Card #1251 · Shopify App Store
Bots bypassing form spam protection via direct API requests
Merchants are experiencing issues where spam bots bypass frontend protections like reCAPTCHA by sending automated POST requests directly to the sign-up API endpoints. This results in spam submissions even when CAPTCHA is enabled, as bots bypass the browser path and UX verification layers.
Pain score
0.62/ 1.00 · weighted product of four components
Reach0.75distinct authors (log-normalized)
Recency0.74freshness decay, half-life months
Engagement0.46upvotes + comments, normalized
Monetization0.50willingness-to-pay cues in evidence
§ Evidence — 4 verified quotes
spammers very freq hit the backend endpoint these days. the only way to use double opt-in.
the spam bots use automated post requests to the sign up api endpoint, so any verification question in the UX might get bypassed anyways.
A lot of HubSpot form spam is direct-to-Forms-API: the bot already knows the form GUID, posts straight to HubSpot, and never runs the browser path where your page-level controls live.
The issue is the direct POST once you bypass Webflow, all its protection is gone.
Comments are a Pro feature — join the conversation, share what you've shipped, hear what others are building.
Upgrade to Pro