Preventing spam submitted through forms

Original – by Freek Van der Herten – 2 minute read

When adding a form to a public site, there's a risk that spam bots will try to submit it with fake values. We recently released a new package, called laravel-honeypot, that can detect these spammy requests.

How honeypots work

The majority of spam bots are pretty dumb. You can thwart most of them by adding an invisible field to your form that should never contain a value when submitted. Such a field is called a honeypot. These spam bots will fill all fields, including the honeypot. When a submission comes in with a filled honeypot field, our package will discard that request.

Using the package

Using it is easy. First, you must add the @honeypot blade directive to any form you wish to protect.

<form method="POST" action="{{ action([App\Http\Controllers\ContactFormSubmissionController::class, 'create']) }}">
    @honeypot
    <input name="myField" type="text">
</form>

@honeypot will add two fields: my_name and my_time (you can change the names in the config file).

Next, you must use the Spatie\Honeypot\ProtectAgainstSpam middleware in the route that handles the form submission. This middleware will intercept any request that submits a non-empty value for the key named my_name.

Most humans need a bit of time to fill out a form. The other field added by the Blade directive, my_time, is used to detect whether the form was submitted less than a second after it was rendered.

use App\Http\Controllers\ContactFormSubmissionController;
use Spatie\Honeypot\ProtectAgainstSpam;

// '/contact' stands in for whatever URI your form posts to
Route::post('/contact', [ContactFormSubmissionController::class, 'create'])->middleware(ProtectAgainstSpam::class);

If your app has a lot of forms handled by many different controllers, you could opt to register it as global middleware.

// inside app\Http\Kernel.php

protected $middleware = [
   // ...
   \Spatie\Honeypot\ProtectAgainstSpam::class,
];
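The two checks described above (the invisible my_name field must stay empty, and my_time must show the form was open for at least a second), as an added framework-free PHP sketch that is not laravel-honeypot's own code. The display:none wrapper, the HMAC-signed timestamp and the SECRET constant are assumptions about one way to implement it, not a description of the package's internals.

```php
<?php
// Added illustration, not laravel-honeypot's own code: a framework-free
// version of the two checks the package performs. Field names match the
// post; the signing secret and the hiding technique are assumptions.
declare(strict_types=1);

const HONEYPOT_FIELD = 'my_name';
const TIME_FIELD     = 'my_time';
const MIN_SECONDS    = 1;
const SECRET         = 'replace-with-your-app-key'; // placeholder, not a real key

// Sign the render timestamp so a bot cannot post a forged "opened long ago" value.
function signedTime(int $renderedAt, string $secret = SECRET): string
{
    return $renderedAt . '.' . hash_hmac('sha256', (string) $renderedAt, $secret);
}

// Render-time: the markup @honeypot stands for. Humans never see the text input.
function honeypotFields(int $renderedAt): string
{
    return sprintf(
        '<div style="display:none"><input name="%s" type="text" value="" tabindex="-1" autocomplete="off"></div>'
        . '<input name="%s" type="hidden" value="%s">',
        HONEYPOT_FIELD, TIME_FIELD, signedTime($renderedAt)
    );
}

// Submit-time: true when the request should be discarded as spam.
function looksLikeSpam(array $post, int $now, string $secret = SECRET): bool
{
    // 1. The invisible field must be present and still empty.
    if (($post[HONEYPOT_FIELD] ?? null) !== '') {
        return true;
    }
    // 2. The time field must carry a timestamp we signed ourselves...
    $parts = explode('.', (string) ($post[TIME_FIELD] ?? ''), 2);
    if (count($parts) !== 2 || preg_match('/\A\d+\z/', $parts[0]) !== 1
        || !hash_equals(hash_hmac('sha256', $parts[0], $secret), $parts[1])) {
        return true;
    }
    // 3. ...and the form must have been open for at least MIN_SECONDS.
    return ($now - (int) $parts[0]) < MIN_SECONDS;
}

// Constructed submissions: a human who took five seconds, and a bot that
// filled every field (honeypot included) the instant the page rendered.
$renderedAt = 1700000000;
$human = [HONEYPOT_FIELD => '', TIME_FIELD => signedTime($renderedAt)];
$bot   = [HONEYPOT_FIELD => 'https://spam.example', TIME_FIELD => signedTime($renderedAt)];
var_dump(looksLikeSpam($human, $renderedAt + 5), looksLikeSpam($bot, $renderedAt));
```

Run it with `php honeypot.php`; the first result is the human submission, the second the bot's.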

In closing

A honeypot is an excellent first line of defense against spam. In my projects, it could prevent most cases of spam submission. Though a honeypot easily fools most bots, there are smarter bots around too that, after a while, can detect the honeypot fields. In that case, Google reCAPTCHA or a service like Akismet can be a good second line of defense.

If you like laravel-honeypot, be sure to check out the other packages team Spatie has released previously.
