Self-Hostable Form Back End – OSS Alternative to Formspree
39 comments
·January 6, 2025alin23
Oia20
Thanks for the kind words about Formbee! I also think Formspark is great! I've been thinking about making the pricing options for Formbee more similar to how Formspark does their pricing.
n3storm
We have really easily implemented this service with Nocodb. I think the only feature missing would be the pow catpcha.
I would like to have a moment in my life to write down how we have done it.
Oia20
Nice! I've used Nocodb quite a bit myself, a big fan of it, especially as a free self hostable alternative to Airtables (which is way overpriced imo).
You have the form data being placed into a table, or being sent somewhere external?
n3storm
Also, we have tried in the past a Nocodb json field but was buggy. Nocodb 0.260 has been recently released and we would like to give it a try again to store extra data in some forms, like "Type of enquiry" or Support like contact forms, without having to create a table for each case.
We are succesfully using Nocodb as a Headless CMS too (for +10 microsites)
n3storm
We store submitted data for a while and purge periodically.
We have implemented a multitenant table for multiple websites, depending on which site has been contacted a different webhook is triggered for notification.
Oia20
very cool setup, I would be interested to read more into it if you do get around to writing it down!
include
nocodb fan here. also would love to see your work.
j45
Neat idea, Nocodb is pretty capable. Makes me want to also check if Supabase/Budibase has any decent ability to protect against malicious traffic.
Other things I've considered:
- Appwrite might be another one to look into (might be able to put some or all of these behind cloudflare for another layer).
- Post to some kind of workflow, like n8n and move on from there.
- Use a simple API gateway, pretty easy to isntall Tyk, Kong, etc that can detect malicious traffic.
rudasn
I've done contact form -> Google sheets -> to my email before for a static react (?) website. Worked quite well and was pretty simple iirc.
parkaboy
I signed up for the hosted version to try things out. Some quick feedback is that the dashboard copy (text) could be crystallized a bit more or provide a hint tooltip to help explain things a bit better.
Some examples:
* "Set up return email to return an email to users who submit your forms." - this is pretty clear what it means, but the phrasing is a bit awkward. -> "Set up automated response email for form submissions"
* "Allowed Domains": allowed for what? Allowed to receive form submissions from?
* When giving numbers (e.g. under API Usage), suggest adding units (e.g. "submissions") to the end.
* "Recipient Email" This seems a bit too ambiguous. suggest something more like ->"Address for receiving form submissions"
andershaig
@Oia20 One challenge with form -> email solutions is staying ahead of spam. I've been deep in this space with Kwes Forms [1] and have seen some pretty insane rates of spam usage. If you ever want to chat about some of the techniques I've used for prevention (everything from intelligent rate limiting to now a user scoring service that updates based on data about the user and following actions they take which autobans if they hit a score threshold).
With the self-hosted service, I guess that's up to the hoster but likely something you'll run into on your hosted version.
rendx
What has been working surprisingly well for the sites I maintain is to have a simple but custom "captcha" like "Enter 294 here:" (it can even be static), and to exclude the pages that have submission forms from search engine indexing.
chrismorgan
It may not even need to be a positive action.
I had a form that got about one spam message per day. In late 2021, I added a trivial hidden-by-CSS “If you are human, leave this field blank (required)” <input name=username> honeypot. (More details: <https://news.ycombinator.com/item?id=37058847>.)
For two and a half years, this filtered out all spam, except for one message in early 2023.
But I started this comment with “may not” because since 2024-02-10, I’ve received approximately 268 spam messages, of a few different patterns (still all very easy to identify visually). So some refinement of the idea may be needed. (I have no idea how many more have been filtered out; I never bothered tracking that. But I imagine that it’s still doing something useful.)
This is, of course, low-value-target stuff, scattergun spam rather than targetted spam.
avoutic
Yeah the scatter-gun spam is different.
