statamic · jasonvarga · Apr 28, 2026 · Apr 27, 2026 · Apr 27, 2026 · Apr 28, 2026
diff --git a/src/Fields/Validator.php b/src/Fields/Validator.php
@@ -186,12 +186,12 @@ public function filterPrecognitiveRules($rules)
     {
         $request = request();
 
-        if (! $request->headers->has('Precognition-Validate-Only')) {
+        if (! $request->headers->has('Precognition')) {
             return $rules;
         }
 
         return Collection::make($rules)
-            ->only(explode(',', $request->header('Precognition-Validate-Only')))
+            ->only(explode(',', $request->header('Precognition')))
             ->all();
     }
 }
diff --git a/tests/Tags/Form/FormCreateAlpineTest.php b/tests/Tags/Form/FormCreateAlpineTest.php
@@ -3,6 +3,7 @@
 namespace Tests\Tags\Form;
 
 use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\Form;
 use Statamic\Statamic;
 
 class FormCreateAlpineTest extends FormTestCase
@@ -932,6 +933,22 @@ public function it_dynamically_renders_precognition_text_field_x_on_change()
         $this->assertFieldRendersHtml(['<input id="[[form-handle]]-form-name-field" type="text" name="name" value="" x-model="form.name" @change="form.validate(\'name\')">'], $config, [], ['js' => 'alpine_precognition']);
     }
 
+    #[Test]
+    public function it_wont_submit_form_when_precognition_validate_only_header_is_spoofed()
+    {
+        $this->assertEmpty(Form::find('contact')->submissions());
+
+        $this
+            ->withHeaders([
+                'Precognition-Validate-Only' => 'foo',
+            ])
+            ->post('/!/forms/contact', [])
+            ->assertSessionHasErrors(['email'], null, 'form.contact')
+            ->assertLocation('/');
+
+        $this->assertEmpty(Form::find('contact')->submissions());
+    }
+
     private function jsonEncode($data)
     {
         return Statamic::modify($data)->toJson()->entities();