In order to complicate automated mass-submissions of forms, one possible solution would be to include a hidden field in the form that includes a timestamp, plus a second field that contains an HMAC for this timestamp value + a secret value.

Upon submission, we could check if the timestamp is legit (the HMAC signature is correct) and falls into a configurable range – so for example, only accept form submissions for forms rendered at least 30s ago and not older than 4 hours.

This does of course not prevent automated form submissions, but would at least require that forms be fetched periodically and kept on hold for some time before they can be abused.

The timestamp + HMAC cannot prevent the same form from being submitted multiple times, but it has the advantage that we do not need to keep state in the backend.

Another approach would be to issue unique form-IDs, but that would require some tracking mechanism (a database, key-value-store, ...) to keep the issued IDs, remove submitted and expire old ones. That would be more involved to set up.

For sure, it's not a perfect solution – but anyway, is that something you would support in this bundle and that you would accept a PR for? Or is this outside of what this bundle tries to provide?