Honeypot fields catch bots
Why it matters
Submission forms without honeypot fields let cheap bot scripts flood the platform with spam accounts, fake posts, comment payloads, and referral abuse at near-zero cost. That drives moderation backlog, pollutes search and recommendation surfaces, burns database rows and email quota, and erodes trust in user-generated content. Honeypots are a low-friction first filter that stops naive scrapers before they reach rate limiters or human moderators, complementing access-control defenses.
Severity rationale
Low because honeypots are a soft defense; missing them increases spam volume but does not directly breach accounts or data.
Remediation
Add a hidden decoy input to every public submission form with a plausible name like website_url or company, mark it aria-hidden="true" and tabindex="-1", and reject requests server-side whenever the field is non-empty. Enforce the check in the route handler, not in client JS, so headless bots cannot bypass it.
// src/app/api/posts/route.ts
export async function POST(req: Request) {
  const body = await req.json();
  // Decoy field: humans never see it, so any content here means a bot filled the form.
  if (body.website_url) {
    return Response.json({ error: 'Spam detected' }, { status: 400 });
  }
  // ...continue processing
}
Detection
- ID: honeypot
- Severity: low
- What to look for: Check if forms include hidden "honeypot" fields (decoy fields that bots fill but humans don't see). Verify submission is rejected if honeypot is filled.
- Pass criteria: Forms have at least 1 hidden honeypot field (a decoy input with display:none or aria-hidden). Submissions that fill the honeypot are rejected or logged server-side. Count all public submission forms and verify each includes a honeypot.
- Fail criteria: No honeypot fields used on any submission form. A honeypot that is checked only client-side does not count as pass.
- Skip (N/A) when: Platform has fewer than 100 active users or uses CAPTCHA on all submission forms as alternative bot prevention.
- Detail on fail: "Forms have no honeypot fields. A simple bot script can submit content without CAPTCHA."
- Remediation: Add hidden honeypot fields to forms. Server-side validation at src/api/posts/route.ts:
    // Reject if honeypot field is filled (bots fill hidden fields)
    if (req.body.website_url) { // hidden field named to attract bots
      return res.status(400).json({ error: 'Spam detected' });
    }
External references
- owasp:2021 · A04 — Insecure Design
Taxons
History
- 2026-04-18·v1.0.0·Initial import from community-moderation-safety·automated