Field notes4 min read

How we stopped losing leads

Honeypots that fake success to bots, per-IP rate limits, and forms that fail loud with a phone number. How we made lead delivery fail-closed.

A lead form has two failure modes. The loud one is spam: bots hammering the endpoint, junk in the inbox, real inquiries buried. The quiet one is worse: a real lead submits the form, sees a success message, and the email never arrives because one configuration value went missing in a deploy. The loud failure is annoying. The quiet one costs real money, and nobody notices for weeks.

We hardened our lead pipeline against both, across every site we run, and one principle drives all of it: fail closed, fail visible. If the pipeline cannot truly deliver, nobody gets told that it did.

The honeypot that lies to bots

Every form carries a honeypot: an extra field invisible to humans, positioned where form-filling bots will complete it. A filled honeypot means a bot. That part is standard practice, and it filters a surprising share of junk on its own.

The twist is what happens next. Our servers do not reject the bot. They answer with success. The submission is silently discarded, no email is sent, and the bot walks away convinced it worked. Return an error instead and you invite the script to retry, adapt, and probe. Fake success ends the conversation.

Rate limits sized for humans

Every lead endpoint enforces a per-IP rate limit, typically five to eight submissions in ten minutes depending on the site. A human asking for a quote never notices a limit like that. A script hits the wall on its sixth attempt, and everything after it dies at the door before it can touch the email pipeline. The limiter itself is memory-bounded, so the protection can never become its own resource leak.

The quiet failure, and the phone number that fixes it

Now the failure nobody designs for. An email API key rotates and the new one never lands in production. An environment variable gets missed in a migration. On most sites, the form swallows the error and shows the thank-you page anyway, because nobody wrote the failure path. The visitor believes they reached you. They did not.

Our forms refuse to pretend. If the delivery pipeline is not configured, the endpoint returns an honest error, and the visitor sees a clear message with a phone number: something went wrong on our end, call us here. The lead still has a path to the business, and the business gets an immediate signal that something is broken.

A missing configuration value can never silently lose a lead.

It can feel wrong to show an error where a thank-you could go. But a visible error gets reported and fixed the same day. A silent one gets discovered during a slow month, followed by archaeology through the logs and an unanswerable question: how many did we lose?

The rest of the armor

Around those three pillars sits a set of smaller defenses. Each one is boring, and each one earns its place.

  • Request size caps and per-field length clamps, so an oversized payload cannot become a weapon.
  • Control characters stripped from every field, which kills header-injection tricks aimed at the email pipeline.
  • Every submitted value HTML-escaped before it touches the notification email.
  • Origin checks pinned to the site itself, so other sites cannot drive the endpoint.
  • Generic client-facing errors, so a probing script cannot learn which pieces of configuration exist.
  • A server-verified human challenge on the sites that need one.

And one courtesy that costs nothing: the notification email sets its reply-to address to the lead, so the business answers a new inquiry with one tap. The email itself is a branded summary of the full qualification flow, not a raw dump of fields.

Keep the promise even when the machine fails

The same philosophy shows up in a different corner of one build. On America Premier, an exit-intent offer promises visitors a remodel planning checklist in exchange for their details. We built it so the checklist renders in the browser even if the API call behind it fails. The visitor always receives what they were promised; the lead capture is the part allowed to degrade.

That ordering is the entire doctrine in one sentence: the visitor's experience fails last.

Test yours tonight

If you run a business on a lead form, here is a five-minute audit. On a staging copy, remove the email key and submit the form. If you see a thank-you page, you own a silent lead-loser, and it is worth fixing before you spend another dollar driving traffic to it.

Forms are the cheapest part of a website and the most expensive part to get wrong. Ours fail loudly, lie only to bots, and put a phone number where the apology goes. Looking back across the sites running this pipeline, that design has been one of the quietest, highest-value decisions in the studio.

formssecurityreliabilityconversion

Let's talk

Got something worth building?

Whether it's a brand-new site, a rebuild, or a product you can't find off the shelf — let's make it.

Or email hello@spiderdigitalgroup.com · reply within one business day · no pushy sales

Trusted by teams who ship

Belzona Baton RougeAmerica PremierAdvanced Applications SpecialistsPrime CoatSalyers ConstructionPolymer Nation