Available on: All plans
One way to improve the security of your form is to only allow submissions from forms hosted on an authorized domain. To accomplish this, go to your project's settings and find `Restrict to Domain`. Enter your domain without a protocol.
Once saved, only submissions originating from forms on that domain, or any subdomain, will be permitted. Any submissions from unauthorized domains will be sent to your spam inbox.
Restricting to subdomains, including www
If you enter a domain into `Restrict to Domain` without a subdomain, it will automatically match any subdomain. However, if you supply a subdomain, only submissions from that subdomain will be permitted. For example, if you enter `blog.my-website.com`, only forms on pages under the `blog` subdomain will be allowed to submit.
This is also true for the `www` subdomain. Adding the `www` prefix in settings will only permit forms to submit from the `www` subdomain. However, some websites can be reached with or without the `www` prefix. If your website is accessible through both the bare domain and the `www` subdomain, you should leave off the `www` subdomain in the `Restrict to Domain` settings.
Referrer-Policy Header
If your web server sends a `Referrer-Policy` header, the strictest setting it can use is `strict-origin-when-cross-origin`. If it is set to `no-referrer` or `same-origin`, then the browser will not send the `referer` header and submissions will be marked as spam.
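The matching rules from the subdomain section and the missing-header case above can be modelled as follows. This is an added example, not the service's own code; `classifySubmission` and `isBareDomain` are hypothetical names, and treating a two-label setting as a bare domain is an assumption.

```javascript
// Added illustration; not the service's implementation.
// Assumption: a setting with exactly two labels ("my-website.com") is a bare
// domain. Suffixes such as "co.uk" would need a public-suffix list instead.
function isBareDomain(setting) {
  return setting.split(".").length === 2;
}

// Returns "accept" or "spam" for one submission, given the Referer header
// value (undefined or "" when the browser withheld it) and the
// Restrict to Domain setting.
function classifySubmission(refererHeader, restrictTo) {
  // Header absent: Referrer-Policy no-referrer / same-origin, or a browser
  // that blocks the header.
  if (!refererHeader) return "spam";

  let host;
  try {
    host = new URL(refererHeader).hostname.toLowerCase();
  } catch {
    return "spam"; // header value is not a parseable URL
  }

  const allowed = restrictTo.trim().toLowerCase();
  if (host === allowed) return "accept";

  // Subdomains match only for a bare domain, and only on a label boundary,
  // so "not-my-website.com" does not pass for "my-website.com".
  if (isBareDomain(allowed) && host.endsWith("." + allowed)) return "accept";

  return "spam";
}

// Constructed sample inputs: [Referer header, Restrict to Domain setting].
const samples = [
  ["https://www.my-website.com/", "my-website.com"],
  ["https://my-website.com/contact", "www.my-website.com"],
  ["https://shop.my-website.com/", "blog.my-website.com"],
  ["https://not-my-website.com/", "my-website.com"],
  [undefined, "my-website.com"],
];
for (const [referer, setting] of samples) {
  console.log(String(referer), "|", setting, "->", classifySubmission(referer, setting));
}
```

With `strict-origin-when-cross-origin` the browser sends only the origin (for example `https://www.my-website.com/`), which is enough for the hostname comparison.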
Caveat concerning browser support
The `Restrict to Domain` feature relies on the `referer` header to identify the page from which the form was submitted. The Brave browser may block the `referer` header. This issue has been filed with the Brave team. We'd love your help bringing this to the Brave team's attention by upvoting it.