Spam Protection and Files
Understand origin checks, rate limits, honeypots, FingerprintIQ, Turnstile, and file uploads.
Public forms need to accept real customer submissions without turning into an open spam relay. RogerIQ uses layered defenses.
Protection Layers
| Layer | Applies to | Behavior |
|---|---|---|
| Allowed origins | Public forms and beacons | Rejects disallowed browser origins. |
| Rate limit | All public submissions | Limits submissions per IP and form. |
| Honeypot | HTML, iframe, and JSON submit | Silently succeeds if the hidden bot field is filled. |
| FingerprintIQ | All public surfaces when configured | Soft-blocks confident bot signals. |
| Turnstile | Hosted RogerIQ form pages | Required only for hosted top-level form pages. |
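The sketch below shows how the first three layers in the table can be chained on the server. It is an added illustration, not RogerIQ's code: the check order, the window and budget values, the honeypot field name `website_url`, the response bodies, and the choice to let requests without an `Origin` header through to the next layer are all assumptions.

```javascript
// Added illustration, not RogerIQ source. Limits, names and check order are assumptions.
const WINDOW_MS = 60_000;             // assumed rate-limit window
const MAX_PER_WINDOW = 5;             // assumed budget per IP and form
const HONEYPOT_FIELD = "website_url"; // hypothetical hidden field name

const hits = new Map(); // "ip|formId" -> timestamps of recent accepted attempts

function rateLimited(ip, formId, now) {
  const key = `${ip}|${formId}`;
  // Keep only timestamps that are still inside the window.
  const recent = (hits.get(key) || []).filter((t) => now - t < WINDOW_MS);
  const limited = recent.length >= MAX_PER_WINDOW;
  if (!limited) recent.push(now);
  hits.set(key, recent);
  return limited;
}

// Returns { status, body, stored }; `stored` says whether the submission is kept.
function handleSubmission(form, req, now = Date.now()) {
  // Layer 1: allowed origins. Only browsers send Origin, so this filters
  // cross-site browser posts; scripted clients fall through to later layers.
  if (req.origin && !form.allowedOrigins.includes(req.origin)) {
    return { status: 403, body: { error: "Origin not allowed" }, stored: false };
  }
  // Layer 2: rate limit per IP and form.
  if (rateLimited(req.ip, form.id, now)) {
    return { status: 429, body: { error: "Rate limit exceeded" }, stored: false };
  }
  // Layer 3: honeypot. Answer exactly like a real success so the bot gets
  // no signal to adapt to, but do not store or forward anything.
  const trap = req.fields[HONEYPOT_FIELD];
  if (typeof trap === "string" && trap.trim() !== "") {
    return { status: 200, body: { ok: true }, stored: false };
  }
  return { status: 200, body: { ok: true }, stored: true };
}
```

Because the honeypot path returns the same response as a genuine success, the only way to tell the two apart is the server-side `stored` flag, which is the value to log when tuning the filter.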
Why Turnstile Is Hosted-Only
Turnstile is bound to RogerIQ-hosted form pages. Off-host embeds rely on honeypot, rate limit, and FingerprintIQ because third-party customer sites cannot generate a RogerIQ Turnstile token.
File Uploads
File fields are accepted through multipart form submissions. Files are validated and uploaded to R2 before the submission is finalized.
If any file is rejected, the endpoint returns:
```json
{
  "error": "File upload rejected",
  "issues": [
    { "field": "attachment", "message": "File type not allowed" }
  ]
}
```
Common Error Codes
| Status | Meaning |
|---|---|
| 400 | Invalid body, validation failed, spam protection failed, or file rejected. |
| 403 | Origin not allowed. |
| 404 | Form or beacon not found. |
| 410 | Form or beacon archived. |
| 429 | Rate limit exceeded. |