Contact forms on a static site

I’ve been reading through posts about using contact forms. Am testing the “parsa-hugo” theme and using the contact page, but what does the ‘submit’ button do ? Looked through the code and it is just a FORM with a POST.

The main reason I wanted a static site generator is because of security. Over the years, seen many attempts to inject SQL into php scripts in a Wordpress site. A few considerations:

  1. If static forms have email addresses, it opens up SPAM

  2. If server side tools like PHP, Ruby, Python, etc, are used, the email address is hidden, yet is the script itself ‘safe’ ? Can it be broken ?

  3. How does one protect the site from email bots if a static form (no server side) is used ?

  4. I have seen some Java code where a person has to hover the mouse over the email address to view it ? Are these completely safe from email bots and spammers ?

  5. Possibly another method to use are tools like ASSP, that can stop emails at the server level - cPanel App Catalog :: ASSP Deluxe for cPanel ?

I have used ASSP in the past and found it very useful, however the web hosting company disabled it as it was causing high load on email servers. These days the web hosts use SPAM tools to give a point rating, yet I found the bar had to be raised as it also stopped valid emails. It seems some of the work email servers also do are to now check RBL lists and reject emails appropriately.

It comes down to personal choice no doubt, do I want security (no scripts) at the risk of spam, or no spam at the risk of security ? Possibly it is not so black and white though. :slight_smile:


1 Like

You also can use an external service. For example:


I went open source and created a contact form using MailyGo and some custom JavaScript I wrote.
My theme is open source so you can have a look at it. I’ll be adding the documentation for it soon, but the code is pretty modular so just refer to files named contact.*.

Theme live at


I would definitely go for using netlify and netlify forms. I use them a lot and they work great and also have great spam protection even on the free tier


I can suggest using - a backend service for forms management that can handle your submissions, send emails and integrate with other services.
It has over 99.9% success rate of spam filtering.
You can start for free, up to 100 submissions a month.

Disclaimer: I’m the founder of Form-Data

1 Like

Thanks for those links, much appreciated.

Thanks, I’m not on Netify, just a local web hosting company. I’ll checkout the ‘codementor’ link though.

Thanks, I (GIT) installed your theme, and tested it. Have sent you a message.

Thanks, we have the hosting all sorted. I can use php, ruby, python, etc, just not totally convinced regards security. Although most scripts can hide the includes elsewhere. I only just remembered a CAPCHA. Are they an overkill to stop bots ??

Thanks, however we need to keep all the data away from third parties. Only last week, there were two fraudulent attempts on a credit card, so I’m (more) cautious now to not allow data on third party sites.

You can decide for how long the data will be stored on our systems.
So you can use zapier or webhooks to store the data anywhere you want, or even just have it emailed to you, and then delete it automatically from our systems.
This way we’ll be processing the data but not storing it for long term.

1 Like

Slightly off-topic but for my latest projects I am using the excellent Cloak email theme component by @martignoni

Basically it is a scrambled mailto link that is re-assembled on the frontend with JS.

Typically bots crawl static pages therefore they can never read the actual email address.

I have yet to receive spam through this component whereas with Netlify forms etc spam always comes through.


That looks interesting, thanks.

I use an tally form that is linked on the bottom of a page.

It sends an hidden field as query string to get the context of the page and anyone (so far no one) can submit. The spam control is their responsibility. It’s cheaper on load times and price than feedback fish and work nice.

@lucasew thanks :slight_smile:

I use to power a form on my blog.

It’s totally free. By default it uses reCAPTCHA to filter out spam, but you can disable that if you wish.

To start, the URL includes your email address, but after you verify your email (the first time you use the form on your site) they give you a random string that you can use instead of your email address in the URL.

I compared a bunch of (free) options and I’m very happy with this one so far.


@justahugouser okay thanks

My observation so far. Devro LABS made couple good services but what is strange, that they making service and than putting this on Marketplace to sell?

I am little worry to trust by implementing this on websites to find out that this will be for sale as well?

Does selling a service mean it stops working?

If you want to go 100% sure just program everything by yourself. If not, chose one of the services presented. Things (services) online always change.

I use a self-hosted form from ReusableForms HTML5 Contact Form To Send Email On Form Submission - download from ReusableForms embedded on a page on my Hugo site Contact - D'Arcy Norman

I usually get SPAM with the services I have tried before. I also despise recaptcha. Any free service that allows anti-SPAM features?

As a defense against bot I use ReCaptcha v2 but we’ll be migrating to v3 soon.

As for the form post, I use google cloud function and I use Mailgun for the mailing part.
(And google storage to store the files from the form inputs.)

I use the jQuery framework to do all the heavy lifting on the client side.
The again Javascript in google function, with IP check, Captcha check.

I used to use Mailchimp forms but I don’t like it…