Trust & safety
Security
Defense in depth for public form endpoints and authenticated dashboards.
Spam & abuse
- Honeypot field (_gotcha) for bots
- Per-IP rate limiting on submissions
- Optional domain whitelist per form
- Flagged spam stored without emailing you
Transport & auth
- HTTPS for all dashboard and API traffic
- JWT in httpOnly cookies for browser sessions
- Bcrypt password hashing with app pepper
- Role-based access for user vs admin areas
Data handling
- Submissions tied to your account and forms
- Email delivery via AWS SES
- Open redirect protection on _redirect field
- Opaque verification tokens for email confirmation (no user id in links)
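
One way a form backend could enforce open redirect protection on the _redirect field, shown as an added example and not this service's own code. The function name safeRedirect, the /thanks fallback page, the exact-hostname allowlist per form and the sample inputs are all assumptions made for illustration.

```javascript
// Added example: validate a submitted _redirect value before issuing a 3xx.
// Assumptions (not from the page): an exact-hostname allowlist per form and a
// fixed fallback page on the form service itself.
const FALLBACK = "/thanks"; // hypothetical default landing page

function safeRedirect(raw, allowedHosts, fallback = FALLBACK) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return fallback;
  // Browsers and servers normalise control characters and backslashes
  // differently, so refuse them rather than guess how they will be read.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;
  let url;
  try {
    url = new URL(raw); // no base given: relative and "//host" forms throw
  } catch {
    return fallback;
  }
  if (url.protocol !== "https:") return fallback;    // javascript:, data:, http:
  if (url.username || url.password) return fallback; // https://allowed@other-host/
  if (url.port !== "") return fallback;              // default port only
  const host = url.hostname.toLowerCase();
  // Exact match only: suffix or substring checks would accept look-alike hosts.
  if (!allowedHosts.some((h) => h.toLowerCase() === host)) return fallback;
  return url.href; // redirect to the parsed, normalised form, not the raw input
}

// Constructed sample inputs; example.com stands in for the form owner's site.
const SAMPLE_ALLOWED = ["example.com"];
const SAMPLE_INPUTS = [
  "https://example.com/done?x=1",   // allowed
  "//evil.test/",                   // scheme-relative
  "https://example.com@evil.test/", // userinfo trick
  "https://example.com.evil.test/", // look-alike suffix
  "javascript:alert(1)",            // non-HTTPS scheme
];
for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), "->", safeRedirect(input, SAMPLE_ALLOWED));
}
```
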