Released 2026-05-31. Public form submissions are now protected from bots and abuse automatically.
Invisible reCAPTCHA on forms
- Submissions to FlowFn-hosted form pages (
/f/<slug>on flowfn.com or a<name>.flowfn.comsubdomain) are now verified with invisible reCAPTCHA — score-based, with no checkbox or puzzle for your visitors. - It runs alongside the existing per-visitor rate limiting and optional password gate. Automated and abusive submissions are rejected before they reach your workflow.
- Embedded forms load that same FlowFn-hosted page in an iframe, so they get reCAPTCHA too — on a best-effort basis (some browsers block third-party scripts inside iframes; the embed token, allowed-domains list, and rate limiting still apply there).
- Forms served on your own custom domain skip reCAPTCHA (it can't verify a non-FlowFn origin) and rely on rate limiting plus your other protections.
- Nothing to configure — it applies automatically.
Privacy
- Google reCAPTCHA is now listed as a sub-processor, and its
_GRECAPTCHAsecurity cookie is described in our Cookie Policy.