Securing Your Forms By Preventing Spam Submitted Using Honeypot

Every website suffers from spam bot registration; for those who don't know what that is, it's when a bot registers or submits a form with garbage data from public forms from your website. It can be for spam purposes, data collection, etc., but it is never good for a website.

To Avoid that you can use,

Honeypot Technique

The honeypot technique is a cybersecurity strategy used to detect, deflect, or study unauthorized access to systems. This technique is used for a large number of cases ranging from websites to servers. In this, we set up a decoy or fake target for the attacker, which appears vulnerable or valuable to attackers.

Once the decoy is attacked, we know that our system was attacked, and actions can be taken accordingly.

Implementing Honeypot in a form

The implementation of the honeypot happens in two steps: frontend and backend.

Frontend

To implement a honeypot in a form, we need to add a hidden input field in the form. But I would strongly suggest not to use type hidden, as spam bit creators are now checking the type of the input before filling the form with garbage data. What you can do is hide the input with CSS, I would also restrain myself from using obvious CSS classes like hide or hidden for the same reason.

< input name="hp" type="text" class="dont-show" />

Backend

Because this field is invisible to the user whenever a real user fills the form, this field will always be empty, but if the form is filled by a bot, this field will be filled too because a bot can not differentiate between a hidden and non-hidden input. So, while submitting the form, we will check if this particular field has data or not. if we find data in this field, the request is from a spam bot, and we can discard it.

// check if request gave data in honeypot field
if ($request->filled('hp')) {
    // redirect to spam page
    return redirect()->route('spam');
}

Advancement

If you want, you can also add a timestamp input hidden and disabled with values as the current date and time. At the time of submission, you check the time difference between the form timestamp and submission time, if the time difference is ridiculously low, like a few seconds, that also means the form was submitted by a bot.

Feel free to suggest more security or implementation techniques in the comments section.