashboard or Webhook receiver.

Data Privacy

How we handle the data passing through our servers.

  • IP Masking: For geographic heatmaps, IP addresses are processed in memory to extract city and country data. The raw IP is then partially masked (e.g., 192.168.*.*) before being saved to the database, in line with GDPR/CCPA requirements.
  • Data Ownership: You own all your data. FormsIntel does not sell, rent, or analyze your submission data for advertising purposes.
  • Hard Deletion: When you delete a form from the Dashboard, the form schema, analytics data, and all associated submissions are hard-deleted from the database. We do not keep shadow copies.

Roadmap

  • HMAC Webhook Signatures: Cryptographically signing all webhook payloads with a secret key so your server can verify the request authentically originated from FormsIntel.
  • End-to-End Encryption (E2EE): Allowing developers to provide a public key so that form data is encrypted in the browser before hitting our servers. Only the developer with the private key can decrypt the data.