Battling Form Spams In Laravel Using Honeypot

Lois Onyinyemme Bassey
Aug 18, 2021
Photo by Markus Spiske on Unsplash

What is form spam?

In technical terms, form spam happens when malicious entities or bad actors submit unwanted information through online forms to phish or to send abusive messages.

In simpler terms, form spam is when unwanted messages make their way through your website’s forms (and sometimes onto the frontend of your site) — oftentimes without you even noticing. This is one type of spam that is especially aggravating for businesses.

Many businesses and institutions have contact forms on their websites for visitors to leave comments, sign up for newsletters and submit requests for their services. These contact forms can be targeted by spammers and spambots, leading to dozens, or even hundreds, of spam form submissions in your inbox.

While there are different ways to guard against form spam on your site, such as Google reCAPTCHA, the most effective way is to make use of honeypots. How exactly do you implement one in a Laravel application? In this guide, I will explain what you can do to prevent spam from taking over your form submissions.

HONEYPOTS

Honeypots are a means of trapping spam bots that try to spam a form on your site, and Laravel has a package that does just this and is easy to use! How?

Most spambots are so robotic that they simply fill in every field on your form (which, by the way, is stupid!). They cannot tell which form fields should be filled and which should not. This is where a honeypot comes in: it is a dummy input field that is hidden from real users, so it should still be empty when the form is submitted. On the server side, if this hidden field is empty the submission is treated as valid; if it is not empty, the submission is spam.

LARAVEL HONEYPOT PACKAGE

We are going to make use of the laravel-honeypot package. With this package, you can protect one or more forms easily without writing server-side code for each form separately. On top of that, the package also checks how long it took to submit the form. This is done using a timestamp stored in another invisible field. If the form was submitted in a ridiculously short time, the anti-spam protection is triggered as well. Cool, right?!

Having said that, let’s take a look at how to create honeypots and protect website forms from spam.

For package installation, open the terminal in your project root directory and run the command:

composer require spatie/laravel-honeypot

Once the package is installed, publish its config file using the command:

php artisan vendor:publish --provider="Spatie\Honeypot\HoneypotServiceProvider" --tag=config

If publishing with the provider flag above does not work, run the command below and enter the number that corresponds to the entry "Provider: Spatie\Honeypot\HoneypotServiceProvider":

php artisan vendor:publish

This is the content of the config file that will be published at config/honeypot.php:

use Spatie\Honeypot\SpamResponder\BlankPageResponder;

return [
    /*
     * Here you can specify name of the honeypot field. Any requests that submit a non-empty
     * value for this name will be discarded. Make sure this name does not
     * collide with a form field that is actually used.
     */
    'name_field_name' => env('HONEYPOT_NAME', 'my_name'),

    /*
     * When this is activated there will be a random string added
     * to the name_field_name. This improves the
     * protection against bots.
     */
    'randomize_name_field_name' => env('HONEYPOT_RANDOMIZE', true),

    /*
     * This field contains the name of a form field that will be used to verify
     * if the form wasn't submitted too quickly. Make sure this name does not
     * collide with a form field that is actually used.
     */
    'valid_from_field_name' => env('HONEYPOT_VALID_FROM', 'valid_from'),

    /*
     * If the form is submitted faster than this amount of seconds
     * the form submission will be considered invalid.
     */
    'amount_of_seconds' => env('HONEYPOT_SECONDS', 1),

    /*
     * This class is responsible for sending a response to requests that
     * are detected as being spammy. By default a blank page is shown.
     *
     * A valid responder is any class that implements
     * `Spatie\Honeypot\SpamResponder\SpamResponder`
     */
    'respond_to_spam_with' => BlankPageResponder::class,

    /*
     * When activated, requests will be checked if honeypot fields are missing,
     * if so the request will be stamped as spam. Be careful! When using the
     * global middleware be sure to add honeypot fields to each form.
     */
    'honeypot_fields_required_for_all_forms' => false,

    /*
     * This switch determines if the honeypot protection should be activated.
     */
    'enabled' => env('HONEYPOT_ENABLED', true),
];

Usage

First, you must add the @honeypot Blade directive to any form you wish to protect.

<form method="POST" action="{{ route('contactForm.submit') }}">
    @honeypot
    <input name="myField" type="text">
</form>

Using the Blade directive will add two fields: my_name and my_time (you can change the names in the config file).

Next, you must use the Spatie\Honeypot\ProtectAgainstSpam middleware on the route that handles the form submission. This middleware will intercept any request that submits a non-empty value for the key named my_name. It will also intercept the request if it is submitted before the time encoded in the encrypted timestamp that the package generated in my_time.

use App\Http\Controllers\ContactFormSubmissionController;
use Spatie\Honeypot\ProtectAgainstSpam;

Route::post('contact', [ContactFormSubmissionController::class, 'create'])
    ->middleware(ProtectAgainstSpam::class);
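To make the two checks concrete (the empty hidden field from the HONEYPOTS section and the too-fast submission check described just above), here is an added, framework-free PHP sketch; it is not code from the spatie/laravel-honeypot package. The package encrypts its timestamp with Laravel's encrypter, whereas this sketch swaps in an HMAC-signed token; the key, the field names and the sample submissions are constructed for illustration.

```php
<?php
// Added illustration, not the spatie/laravel-honeypot package's own code.
// Constructed assumptions: the HMAC key, the field names and the sample POST data.
declare(strict_types=1);

const DEMO_KEY    = 'demo-only-key-change-me';  // server-side secret (assumption)
const MIN_SECONDS = 1;                           // mirrors 'amount_of_seconds'

// Rendering the form: issue a signed "valid from" token so the client cannot
// forge or rewind the timestamp (the real package encrypts it instead of signing).
function issueValidFrom(int $now): string
{
    $validFrom = $now + MIN_SECONDS;
    return $validFrom . '.' . hash_hmac('sha256', (string) $validFrom, DEMO_KEY);
}

// Handling the submission: true when the request should be treated as spam.
function isSpam(array $post, string $nameField, string $validFromField, int $now): bool
{
    // Check 1: the hidden dummy field must still be empty. A missing field is
    // tolerated here, matching honeypot_fields_required_for_all_forms => false.
    if (($post[$nameField] ?? '') !== '') {
        return true;
    }
    // Check 2: the token must verify and the form must not arrive too quickly.
    $parts = explode('.', (string) ($post[$validFromField] ?? ''), 2);
    if (count($parts) !== 2) {
        return true;                       // token missing or malformed
    }
    [$validFrom, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $validFrom, DEMO_KEY), $mac)) {
        return true;                       // tampered or forged token
    }
    return $now < (int) $validFrom;        // submitted faster than MIN_SECONDS
}

// Constructed sample submissions against a form rendered at $renderedAt.
$renderedAt = 1700000000;
$token      = issueValidFrom($renderedAt);
$samples = [
    'human, 5 s later'        => [['email' => 'a@example.com', 'my_name' => '',     'valid_from' => $token], $renderedAt + 5],
    'bot filled hidden field' => [['email' => 'a@example.com', 'my_name' => 'John', 'valid_from' => $token], $renderedAt + 5],
    'bot submitted instantly' => [['email' => 'a@example.com', 'my_name' => '',     'valid_from' => $token], $renderedAt],
    'bot forged the token'    => [['email' => 'a@example.com', 'my_name' => '',     'valid_from' => '0.abc'], $renderedAt + 5],
];
foreach ($samples as $label => [$post, $now]) {
    printf("%-25s => %s\n", $label, isSpam($post, 'my_name', 'valid_from', $now) ? 'spam' : 'accepted');
}
```

Only the first sample passes both checks; the other three are rejected by the empty-field rule, the timing rule and the token check respectively.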

If you want to integrate the Spatie\Honeypot\ProtectAgainstSpam middleware with Laravel's built-in authentication routes, wrap the Auth::routes(); declaration in a middleware group (and make sure to add the @honeypot directive to the authentication forms).

use Spatie\Honeypot\ProtectAgainstSpam;

Route::middleware(ProtectAgainstSpam::class)->group(function () {
    Auth::routes();
});

That’s it! You are done!
Now, if spambots try to send spam through your form, the package will discard the request. Sweet!
