Lead Capture

Hardened Lead-Form Route With Validation and Bot Checks

A server-validated lead form that rejects junk at the edge: Zod schema validation, Cloudflare Turnstile bot verification, rate limiting, and honeypot — before a single row touches the database.

Start a ProjectAll Case Studies
HMX Zone
Zod 4 validation

Verified HMX-owned case

Outcome signals

These are the real outcome statements attached to this HMX case study.

Bot-checked
Turnstile verified server-side, not client-trusted
Rate-limited
per-IP caps stop submission floods
Schema-clean
malformed payloads rejected before any DB write
Non-blocking
email failures never lose a captured lead

Case architecture

Hardened Lead-Form Route With Architecture

6 nodes
a Zod schema as the single
Render the form as a
Next
Zod 4 validation
Fallback Path
Lead Capture
  1. 01a Zod schema as the single

    A server-validated lead form that rejects junk at the edge: Zod schema validation, Cloudflare Turnstile bot verification, rate limiting, and honeyp...

  2. 02Render the form as a

    Render the form as a progressive-enhancement Server Action so it works without client JS

  3. 03Next

    Next.js Server Actions supports the route, form, or data boundary for Hardened Lead-Form Route With so public UX and backend state stay connected.

  4. 04Zod 4 validation

    Add a Turnstile widget and verify the token server-side before trusting the submission

  5. 05Fallback Path

    When automation confidence is low, route the record to a manual owner with the source, stage, and last action attached.

  6. 06Lead Capture

    Bot-checked Turnstile verified server-side, not client-trusted; Rate-limited per-IP caps stop submission floods; Schema-clean malformed payloads re...

Problem

The operating gap

A naive contact form trusts the browser. Spam bots flood the inbox, malformed payloads break downstream email, and there is no rate limit, so a single script can submit thousands of fake leads and poison the CRM.

Build

What gets built

Process every submission through a Next.js Server Action: parse and coerce input with a Zod schema, verify a Cloudflare Turnstile token server-side, apply Upstash rate limiting keyed by IP, and drop a hidden honeypot. Only clean, human, rate-limited payloads get written via the service-role Supabase client; email send stays non-blocking after insert.

Build steps

Hardened Lead-Form Route With Validation and Bot Checks uses a web app route, data, and conversion layer for Full-Stack Websites. A server-validated lead form that rejects junk at the edge: Zod schema validation, Cloudflare Turnstile bot verification, rate limiting, and honeyp... The architecture connects a zod schema as the single, next, zod 4 validation, and lead capture with an explicit control path.

  1. 01Define a Zod schema as the single contract for field shape, length caps, and coercion
  2. 02Render the form as a progressive-enhancement Server Action so it works without client JS
  3. 03Add a Turnstile widget and verify the token server-side before trusting the submission
  4. 04Gate the action with Upstash rate limiting by IP plus a hidden honeypot field
  5. 05Insert with the server-only service-role client, then fire the notification email non-blocking
  6. 06Add a validation test suite so schema and rejection rules are locked against regressions

Stack

Tools and layers

  • Next.js Server Actions
  • Zod 4 validation
  • Cloudflare Turnstile
  • Upstash Ratelimit + Redis
  • Supabase (service-role write)
  • Resend (non-blocking email)
  • Experience layer: Define a Zod schema as the single contract for field shape, length caps, and coercion
  • Server layer: Render the form as a progressive-enhancement Server Action so it works without client JS
  • Database layer: Next.js Server Actions supports the route, form, or data boundary for Hardened Lead-Form Route With so public UX and backend state stay connected.
  • Automation layer: Zod 4 validation handles routine steps while process every submission through a Next.js Server Action: parse and coerce input with a Zod schema, verify a Cloudflare Turnstile token server-side...
  • Measurement layer: Bot-checked Turnstile verified server-side, not client-trusted; Rate-limited per-IP caps stop submission floods; Schema-clean malformed payloads re...

Data flow

  1. 01Define a Zod schema as the single contract for field shape, length caps, and coercion
  2. 02Render the form as a progressive-enhancement Server Action so it works without client JS
  3. 03Add a Turnstile widget and verify the token server-side before trusting the submission
  4. 04Gate the action with Upstash rate limiting by IP plus a hidden honeypot field
  5. 05Insert with the server-only service-role client, then fire the notification email non-blocking
  6. 06Add a validation test suite so schema and rejection rules are locked against regressions

Controls

  • A naive contact form trusts the browser.
  • Process every submission through a Next.js Server Action: parse and coerce input with a Zod schema, verify a Cloudflare Turnstile token server-side...
  • When automation confidence is low, route the record to a manual owner with the source, stage, and last action attached.

Research basis

A route assembles through form, data, metadata, and deploy checks.

The same website operating path

Full-stack websites for service businesses and operators: route architecture, service pages, lead capture, metadata, proof boundaries, blog/database paths, analytics, and deployment checks.

Route map

Service architecture

Clear service routes

01active
Progress72%

Lead capture

Form and context flow

Lead capture that saves context

02active
Progress86%

Public metadata

SEO and schema layer

SEO and schema on public pages

03active
Progress64%

Launch QA

Analytics and deployment checks

Analytics events tied to CTAs

04active
Progress91%

Build a website with the same traceability.

Start a ProjectView Proof
All systems operational
HMX Zone
(c) 2026 HMX Zone