Every Aspire site · standard

Every lead
a real person.

Spam robots fill out a lot of contact forms. We make sure they never reach yours. Behind every Aspire site sit ten invisible filters — quiet enough that your real customers never see a puzzle, sharp enough that robot junk doesn't reach your inbox.

01 · What's a bot

A computer program faking a customer.

It's a robot that crawls the web looking for any contact form, quote request, or booking page it can fill out. It pretends to be a person, but it's typing thousands of fake submissions a day — not aimed at you, just hitting every form it can find. The goal is volume, not anything personal.

02 · Why it's a problem

Junk in your inbox. Dead-end calls. Real customers blocked.

Without protection, the average small-business form gets dozens of fake submissions a week. You waste your morning sorting through them. Your team calls phone numbers that don't ring. Your CRM fills up with garbage. Worst of all, the typical fix — "click all the boxes with a stoplight" puzzles — sends actual customers to whoever made it easier to get in touch.

03 · How we stop them

Quiet filters. No puzzles for your customers.

Behind every Aspire form sit ten invisible checks — little things a real person passes without noticing and a robot can't fake. The same security that protects Cloudflare's biggest enterprise customers runs on every site we build. Your customer clicks send. The bot gets caught. You see only the real leads.

The stack

Ten quiet layers, working at once.

Cloudflare's bot mitigation is the most visible piece — it's the same enterprise-grade system that protects banks and Fortune 500 sites. We layer our own checks on top of it so the spam never even gets the chance to try.

01

No-puzzle bot check

Cloudflare Turnstile watches how the visitor moves, types, and behaves — passes real people through without a captcha, catches automated submissions on the spot. The same protection used by enterprise sites.

02

Hidden spam traps

Invisible fields a real customer never sees but bots can't help filling out. The moment a bot touches one, the submission is silently dropped — they never know the form rejected them.

03

Timing check

Real people take a few seconds to fill out a form. Bots submit in milliseconds. We measure the gap between page load and submit — anything implausibly fast or stale gets blocked.

04

Replay protection

Every form submission gets a single-use token. If a spammer tries to replay the same submission a hundred times, the second attempt fails. One human visit = one valid submission.

05

Email shape check

Validates the email actually looks like a real email, and blocks disposable-address services bots use to dodge filters. Catches the obvious fakes before they reach your inbox.

06

Phone format check

A real US phone number has ten or eleven digits. Bots often submit random strings or international scam patterns. We require the right shape before the form will go through.

07

Message scanner

Looks at what was typed. If the message is wall-to-wall URLs, promo keywords, or a fingerprint from a known spam ring, we drop it. Real inquiries about your business get through.

08

Non-Latin script filter

Most US small-business clients write in English. Submissions that come in entirely in Cyrillic, Arabic, or CJK scripts are almost always automated. We screen them out at the door.

09

Flood blocker

If the same source sends more than one submission in a few minutes, it's almost certainly a script. We cap the rate per visitor so a single bot can't flood your inbox in the time it takes to make coffee.

10

Origin allow-list

The form will only accept submissions that came from your actual website, not from a bot posting directly to the back-end. Closes the most common attack route in one rule.

Common questions

What clients actually ask.

Real questions we get when we walk a client through their new contact form. Plain answers — no jargon.

Do we have to show the "Verify you are human" box on the form?

No. Cloudflare Turnstile (the bot-check we use) runs in three modes — and one of them is fully invisible. The choice is yours, and there are real trade-offs on both sides.

Showing it

Visible "Verify you are human" widget

Pros

  • Visitor sees the trust signal — "this site has real security."
  • Reinforces the brand promise that every lead is real.
  • Visitor knows their submission is being checked.
  • No additional privacy-policy language required.

Cons

  • Adds one more visual element to the form.
  • A small percentage of users may have to click a checkbox (rare).

Hiding it

Invisible mode — runs entirely in the background

Pros

  • Cleaner form — no visible widget at all.
  • Zero risk of interactive challenges showing.
  • Same level of bot detection (security doesn't change).

Cons

  • You lose the visible trust signal at the moment of submission.
  • Cloudflare requires invisible-mode sites to reference their Turnstile Privacy Addendum in your Privacy Policy — small one-time update.
  • Marketing moment ("this site has enterprise security") goes away.

Our recommendation: Show it. Visitors filling out a contact form are already trusting you with their info — a tiny "verifying" cue tells them their submission is being treated with care. We default to showing because it costs nothing and adds reassurance. If you'd rather hide it, we can flip the switch in five minutes and update your privacy policy.

What if a real customer gets blocked?

It's designed not to happen. The whole point of Cloudflare's no-puzzle approach is to let real customers through without making them prove anything. The system watches subtle browser behavior (mouse movement, keystroke timing, device signals) and flags only the patterns no real person can produce.

If somehow a real submission did get caught, our backend logs every block with a reason — so we can pull it up, see what triggered it, and adjust. We've watched this stack run on Aspire's own contact form for months and haven't found a single false positive yet.

Does this slow down my form?

No. The check runs in the background while your visitor is typing. By the time they click submit, the verification is already done. Cloudflare's own servers are inside the network path anyway, so there's nothing extra to wait for.

What does it cost?

Nothing extra. Cloudflare Turnstile is free, and the other nine layers are part of how we build every site. The whole security stack is included in your project — no monthly fee, no per-submission cost, no upsell.

Is my customer's data being shared with Cloudflare?

No. The bot check looks at browser behavior signals — mouse movement, keystroke patterns, device fingerprint, IP address — not the contents of your form. Cloudflare never sees what your customer typed in the name, email, phone, or message fields. That data goes straight from the form to your inbox (and your CRM if connected), nowhere else.

What if Cloudflare goes down?

Cloudflare runs at 99.99%+ uptime — they're the largest CDN in the world and what they call "downtime" is usually a few minutes a year. If their bot-check endpoint did fail, your form would temporarily refuse new submissions rather than let unverified ones through. The other nine layers (honeypots, rate limits, format checks, etc.) keep working independently, so the form never falls back to "no protection at all."

Can I see how many spam attempts have been blocked?

Yes — ask us. Our backend logs every block with a reason (which layer caught it, when, from what country/IP range). We don't surface this in a dashboard by default because most clients don't want to think about it, but if you're curious or need it for reporting, we can pull a monthly summary for you.

Is this just for my contact form, or every form on the site?

Every form. Quote requests, booking forms, newsletter signups, "ask a question" pop-ups — anything that accepts user input runs through the same stack. We don't pick and choose which forms to protect; security is the default for the whole site, every time.

Powered by

Cloudflare bot mitigation, under the hood.

The most visible layer in our stack is Cloudflare Turnstile — their next-generation replacement for CAPTCHA. It uses machine-learning models trained on a huge portion of the internet's traffic, so it sees novel attacks first and updates protection for every site we ship in real time. We chose it because it does the job without making your customers prove they're human.

See how Cloudflare blocks bad bots →

Start your Project today.

We listen first, pitch never.

Tell us where you're headed — we'll show you how to get there. No long contracts, no hidden fees.

Let's work together See our work