Self-Hostable Form Back End – OSS Alternative to Formspree
175 points by Oia20 4 days ago | 36 comments
  • n3storm 4 days ago |
    We have really easily implemented this service with Nocodb. I think the only feature missing would be the pow catpcha.

    I would like to have a moment in my life to write down how we have done it.

    • Oia20 4 days ago |
      Nice! I've used Nocodb quite a bit myself, a big fan of it, especially as a free self hostable alternative to Airtables (which is way overpriced imo).

      You have the form data being placed into a table, or being sent somewhere external?

      • n3storm 4 days ago |
        We store submitted data for a while and purge periodically.

        We have implemented a multitenant table for multiple websites, depending on which site has been contacted a different webhook is triggered for notification.

        • Oia20 4 days ago |
          very cool setup, I would be interested to read more into it if you do get around to writing it down!
      • n3storm 4 days ago |
        Also, we have tried in the past a Nocodb json field but was buggy. Nocodb 0.260 has been recently released and we would like to give it a try again to store extra data in some forms, like "Type of enquiry" or Support like contact forms, without having to create a table for each case.

        We are succesfully using Nocodb as a Headless CMS too (for +10 microsites)

    • include 4 days ago |
      nocodb fan here. also would love to see your work.
    • j45 4 days ago |
      Neat idea, Nocodb is pretty capable. Makes me want to also check if Supabase/Budibase has any decent ability to protect against malicious traffic.

      Other things I've considered:

      - Appwrite might be another one to look into (might be able to put some or all of these behind cloudflare for another layer).

      - Post to some kind of workflow, like n8n and move on from there.

      - Use a simple API gateway, pretty easy to isntall Tyk, Kong, etc that can detect malicious traffic.

      • rudasn 4 days ago |
        I've done contact form -> Google sheets -> to my email before for a static react (?) website. Worked quite well and was pretty simple iirc.
  • satvikpendem 4 days ago |
    This used to be what StaticKit did...until they were acquired by Formspree.
    • Oia20 4 days ago |
      interesting, I hadn't heard of StaticKit, looks like they were acquired by FormSpree in 2020, as I write this I realize that's now 5 Calendar years ago... Time is flying lol
      • satvikpendem 4 days ago |
        The founder was one of the cofounders of Drip, and now he runs SavvyCal. Apparently StaticKit wasn't profitable enough to run as a viable business.
        • Oia20 4 days ago |
          Did statickit function as more than just a form backend? I do feel like a form backend alone is hard to run as a viable business, but I find it to be an interesting enough problem to maintain an open source solution for.
          • satvikpendem 4 days ago |
            Only a backend with some frontend React components if I remember correctly
  • alin23 4 days ago |
    In case others are looking for a cheaper alternative to Formspree, I've been using https://formspark.io/ for all my websites [1] [2] [3]

    I paid $25 a few years ago (can't even remember when) and I still have 47k out of the 50k submission credits I bought.

    But I love to see a self-hostable alternative available, especially one that's as easy to use as running a `docker-compose` command. Sometimes you just need that control.

    For example in my case, I would get app support emails all day and night, and even if I had DND enabled, I would wake to 3-6 emails that accumulated over night and my mornings would get hectic instantly. I would forget to eat for a long time and my mood would be irritable all day.

    I had to place my own small API in front of Formspark to delay the emails for specific times of the day to avoid this. Something like FormBee would allow me to alter this in the server code directly instead of building yet another API.

    [1] https://lowtechguys.com/contact

    [2] https://lunar.fyi/contact

    [3] https://alinpanaitiu.com/contact

    • Oia20 3 days ago |
      Thanks for the kind words about Formbee! I also think Formspark is great! I've been thinking about making the pricing options for Formbee more similar to how Formspark does their pricing.
  • andershaig 4 days ago |
    @Oia20 One challenge with form -> email solutions is staying ahead of spam. I've been deep in this space with Kwes Forms [1] and have seen some pretty insane rates of spam usage. If you ever want to chat about some of the techniques I've used for prevention (everything from intelligent rate limiting to now a user scoring service that updates based on data about the user and following actions they take which autobans if they hit a score threshold).

    With the self-hosted service, I guess that's up to the hoster but likely something you'll run into on your hosted version.

    [1] https://kwesforms.com

    • j45 4 days ago |
      That would be a nice blog post to read - not because it's proprietary, but dealing with spam traffic is so common.

      Sometimes rate limiting individual sessions, and IPs, and combinations of them, and even using fingerprinting on suspected sessions of certain kinds.. to discover in some cases that a lot of small walls can sometimes cause some automated bots to move on.

      • andershaig 4 days ago |
        Absolutely. I was surprised both in the scale of spam attempts in certain scenarios and how quickly it died with different mitigation measures. It's a challenging thing to blog about because some of the heuristics can be fixed. To be super vague, when you have a certain amount of data about a user if metadata A should be correlated to metadata B and it isn't, that bumps the score. It's not enough on it's own if there are legitimate reasons it doesn't have to be correlated.

