Honeypot fields: a single hidden input that filters 95% of bots
The trick
Bots that crawl pages and auto-fill forms don't run your JS, don't read your CSS, and don't think about which fields are visible. They look at the DOM, find every <input>, and fill them all.
So you add an extra input that humans never see and never type into:
<label class="hp"> Leave this empty: <input name="website" tabindex="-1" autocomplete="off" /> </label>
.hp { position: absolute; left: -9999px; }If your server receives a non-empty website, it's a bot. Drop the request silently.
Why offscreen-CSS, not type="hidden"
<input type="hidden"> is invisible to bots too β they fill it because it's still in the DOM. The "absolute, -9999px" trick keeps it focusable + parseable by bots while invisible + non-tab-stoppable for humans.
Other moves layered on top:
tabindex="-1"β sighted keyboard users won't tab into it.autocomplete="off"β browser doesn't autofill it.aria-hidden="true"β screen readers ignore it.- Name it something innocuous (
website,url,nameβ NOThoneypot).
What this is not
Not a CSRF defence. Not a rate-limiter. Not a Turing test. It's a cheap first filter that costs nothing and trips up automated form-fillers. Pair it with rate-limiting + CSRF token.
Sign up to start coding
Theory is open to everyone. The interactive editor, live preview, and check are unlocked with a 7-day free trial β card required, cancel anytime.
Sign up β free trial βFirst 10 lessons in each track are free. No card needed for those.