Honeypot Field
Simple, invisible spam protection that requires no user interaction
A honeypot field is an invisible form field that humans won't see or fill out, but spam bots will. When a bot fills out the honeypot field, Static Forms automatically rejects the submission. This provides effective spam protection without requiring any user interaction.
Free & Easy
Honeypot fields are completely free and require no additional setup or configuration. They work immediately once added to your form.
How It Works
The honeypot technique works on a simple principle:
1. Hidden Field
You add a form field that is hidden from human users using CSS. This field is invisible to real visitors.
2. Bot Detection
Spam bots automatically fill out all form fields they can find, including the hidden honeypot field. Real users never see or interact with it.
3. Automatic Rejection
When Static Forms receives a submission with the honeypot field filled, it silently rejects the submission. The bot receives no error message, making it harder for them to adapt.
Implementation
Adding a honeypot field to your form is simple. Any field name containing "honeypot" will work:
Method 1: Using CSS display:none
Method 2: Using CSS Class
Method 3: Using position:absolute (More Hidden)
Field Name Options
Static Forms recognizes any field name containing "honeypot" (case-insensitive). You can use:
honeypot- Simple and clear_honeypot- With underscore prefixhoneypot-field- With hyphenwebsite_honeypot- With prefixcontact_honeypot_field- Descriptive name
Best Practice
Use a simple name like honeypot or _honeypot. More complex names don't provide additional security and may be easier for bots to identify.
Important Attributes
When creating your honeypot field, include these attributes for best results:
| Attribute | Purpose | Required |
|---|---|---|
| tabindex="-1" | Prevents keyboard navigation to the field | Recommended |
| autocomplete="off" | Prevents browser autofill | Recommended |
| style="display:none" | Hides the field from view | Required |
| type="text" | Standard text input type | Required |
Complete Example
Here's a complete form example with honeypot protection:
Effectiveness
Honeypot fields are effective against:
- Simple spam bots that auto-fill all fields
- Basic automated form submission scripts
- Low-sophistication attacks
However, more sophisticated bots may bypass honeypot fields. For stronger protection, consider combining with:
Layered Protection
For best results, use honeypot fields as a first line of defense, then add ALTCHA or reCAPTCHA for stronger protection. This layered approach catches both simple bots and more sophisticated attacks.
Testing Your Honeypot
To test if your honeypot is working:
Submit Form Normally
Fill out and submit your form normally (without filling the honeypot field). The submission should succeed.
Fill Honeypot Field
Use browser DevTools to make the honeypot field visible, fill it with any value, and submit. The submission should be rejected silently.
Check Email
Verify that you only receive emails for legitimate submissions (when honeypot is empty).
Common Mistakes
Using type="hidden"
Don't use type="hidden" for honeypot fields. Sophisticated bots often skip hidden fields. Use type="text" with CSS hiding instead.
Forgetting to Hide
Always ensure the honeypot field is properly hidden with CSS. If it's visible, real users might fill it out, causing legitimate submissions to be rejected.
Using Wrong Field Name
The field name must contain "honeypot" (case-insensitive). Names like spam_check or bot_trap won't work.
Best Practices
Use display:none or position:absolute
Hide the field using CSS, not the hidden attribute or type="hidden".
Add tabindex="-1"
Prevent keyboard users from accidentally tabbing to the field.
Use autocomplete="off"
Prevent browser autofill from filling the honeypot field.
Combine with Other Protection
Use honeypot as a first layer, then add ALTCHA or reCAPTCHA for stronger protection.