        I'm always happy to chat through some of the details individually.

    • rendx 4 days ago |
      What has been working surprisingly well for the sites I maintain is to have a simple but custom "captcha" like "Enter 294 here:" (it can even be static), and to exclude the pages that have submission forms from search engine indexing.
      • andershaig 4 days ago |
        Definitely. Any kind of unique check (another example is just a uniquely named version of a classic hidden honeypot field like https://dev.to/felipperegazio/how-to-create-a-simple-honeypo...) is usually enough on it's own until you're a higher value target.
      • chrismorgan 4 days ago |
        It may not even need to be a positive action.

        I had a form that got about one spam message per day. In late 2021, I added a trivial hidden-by-CSS “If you are human, leave this field blank (required)” <input name=username> honeypot. (More details: <https://news.ycombinator.com/item?id=37058847>.)

        For two and a half years, this filtered out all spam, except for one message in early 2023.

        But I started this comment with “may not” because since 2024-02-10, I’ve received approximately 268 spam messages, of a few different patterns (still all very easy to identify visually). So some refinement of the idea may be needed. (I have no idea how many more have been filtered out; I never bothered tracking that. But I imagine that it’s still doing something useful.)

        This is, of course, low-value-target stuff, scattergun spam rather than targetted spam.

        • avoutic 4 days ago |
          Yeah the scatter-gun spam is different.

          From my experience with coding parts of Un-static [1], the advantage of having a single source for submissions for thousands of forms, is that you can filter out these more easily as well. As you can create partial fingerprints. Then just compare similarity between incoming submissions on other forms. And of course start blocking if you receive a scatter-gun message that matches partial fingerprints received across an increasing number of form endpoints.

          [1]: https://un-static.com

  • colevscode 4 days ago |
    @Oia20 Great stuff! Very complete docs, and I dig the docker based self hosting with SMTP integration.
    • Oia20 3 days ago |
      Thank you!
  • throw646577 4 days ago |
    Everything old is new again.
  • elwebmaster 4 days ago |
    This doesn’t take long to build with LLM but what I find challenging to make is a beautiful and intuitive form builder. Is there any such open source solution out there? I found this one but IMO it is not usable outside of the dev community without heavy customizing: https://www.npmjs.com/package/react-form-builder2?activeTab=...
    • jason_zig 4 days ago |
      Not 100% on the nose with what you're looking for but I built Zigpoll (form builder for on-site surveys and forms) that may useful: https://www.zigpoll.com/
  • stevenicr 4 days ago |
    I suppose the easiest way to use this or similar and be compliant with Hipaa would be to send the data vai webhook to a Hipaa compliant thing..

    I've been looking for self hostable: encryption before emailing and encryption at rest for form submissions dat saved in a server DB eg sql with wordpress moved to something else,

    anyone having suggestions (things free or under $29 / mth) I'm all ears.

    • andershaig 4 days ago |
      HIPAA compliance is one of my focus areas: https://kwesforms.com/hipaa

      Email is in my profile if you have any questions. Technically the HIPAA plan starts at $99/mo but I'll give you a discount code to get you to $29 if you give a try and are willing to jump on a call and do a feedback session with me after trying it.

      (You can also try it for free before signing up for anything)

  • foxbee 4 days ago |
    How does this differ to Budibase?
    • cess11 4 days ago |
      It's much smaller and likely to be largely untested in production (since it just lost the MyProject name), but both run on Node so there are some similarities.
  • samsquire 4 days ago |
    Thanks for sharing.

    I am curious: how low maintenance is this?

    Is this something that can be hosted for long periods of time without security interventions and updates?

    Is it fire and forget?

  • nprateem 4 days ago |
    This is just one prompt away: write a lambda to forward emails to a configured email address
    • Oia20 3 days ago |
      I don't think that prompt alone would send your form data to your email. We're using Nodemailer under the hood, while you could "prompt engineer" your way to having functional forms, configuring things like custom SMTP would take more than just that prompt. The idea with Formbee is to have a fairly low friction way to send form data to email, or webhooks. With the hosted option its as simple as sending a post request, self hosting can be as easy as spinning up a docker image, and configuring a few env vars.

      Lambda is great though! We should add some Lambda boilerplate to our docs to make it easy to self host form submission with Lambda.

      • nprateem 3 days ago |
        Lambda + SES (+ SNS? I forget) works a treat. Dead simple, almost free to run.
  • parkaboy 3 days ago |
    I signed up for the hosted version to try things out. Some quick feedback is that the dashboard copy (text) could be crystallized a bit more or provide a hint tooltip to help explain things a bit better.

    Some examples:

    * "Set up return email to return an email to users who submit your forms." - this is pretty clear what it means, but the phrasing is a bit awkward. -> "Set up automated response email for form submissions"

    * "Allowed Domains": allowed for what? Allowed to receive form submissions from?

    * When giving numbers (e.g. under API Usage), suggest adding units (e.g. "submissions") to the end.

    * "Recipient Email" This seems a bit too ambiguous. suggest something more like ->"Address for receiving form submissions"