Shopify App StoreimplicitmediumCluster of 12 signals
Card #1251 · Shopify App Store

Bots bypassing form spam protection via direct API requests

Merchants are experiencing issues where spam bots bypass frontend protections like reCAPTCHA by sending automated POST requests directly to the sign-up API endpoints. This results in spam submissions even when CAPTCHA is enabled, as bots bypass the browser path and UX verification layers.

Shopify App StoreUpdated 27d ago0.62
Pain score
0.62/ 1.00 · weighted product of four components
Reach0.75
distinct authors (log-normalized)
Recency0.74
freshness decay, half-life months
Engagement0.46
upvotes + comments, normalized
Monetization0.50
willingness-to-pay cues in evidence
§ Evidence — 4 verified quotes
spammers very freq hit the backend endpoint these days. the only way to use double opt-in.
Reddit·@ryan_from_onvoard··source ↗
the spam bots use automated post requests to the sign up api endpoint, so any verification question in the UX might get bypassed anyways.
Forum·@Lilly··source ↗
A lot of HubSpot form spam is direct-to-Forms-API: the bot already knows the form GUID, posts straight to HubSpot, and never runs the browser path where your page-level controls live.
Forum·@kepan··source ↗
The issue is the direct POST once you bypass Webflow, all its protection is gone.
Reddit·@Queasy_Hotel5158··source ↗

Comments are a Pro feature — join the conversation, share what you've shipped, hear what others are building.

Upgrade to Pro