Web security

Honeypot anti spam

Note: this does not stop spammers who intentionally write scripts that target this specific website (the same way we write automation test scripts). It is only meant to stop (sophisticated) generic spam bots that are designed to hit whatever sites they come across.

  • Build the form without the <form> tag. Submit it via JavaScript (an AJAX submission).
  • Reject forms submitted in under 5 seconds (configurable)
    • Insert a hidden field into the form. Fill it with the server's current timestamp. Encrypt (not encode) the value
    • Upon form submission:
      • If the value is not sent back, reject
      • If the interval < 5 seconds, reject
  • Add empty invisible fields (called honeypot fields) to the form and reject the submission if any of them is not empty when the form is submitted.
    • Don't just add one field; add several, each hidden with a different technique so they stay invisible to real users:
      • position:absolute; height:0; width:0; left:-1000px; top:-1000px
      • Put the field in a div, then style the DIV: text-indent: 100%; white-space: nowrap; overflow: hidden;
      • z-index: -1
      • opacity: 0;
      • visibility: collapse
    • Notes:
      • Hide some fields with CSS and some with JavaScript (nowadays sophisticated bots can interpret CSS)
      • All these fields must have autocomplete="nope" (see https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion)
      • Shuffle the position of the honeypot fields in the form (prevents bots from always skipping the n-th field)
      • Use non-standard names for the real fields
      • Use names that bots like for the honeypot fields (url, email, name, homepage, phone, fax, comment, description ...)
      • For IDs and CSS class names, use ones that look real, e.g. avoid names like honeypot, hidden ...
      • Associate each honeypot field with a <label> tag
      • Do not return any error if a honeypot check fails (respond exactly as for a successful submission, so a bot cannot tell it was caught)
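A server-side implementation of the timestamp and honeypot checks above, added here as an example (it is not code from the original notes). It assumes a hidden field named _t and honeypot fields named url, homepage and fax; where the notes say to encrypt the timestamp, this example instead authenticates it with an HMAC, since what the check needs is that a bot cannot forge or alter the value, and Python's standard library has no symmetric cipher.

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: in practice load a persistent key from config
MIN_SECONDS = 5                        # the notes' configurable "under 5 seconds" threshold
HONEYPOT_FIELDS = ("url", "homepage", "fax")   # bot-attractive names, as the notes suggest
TAG_LEN = hashlib.sha256().digest_size
ACCEPTED = []   # constructed stand-in for "store the message"


def issue_token(now=None, key=SERVER_KEY):
    """Value for the hidden field _t: timestamp plus HMAC tag, so it cannot be forged or edited."""
    ts = str(int(time.time() if now is None else now)).encode()
    tag = hmac.new(key, ts, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ts + tag).decode()


def check_submission(form, now=None, key=SERVER_KEY):
    """Apply the notes' checks to a submitted form (a dict); True means all of them passed."""
    now = time.time() if now is None else now
    token = form.get("_t", "")
    if not token:                                  # value not sent back -> reject
        return False
    try:
        raw = base64.urlsafe_b64decode(token)
        if len(raw) <= TAG_LEN:                    # too short to hold timestamp + tag
            return False
        ts, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(key, ts, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # tampered or forged token
            return False
        issued = int(ts)
    except ValueError:                             # bad base64 or non-numeric timestamp
        return False
    if now - issued < MIN_SECONDS:                 # filled in too fast for a human
        return False
    for name in HONEYPOT_FIELDS:                   # any honeypot field with content -> bot
        if form.get(name, ""):
            return False
    return True


def handle_post(form, now=None):
    """Same response whether or not the checks pass, so a bot learns nothing from the reply."""
    if check_submission(form, now):
        ACCEPTED.append(dict(form))
    return "200 OK: Thanks, your message was received."
```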