From my experience with coding parts of Un-static [1], the advantage of having a single source for submissions for thousands of forms, is that you can filter out these more easily as well. As you can create partial fingerprints. Then just compare similarity between incoming submissions on other forms. And of course start blocking if you receive a scatter-gun message that matches partial fingerprints received across an increasing number of form endpoints.
andershaig
Definitely. Any kind of unique check (another example is just a uniquely named version of a classic hidden honeypot field like https://dev.to/felipperegazio/how-to-create-a-simple-honeypo...) is usually enough on it's own until you're a higher value target.
j45
That would be a nice blog post to read - not because it's proprietary, but dealing with spam traffic is so common.
Sometimes rate limiting individual sessions, and IPs, and combinations of them, and even using fingerprinting on suspected sessions of certain kinds.. to discover in some cases that a lot of small walls can sometimes cause some automated bots to move on.
andershaig
Absolutely. I was surprised both in the scale of spam attempts in certain scenarios and how quickly it died with different mitigation measures. It's a challenging thing to blog about because some of the heuristics can be fixed. To be super vague, when you have a certain amount of data about a user if metadata A should be correlated to metadata B and it isn't, that bumps the score. It's not enough on it's own if there are legitimate reasons it doesn't have to be correlated.
I'm always happy to chat through some of the details individually.
satvikpendem
This used to be what StaticKit did...until they were acquired by Formspree.
Oia20
interesting, I hadn't heard of StaticKit, looks like they were acquired by FormSpree in 2020, as I write this I realize that's now 5 Calendar years ago... Time is flying lol
satvikpendem
The founder was one of the cofounders of Drip, and now he runs SavvyCal. Apparently StaticKit wasn't profitable enough to run as a viable business.
Oia20
Did statickit function as more than just a form backend? I do feel like a form backend alone is hard to run as a viable business, but I find it to be an interesting enough problem to maintain an open source solution for.
colevscode
@Oia20 Great stuff! Very complete docs, and I dig the docker based self hosting with SMTP integration.
Oia20
Thank you!
samsquire
Thanks for sharing.
I am curious: how low maintenance is this?
Is this something that can be hosted for long periods of time without security interventions and updates?
Is it fire and forget?
throw646577
Everything old is new again.
elwebmaster
This doesn’t take long to build with LLM but what I find challenging to make is a beautiful and intuitive form builder. Is there any such open source solution out there? I found this one but IMO it is not usable outside of the dev community without heavy customizing: https://www.npmjs.com/package/react-form-builder2?activeTab=...
jason_zig
Not 100% on the nose with what you're looking for but I built Zigpoll (form builder for on-site surveys and forms) that may useful: https://www.zigpoll.com/
stevenicr
I suppose the easiest way to use this or similar and be compliant with Hipaa would be to send the data vai webhook to a Hipaa compliant thing..
I've been looking for self hostable: encryption before emailing and encryption at rest for form submissions dat saved in a server DB eg sql with wordpress moved to something else,
anyone having suggestions (things free or under $29 / mth) I'm all ears.
andershaig
HIPAA compliance is one of my focus areas: https://kwesforms.com/hipaa
Email is in my profile if you have any questions. Technically the HIPAA plan starts at $99/mo but I'll give you a discount code to get you to $29 if you give a try and are willing to jump on a call and do a feedback session with me after trying it.
(You can also try it for free before signing up for anything)
null
In case others are looking for a cheaper alternative to Formspree, I've been using https://formspark.io/ for all my websites [1] [2] [3]
I paid $25 a few years ago (can't even remember when) and I still have 47k out of the 50k submission credits I bought.
But I love to see a self-hostable alternative available, especially one that's as easy to use as running a `docker-compose` command. Sometimes you just need that control.
For example in my case, I would get app support emails all day and night, and even if I had DND enabled, I would wake to 3-6 emails that accumulated over night and my mornings would get hectic instantly. I would forget to eat for a long time and my mood would be irritable all day.
I had to place my own small API in front of Formspark to delay the emails for specific times of the day to avoid this. Something like FormBee would allow me to alter this in the server code directly instead of building yet another API.
[1] https://lowtechguys.com/contact
[2] https://lunar.fyi/contact
[3] https://alinpanaitiu.com/contact