
Security Options

Easy Forms includes multiple security features to protect your forms from spam and malicious submissions.

CSRF Protection

Cross-Site Request Forgery (CSRF) protection is enabled by default on all forms and the required token is automatically included.

Honeypot Spam Detection

A honeypot field is an invisible trap for spam bots: the form includes a field that real users never see and therefore leave empty, while bots that fill in every field they find in the markup will populate it. If the field arrives with a value, the submission is rejected.

Enable Honeypot:

Set the handle of the honeypot field in your form configuration. Statamic's default handle is honeypot, but bots can be tuned to skip well-known names, so choose a handle that looks like an ordinary form field.

yaml
# In form configuration
honeypot: 'name'

Then in your form add a text field with the same handle:

yaml
handle: name
field:
    type: text
    display: Name

There is no need to set it to hidden or to configure anything else. Easy Forms hides the field automatically, but bots that parse the markup will still find it and attempt to fill it in. If they do, the form behaves as if the submission succeeded, but in reality it is not processed.

Google reCAPTCHA v3

Sometimes the honeypot is not enough. Google reCAPTCHA v3 is a more advanced solution that scores each submission by analyzing user behavior, without requiring any interaction from the user.

Setup

Step 1: Install the Library

Install the ReCAPTCHA PHP library using Composer:

bash
composer require google/recaptcha

Step 2: Get reCAPTCHA Keys

Get your keys from Google reCAPTCHA:

  • Choose reCAPTCHA v3
  • Add your domain
  • Get Site Key and Secret Key

Step 3: Add Keys to Environment

Add the keys to your .env file:

dotenv
RECAPTCHA_SITE_KEY=your_site_key_here
RECAPTCHA_SECRET_KEY=your_secret_key_here

# Optional: Set custom score threshold (default: 0.5)
# Scores range from 0.0 (very likely a bot) to 1.0 (very likely a human);
# submissions that score below the threshold are rejected
RECAPTCHA_SCORE_THRESHOLD=0.5

How It Works

Frontend (Automatic)

When RECAPTCHA_SITE_KEY is set:

  1. The reCAPTCHA script loads automatically
  2. On form submit, a token is generated
  3. The token is sent with the form data as g-recaptcha-response

Backend (Automatic)

The ValidateRecaptcha listener is automatically registered when RECAPTCHA_SECRET_KEY is configured:

  1. Listens for FormSubmitted events
  2. Checks if g-recaptcha-response is present
  3. Validates the token with Google's API
  4. Enforces the score threshold
  5. Throws a validation error if verification fails
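The following is an added example and not Easy Forms' own ValidateRecaptcha listener: a standalone PHP script that performs the backend step described above using the google/recaptcha library installed in Step 1. Besides enforcing the score threshold, it pins the expected hostname and action and treats a missing token as a failure, because a verifier that skips the check when g-recaptcha-response is absent can be bypassed by simply not sending the token. This page does not state whether the addon's listener performs these extra checks, so confirm that before relying on them. The action name submit, the hostname example.com and the way the request is read are assumptions for the example.

```php
<?php
// Added example, not part of Easy Forms. Requires: composer require google/recaptcha
require __DIR__ . '/vendor/autoload.php';

use ReCaptcha\ReCaptcha;

/**
 * Verify a reCAPTCHA v3 token server-side.
 *
 * Returns null when the submission passes, otherwise a short reason string
 * that can be turned into a validation error.
 */
function verifyRecaptchaToken(
    ?string $token,
    string $remoteIp,
    string $secret,
    string $expectedHostname,
    float $threshold = 0.5,
    string $expectedAction = 'submit' // assumed: must match the action used on the frontend
): ?string {
    // Fail closed: a missing or empty token is rejected instead of skipped,
    // otherwise a bot bypasses the check by omitting g-recaptcha-response.
    if ($token === null || $token === '') {
        return 'missing-token';
    }

    $result = (new ReCaptcha($secret))
        ->setExpectedHostname($expectedHostname) // token must have been issued on your domain
        ->setExpectedAction($expectedAction)     // token must carry the action your frontend used
        ->setScoreThreshold($threshold)          // 0.0 (bot) .. 1.0 (human); below threshold fails
        ->setChallengeTimeout(120)               // reject tokens older than two minutes
        ->verify($token, $remoteIp);

    if (! $result->isSuccess()) {
        // Library error codes include hostname-mismatch, action-mismatch,
        // score-threshold-not-met and challenge-timeout; Google's own codes
        // such as timeout-or-duplicate (replayed or expired token) are passed through.
        return implode(',', $result->getErrorCodes());
    }

    return null;
}

// Wiring: read the same variables the .env snippet above defines.
$secret    = getenv('RECAPTCHA_SECRET_KEY') ?: '';
$threshold = (float) (getenv('RECAPTCHA_SCORE_THRESHOLD') ?: 0.5);
$token     = $_POST['g-recaptcha-response'] ?? null;
$remoteIp  = $_SERVER['REMOTE_ADDR'] ?? '';

$failure = verifyRecaptchaToken($token, $remoteIp, $secret, 'example.com', $threshold);

if ($failure !== null) {
    http_response_code(422);
    echo "reCAPTCHA verification failed: {$failure}\n";
    exit;
}

echo "reCAPTCHA verification passed\n";
```

Each token is single-use and short-lived, so a token captured from one submission cannot be replayed for another; the hostname check stops a token minted on an attacker's site with your public site key from being accepted by your backend.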

Disabling reCAPTCHA

To disable reCAPTCHA temporarily:

  • Remove RECAPTCHA_SECRET_KEY from .env. The ValidateRecaptcha listener is then no longer registered and tokens are no longer checked.
  • If RECAPTCHA_SITE_KEY is still set, the frontend script keeps loading and sending tokens that are simply ignored. Remove it as well if you also want to stop loading the script.

File Uploads

Implementing robust security precautions for file uploads is critical. Allowing users to upload arbitrary file types poses a significant security risk. Fortunately, leveraging Statamic's and Laravel's built-in features can significantly enhance upload security.

Assets Container

When using the assets fieldtype, never use a publicly accessible container: anyone who can submit the form could upload a file and then fetch it straight from your web server by URL. Best practice is to create a dedicated private container for form uploads.

Ensure that users with access to your Statamic Control Panel are trusted. Anyone who can browse the upload container can open whatever was submitted, and uploaded files that end up somewhere executable could allow them to run unauthorized code.

Files Fieldtype

When using the files fieldtype, files are attached directly to form emails. Enable this by selecting "Include attachments" in the email configuration.

Crucial: Do not include attachments in auto-response emails sent to the user (e.g., "Thank you for your message"). Doing so could allow malicious actors to use your form to distribute malware to third parties.

Validation

Since Statamic utilizes Laravel's validation system, you can and should use available validation rules to secure file uploads.

  • Restricting File Types: Use the mimes rule (e.g. mimes:pdf,doc,docx).
  • Limiting File Size: Use the max_filesize rule in kilobytes (e.g. max_filesize:2048 for 2MB).
  • Image Validation: Use the image rule to ensure the file is an image.