The problems web forms face
| Problem | Detail |
|---|---|
| Spam bots | Automated submissions that flood inboxes, pollute databases, and waste team time |
| Disposable emails | Fake addresses used to bypass trial limits, exploit offers, or avoid follow-up |
| Malicious file uploads | PDFs and Office documents submitted through upload fields that contain malware, macros, or phishing links |
| CAPTCHA friction | Traditional CAPTCHAs hurt conversion and frustrate legitimate visitors — Shield is invisible |
Bot protection with Shield
Shield is an invisible bot-protection widget that embeds in any form. No checkbox, no image puzzle — legitimate users never know it's there.
How it works
- 1The Shield widget script loads with your form
- 2On page load, the browser solves a proof-of-work challenge in the background
- 3When the form is submitted, a signed token is included automatically
- 4Your server sends the token to the
siteverifyendpoint - 5Verifence returns a success verdict and risk score — reject if
success: false
What Shield checks
- ✓Proof-of-work — The browser must complete a computational challenge; bots typically can't or won't
- ✓Browser fingerprinting — Headless browsers, WebDriver, and automation frameworks are flagged
- ✓Behavioral signals — Instant submissions, no mouse movement, and uniform keystroke timing indicate bots
- ✓IP reputation — Spamhaus, Barracuda, and AbuseIPDB checks applied to the submitter's IP
Email validation at submission
Pass the email field from your form directly to siteverify — Verifence checks it against your Email Rules in the same request, no second API call needed:
{
"secret": "your_secret_key",
"token": "<shield token>",
"email": "user@example.com"
}If the email matches a rule — disposable domain, blocked country, custom block — the submission is rejected with a clear reason. For deeper validation (typo correction, role accounts, free providers), submit the email separately to the email scan endpoint.
Spam text classification
If your form has a free-text field — a message body, description, or comment — pass it to siteverify via the text field:
{
"secret": "your_secret_key",
"token": "<shield token>",
"text": "Hi I want to buy cheap replica..."
}Verifence returns a spam_score (0–1), the detected language, and classifier signals. Your server sets the threshold — for example, reject any submission with spam_score > 0.85.
File upload screening
When your form includes a file upload field, POST the file to the document scanner before storing or processing it:
POST /api/scan
API-KEY: your_api_key
Content-Type: multipart/form-data
file=@uploaded.pdfThe scanner returns a verdict and threat breakdown:
- ✓Viruses detected by the antivirus engine
- ✓Macros in Office documents (Word, Excel, PowerPoint)
- ✓Suspicious or phishing links embedded in PDFs
- ✓OLE embedded objects and XML external entities
Reject block verdicts immediately. Route warn verdicts to a manual review queue. Only accept ok results into your normal pipeline.
The full protected submission flow
1. User fills in form (Shield widget runs in background) 2. User submits → token added to form data automatically 3. Your server receives the submission 4. Call siteverify with token + email + text → invalid token or low score → reject → email blocked by rules → reject → high spam score → reject or queue for review 5. If file included → POST to /api/scan → block verdict → reject → warn verdict → queue for review 6. All checks pass → save and process normally
Roll out in stages
Shield and the scan API work independently — add them one layer at a time:
| Step | What it adds |
|---|---|
| Embed Shield widget + siteverify | Bot blocking, IP reputation, behavioral checks |
| Pass email to siteverify | Email rule enforcement at the form level — no second API call |
| Pass text to siteverify | Spam text classification with score and language detection |
| POST file to /api/scan | Malware and threat screening for uploaded documents |