
Making a Public Form Secure: Tokens, Idempotency & Real-World Backend Design
I thought building a form was easy… until I tried making it secure. While designing a recruitment form for a college club, I realized that the real challenge is not collecting data — it is making sure the system behaves correctly under real-world conditions. Let’s walk through how I approached this problem step by step.

Understanding the Problem

The form was public. Users could submit it using:
- Mobile data
- College Wi-Fi

A common beginner approach is to block users based on IP address after submission. At first glance, this seems reasonable. But in real-world networks, especially Wi-Fi, multiple users share the same public IP due to NAT.

100 users → 1 IP

If we block that IP, we end up blocking everyone connected to that network. Clearly, this approach fails.

Solution 1 — IP-Based Blocking

The idea
- Track submissions by IP
- Block further requests from the same IP

Why it seems useful
- Simple to implement
- Works in small, isolated environments

Drawbacks
- Breaks in shared networks (Wi-Fi, office
Continue reading on Dev.to Webdev


