Available on: All plans
One way to improve the security of your form is to only allow submissions from forms hosted on an authorized domain. To accomplish this, go to Settings tab of your Project and find "Restrict to Domain". Enter your domain without a protocol:
Once saved, only submissions originating from forms on that domain, or any subdomain, will be permitted. Any submissions from unauthorized domains will be sent to your spam inbox.
Restricting to subdomains, including www
If you enter a domain into "Restrict to Domain" without a subdomain, it will automatically match any subdomain. However, if you supply a subdomain, only submissions from that subdomain will be permitted. For example, if you enter `blog.my-website.com`, only forms on pages under the "blog" subdomain will be allowed to submit.
This is also true for the "www" subdomain. Adding the "www" prefix in settings will only permit forms to submit from the "www" subdomain. However, some websites can be reached with or without the "www" prefix. If your website is accessible through both the bare domain, and the "www" subdomain, you should leave off the "www" subdomain in the "Restrict to Domain" settings.
Referrer-Policy Header
If your web server sends a referrer-policy
header the strictest setting it can use is strict-origin-when-cross-origin
. If it set to no-referrer
or same-origin
then the browser will not send the referer
header and submissions will be marked as spam.
Caveat concerning browser support
The Restrict to Domain feature relies on the referer
header to identify the page from which the form was submitted. The Brave browser may block the referer
header. This issue has been filed with the Brave team. We'd love your help bringing this to the Brave team's attention by upvoting it.