Security

Atlas Forms includes multiple security layers to protect your forms from abuse.

Origin Validation

Restrict which domains can submit to your forms.

Configuration

  • Go to Form Settings → Allowed Origins
  • Add your domains (e.g., example.com, app.example.com)
  • Save

How It Works

  • Submissions check the Origin or Referer header
  • Only requests from allowed domains are accepted
  • Subdomains are matched (e.g., example.com allows www.example.com)
  • Localhost requires sandbox mode + registered IP (see below)

Localhost Testing

Testing forms locally requires sandbox mode and a registered IP address.

Why IP Registration?

Localhost origins (http://localhost:3000) are identical for all developers. Without IP validation, anyone who discovers your form ID could submit to your form from their localhost.

By registering your IP, Atlas ensures only your machine can submit to the form during development.

How to Test Locally

  • Keep your form in Sandbox Mode (default)
  • Go to Form Settings → Localhost Testing
  • Click Register My IP
  • Your current public IP is now authorized

Form in SANDBOX mode:
  - Your localhost + registered IP → ✅ Allowed
  - Other localhost + different IP → ❌ Rejected

Form in LIVE mode:
  - Localhost (any IP) → ❌ Blocked
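The rules above (allowed-domain matching with subdomains, localhost only in sandbox mode from a registered IP, localhost blocked in live mode) as a small decision function. This is an added example written for this page, not Atlas Forms' own code; the function names, the form object shape (mode, allowedOrigins, registeredIps), the 403 status and the sample IPs are assumptions. Only the "Origin not allowed" error body comes from the page.

```javascript
// Added example: a model of the documented origin check. Not Atlas's code;
// checkOrigin, the form object shape and the 403 status are assumptions.

// Hostname from the Origin header, falling back to Referer (as the docs say).
function originHost(headers) {
  const raw = headers['origin'] || headers['referer'];
  if (!raw) return null;
  try {
    return new URL(raw).hostname.toLowerCase();
  } catch {
    return null; // a malformed header is treated as no origin at all
  }
}

// example.com allows example.com and any subdomain (www.example.com), but the
// "." boundary stops look-alikes such as notexample.com from matching.
function hostAllowed(host, allowedOrigins) {
  return allowedOrigins.some(
    (allowed) => host === allowed || host.endsWith('.' + allowed)
  );
}

function isLocalhost(host) {
  return host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
}

// Returns { ok: true } or the documented rejection body.
function checkOrigin(form, headers, clientIp) {
  const reject = { ok: false, status: 403, body: { error: 'Origin not allowed' } };
  const host = originHost(headers);
  if (!host) return reject;

  if (isLocalhost(host)) {
    // Live mode: localhost is blocked whatever the IP.
    if (form.mode === 'live') return reject;
    // Sandbox mode: localhost is accepted only from a registered public IP.
    return form.registeredIps.includes(clientIp) ? { ok: true } : reject;
  }

  return hostAllowed(host, form.allowedOrigins) ? { ok: true } : reject;
}

// Constructed sample configuration (documentation IP range, not a real form).
const sampleForm = {
  mode: 'sandbox',
  allowedOrigins: ['example.com'],
  registeredIps: ['203.0.113.7'],
};

// Usage: checkOrigin(sampleForm, { origin: 'https://www.example.com' }, '198.51.100.1').ok
```

Note that Referer is only a fallback: browsers send Origin on cross-site POSTs, and Referrer-Policy settings on the submitting site can strip the Referer entirely, so a missing header is treated as a rejection rather than a pass.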

IP Registration

Your public IP (detected via Cloudflare) is shown in form settings. Click Register My IP to authorize it.

Common scenarios:

    Scenario                       Solution
    IP changed (new WiFi, VPN)     Click "Register My IP" again
    Team development               Each team member registers their IP
    Same office (shared NAT)       Same IP = same org, works automatically

Optional: Sandbox API Key

For extra security in JavaScript apps, generate a Sandbox API Key:

  • Go to Form Settings → Localhost Testing
  • Click Generate API Key
  • Add it to your .env.local:

    ATLAS_FORM_KEY=sk_sandbox_xyz123...

  • Include it in submissions:

    javascript
    await fetch('https://atlasforms.app/f/abc123', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'X-Atlas-Key': process.env.ATLAS_FORM_KEY
      },
      body: JSON.stringify({ name: 'Test' })
    })

This provides two layers of security: IP binding + API key.

When You Go Live

When you switch from Sandbox to Live mode:

  • Localhost submissions are blocked entirely
  • Your registered IPs no longer apply
  • Only production domains in allowed_origins can submit

This ensures your production form only accepts submissions from real users on real domains.

Error Response

    json
    {
      "error": "Origin not allowed"
    }

Rate Limiting

Prevent abuse with per-IP rate limiting.

Default Limits

    Context             Limit
    Form submissions    60/minute per IP
    API requests        100/minute per API key

Custom Limits

Configure per-project rate limits in Project Settings → Security.

Rate Limit Headers

    X-RateLimit-Limit: 60
    X-RateLimit-Remaining: 55
    X-RateLimit-Reset: 2024-01-15T10:31:00Z

When Limited

    json
    {
      "error": "Rate limit exceeded. Please try again later.",
      "retry_after": 45
    }

Status code: 429 Too Many Requests
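To make the headers and the 429 response above concrete, here is a fixed-window per-IP limiter that produces them. This is an added example written for this page, not Atlas Forms' implementation (Atlas may use a different windowing algorithm); the RateLimiter class, the injectable clock and the sample IP are assumptions, while the header names, the 60/minute limit, the error body and the retry_after field come from the page.

```javascript
// Added example (not Atlas Forms' own code): a fixed-window, per-IP limiter
// emitting the documented X-RateLimit-* headers and 429 body. The class name,
// the injectable clock and the sample IP are assumptions.

const WINDOW_MS = 60 * 1000; // the documented limits are per minute

// Format like the docs' example value (2024-01-15T10:31:00Z, no milliseconds).
function isoSeconds(ms) {
  return new Date(ms).toISOString().replace(/\.\d{3}Z$/, 'Z');
}

class RateLimiter {
  constructor(limit, now = () => Date.now()) {
    this.limit = limit;       // e.g. 60 submissions per minute per IP
    this.now = now;           // clock function; injectable for deterministic tests
    this.windows = new Map(); // ip -> { start, count }
  }

  // Account for one request from `ip`. Returns the status and headers the
  // response should carry, plus the JSON error body when the limit is hit.
  check(ip) {
    const t = this.now();
    let w = this.windows.get(ip);
    if (!w || t - w.start >= WINDOW_MS) {
      w = { start: t, count: 0 }; // first request of a fresh window
      this.windows.set(ip, w);
    }
    const resetMs = w.start + WINDOW_MS;
    const headers = {
      'X-RateLimit-Limit': String(this.limit),
      'X-RateLimit-Reset': isoSeconds(resetMs),
    };

    if (w.count >= this.limit) {
      // Seconds until the window resets; this is the documented retry_after.
      const retryAfter = Math.ceil((resetMs - t) / 1000);
      headers['X-RateLimit-Remaining'] = '0';
      return {
        status: 429,
        headers,
        body: { error: 'Rate limit exceeded. Please try again later.', retry_after: retryAfter },
      };
    }

    w.count += 1;
    headers['X-RateLimit-Remaining'] = String(this.limit - w.count);
    return { status: 200, headers };
  }
}

// Constructed scenario: 60 submissions at 10:30:00, a 61st at 10:30:15 (limited,
// retry_after 45, like the docs' example), and one more once the window resets.
function simulate() {
  let clock = Date.parse('2024-01-15T10:30:00Z');
  const limiter = new RateLimiter(60, () => clock);
  const ip = '203.0.113.7'; // documentation IP range, constructed
  let afterSixty;
  for (let i = 0; i < 60; i++) afterSixty = limiter.check(ip);
  clock += 15 * 1000;
  const limited = limiter.check(ip);
  clock = Date.parse('2024-01-15T10:31:00Z');
  const afterReset = limiter.check(ip);
  return { afterSixty, limited, afterReset };
}
```

A fixed window is the simplest scheme and is what the X-RateLimit-Reset timestamp implies; it does allow up to 2× the limit across a window boundary, which is why production limiters often use a sliding window instead. The per-IP keying also means clients behind a shared NAT share one budget.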


Spam Protection

Honeypot Fields

Add invisible fields that only bots fill out:

    html
    <form action="https://atlasforms.app/f/abc123xyz" method="POST">
      <!-- Honeypot - hidden from humans -->
      <div style="position: absolute; left: -9999px;">
        <input type="text" name="_gotcha" tabindex="-1" autocomplete="off">
      </div>

      <input type="text" name="name" required>
      <button type="submit">Send</button>
    </form>

If _gotcha or _honeypot has a value, the submission is silently accepted but discarded.

Turnstile CAPTCHA

Cloudflare Turnstile provides invisible bot detection:

  • Get Turnstile keys from Cloudflare Dashboard
  • Add the widget to your form
  • Configure in Project Settings → Security

    html
    <form action="https://atlasforms.app/f/abc123xyz" method="POST">
      <input type="text" name="name" required>

      <div class="cf-turnstile" data-sitekey="0x4AAAAAAA..."></div>

      <button type="submit">Send</button>
    </form>

    <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

IP Blocking

Automatically block IPs that exhibit abusive behavior.

Automatic Blocking

IPs are blocked after repeated violations:

  • Rate limit exceeded multiple times
  • Suspicious request patterns
  • Failed CAPTCHA attempts

Manual Blocking

Admins can manually block IPs from the security dashboard.

Unblocking

Blocks expire automatically or can be removed manually.


Webhook Security

Signature Verification

All webhooks include HMAC-SHA256 signatures:

    X-Webhook-Signature: sha256=abc123...

Always verify signatures to prevent spoofed webhooks:

    javascript
    const crypto = require('crypto');

    // payload must be the raw request body (string or Buffer) exactly as
    // received, not JSON that was parsed and re-serialized
    function verifySignature(payload, signature, secret) {
      const expected = 'sha256=' + crypto
        .createHmac('sha256', secret)
        .update(payload)
        .digest('hex');

      const received = Buffer.from(signature || '');
      const computed = Buffer.from(expected);

      // timingSafeEqual throws when the lengths differ, so compare lengths first
      if (received.length !== computed.length) return false;
      return crypto.timingSafeEqual(received, computed);
    }

Webhook Secrets

Generate a secret in Project Settings → Security → Webhook Secret.


CSRF Protection

The dashboard uses CSRF tokens to prevent cross-site request forgery.

For API integrations:

  • API requests are authenticated via API keys (not cookies)
  • CSRF protection is not required for API endpoints

Data Security

Encryption

  • All data encrypted in transit (TLS 1.3)
  • Database encryption at rest
  • File storage encryption

Data Retention

  • Submissions stored indefinitely by default
  • Configure retention policies in project settings
  • Export and delete data anytime

GDPR Compliance

  • Export all user data via API
  • Delete submissions via dashboard or API
  • Data processing agreement available for Enterprise

Security Headers

Atlas sets security headers on all responses:

    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    Referrer-Policy: strict-origin-when-cross-origin

Audit Logging

Enterprise plans include security audit logs:

  • All authentication events
  • API key usage
  • Configuration changes
  • Suspicious activity alerts

Access logs in Admin → Security → Audit Log.

Reporting Vulnerabilities

Found a security issue? Email security@atlasforms.app.

We appreciate responsible disclosure and will:

  • Acknowledge receipt within 24 hours
  • Provide updates on remediation
  • Credit reporters (if desired)