← knowledge.oriz.in

Never call Web3Forms from server-side code

rule rulesweb3formscontact-formscloudflareworkers

Never call Web3Forms from server-side code

Submit Web3Forms exclusively from the browser via fetch (or their documented HTML form post). Never proxy a Web3Forms request through a Cloudflare Worker, GitHub Action, or any other server-side context.

Why

Web3Forms has two operating modes:

  1. Browser-side, free — the access key is included in the form payload. Anti-spam runs via referrer + their own heuristics. This is the supported, free-tier path.
  2. Server-side, paid — requires upgrading the plan AND adding the caller's egress IP to a static allow-list. Cloudflare Workers do not have stable egress IPs (the request can leave from any of dozens of PoPs), so the allow-list approach is structurally broken for us.

That puts server-side use squarely on the wrong side of the no-card-on-file rule AND would need a subscription, which the no-subscriptions rule forbids anyway.

What to do instead

Exceptions

None.

See also