Oh Dear is the all-in-one monitoring tool for your entire website. We monitor uptime, SSL certificates, broken links, scheduled tasks and more. You'll get a notifications for us when something's wrong. All that paired with a developer friendly API and kick-ass documentation. O, and you'll also be able to create a public status page under a minute. Start monitoring using our free trial now.

Preventing spam submitted through forms

Original – by Freek Van der Herten – 2 minute read

When adding a form to a public site, there's a risk that spam bots will try to submit it with fake values. We recently released a new package, called laravel-honeypot, that can detect these spammy requests.

How honeypots work

The majority of spam bots are pretty dumb. You can thwart most of them by adding an invisible field to your form that should never contain a value when submitted. Such a field is called a honeypot. These spam bots will fill all fields, including the honeypot. When a submission comes in with a filled honeypot field, our package will discard that request.

Using the package

Using it is easy. First, you must add the @honeypot blade directive to any form you wish to protect.

<form method="POST" action="{{ action(App\Http\Controllers\ContactFormSubmissionController::class, 'create') }}")>
    <input name="myField" type="text">

@honeypot will add two fields: my_name and my_time (you can change the names in the config file).

Next, you must use the Spatie\Honeypot\ProtectAgainstSpam middleware in the route that handles the form submission. This middleware will intercept any request that submits a non-empty value for the key named my_name.

Most humans need a bit of time to fill out a form. The other field added by the Blade directive, my_time, is used to detect if the form was submitted faster than a second.

use App\Http\Controllers\ContactFormSubmissionController;
use Spatie\Honeypot\ProtectAgainstSpam;

Route::post([ContactFormSubmissionController::class, 'create'])->middleware(ProtectAgainstSpam::class);

If your app has a lot of forms handled by many different controllers, you could opt to register it as global middleware.

// inside app\Http\Kernel.php

protected $middleware = [
   // ...

In closing

A honeypot is an excellent first line of defense against spam. In my projects, it could prevent most cases of spam submission. Though a honeypot easily fools most bots, there are smarter bots around too that after a while can detect the honeypot fields. In that case, a Google Recaptcha or using a service like Akismet can be a good second line of defense.

If you like laravel-honeypot, be sure to check out the other packages team Spatie has released previously.

Stay up to date with all things Laravel, PHP, and JavaScript.

You can follow me on these platforms:

On all these platforms, regularly share programming tips, and what I myself have learned in ongoing projects.

Every month I send out a newsletter containing lots of interesting stuff for the modern PHP developer.

Expect quick tips & tricks, interesting tutorials, opinions and packages. Because I work with Laravel every day there is an emphasis on that framework.

Rest assured that I will only use your email address to send you the newsletter and will not use it for any other purposes.


What are your thoughts on "Preventing spam submitted through forms"?

Comments powered by Laravel Comments
Want to join the conversation? Log in or create an account to post a comment.