react-spam-shield
Advanced tools
Free client-side spam protection for React forms with honeypot fields, timing analysis, and behavior tracking. No API keys, no backend required - everything runs in the browser.
npm install react-spam-shield
import { SpamProtectedForm } from 'react-spam-shield';
function ContactForm() {
const handleSubmit = (formData, spamScore) => {
console.log('Spam score:', spamScore);
// Convert FormData to object
const data = Object.fromEntries(formData);
// Send to your backend
fetch('/api/contact', {
method: 'POST',
body: JSON.stringify(data)
});
};
return (
<SpamProtectedForm
onSubmit={handleSubmit}
spamThreshold={0.7}
onSpamDetected={() => alert('Spam detected!')}
>
<input name="name" placeholder="Name" required />
<input name="email" type="email" placeholder="Email" required />
<textarea name="message" placeholder="Message" required />
<button type="submit">Submit</button>
</SpamProtectedForm>
);
}
Main component that wraps your form with spam protection.
| Prop | Type | Default | Description |
|---|---|---|---|
children | ReactNode | Required | Form fields and buttons |
onSubmit | (data: FormData, spamScore: number) => void | Required | Called when form is submitted and passes spam check |
spamThreshold | number | 0.7 | Spam score threshold (0-1). Scores above this trigger spam detection |
onSpamDetected | () => void | undefined | Callback when spam is detected |
honeypotFieldName | string | "website" | Name of the hidden honeypot field |
enableBehaviorTracking | boolean | true | Enable/disable mouse and keyboard tracking |
minTimeSeconds | number | 2 | Minimum time before submission is considered valid |
<SpamProtectedForm
onSubmit={handleSubmit}
spamThreshold={0.8}
onSpamDetected={() => console.log('Spam detected!')}
honeypotFieldName="url"
enableBehaviorTracking={true}
minTimeSeconds={3}
>
{/* Your form fields */}
</SpamProtectedForm>
Custom hook for advanced use cases where you need manual control over spam detection.
interface SpamDetection {
calculateSpamScore: () => number;
setHoneypotFilled: (filled: boolean) => void;
signals: {
mouseMovements: number;
keystrokes: number;
startTime: number;
honeypotFilled: boolean;
clipboardEvents: number;
};
}
import { useSpamDetection } from 'react-spam-shield';
function CustomForm() {
const { calculateSpamScore, setHoneypotFilled } = useSpamDetection();
const handleSubmit = (e) => {
e.preventDefault();
const spamScore = calculateSpamScore();
if (spamScore > 0.7) {
alert('Spam detected!');
return;
}
// Process form...
};
return (
<form onSubmit={handleSubmit}>
<input
type="text"
name="honeypot"
style={{ display: 'none' }}
onChange={(e) => setHoneypotFilled(!!e.target.value)}
/>
<input name="email" type="email" placeholder="Email" />
<button type="submit">Submit</button>
</form>
);
}
The spam score is calculated based on multiple signals:
Base score = 0
Add to score if:
- Honeypot filled: +0.5
- Submit time < 2 seconds: +0.3
- Mouse movements < 5: +0.2
- Keystrokes < 10: +0.1
- Multiple clipboard pastes (≥2): +0.1
Final score = min(total, 1.0)
Score Interpretation:
0.0-0.3: Very likely human0.3-0.7: Uncertain0.7-1.0: Very likely spamA hidden form field that legitimate users won't see or fill, but bots typically auto-fill all fields.
Tracks time from component mount to form submission. Submissions faster than minTimeSeconds (default 2s) are suspicious.
Monitors natural user interactions:
Real users interact naturally with forms, while bots often submit instantly without interaction.
Adjust the threshold based on your needs:
// More lenient (fewer false positives)
<SpamProtectedForm spamThreshold={0.8} onSubmit={handleSubmit}>
{/* ... */}
</SpamProtectedForm>
// More strict (fewer false negatives)
<SpamProtectedForm spamThreshold={0.5} onSubmit={handleSubmit}>
{/* ... */}
</SpamProtectedForm>
If you have privacy concerns or want to reduce tracking:
<SpamProtectedForm
enableBehaviorTracking={false}
onSubmit={handleSubmit}
>
{/* ... */}
</SpamProtectedForm>
Note: This will only use honeypot and timing analysis for spam detection.
const handleSubmit = async (formData, spamScore) => {
const data = Object.fromEntries(formData);
// Send spam score to backend for logging/analysis
await fetch('/api/contact', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
...data,
_spamScore: spamScore
})
});
};
Works in all modern browsers that support:
This package is designed with privacy in mind:
Full TypeScript support included:
import {
SpamProtectedForm,
useSpamDetection,
SpamProtectedFormProps,
SpamDetection
} from 'react-spam-shield';
Found a bug or have a feature request? Please open an issue on GitHub.
MIT License - feel free to use in personal and commercial projects.
FAQs
Free client-side spam protection for React forms
We found that react-spam-shield demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
Security News
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Security News
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.