This content originally appeared on dbushell.com (blog) and was authored by dbushell.com (blog)
I’ve ummed and ahhed over removing my contact form entirely. Quality enquiries are rare but still worth the risk of spam. I’d like to hold out a little longer. At least until “AI” apologists ruin the web (don’t pretend you’re not!) Until that day, I’m open for contact.
Contact submissions are sent to my inbox using PGP encryption (a technical exercise) properly signed by my @dbushell.com domain. With Proton using true end-to-end encryption, there isn’t opportunity for traditional spam filters.
My new tactic is inspired by… 🥁
Progressive Enhancement
Progressive enhancement is the act of building for the web, with the web. First, you create an accessible baseline that works for all users. Second, you enhance it with fancy functionality based on browser capabilities. Web standards give us the tools.
This is a tried, tested, and true practice. And yet developers still clown around with new ideas like FOUN (Flash of Unbroken Next.js). It’s a bold strategy, but I’ll stick to the classics.
Progressive enhancement has never been easier with CSS @supports and JavaScript APIs like matchMedia. No JavaScript? No problem.
Now that said, this new FOUN trend gave me an idea. Like Next.js, what if I purposefully downgraded the experience?
Progressive Dehancement
My contact form is already progressively enhanced. By default it sends a POST submission that gets a redirect response. I enhance that with a web component using JavaScript’s fetch to avoid a page refresh. It’s not the fanciest thing on the web but it’s a small enhancement.
Standard <form> submissions and fetch requests differ in how they POST data. A back-end server or worker can differentiate between the two by:
- Checking for CORS headers
- Checking the
content-typeheader
Regular <form> posts default to:
content-type: application/x-www-form-urlencodedWhilst fetch requests default to:
content-type: multipart/form-dataWhen using FormData which is by far the easiest method.
I know what you’re thinking, and yes, headers are easily changed.
I’ve eyeballed hundreds of submissions over the years. 90% of bots use the baseline and 99% of humans use the enhanced fetch version. Your milage may vary. I flag email subjects with “A” or “B” to know what method was used. With this knowledge I can apply heavier counter defences against spam.
If a bot is suspected through progressive dehancement I will:
- Decline all
gmail.comandoutlook.comaddresses - Decline phrases like “SEO”, “unsubscribe”, and “click here”
- Decline scripts like Cyrillic and recently Hangul
I’ve had a sudden influx in Korean cryptocurrency scams. I thought that bubble had burst? I’m 100% confidence I’ll never get a legitimate contact from Google Mail users via a basic POST submission. This experiment has been running and tweaked for over a year.
I’m happy to attempt to converse in other languages. The chance of blocking a real human is slim but not impossible. It’s a calculated risk.
Maybe I should just get it over with and delete the contact form?
This content originally appeared on dbushell.com (blog) and was authored by dbushell.com (blog)
dbushell.com (blog) | Sciencx (2025-05-02T10:00:00+00:00) Progressive Dehancement. Retrieved from https://www.scien.cx/2025/05/02/progressive-dehancement/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.