Domain restriction
GlossaryA form setting that rejects submissions unless the request comes from your allowed domains.
Definition
Domain restriction is a per-form setting (Pro and above) that checks the `Origin` and `Referer` headers of each submission request. If the request comes from a domain not on your allowlist, FormLoom returns a 403 Forbidden. This prevents other sites from pointing their forms at your access key and consuming your submission quota.
Why it matters for form backends
Domain restriction is the primary defense against quota abuse by third parties who find your public access key in your source code.
FAQ
Server-side scripts can forge the Origin and Referer headers, so it's not foolproof. It stops most browser-based misuse, which is the common attack vector.
Related terms
Ready to put this into practice?
Add a form to your site in minutes — free access key, copy-paste snippet.