Developer forum

Form submit bot spam

Joakim

We have a customer who just recently started receiving form spam submissions. We believe this is due to the fact that we changed an input field to type="email", since this was previously lacking.

We were considering an implementation of reCaptcha, but looking at this post you would say it's not recommended? We are unsure how to properly solve this issue and hopefully you have suggestions on how to prevent the spam.

 

Thank you


Replies

 
Nicolai Pedersen Dynamicweb Employee

Hi Joakim

Is the form antispam enabled? https://doc.dynamicweb.dev/manual/dynamicweb10/settings/system/webhttp/security.html#form

I would like to see the form and submits to understand why they are not stopped.

Dynamicweb does not support re-captchas as a standard feature - but you can easily add them.

Example notification subscriber for Google re-captchas:

using System;
using System.Collections.Generic; // KeyValuePair<string, string>
using System.Net.Http;
using System.Threading.Tasks;
using Dynamicweb.Extensibility.Notifications;
using Dynamicweb.Forms;
using Dynamicweb.Core.Helpers;

namespace Dynamicweb.Examples.Forms.Notifications
{
    [Subscribe(Dynamicweb.Forms.Notifications.Frontend.OnBeforeContent)]
    public class CaptchaValidationSubscriber : NotificationSubscriber
    {
        public override void OnNotify(string notification, NotificationArgs args)
        {
            if (args is not Dynamicweb.Forms.Notifications.Frontend.OnBeforeContentArgs contentArgs)
                return;

            // Only check captcha on POST (form submission)
            var request = System.Web.HttpContext.Current?.Request;
            if (request?.HttpMethod?.Equals("POST", StringComparison.OrdinalIgnoreCase) != true)
                return;

            var captchaResponse = request.Form["g-recaptcha-response"];
            if (string.IsNullOrEmpty(captchaResponse))
            {
                StopExecution(contentArgs, "Captcha validation failed: missing token.");
                return;
            }

            // Verify captcha with Google API
            if (!VerifyCaptcha(captchaResponse))
            {
                StopExecution(contentArgs, "Captcha verification failed. Please try again.");
            }
        }

        private static bool VerifyCaptcha(string response)
        {
            try
            {
                // Placeholder: load the secret from configuration or a secret store, not from source code
                var secret = "YOUR_GOOGLE_RECAPTCHA_SECRET_KEY";
                using var client = new HttpClient();
                var postTask = client.PostAsync(
                    "https://www.google.com/recaptcha/api/siteverify",
                    new FormUrlEncodedContent(new[]
                    {
                        new KeyValuePair<string, string>("secret", secret),
                        new KeyValuePair<string, string>("response", response)
                    })
                );
                postTask.Wait();

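                // Parse the JSON instead of matching text, so a formatting change cannot break the check
                var result = postTask.Result.Content.ReadAsStringAsync().Result;
                using var doc = System.Text.Json.JsonDocument.Parse(result);
                return doc.RootElement.TryGetProperty("success", out var success)
                    && success.ValueKind == System.Text.Json.JsonValueKind.True;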
            }
            catch
            {
                return false;
            }
        }

        private static void StopExecution(Dynamicweb.Forms.Notifications.Frontend.OnBeforeContentArgs args, string message)
        {
            args.StopExecution = true;
            args.Output = $"<div class=\"alert alert-danger\">{message}</div>";
        }
    }
}

And in your form template, something like this:

<form method="post" action="">
    <!-- Your regular form fields -->
    <input type="text" name="Name" placeholder="Your name" required>
    <input type="email" name="Email" placeholder="Your email" required>

    <!-- Google reCAPTCHA widget -->
    <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>

    <button type="submit" class="btn btn-primary">Send</button>
</form>

<script src="https://www.google.com/recaptcha/api.js" async defer></script>
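Added example, not part of the reply above and not Dynamicweb code: a stricter evaluation of the siteverify JSON that parses the response, checks the `hostname` and `challenge_ts` fields alongside `success`, and reports `error-codes` for the server log. The class name `SiteVerifyCheck`, the host `www.example.com`, the two-minute age limit and the sample responses are assumptions constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Text.Json;
public static class SiteVerifyCheck
{
    // Hypothetical helper: returns "ok" only when every check passes, otherwise a reason for the server log.
    public static string Evaluate(string json, string expectedHost, DateTimeOffset now, TimeSpan maxAge)
    {
        try
        {
            using var doc = JsonDocument.Parse(json);
            var root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return "not a JSON object";
            if (!root.TryGetProperty("success", out var ok) || ok.ValueKind != JsonValueKind.True)
            {
                var codes = root.TryGetProperty("error-codes", out var ec) && ec.ValueKind == JsonValueKind.Array
                    ? string.Join(",", ec.EnumerateArray().Select(e => e.ToString()))
                    : "none";
                return "success is not true (error-codes: " + codes + ")";
            }
            // A token solved on a different site must not be accepted here.
            if (!root.TryGetProperty("hostname", out var host) || host.ValueKind != JsonValueKind.String
                || !string.Equals(host.GetString(), expectedHost, StringComparison.OrdinalIgnoreCase))
                return "hostname mismatch";
            // Local policy (assumption): refuse challenges older than maxAge.
            if (!root.TryGetProperty("challenge_ts", out var ts) || ts.ValueKind != JsonValueKind.String
                || !DateTimeOffset.TryParse(ts.GetString(), CultureInfo.InvariantCulture,
                                            DateTimeStyles.AssumeUniversal, out var solved)
                || now - solved > maxAge)
                return "challenge_ts missing or too old";
            return "ok";
        }
        catch (JsonException) { return "unparseable response"; } // fail closed
    }
    public static void Main()
    {
        var now = DateTimeOffset.Parse("2025-01-01T12:01:00Z", CultureInfo.InvariantCulture);
        string[] samples = // constructed siteverify responses, not captured traffic
        {
            "{\"success\": true, \"challenge_ts\": \"2025-01-01T12:00:30Z\", \"hostname\": \"www.example.com\"}",
            "{\"success\":true,\"challenge_ts\":\"2025-01-01T12:00:30Z\",\"hostname\":\"other.example\"}",
            "{\"success\": false, \"error-codes\": [\"timeout-or-duplicate\"]}",
            "<html>502 Bad Gateway</html>"
        };
        foreach (var s in samples) Console.WriteLine(Evaluate(s, "www.example.com", now, TimeSpan.FromMinutes(2)));
    }
}
```

Only the first sample is accepted; the other three are rejected for a hostname mismatch, a failed verification and an unparseable body respectively.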

 
