April 20, 2026
Contact Form Security Best Practices With WizeForm
WizeForm handles rate limiting, honeypot detection, encrypted storage, and HTTPS enforcement automatically. Here's what WizeForm secures for you — and the few steps you still own.
WizeForm Team
Engineering
Security layers WizeForm manages on your behalf
WizeForm enforces rate limiting at the platform level — per access key and per IP address. When submission volume from a single source exceeds the threshold within a rolling time window, requests are rejected with a 429 response. This protects your monthly submission quota from abuse and prevents your form endpoint from being used as a spam relay.
Honeypot field detection is built into WizeForm's submission processing pipeline. WizeForm validates each submission against a hidden field that should always be empty for genuine human submissions. Bots that programmatically fill all available form inputs trigger this check and are silently discarded before processing. You don't add anything to your HTML — the detection runs server-side within WizeForm.
All submission data is stored encrypted at rest. WizeForm only accepts submissions over HTTPS — plain HTTP requests to the submission endpoint are rejected. Your access key is treated as a write-only credential: it allows a form to send submissions to your account, but it cannot be used to read your submissions, access your dashboard, or make any changes to your account settings.
What you're responsible for on your end
Keep your WizeForm access key out of public version control. If your key appears in a public repository, anyone can submit to your account and consume your monthly quota with junk. For server-rendered applications, store the key in an environment variable and inject it at build time or runtime. For client-side static sites where the key must appear in the HTML, accept that it will be visible in source — but know that the key can only be used to write submissions, not to read or modify your account.
Serve your form page over HTTPS. If the page that contains your form is accessible over plain HTTP, an attacker on the same network can observe the POST request and extract the submitted data in transit — including whatever personal information your form collects. Most modern hosting services enforce HTTPS by default, but if you're hosting on a custom setup, verify that HTTPS is active on any page that contains a WizeForm-connected form.
Review your form fields and collect only what you actually need. Don't collect sensitive personal information — passwords, payment data, social security numbers — through a form. This is not just because WizeForm doesn't need it: reducing the sensitivity of collected data reduces the impact of any potential exposure. The security principle of minimal data collection applies to your form design.
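The HTTPS and minimal-data checks above can be run against your built HTML before deploy. The following is an added example, not WizeForm code: the sensitive-name patterns, the finding labels, and the placeholder endpoint host in the sample are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed name fragments for data the article says not to collect via a form.
SENSITIVE = re.compile(r"passw|ssn|social.?sec|card.?num|cvv|cvc", re.I)

class FormAudit(HTMLParser):
    """Records a finding for every insecure form target or sensitive field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.in_form = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            # Empty, relative and protocol-relative actions inherit the page scheme.
            target = urljoin(self.page_url, a.get("action") or "")
            if urlsplit(target).scheme != "https":
                self.findings.append(("form-posts-over-http", target))
        elif self.in_form and tag in ("input", "textarea", "select"):
            name = a.get("name") or ""
            if (a.get("type") or "").lower() == "password" or SENSITIVE.search(name):
                self.findings.append(("sensitive-field", name))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit(page_url, html):
    """Return (kind, detail) findings for one page's URL and HTML source."""
    parser = FormAudit(page_url)
    if urlsplit(page_url).scheme != "https":
        parser.findings.append(("page-served-over-http", page_url))
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the endpoint host is a placeholder, not WizeForm's real URL.
SAMPLE = """
<form action="http://forms.example.invalid/submit" method="post">
  <input type="email" name="email">
  <input type="text" name="card_number">
  <input type="password" name="pw">
  <textarea name="message"></textarea>
</form>
<form method="post"><input name="name"></form>
"""

if __name__ == "__main__":
    for kind, detail in audit("https://site.example/contact", SAMPLE):
        print(f"{kind}: {detail}")
```

A non-empty result is a reason to fail the build or review the form before it ships.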
Data retention, export, and GDPR compliance
WizeForm gives you full control over your submission data. You can delete any individual submission or your entire submission history from the dashboard at any time, with immediate effect. WizeForm does not retain backups of deleted data beyond the standard infrastructure-level snapshot window. Deleted submissions are gone.
For GDPR data subject access requests, the WizeForm dashboard search lets you find all submissions associated with a specific email address in seconds. You can export those submissions as CSV to fulfill a data portability request, or delete them directly from the dashboard to fulfill an erasure request. WizeForm does not expose submission data to third parties.
If your project requires data to be stored in a specific geographic region, WizeForm's region configuration at account setup determines where submissions are stored. Review your WizeForm account region settings if your project has specific data residency requirements. All processing, scoring, and storage happens within the configured region.