Avoid forms spamming in Laravel 9

  • avatar
  • 4 mins read

Having a public site with forms can become a headache if we do not prevent spam bots from submitting fake information to our application. Luckily, there is a simple and effective way to defer some of the spam using honeypots. This technique is based on creating a hidden input field that should be left empty by the real users of the application but will most likely be filled out by spam bots.

The package we want to share with you creates a hidden DIV with two fields in it, the honeypot field and encrypted timestamp that marks the moment when the page was served to the user. When the form containing these inputs invisible to the user is submitted to your application, a custom validator that comes with the package checks that the honeypot field is empty and also checks the time it took for the user to fill out the form. If the form was filled out too quickly or if there was a value put in the honeypot field, this submission is most likely from a spam bot.


To get started, use Composer package manager to add the package to your project's dependencies.

composer require spatie/laravel-honeypot

Optionally, you can publish the config file of the package.

php artisan vendor:publish --provider="Spatie\\Honeypot\\HoneypotServiceProvider" --tag=honeypot-config

It will create a configuration file where you will be able to adjust some variables to your project needs. It will be located in config/honeypot.php.

Generating the honeypot

First, you will need to add the honeypot directive in the form where you want to generate it.

<form method="POST" action="...">

<input type="text" name="my_normal_input" value="">

It will automatically add two fields to the form. You can configure these input names in the configuration file.

Then, you must use the ProtectAgainstSpam middleware in the routes that handle the form submission. This middleware will intercept any request that get caught in the honeypot. It will also intercept the request if it is submitted faster than the configured amount of time.

use Spatie\\Honeypot\\ProtectAgainstSpam;

Route::middleware(ProtectAgainstSpam::class)->group(function() {
// Routes protected with honeypot technique

Alternatively, you can enable the honeypot validation on all your application forms adding it to the HTTP kernel middleware for web routes:

// HTTP Kernel: app/Http/Kernel.php

protected $middlewareGroups = [
'web' => [

'api' => [

Customizing the honeypot

Besides the configuration file, you can publish and customize generated output.

php artisan vendor:publish --provider="Spatie\\Honeypot\\HoneypotServiceProvider" --tag=honeypot-views

The view will be placed in resources/views/vendor/honeypot/honeypotFormFields.blade.php.

<div id="{{ $nameFieldName }}_wrap" style="display:none;">
<input name="{{ $nameFieldName }}" type="text" value="" id="{{ $nameFieldName }}">
<input name="{{ $validFromFieldName }}" type="text" value="{{ $encryptedValidFrom }}">

And all generated honeypots will follow the structure defined in the file above.


We highly recommend using this easy and straightforward technique to avoid receiving spam, fake information and unnecessary load on the services due to questionable bots activity. With correct configuration, legit users will not even notice the use of honeypots.

 Join Our Newsletter

Get the latest news and popular articles to your inbox every month


Leave a Reply

Your email address will not be published.