Stop Spam Before It Starts: Adding a Honeypot to Your Webflow Forms

Social Catnip
Sean Gowing | March 9, 2026

What Does It Actually Do?

The script does two things simultaneously:

1. Blocks free/personal email domains. When someone submits your form with a Gmail, Yahoo, Hotmail, iCloud, or similar address, the script intercepts the submission and shows an error message before anything hits your inbox. It also catches common typos like gmali.com and gamil.com, so accidental misspellings don't slip through.

2. Traps bots with a hidden field. A technique called a "honeypot" involves placing a hidden input field on the form — one that real users never see or fill out, but bots do (because they blindly fill every field they find). If that field has a value on submit, the script knows it's a bot and silently blocks the submission.

The result: cleaner leads, less noise, and no backend changes required.

Setting It Up

Step 1: Add the CMS Toggle

The script is designed to be toggled on or off via a Webflow CMS field — useful if you want validation on some pages but not others (a contact form vs. a newsletter signup, for example).

In your CMS collection, add a Switch field named "Form Validation".

Then, on the page where your form lives, select the wrapper element and add a Custom Attribute:

  • Name: data-form-validation
  • Value: Bind it to your CMS "Form Validation" field

When the CMS field is toggled on, this attribute outputs "true" on the element, and the script activates.

Step 2: Configure Your Form Elements

Inside your Webflow form, add two custom attributes:

  • A hidden input (bot trap): add attribute data-input-15
  • An error message div: add attribute data-error-message

The email input and submit button are found automatically by the script — no attributes needed on those.

Step 3: Embed the Script

Grab the contents of global-code.js from the honeypot-webflow GitHub repo. Then in Webflow, go to Project Settings → Custom Code, scroll to Footer Code, and paste it wrapped in script tags:

<script>
  // paste contents of global-code.js here
</script>

Which Email Providers Are Blocked?

Out of the box, the script blocks: Gmail, Yahoo, Ymail, Hotmail, Outlook, AOL, iCloud, ProtonMail, Proton, Mail.com, GMX, Zoho, Tutanota, Fastmail, Yandex, Live, and MSN — across any TLD. It also catches the typos gmali and gamil.

You can add or remove providers by editing the blocked domains list directly in the script before embedding.

Why a CMS Toggle?

Rather than hardcoding validation on every form, you get per-page control without touching code. This is especially handy for lead gen pages where you want strict business email enforcement, event signups where Gmail is fine, or A/B testing validation messaging without a redeployment.

A Note on Honeypots vs. CAPTCHA

Honeypot fields are not a complete bot-blocking solution, but they're significantly less friction for real users than a CAPTCHA. Sophisticated bots can detect and skip honeypot fields, but the vast majority of form spam comes from low-effort scripts that fill every field they find. For most Webflow marketing sites, this approach catches plenty of junk without annoying legitimate leads.

For very high-traffic forms or particularly targeted spam, consider layering this with Webflow's native reCAPTCHA integration as an additional defense.

Putting It All Together

Once configured, your Webflow form will: check the CMS toggle, inspect the hidden honeypot field on submit, validate the email domain, and — if both checks pass — allow the native Webflow form submission to proceed normally.

No backend, no Zapier step, no extra services. Check out the full source at github.com/twistedx/honeypot-webflow.
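
The decision flow described above, sketched as an added example; this is not the repository's global-code.js. The function names, the `input[type="email"]` selector, the handling of two-part suffixes such as .co.uk, and the capture-phase blocking are assumptions.

```javascript
// Added illustration, not the contents of global-code.js.
// Provider labels come from the article's list, plus its two typo domains.
const BLOCKED = new Set(['gmail', 'yahoo', 'ymail', 'hotmail', 'outlook', 'aol',
  'icloud', 'protonmail', 'proton', 'mail', 'gmx', 'zoho', 'tutanota',
  'fastmail', 'yandex', 'live', 'msn', 'gmali', 'gamil']);
// Assumption: "any TLD" also covers two-part suffixes such as .co.uk or .com.au.
const SECOND_LEVEL = new Set(['co', 'com']);

function isBlockedEmail(email) {
  const s = String(email || '');
  const at = s.lastIndexOf('@');
  if (at < 1) return false; // malformed: left to the browser's own validation
  const labels = s.slice(at + 1).trim().toLowerCase().split('.');
  labels.pop(); // drop the TLD
  if (labels.length > 1 && SECOND_LEVEL.has(labels[labels.length - 1])) labels.pop();
  // One label left means provider.tld, so user@mail.acme.com is not caught.
  return labels.length === 1 && BLOCKED.has(labels[0]);
}

// Order from the article: CMS toggle, then honeypot, then email domain.
function checkSubmission({ enabled, honeypot, email }) {
  if (!enabled) return { allow: true, reason: 'off', showError: false };
  // Any value in the trap field means a bot: block silently, no error message.
  if (String(honeypot || '') !== '') return { allow: false, reason: 'honeypot', showError: false };
  if (isBlockedEmail(email)) return { allow: false, reason: 'free-email', showError: true };
  return { allow: true, reason: 'ok', showError: false };
}

// Browser wiring (skipped under Node). input[type="email"] is an assumption.
if (typeof document !== 'undefined') {
  document.querySelectorAll('[data-form-validation] form').forEach((form) => {
    form.addEventListener('submit', (event) => {
      const wrapper = form.closest('[data-form-validation]');
      const trap = form.querySelector('[data-input-15]');
      const mail = form.querySelector('input[type="email"]');
      const errorBox = form.querySelector('[data-error-message]');
      const verdict = checkSubmission({
        enabled: wrapper.getAttribute('data-form-validation') === 'true',
        honeypot: trap && trap.value,
        email: mail && mail.value,
      });
      if (errorBox) errorBox.style.display = verdict.showError ? 'block' : 'none';
      if (!verdict.allow) {
        event.preventDefault();           // stop the native submission
        event.stopImmediatePropagation(); // and any later submit handlers
      }
    }, true); // capture phase: runs before bubble-phase handlers
  });
}
```

Both checks run only in the visitor's browser, so a submission that never executes the page's JavaScript is not filtered by them; treat this as noise reduction for leads rather than an access control.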

Written By
Sean Gowing
CEO of SocialCatnip