
Honeypot Field

A hidden form field that humans never see but bots fill in, catching dumb spam at zero cost.

A honeypot is a form field that exists in the HTML but is hidden from real users with CSS (display:none, visibility:hidden, opacity:0) and the tabindex=-1 attribute, all used together for redundancy. The field is given a name that a naive bot script will fill in based on the name attribute alone, like 'url', 'website', 'email_confirm', or 'address'.

A real user fills out the visible fields, ignores the honeypot, and submits. A naive bot that scrapes the form HTML and fills in fields by name fills the honeypot too. On submission, the server checks the honeypot. If it's non-empty, reject the submission silently.

Honeypots catch roughly 60-70% of unsophisticated form spam at zero cost and zero user friction. They have effectively no false positives because the only way a human fills the field is with a screen reader that ignores the hiding CSS, which is rare and easy to special-case.

Honeypots are a defense layer, not a complete solution. Sophisticated bots that use real browser automation (Playwright, Puppeteer) see the rendered DOM and ignore hidden fields. Spam services that target specific platforms (WordPress comments, Mailchimp signups) know what honeypot names to skip. Layer honeypots with a real CAPTCHA for the best results.
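The server-side check described above, as an added example that is not part of the original page: the handler discards any submission whose decoy field is non-empty while returning the same response a real submission gets, so the sender cannot tell it was filtered. The field name `website`, the form markup (including the `aria-hidden` and `autocomplete` attributes), the function names, and the request bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "website"  # assumed decoy name, one of the names listed above
OK_RESPONSE = (200, "Thanks, your message was sent.")

# Constructed markup: the decoy is hidden with CSS plus tabindex=-1.
# aria-hidden and autocomplete="off" are added assumptions, not from the page.
FORM_HTML = """\
<form method="post" action="/contact">
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div style="display:none; visibility:hidden; opacity:0" aria-hidden="true">
    <label>Website <input name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
"""

# Constructed request bodies: a browser submits the hidden field empty,
# a name-driven bot fills it in.
HUMAN_BODY = "email=alice%40example.com&message=hello&website="
BOT_BODY = "email=x%40example.net&message=buy+now&website=http%3A%2F%2Fspam.example"

def honeypot_tripped(body: str) -> bool:
    """True if any submitted value for the decoy field is non-blank."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(v.strip() for v in fields.get(HONEYPOT_FIELD, []))

def handle_submission(body: str, inbox: list, dropped: list) -> tuple[int, str]:
    """Process a urlencoded POST body and return (status, response text)."""
    if honeypot_tripped(body):
        # Silent rejection: keep a copy for monitoring, store nothing in the
        # inbox, and answer exactly as a successful submission would.
        dropped.append(body)
        return OK_RESPONSE
    fields = parse_qs(body, keep_blank_values=True)
    inbox.append({k: v[0] for k, v in fields.items() if k != HONEYPOT_FIELD})
    return OK_RESPONSE
```

Counting entries in `dropped` over time shows how much spam the decoy is catching and whether a CAPTCHA layer is pulling its weight.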
