Comfyform logo
Our website is still under development, but we would be thrilled to have you join our community of first users. Become an early adopter →

How to make the honeypot field the most efficient

Jan Švábík
by Jan Svabik • 8/9/2023 • 4 minutes read

As the internet continues to grow and evolve, so do the security risks associated with it. One of the most common security risks for websites is spam form submissions, which can be not only annoying but also potentially dangerous. To combat this issue, web developers have come up with a clever solution: the honeypot field.

What is a honeypot field?

A honeypot field is a security feature that is added to web forms to help prevent spam submissions. It is a hidden field that is not visible to users but is added to the form to trick spambots into filling it out. The honeypot field is designed to look like a regular field in the code and is given a generic name, such as phone or website. However, it is not meant to be filled out by users, as it is hidden from view.

How does a honeypot field work?

The way a honeypot field works is by tricking spambots into thinking that it is a regular field on the form that needs to be filled out. Spambots are automated programs that are designed to fill out web forms with spam content. When a spambot encounters a honeypot field, it will typically fill it out, thinking that it is a required field on the form. However, because the field is hidden, a human user will not see it and will not fill it out. This allows the website to identify the submission as spam and take appropriate action.

How to make a honeypot field the most efficient?

There are a few things to keep in mind in order to make a honeypot field as efficient as possible. The main factor is to ensure that the honeypot field looks as similar as possible to the other input fields. This means that the honeypot field should appear to be a valid input in the code.

Use a generic name

When creating a honeypot field, it is important to use a generic input name that will not be easily recognized as a honeypot. Names like phone or website are good examples of generic names that are commonly used.

We have had success with using the names emailHp or hpEmail for the honeypot field. Both names have proven to work well, and we would generally recommend using either of them. Based on our experience, we can confidently suggest using one of these names for your honeypot field.

Make it hidden

The honeypot field should be hidden from view using CSS. This is because a human user should not be able to see or interact with the honeypot field. If the honeypot field is visible, a user may accidentally fill it out, defeating the purpose of the honeypot.

It is not advisable to use inline styling like style="display: none;" or adding a class with words like “hidden” or “honeypot”. This is because advanced spambots can detect such fields and avoid them, causing spam submissions to be sent. Instead, assign a normal-looking class to the parent element and use the following CSS rules to move the element out of the browser viewport (so it remains hidden from humans):

.move-out {
    position: absolute;
    left: -9999px;
}

Also, ensure that you set up tabindex="-1" and autofocus="nopls" attributes on the honeypot field to prevent accidental focus or autocomplete by the browser. It’s worth noting that using autofocus="off" is not recommended, as some browsers may ignore it and still fill the field for the user.

Consider not telling the spammer it did not pass

To prevent spambots from detecting failed submissions and attempting to resubmit with different values, consider serving a normal 200 OK response for both valid and invalid submissions on the server.

Don’t rely solely on honeypot fields

While honeypot fields can be incredibly effective in detecting spam submissions, they should not be the only security measure implemented. It is crucial to use other security measures, such as CAPTCHAs or other forms of verification to ensure that the form has been submitted by a real person. Another effective strategy is to use a time trap field or a honeypot field combined with JavaScript, or just to combine the honeypot field with other spam protection methods.

Conclusion

In conclusion, honeypot fields are a clever and effective way to prevent spam submissions on web forms. To utilize this method effectively, web developers should use a generic name, hide the field, and set up accessibility attributes correctly. This results in the elimination of fake form submissions, allowing the end user to respond properly only to the valid ones.

Table of Contents

  1. What is a honeypot field?
  2. How does a honeypot field work?
  3. How to make a honeypot field the most efficient?
    1. Use a generic name
    2. Make it hidden
    3. Consider not telling the spammer it did not pass
  4. Don’t rely solely on honeypot fields
  5. Conclusion

Manage forms effortlesly

Create a free account