How to prevent robots from automatically filling up a form?

Enhanced techniques for bot prevention

Time-based analysis

Compare the timestamp when the form was accessed to when it was submitted. If it's too fast, it's likely a bot.

session_start();
// Clock starts ticking...
$_SESSION['form_started'] = time();

// Later, when submission arrives:
$duration = time() - $_SESSION['form_started'];
if ($duration < 5) { // Anything less than 5 seconds? Bot Alert!
  // Too fast, must be a bot
}


Non-JavaScript users

For users with JavaScript disabled, use a noscript tag to instruct them to leave the honeypot field blank.

<noscript>Keep this field blank, it's a secret mission</noscript>
<input type="text" name="_hidden" />


Mastering CSS hiding

Get creative with CSS to make the field invisible but not display:none.

._hidden { 
  // Hide & Seek champion
  position: absolute;
  left: -9999px;
}


Dynamic form seeking

As a secondary defense, Load the form with AJAX. But be aware it's not effective if JavaScript is disabled.

function loadForm() {
  // Fetch and display the form
}
// Even bots hate queues
if (window.addEventListener) window.addEventListener("load", loadForm, false);
else if(window.attachEvent) window.attachEvent("onload", loadForm);


Never forget a fallback for non-JS users.

Keep evolving defenses

Keeping one step ahead is game, bots are evolving too. Your defenses should be adaptive.

Diving headfirst into the honeypot

Battling smart bots

When bots start dissecting CSS and unpacking JavaScript, it's time to revisit your form submissions and tighten security.

Accessibility first

Your security checks shouldn't hinder accessibility. A fully secured form won't matter if it isn't easily accessible.

Trust issues with the server

Never solely rely on the honeypot. Having a secondary server-side validation adds much necessary backup.

Privacy counts

If you store user data like timing or other forensics, ensure you comply with the GDPR and other privacy regulations.